Article
When Should Law Firms Notify Clients About Data Breaches
American Bar Association Business Law Today (2020)
  • Barry R. Temkin
  • Jennifer Goldsmith
  • David Standish
Abstract
The rules of professional conduct require a fact-based inquiry and disclosure to those clients whose material data is known or reasonably suspected to have been accessed by an intruder. A law firm’s duty to notify clients about a data breach depends on the severity of the breach, the level of knowledge the lawyer has about the breach, and the materiality of the improperly accessed data. The consensus of the organized bar recommends client notification of a data breach affecting clients’ confidential data that are material and reasonably suspected to have been accessed, disclosed, or lost. The materiality of the data and their importance to the client are fact-specific.  
Law firms should proactively prepare for a future cyber intrusion and mitigate their risk by preparing a breach notification plan. In the event of a breach, law firms can avoid or mitigate professional malpractice claims by notifying their cyber insurance carriers, undertaking a prompt and thorough investigation, and employing third-party breach mitigation experts. Prompt and diligent disclosure to clients of the breach may also help mitigate the risk and severity of litigation. 

Keywords
  • cybersecurity
  • data breach
  • law firm data security
  • lawyer data breach
  • professional responsibility
  • legal ethics
  • legal malpractice
Publication Date
November 9, 2020
Citation Information
Barry R. Temkin, Jennifer Goldsmith and David Standish. "When Should Law Firms Notify Clients About Data Breaches" American Bar Association Business Law Today (2020)
Available at: http://works.bepress.com/barry_temkin/71/