What to Do If Your Attorney Client Data Is Exposed

If your law firm has experienced a data breach exposing attorney client information, your first priority is to contact your cyber liability insurance...

If your law firm has experienced a data breach exposing attorney client information, your first priority is to contact your cyber liability insurance carrier immediately for incident response support and forensic specialists. This single step often determines whether your firm can contain the damage, mitigate costs, and navigate the complex legal obligations that follow. The stakes are substantial—in March 2023, Orrick, Herrington & Sutcliffe settled a breach that exposed names, addresses, birth dates, and Social Security numbers of over 600,000 people for $8 million, setting a precedent for the scale of liability firms now face. Data breaches in law firms are no longer hypothetical risks.

Twenty percent of law firms experienced a cyberattack in the past year, with 39% of those incidents resulting in data loss or exposure. When sensitive client information is compromised—whether through ransomware, hacking, or system failure—firms must act within hours, not days. The longer a breach remains unaddressed, the greater the financial, reputational, and legal damage. What happens next depends on several factors: the type of data exposed, the number of people affected, where your clients are located, and how your firm responds in the critical first hours. This guide walks you through the immediate actions, legal requirements, and longer-term consequences of attorney client data exposure.

Table of Contents

THE FIRST HOURS—IMMEDIATE ACTIONS AFTER DISCOVERING A BREACH

The moment you suspect or confirm a breach, your response must be methodical and swift. Beyond contacting your cyber liability insurance carrier, secure your systems and fix vulnerabilities promptly to prevent further data exfiltration. This means isolating affected servers, disconnecting compromised devices from your network, and preserving evidence for forensic investigation. Do not delay this step hoping the breach will resolve itself or assuming you can handle it internally—external forensic specialists are essential to determine exactly what happened and what data was accessed. Your insurance carrier will typically provide or recommend forensic investigators and legal counsel who understand data breach protocol.

This support is crucial because firms often lack the in-house expertise to handle encryption analysis, server logs, and compromised account investigations. Gunster Yoakley & Stewart learned this lesson when a 2022 breach exposed personal and health information of nearly 10,000 individuals, resulting in an $8.5 million settlement in November 2024. The firm’s response time and handling of the breach directly influenced the settlement amount—delays or missteps compound liability. Simultaneously, begin documenting everything. Preserve emails, system logs, forensic reports, and communications about the breach. This documentation serves multiple purposes: it demonstrates due diligence to regulators and courts, it protects your firm in subsequent litigation, and it provides a timeline that may reduce penalties if your response was prompt and professional.

THE FIRST HOURS—IMMEDIATE ACTIONS AFTER DISCOVERING A BREACH

Law firms face overlapping notification obligations that vary dramatically by jurisdiction. Under ABA Rule 1.4, you must notify current clients of a material data breach as soon as reasonably possible—not weeks later. Material client confidential information is defined as data that, if misappropriated or compromised, would “significantly impair” your ability to perform legal services. This includes names, addresses, Social Security numbers, financial information, case details, and health data—which is why the Orrick and Gunster settlements were so costly. If your clients are in the European Union or you maintain data on EU residents, GDPR compliance requires notification within 72 hours of discovering the breach. This is a hard deadline with no exceptions. U.S.

firms without European clients often overlook this, but the penalty is substantial—up to 4% of global annual revenue. State attorneys general also require notification under state-specific breach notification laws, which vary considerably. Some states require notification within 30 days, others within 60 days. Perkins Coie maintains a comprehensive security breach notification chart that shows this variation state by state, but the safest assumption is to notify as soon as your initial investigation confirms the scope of exposure. A critical problem: over half of breached law firms are unfamiliar with their notification obligations, delaying notification and inviting regulatory fines. Do not assume you know your state’s requirements—consult breach notification law directly or have your legal counsel verify timelines. Wacks Law Group’s March 2024 ransomware incident exposed Social Security numbers and driver’s licenses, demonstrating that notification requirements apply regardless of how the data was stolen—malicious hackers and system failures trigger the same obligations.

Average Data Breach Costs in Law Firms (2023-2025)Notification & Credit Monitoring$750000Legal & Settlement Fees$2000000System Remediation$800000Lost Business$900000Regulatory Fines$550000Source: 2025 Law Firm Cybersecurity Data (Integris, Embroker, WilmerHale)

UNDERSTANDING WHO YOU MUST NOTIFY AND HOW

Notification obligations extend far beyond your current clients. You must notify any individual whose data was exposed, which can mean thousands of notification letters if the breach was large. Each notification must include a clear explanation of what data was exposed, how the breach occurred (in general terms), what you’ve done to address it, and concrete steps individuals should take to protect themselves (credit monitoring services, password changes, fraud alerts). Regulators increasingly expect firms to offer credit monitoring—two years minimum, ideally three—to affected individuals. The Orrick settlement exposed over 600,000 people, meaning the firm faced a notification and monitoring obligation extending across multiple states and jurisdictions.

Firms often underestimate the logistical and financial burden of notification. Printing, mailing, and processing returned letters; maintaining a call center to handle questions; and managing credit monitoring subscriptions can cost hundreds of thousands of dollars beyond the settlement amount itself. State attorneys general receive notification copies and may investigate independently. Forty percent of law firm clients say they would fire or consider firing a firm that experienced a breach, so notification also carries reputational risk. The way you frame the breach—transparency about what happened and what you’re doing to prevent recurrence—can partially mitigate client defection, but some loss of business is inevitable.

UNDERSTANDING WHO YOU MUST NOTIFY AND HOW

COMMUNICATING WITH AFFECTED CLIENTS—STRATEGY AND TRANSPARENCY

How you notify clients determines whether they remain your clients or switch to competitors. A rushed, poorly written notification suggests negligence. A transparent, detailed notification with clear next steps suggests competence and commitment to client protection. Your notification should explain exactly what data was exposed (not “personal information” but specifically “names, addresses, birth dates, and Social Security numbers”), acknowledge the seriousness of the breach, and detail your firm’s response measures. Most firms hire outside legal counsel specializing in breach notification to draft client communications. This is wise because the language matters legally and reputationally.

The notification must comply with FTC guidance on data breach response, which requires explaining the breach in plain language, describing steps already taken to secure systems, and providing concrete resources. Include a list of credit monitoring providers, fraud alert contact information, and recommendations for password changes. This turns a crisis into an opportunity to demonstrate that you take client security seriously. Beyond the formal notification letter, consider direct phone calls to key clients and in-person meetings for your largest or most sensitive client relationships. Forty percent of clients willing to fire a firm after a breach suggests that personal communication—where possible—can preserve some relationships. Be honest about what happened and what you’re changing to prevent it.

LONG-TERM COSTS—FINANCIAL AND REPUTATIONAL CONSEQUENCES

The average data breach in the legal industry costs $5.08 million, a 10% increase from the previous year. This figure includes notification expenses, credit monitoring, legal fees, regulatory fines, insurance deductibles, system remediation, and lost business. For smaller firms, a single breach can be existential. Only 36% of law firms have an incident response plan—meaning most firms will scramble when a breach occurs, making expensive mistakes and facing reactive rather than proactive responses. The cost difference is stark depending on firm size. Solo practices and firms with 2-9 attorneys have incident response plans less than 25% of the time.

Firms with 100+ attorneys have plans 80% of the time. This disparity means small firm breaches typically cost more per firm as a percentage of revenue because they lack prepared procedures and must hire external expertise at emergency rates. The Gunster settlement of $8.5 million, while large in absolute terms, reflects the firm’s substantial size and client base. A solo practitioner facing the same breach scope might settle for less but experience the same reputational damage relative to their practice. Client confidence erosion is lasting. Thirty-seven percent of legal clients say they are willing to pay a premium for firms with stronger cybersecurity—a finding that inverts traditional cost calculus. The firms investing in security before a breach are gaining competitive advantage, while firms recovering from breaches are losing clients for years.

LONG-TERM COSTS—FINANCIAL AND REPUTATIONAL CONSEQUENCES

BUILDING SYSTEMS TO PREVENT THE NEXT BREACH

Prevention is radically cheaper than response. Global cybersecurity spending in 2025 reached $183.9 billion, with an estimated 15% increase, yet the median firm still operates with inadequate protections. Multi-factor authentication, encrypted file storage, zero-trust network architecture, and regular security audits remain optional at many firms rather than baseline requirements.

Your incident response plan should outline roles and responsibilities, communication protocols, forensic procedures, and notification timelines before a breach occurs. It should designate a breach response lead, identify insurance carriers and forensic vendors, and establish decision-making authority. Firms with pre-arranged plans respond 30-50% faster than firms without plans, reducing both the scope of damage and the regulatory and reputational fallout.

THE FUTURE OF LAW FIRM CYBERSECURITY—REGULATORY AND MARKET PRESSURE

The trend is clear: regulatory agencies and clients increasingly penalize inadequate security. State bars are beginning to incorporate cybersecurity competence into attorney ethics rules. Insurance carriers are raising premiums and excluding coverage for firms without incident response plans.

The market is also shifting—clients in regulated industries (healthcare, finance, legal services) now demand security certifications before engaging counsel, and this expectation will spread across practice areas. For firms that have experienced a breach, recovery requires demonstrating sustained commitment to security improvements, not one-time remediation. Courts and regulators look for evidence of ongoing training, regular penetration testing, security audits, and updated incident response plans. The firms that recover fastest and retain the most clients are those that treat the breach as a wake-up call for systemic change.

Conclusion

If your attorney client data is exposed, your first action is to contact your cyber liability insurance carrier for immediate incident response support and forensic investigation. From there, your response is governed by overlapping legal obligations—ABA Rule 1.4 notification timelines, GDPR’s 72-hour deadline, and state-specific breach notification laws—that vary significantly and require immediate legal guidance. The cost of a breach spans notification expenses, credit monitoring, settlements, and lost client relationships, averaging $5.08 million for law firms, with larger firms facing settlements in the eight-figure range.

The firms that manage breaches most effectively are those with pre-existing incident response plans, established relationships with forensic and legal specialists, and transparent communication strategies with clients. Your response in the first hours determines the scope of your liability, the length of your recovery, and whether clients remain or defect. If you have not yet created an incident response plan, the time to do so is now—not after a breach occurs.


You Might Also Like