Law Firm Data Breach: The 72-Hour Response Playbook (2026)

A step-by-step law firm data breach response playbook for 2026: how to confirm the incident, preserve privilege, trigger your cyber policy, notify clients and regulators, and avoid the mistakes that turn an incident into a malpractice claim.

Attorney Armor Security Team June 20, 2026 12 min read

A law firm data breach is not just an IT incident. It is a privilege event, a regulatory event, a malpractice exposure, and — increasingly — a client-relationship event that ends in a Request for Proposal you don't win. This playbook is what we wish every managing partner had pinned above the desk before the call comes in at 11:47 p.m.

The next 72 hours decide whether your firm spends the following 18 months in litigation, in front of bar counsel, and on the front page of Law360 — or whether the incident becomes a footnote in next year's renewal application.

What counts as a "law firm data breach" in 2026

The 2026 definition is broader than most partners realize. Under current state notification statutes and the ABA's evolving guidance on Model Rule 1.6(c), a reportable incident at a law firm includes:

  • Confirmed exfiltration of client documents, PII, PHI, or matter metadata.
  • Ransomware deployment, even when no data is proven to have left the network — most states now treat unauthorized access to systems holding personal information as triggering notification.
  • Business email compromise (BEC) where an attacker read or sent mail from a lawyer's mailbox, regardless of whether wire fraud occurred.
  • Vendor breaches at your eDiscovery, document management, or practice management provider where firm data was in scope.
  • Lost or stolen devices containing unencrypted client information.
  • Insider access abuse — a departing associate exporting matter files to personal storage.

If you're asking "is this a breach?", you're already inside the response clock. Treat it as one until counsel tells you otherwise in writing.

Hour 0 to Hour 1: Contain, do not investigate

The first instinct of most IT teams is to dig in and figure out what happened. That is the wrong first move. The right first move is containment and preservation.

  • Isolate, don't shut down. Pulling the network cable preserves volatile memory and disk state. Powering off a compromised host destroys evidence that determines both your insurance coverage and your notification obligations.
  • Disable, don't delete. Suspend suspected user accounts; do not delete them. Revoke active OAuth tokens and force re-authentication on the tenant.
  • Snapshot before remediation. Take forensic images of affected endpoints and VM snapshots of affected servers before any clean-up.
  • Stop the bleeding at the perimeter. Block known C2 domains and IPs at the firewall and DNS layer. Disable external email forwarding rules created in the last 30 days — a classic BEC persistence trick.
  • Do not negotiate yet. If a ransom note appears, do not respond, do not click the chat link, do not run the "decryption test." Every interaction is logged and used against you in coverage disputes.
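The forwarding-rule sweep from the containment step, as an added example that is not from the original post: it reads records shaped like Microsoft 365 unified audit log entries for New-InboxRule and Set-InboxRule (the field names, the firm domain and the sample lines are constructed assumptions, not real tenant data) and returns every rule created or changed in the last 30 days that forwards or redirects mail outside the firm, so those rules can be disabled and the records preserved as evidence.

```python
"""Flag recently created inbox rules that forward or redirect mail outside the firm.

Added example, not code from the original post. The record layout imitates the
Microsoft 365 unified audit log (assumption); the domain and sample lines are made up.
"""
import json
from datetime import datetime, timedelta, timezone

FIRM_DOMAIN = "examplefirm.test"  # constructed placeholder for the firm's mail domain
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

# Constructed sample records, one JSON object per line (not real audit data).
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2026-06-18T03:14:07","Operation":"New-InboxRule","UserId":"jdoe@examplefirm.test",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"archive@mail-relay.example"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2026-06-10T09:00:00","Operation":"New-InboxRule","UserId":"asmith@examplefirm.test",'
    '"Parameters":[{"Name":"Name","Value":"Partner copy"},{"Name":"ForwardTo","Value":"partner@examplefirm.test"}]}',
    '{"CreationTime":"2026-02-01T12:00:00","Operation":"New-InboxRule","UserId":"jdoe@examplefirm.test",'
    '"Parameters":[{"Name":"Name","Value":"Old rule"},{"Name":"RedirectTo","Value":"me@personal.example"}]}',
    '{"CreationTime":"2026-06-19T22:41:30","Operation":"Set-InboxRule","UserId":"mlee@examplefirm.test",'
    '"Parameters":[{"Name":"Identity","Value":"Receipts"},{"Name":"MoveToFolder","Value":"Archive"}]}',
]


def is_external(address: str) -> bool:
    """True when a recipient address is outside the firm's domain (plain string check)."""
    return not address.lower().rstrip(">").endswith("@" + FIRM_DOMAIN)


def find_external_forwarding_rules(lines, now, lookback_days=30):
    """Return sorted (time, mailbox, rule name, destination) tuples for rules created or
    changed within the lookback window that send mail to an external address."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        when = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        if when < cutoff:
            continue  # older than the window; still worth reviewing, but not this sweep
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        rule_name = params.get("Name") or params.get("Identity", "?")
        for key in sorted(FORWARD_PARAMS & set(params)):
            for dest in str(params[key]).split(";"):  # multiple recipients are ';'-joined
                dest = dest.strip()
                if dest and is_external(dest):
                    hits.append((rec["CreationTime"], rec["UserId"], rule_name, dest))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_external_forwarding_rules(SAMPLE_AUDIT_LINES, datetime(2026, 6, 20, tzinfo=timezone.utc)):
        print("DISABLE AND PRESERVE:", hit)
```

Rule names such as "." and a paired DeleteMessage flag are the pattern the page calls out; the output is a worklist for the DFIR firm, not an automatic remediation.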

Hour 1 to Hour 4: Call the right four numbers, in this order

The order matters because each call shapes what the next call can hear under privilege.

1. Your breach coach (outside privacy counsel)

Not your general outside counsel. A breach coach is a privacy attorney whose engagement letter is structured to establish attorney-client privilege over the forensic investigation that follows. Without this call first, your forensic report is likely discoverable in the inevitable class action.

2. Your cyber insurance carrier's hotline

Almost every 2026 cyber policy requires notification "as soon as practicable" and pre-approval of vendors. Calling your preferred forensics firm before the carrier approves them is the single fastest way to void coverage. The hotline is on the policy declarations page — store it in your phone now.

3. The carrier-approved DFIR firm

DFIR stands for digital forensics and incident response. The DFIR firm is retained under the breach coach's engagement to preserve privilege, and handles imaging, log collection, malware analysis, and the eventual root-cause report.

4. Your managing partner and general counsel

Internal escalation comes fourth, not first, because the conversation needs to happen on a privileged channel that has already been established by steps 1 through 3.

Hour 4 to Hour 24: Preserve privilege or lose it

Privilege over the breach investigation is fragile and easily waived. The Capital One, Rutter's, and Wengui decisions all turned on the same mistake: forensic work that looked like it was done for business or regulatory reasons rather than for legal advice.

To hold privilege at a law firm — which should, in theory, know better — the program needs to look like this:

  • The DFIR firm is engaged by the breach coach, not by the firm directly.
  • The engagement letter recites that the work is to enable legal advice regarding regulatory, contractual, and litigation exposure.
  • The forensic report is delivered to the breach coach, who then summarizes findings for the firm.
  • Two reports get written: a privileged legal-advice memo and a non-privileged remediation runbook for the IT team.
  • All breach-related communications use a clearly labeled privileged channel — not the firm's main Slack or Teams.

If your IT director is forwarding the forensic Slack thread to the firm's cyber insurance broker without counsel in the loop, privilege is already gone.

Hour 24 to Hour 72: The notification clock

Multiple clocks start ticking simultaneously, and they do not align.

State data breach notification statutes

All 50 states have one. The fastest are tight:

  • Florida and Colorado — 30 days from determination of a breach.
  • Maine — 30 days, with AG notice.
  • Texas — 30 days, plus AG notice if more than 250 Texans are affected.
  • California — "in the most expedient time possible and without unreasonable delay."

You are obligated under the law of every state where an affected resident lives, not just where your office sits. A 40-lawyer firm in Chicago with a national client base routinely triggers 20+ state statutes from a single incident.

Federal and sector overlays

  • HIPAA — 60 days from discovery if matter data includes PHI; 500+ individuals triggers HHS and media notice.
  • GLBA Safeguards Rule — 30 days to notify the FTC for incidents affecting 500+ consumers.
  • SEC Reg S-P amendments — 30-day individual notice for covered financial institution clients whose data you hold.
  • State AG notification in most states above a threshold (often 250 or 500 residents).

Client and outside counsel guidelines

Read every active OCG. Many require notification within 24 to 72 hours of any suspected incident affecting that client's data — far faster than statute. Missing an OCG notification window is how firms lose institutional clients in a single email.

Bar counsel

A growing number of state bars now expect proactive disclosure of incidents that may have exposed client confidences. Coordinate this with the breach coach; the wrong wording in a self-report becomes the wrong wording in a disciplinary complaint.

What to actually say to clients

Notification letters drafted by IT vendors fail two ways: they over-promise on facts that change, and they under-deliver on the empathy that keeps the client. A defensible 2026 client notification has six parts:

  • What happened, in plain language, with the date range of unauthorized access.
  • What data was involved for that specific client's matters — not the firm-wide list.
  • What you have done — containment, forensic engagement, law enforcement notification if applicable.
  • What you are offering — credit monitoring is table stakes; for corporate clients, a written remediation plan and a call with the breach coach is what they actually want.
  • A named contact — a partner, not a generic inbox.
  • No speculation about attribution, motive, or scope beyond what forensics has confirmed in writing.

Common mistakes that turn an incident into a malpractice case

After hundreds of legal-sector incidents, the same five errors keep showing up:

  • Talking to the press before the breach coach approves the statement. "We take security very seriously" said badly becomes a plaintiff's exhibit.
  • Paying the ransom from an operating account without OFAC screening. Sanctions exposure can dwarf the original loss.
  • Restoring from backups before forensic imaging. You have now destroyed the evidence that proves what was and was not taken — which means you must assume everything was taken for notification purposes.
  • Notifying clients in a single mass email that names every affected client in the To: line. Yes, this still happens.
  • Treating the post-incident report as the end. Underwriters, regulators, and clients will all ask in 12 months what changed. If the answer is "we bought a new EDR," you will not pass the next renewal.

The 72-hour kit to assemble this week

You cannot improvise this at 11:47 p.m. Build the kit now and store it offline:

  • One-page incident response card with the four phone numbers above, taped inside the managing partner's desk drawer.
  • Pre-negotiated breach coach engagement letter on retainer.
  • Cyber policy declarations page with the carrier hotline highlighted.
  • Out-of-band communication channel — a Signal group or separate Microsoft 365 tenant — that does not depend on the production environment.
  • Current asset inventory and data map showing where client data lives by matter and by client.
  • Notification template library pre-reviewed by the breach coach for the top 10 jurisdictions where your clients reside.
  • Tabletop exercise run at least annually with the managing partner, GC, IT lead, marketing lead, and breach coach in the room.

Frequently asked questions

Is a phishing email that an attorney clicked but reported a "data breach"?

Not by itself. It becomes a reportable incident if the credentials were used, if mail rules were created, or if any data was accessed or exfiltrated. Investigate every click; report based on findings.

Does cyber insurance cover the ransom payment?

Most 2026 policies do, subject to sublimits, OFAC screening, and carrier pre-approval. Paying outside that process almost always voids the coverage.

Do we have to notify clients if no data was actually taken?

If unauthorized access occurred to systems holding personal information, most state statutes presume notification is required unless you can document, through forensics, that the data was not acquired. That documentation is expensive and time-sensitive — another reason to image before you remediate.

How long does a typical law firm breach take to resolve?

Containment in days. Forensic root cause in 4 to 8 weeks. Notifications in 30 to 90 days. Class action and regulatory tail in 18 to 36 months. The control improvements you commit to in the notification letters become audit findings against you for the next two renewal cycles.

See what an attacker sees — before they call you

Most law firm data breaches we investigate begin with something the firm could have seen for free, three months earlier, from the outside: an exposed login portal without MFA, a leaked credential in a third-party dump, an unpatched VPN, or a spoofable email domain. Attorney Armor runs a free external attack-surface scan against your firm's domain in under two minutes — no agent, no sales call, no obligation. It is the same view the attacker is about to use.
