What Should Lawyers Do In the Case of a Data Breach Incident

By Albatross Editorial Team

No lawyer or law firm wants to deal with a data breach incident, but the fact is that with the increased use of technology there is a significant possibility of one happening. When a data breach does occur, it is the lawyer's legal and moral obligation to inform their client and take steps to address the breach immediately. The ABA addresses this in Formal Opinion 483:

“Model Rule 1.4 requires lawyers to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” Model Rules 1.1, 1.6, 5.1 and 5.3, as amended in 2012, address the risks that accompany the benefits of the use of technology by lawyers. When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.”

The ABA goes on to explain that law firms run a risk of becoming victims of hackers because they hold private and sensitive information. As an example, a 2019 Texas Lawbook survey reported that of 49 law firms surveyed, 31 said their firms had experienced a data breach during 2017 and 2018 - a remarkably high 63 percent.

Lawyers and law firms are obligated to take security measures and preventive action to protect client data, but unfortunately, breaches can still occur. So what should lawyers do in the case of a data breach incident? Below, we'll take a look at the steps recommended by the ABA and other professional sources for what lawyers and law firms should do.

  1. Act Promptly

According to the ABA, once it is discovered that there was a data breach, it is the obligation of the law firm or attorney to act “reasonably and promptly” to mitigate and resolve the problem.

  2. Investigate and Identify

Once it has been determined that there was a data breach, a thorough investigation of the incident(s) must be done to determine how and why it happened and to decide what course of action to take. This portion of data breach response can be lengthy, sometimes taking a couple of months.

  3. Repair

What needs to be done to repair the issue and prevent further or new access by hackers? For most firms, this won't be an easy answer, as it often requires lengthy structural repairs to the law firm's databases and networks, along with additional security steps that must be implemented.

  4. Notify Affected Parties

The ABA states, “When a data breach occurs involving, or having a substantial likelihood of involving, material client confidential information a lawyer has a duty to notify the client of the breach.” This step is essential because the client should be given the opportunity to be involved and to make decisions relevant to the breach. The ABA does note that there is no explicit rule or regulation regarding notification of former clients, only current ones. This does not mean, however, that the lawyer or law firm has no obligation to protect a former client's data. The ABA recommends obtaining waivers from previous clients.

Following the data breach, every effort must be taken to prevent the incident from occurring again. Below are several recommendations that encourage lawyers and law firms to be proactive in maintaining data security.

Address Security Plan Revisions

What was identified as having allowed the data breach? Following a hacking incident, it is crucial to revise security plans to address the weakness and prevent the same situation from occurring again. Measures such as revamped password requirements, a change of cloud service provider, or retraining employees in proper security procedures may all be required.


Consider Contractual Agreements or Waivers

As previously mentioned, obtaining contractual agreements or waivers from clients should be considered. While a law firm has no explicit obligation to notify former clients in the event of a data breach, it does have an obligation to safeguard any documents and data it retains.

According to the ABA, “... as a matter of best practices, lawyers are encouraged to reach agreement with clients before conclusion, or at the termination, of the relationship about how to handle the client’s electronic information that is in the lawyer’s possession.”

If waivers and contractual agreements are obtained from clients regarding the handling of their secure data, they can help by setting out a document retention schedule and the protections the client and the law firm are each given in the case of an incident.

Hire IT

By hiring a professional IT company or creating an in-house IT department, law firms can add an extra layer of protection between themselves and potential hackers and data breaches. IT professionals can assist by locating and repairing security issues before they become a problem, and by helping to develop and implement an effective security plan to avoid data breaches.


Experiencing a security issue or data breach is practically inevitable for businesses and law firms. What matters is how the problem is responded to and what steps are taken to prevent the issue from happening in the future. By following the recommended actions and requirements above, law firms and lawyers give themselves the best chance of successfully navigating a data breach and protecting their clients' data.