
ABA guidance for attorneys on data breach response

Source: ABA Legal News (www.americanbar.org)
Detected April 1st, 2026

Summary

The American Bar Association issued guidance for attorneys on responding to data breaches within the first 24 hours. The guidance covers ethical duties including technology competence and client confidentiality, state breach notification laws, and communication protocols. It emphasizes centralized communication through a single coordinator to protect attorney-client privilege.

What changed

The ABA published guidance titled 'What to Do in the First 24 Hours After a Data Breach' addressing the immediate actions attorneys must take when their systems are compromised. The guidance focuses on ethical obligations under professional responsibility rules, identifying which state breach notification laws apply, and establishing communication protocols with a single designated coordinator to protect attorney-client privilege.

Legal professionals should review this guidance to ensure their data breach response plans address ethical duties, mandatory notification requirements, and secure communication procedures. While the guidance does not create new legal obligations, it summarizes existing professional responsibility standards and state breach notification requirements that apply to attorneys handling client data.

What to do next

  1. Review and update data breach response plans to address ethical duties and client confidentiality
  2. Identify applicable state breach notification laws and mandatory reporting requirements
  3. Establish a single coordinator for all breach-related communications to protect attorney-client privilege

Source document (simplified)


Summary

  • Lawyers must act fast to contain data breaches while meeting ethical duties regarding technology competence and client confidentiality within the first 24 hours.
  • Centralized communication is critical to protect attorney-client privilege and prevent legal liability by using a single coordinator and secure, out-of-band channels.
  • Legal professionals should engage experts, including digital forensics and cyber insurance, to analyze system access and identify mandatory breach notification requirements.


Tech Column

A data breach introduces immediate pressure and profound uncertainty. Whether you manage an in-house legal department, a sprawling law firm, or a solo practice, the stakes are doubly high. One must act with speed to contain the threat while simultaneously upholding rigid ethical and legal obligations. Although the most effective response begins long before an incident occurs through a formal response plan, the actions taken in the initial 24 hours determine whether a breach remains a manageable event or becomes a catastrophe.

Address Legal and Ethical Obligations

Once the initial technical chaos subsides, the legal professional must pivot to their specific duties. This phase requires a cool-headed assessment of what was lost and to whom it belonged.

Review Ethical Duties

Lawyers and legal departments carry professional responsibilities that persist even during a crisis. In most jurisdictions, these duties center on competence in technology, absolute confidentiality of client information, and honest communication.

If an attacker accessed or exposed confidential records, you must determine if notification is mandatory. Consider these factors:

  • Was client information actually accessed or exfiltrated?
  • Does the breach create a material risk of harm to the client?
  • Is disclosure necessary for the client to protect their interests?

Evaluate Breach Notification Laws

Every U.S. state maintains data breach notification statutes (see overview from Masuda Funai). These laws typically trigger when specific personal information is exposed. Within the first day, your goal is not to complete a final legal memo but to identify which jurisdictions apply.

Initial Regulatory Checklist

  • Identify Data Types: Did the breach include Social Security numbers, financial account numbers, or health information?
  • Identify the Victims: For in-house teams, this includes employees and customers; for firms, it includes clients and opposing counsel.
  • Map Locations: Identify the residency of affected individuals to determine which state laws apply.
  • Notify Authorities: Check if the relevant states require notice to the attorney general or credit reporting agencies.

As the legal team identifies its exposure and the specific data at risk, the focus must shift to how to handle this information internally. Maintaining control over the narrative is essential to prevent further legal complications or a loss of attorney-client privilege.

Communicate with Care

In the wake of a breach, uncontrolled talk creates confusion and legal liability. Information must flow through a single, designated coordinator (such as a general counsel or a managing partner) to ensure accuracy.

Establish the Chain of Command

Establishing a strict hierarchy for information flow prevents the distorted facts that often arise as data passes between departments. The coordinator serves as the ultimate clearinghouse for all data, ensuring that every internal update and external disclosure remains consistent. This centralization is a defensive tactic to protect the attorney-client privilege and work-product doctrine during the investigative phase.

Protocol for Internal Reporting

Define clear reporting lines for IT staff and third-party vendors. Rather than allowing tech teams to send broad status updates via email, require them to report directly to the coordinator. This practice minimizes the creation of “loose” documentation that could be misinterpreted during future discovery or regulatory audits.

Control Internal Communications

Instruct staff and colleagues to limit discussions to the designated response team. Speculation about the cause of the breach or the identity of the attacker often finds its way into discoverable documents. Use secure, out-of-band communication channels (such as encrypted messaging or personal phone lines) whenever possible and document every step of the response.

Secure Information Silos

Apply the principle of “least privilege” to the communication plan. Only individuals with a direct role in the recovery (typically a core group of leadership, IT, and legal) should be privy to the granular details of the investigation. By compartmentalizing information, the organization reduces the risk of an accidental leak by a well-meaning but uninformed employee or colleague.





Managing the Human Element

Acknowledge the stress levels of the team without compromising operational security. The coordinator should provide regular, high-level briefings to the broader staff to quell rumors, but these briefings must focus on the process of recovery rather than the specifics of the vulnerability. Instruct all personnel that “no comment” is the only acceptable response to any inquiry, referring all questions directly to the coordinator’s office.

Avoid Premature Public Statements

Facts are usually incomplete in the early hours. Making a public statement too soon risks spreading incorrect information or making unintended admissions. If the media, board members, or outside parties inquire, stick to a concise script:

  1. The organization is currently investigating a security incident.
  2. We have engaged outside experts to assist.
  3. We will provide updates as more information becomes available.

Effective communication provides a shield for the legal professional, but words alone cannot solve a technical crisis. To move from damage control to discovery, the practice or department must enlist specialized technical and financial support.

Work with Outside Experts

A legal professional should rarely handle a breach alone. Engaging specialized third parties provides the technical depth and insurance backing necessary for a full recovery.

Engage Digital Forensics

A digital forensics firm performs the “medical exam” of your network. They determine how the attacker entered, what systems they touched, and whether they are still hiding in your environment. For both in-house teams and firms, it is standard practice for counsel to retain these experts directly to help preserve legal privilege over their findings.

Contact Cyber Insurance

Cyber insurance policies are more than just a source of funds; they provide a pre-vetted stable of investigators, breach counsel, and notification vendors. Contact your carrier or the company’s risk management department immediately. Waiting too long to report a potential incident can jeopardize your coverage, even if the breach later proves to be minor.

With the right experts engaged and the insurance carrier notified, the initial fog of the crisis begins to lift. This clarity allows the legal team to transition from reacting to the past to planning for the immediate future.

Plan the Next Steps

As the twenty-four-hour mark approaches, the focus shifts from frantic containment to structured recovery and compliance.

Develop a Seventy-Two-Hour Response Plan

By the end of the first day, establish a clear road map for the remainder of the week. This plan should include:

  • Completing the forensic deep dive.
  • Finalizing the list of parties requiring notification (clients, employees, or shareholders).
  • Coordinating with law enforcement if the situation warrants it.
  • Beginning the secure restoration of systems from backups.

Begin Immediate Remediation

Full restoration takes time, but you can take several defensive steps immediately to prevent a "second wave" of the attack.

Immediate Remediation Steps

  • Reset All Passwords: Force a practice-wide or department-wide password change.
  • Enforce MFA: Enable multifactor authentication on every entry point, especially email.
  • Patch Vulnerabilities: Close the holes the attacker used to gain entry (see SecurityScorecard overview).
  • Update Monitoring: Increase the sensitivity of your security alerts.

Securing the perimeter and drafting a timeline provides the foundation for long-term recovery. These early technical and strategic victories ensure the legal professional emerges from the first day with their reputation and the trust of their organization intact.

The first day of a breach is a test of preparation. By focusing on five priorities (containing the threat, preserving evidence, engaging experts, understanding the scope, and evaluating legal duties), an organization protects its clients, colleagues, and its reputation. Preparation makes these first 24 hours easier, turning a potential disaster into a disciplined professional response.




Authors

Ashley Hallene

Ashley Hallene is an Attorney and Land Acquisition Specialist with Demeter Land Development. She is based in Houston, Texas. She is the co-author of several books, including Technology Tips for Seniors Volume 2.0 (2018),...


Jeffrey M Allen

Graves & Allen

Jeffrey Allen is a principal in the law firm of Graves & Allen, in Oakland, California. He runs a general practice that, since 1973, has emphasized real estate and business transactions, receiverships and related...


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: ABA
Instrument: Guidance
Legal weight: Non-binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Legal professionals
Industry sector: 5411 Legal Services
Activity scope: Data Breach Response; Breach Notification; Professional Responsibility
Geographic scope: United States (US)

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Cybersecurity; Consumer Protection
