Law Firms Must Embed Cybersecurity in Governance to Protect Data

May 19, 2026, 8:30 AM UTC

The Bottom Line

  • Law firms’ volume of sensitive data makes them targets for data breaches, so cyber risk should be treated as critical to client service.
  • Attorneys may have ethical and legal obligations to safeguard client data and communicate clearly and promptly with affected clients about the extent of a data breach.
  • Firms should consider best practices outside the IT department such as integrating cybersecurity into firm governance and giving staff regular security training.

Law firms are especially attractive targets for data breaches given the volume and sensitivity of their data. In April, Jones Day became the latest victim of the “Silent Ransom Group,” a hacking ring that posted data from 10 of the firm’s clients.

A robust internal cybersecurity program is no longer enough. To protect themselves and their clients, law firms must prioritize rigorous due diligence of vendors, continuous monitoring, and a security-conscious culture that treats cyber risk as a core element of client service and professional responsibility.

Ethical Obligations

While ethics duties don’t impose strict liability for every incident, they require firms to use reasonable efforts to safeguard client information, detect and respond to incidents, communicate with affected clients, and supervise personnel and vendors appropriately.

The American Bar Association has long addressed ethical duties related to data breaches, including in Formal Opinions 477R and 483. The New York City Bar Association also issued guidance. And in 2020, a California ethics opinion found that lawyers must conduct a reasonable inquiry and notify clients of a data breach.

Notice requirements: Firms must promptly evaluate notice obligations when they know or reasonably should know that a data breach has occurred. They must notify current clients if the breach involves or has likely involved material client information or hampers their ability to perform legal services.

Notice should, at minimum, disclose the breach and known extent of affected information. As a best practice, firms should explain their response plan and security improvements. They must share notice without unreasonable delay, with a continuing duty to communicate material developments. While the duty to safeguard information continues for former clients, Opinion 483 stops short of requiring notice to former clients absent a specific state rule or applicable law.

Disciplinary consequences: The ABA opinions clarify that a data breach doesn’t automatically establish an ethics violation, particularly when information is accessed or lost despite reasonable safeguards. But a lawyer or firm does face disciplinary risk when they fail to make reasonable efforts to prevent and detect breaches, supervise personnel or vendors, investigate adequately, or notify clients when required.

Failure to implement reasonable protections could implicate duties of competence, confidentiality, and safeguarding property, while failure to adequately disclose could implicate duties of communication and rules against misrepresentation by omission.

Compliance Obligations

In addition to ethical obligations, state and federal laws impose more specific notification requirements on law firms and may create additional enforcement risk or private rights of action for violations.

State laws: As of Jan. 1, 2026, all 50 states and Washington, DC, have breach-notification laws that often extend beyond ethical obligations, though they differ in timing, scope, and requirements. Twenty states specify deadlines ranging from 30 to 60 days; others use language such as “without unreasonable delay.”

States vary on what information triggers notification duties, such as biometric data, medical information, government IDs, or online credentials. Many require notifying the attorney general when specific numbers of residents are affected, and almost half recognize a private right of action.

Federal laws: There is no single comprehensive federal breach-notification requirement for law firms. Instead, firms face sector-specific obligations depending on their clients and the data they handle.

If a firm handles protected health information as a HIPAA business associate, it must notify the covered entity (client) within 60 days of a breach. The client then notifies affected individuals, the Department of Health and Human Services, and potentially the media if the breach affects more than 500 residents of a state or jurisdiction. Health privacy law violations can result in annual penalties exceeding $2 million for unauthorized disclosures, plus more for inadequate safeguards.

The Gramm-Leach-Bliley Act, enforced by the Federal Trade Commission, applies to financial institutions but may sometimes affect firms. In American Bar Association v. FTC, the US Court of Appeals for the DC Circuit held that law firms aren’t “financial institutions” under GLBA’s privacy provisions. But the FTC expanded reporting requirements in 2023, and firms still may have contractual notification obligations to clients subject to GLBA requirements.

The Securities and Exchange Commission similarly expanded reporting rules in 2023. Law firms may have breach-reporting duties under some circumstances, as shown by a settlement requiring Covington & Burling to disclose the names of clients targeted by hackers so the government could determine if nonpublic information was used for illegal trading. The FTC has taken the position that Section 5 of the FTC Act imposes a de facto notification requirement because failure to notify may increase consumer harm.

International laws: Firms with European offices or EU clients should be aware of the General Data Protection Regulation and sector-specific EU laws imposing additional data protection and breach-reporting obligations. The GDPR applies when an entity is regularly handling EU residents’ personal data and requires foreign entities to designate a representative in an EU member state to report significant breaches within 72 hours after becoming aware and (in the case of highly sensitive data) to notify the affected individuals without undue delay.

Class-Action Liability

Beyond regulatory enforcement and ethical scrutiny, law firms suffering data breaches increasingly face class-action litigation from impacted individuals. Plaintiffs in law firm data breach class actions typically assert multiple causes of action:

Negligence. Plaintiffs allege the firm breached a duty of care to safeguard information by failing to implement reasonable security measures and should have foreseen the breach given well-documented cyberattacks targeting law firms. They may also allege negligence per se, claiming that if a firm’s actions violated a law like the FTC Act, the firm was necessarily negligent because it breached the standard of care established by that law.

Breach of implied contract. Plaintiffs argue that providing personal information to a firm created an implied contract to safeguard it and provide timely breach notice; claimed damages may include loss of the benefit of the bargain.

Breach of fiduciary duty. Plaintiffs argue firms assume fiduciary obligations to safeguard sensitive information and timely notify of breaches. While viability remains contested, the theory carries particular weight against law firms given the profession’s heightened duty of confidentiality.

Other claims. Other claims might include unjust enrichment, invasion of privacy, and violations of state or federal statutes providing a private right of action.

Standing, causation, and damages: For Article III standing, plaintiffs must demonstrate a concrete “injury-in-fact” (not a vague or hypothetical harm) fairly traceable to the defendant’s conduct and redressable by the court. In data breach cases, plaintiffs have argued that data exposure alone can create a sufficiently concrete injury-in-fact even absent evidence of misuse, citing Spokeo, Inc. v. Robins, which recognized that an increased risk of future identity theft, combined with mitigation costs, can satisfy that requirement.

Alleged harms include diminished value of data, time and costs for monitoring accounts and credit reports, emotional distress, and ongoing risk to information remaining in the firm’s possession. Several circuit courts have held that a substantial risk of future harm can suffice, particularly when highly sensitive information such as Social Security numbers was exposed.

Courts have been receptive to arguments that delayed notification aggravates harms, limiting plaintiffs’ opportunity to take timely protective measures and increasing the risk of identity theft.

Firms argue that third-party hackers constitute an intervening cause, but plaintiffs counter that inadequate security made the breach foreseeable and delayed notification compounded harm. Plaintiffs seek compensatory damages, punitive damages, and injunctive relief requiring security improvements, audits, and credit monitoring.

Notable settlements and rulings: In recent years, multiple law firms have suffered millions of dollars in liability in data breach litigation. In 2025, a California federal judge approved a $1.3 million settlement against Houser over a 2023 breach affecting more than 326,000 individuals, and a suit against Riley Pope & Laney was resolved under mediation.

Class actions filed in 2025 include cases against Kelley Drye & Warren; Pillsbury Winthrop Shaw Pittman; TorHoerman Law; Zumpano Patricios; and Brown Paindiris & Scott. And Barton Gilman was sued in early 2026. Most of these cases are pending.

In 2024, Orrick, Herrington & Sutcliffe paid $8 million to settle a class action over a 2023 breach affecting more than 152,000 individuals. Later that year, Florida-based Gunster, Yoakley & Stewart agreed to pay $8.5 million and undergo security improvements for a 2022 breach affecting approximately 9,550 individuals, with each receiving reimbursements of up to $35,000 and three years of credit monitoring.

Proactive Risk Mitigation

While there’s no one-size-fits-all approach, firms of any size should consider several best practices:

Integrate cybersecurity into firm governance. Designate a partner, committee, or security lead to oversee information security with clear authority and documented responsibilities. Ensure reporting to firm leadership so cybersecurity is managed as a business and ethics risk, not just an IT issue.

Conduct periodic risk assessments. Regularly identify where client data resides, the main internal and external threats, and what safeguards are proportionate to the sensitivity of the information and likelihood of harm.

Adopt and maintain comprehensive written security policies, including policies for AI use. Policies should set clear expectations, support training, and provide proof of compliance for clients and regulators. Ensure coverage for remote work and mobile/personal devices. If one isn’t already in place, consider adopting an artificial intelligence acceptable-use policy.

The use of insecure AI tools at work can create unanticipated exposure, with one recent report finding nearly 84% of the AI tools analyzed had been subject to at least one data breach. Establishing clear data usage policies for AI and ensuring that approved AI applications are implemented securely can help mitigate the risk.

Require strong authentication. Use strong passwords and multifactor authentication, especially for email, cloud platforms, VPNs, administrator accounts, and remote access.

Restrict and review access rights. Apply least-privilege access so lawyers, staff, and vendors have only the data and system access necessary for their roles. Remove access promptly when roles change. Limit physical access to devices containing sensitive information, and remind users to secure devices when not in use.

Encrypt sensitive data. Apply encryption to emails, devices, databases, and cloud repositories. Ensure data is encrypted in transit, at rest, and in backups.

Keep systems patched and protected. Regularly update all software, operating systems, and applications to patch known vulnerabilities. Enable automatic updates when possible. Deploy firewalls and intrusion detection systems to monitor network traffic and identify suspicious activity.

Train lawyers and staff regularly. Provide ongoing training for every team member on phishing, confidentiality risks, secure communications, approved tools, appropriate AI use, and escalation procedures for suspicious activity. Maintain training records as proof of compliance.

Vet and monitor vendors carefully. Perform due diligence on cloud and other service providers, impose contractual protection for client data, and reassess periodically. Consider independent audits or third-party vetting.

Maintain secure backups and business continuity measures. Keep regular, tested backups, including offline or segregated copies where feasible, to support recovery from ransomware, deletion, or system failure.

Monitor, test, and audit security controls. Use logging, alerting, vulnerability scanning, and periodic testing to detect weaknesses early and verify safeguards are functioning. Consider external testing by security professionals.

Maintain a written incident response plan. Understand obligations specific to your practice and prepare a clear breach-response process covering containment, investigation, evidence preservation, internal escalation, client notification, and restoration of operations.

Looking Ahead

Hackers on the hunt for sensitive data have increasingly set their sights on law firms—treasure troves of confidential client information, including trade secrets, financial records, health information, and privileged communications.

With so much at stake, the impact now extends beyond IT concerns, reaching the profession’s core ethical obligations and potentially exposing firms to disciplinary action, regulatory scrutiny, or class action litigation. Firms must act proactively to mitigate the risks—before they fall victim to a breach.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.

Author Information

Sid Mody is a partner at O’Melveny focused on cybersecurity, data privacy, and white-collar defense.

Randall W. Edwards is a partner at O’Melveny focused on class actions and data-security matters.

Alexander Biggs is a litigation associate at O’Melveny specializing in data privacy and healthcare matters.
