Law Firm Data Breach Notification: What Solo & Small Firms Must Do

ABA Formal Opinion 483 establishes a clear duty to notify clients after a breach. Every state has its own notification statute too. This is what the combined picture looks like for a small firm, and what to do first when something goes wrong.

By Fradley Joseph · June 11, 2026

Note: This article covers technical and general legal landscape information only. It is not legal advice. For advice specific to your jurisdiction, consult your state bar’s ethics counsel or a security attorney.

The ethical foundation: ABA Formal Opinion 483

In October 2018, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, which addresses attorney obligations following an electronic data breach. The opinion interprets three existing Model Rules as creating a breach response and notification duty:

  • 1.1 Competence — requires attorneys to understand how they store and protect client information, and to have the technical knowledge or assistance to respond when systems are compromised.
  • 1.4 Communication — requires attorneys to promptly inform clients of circumstances that may require them to take protective action regarding their information.
  • 1.6 Confidentiality — requires reasonable efforts to prevent unauthorized access to client information, and to respond appropriately when a breach occurs.

Opinion 483 does not create a bright-line notification requirement in every case — it concludes that the duty to notify is triggered when the breach involves information that requires the client to take protective action. But in practice, a breach that exposes client files, correspondence, or identifying information will typically trigger that duty.

Your state bar controls which ethics opinions are authoritative in your jurisdiction. Some state bars have issued their own opinions on breach notification that may be more or less prescriptive than Formal Opinion 483. Check with your state bar’s ethics resources.

State breach notification statutes: all 50 states have one

Separate from ethics rules, every U.S. state has enacted a data breach notification statute. These are consumer protection laws, not bar rules — they apply to businesses and organizations generally, and law firms are not exempt.

The statutes differ significantly across states on key dimensions:

  • Trigger definition — what types of personal information trigger the law (most cover Social Security numbers, financial account numbers, and driver’s license numbers; some extend to health information, biometrics, or login credentials).
  • Notification timeline — most states require notification “in the most expedient time possible” or within a specified period (commonly 30, 45, or 60 days) after discovery of the breach, though some allow time for an investigation first.
  • Who gets notified — affected individuals always; many states also require notifying the state attorney general or a consumer protection agency when the breach exceeds a certain number of affected residents.
  • Encrypted data exceptions — most states carve out breaches where the accessed data was encrypted and the encryption key was not also compromised.

The National Conference of State Legislatures (NCSL) maintains a regularly updated tracker of all state breach notification laws. If you practice in a state you are not familiar with, that is the right starting point for identifying the applicable statute. This article does not provide state-specific legal advice — know your state’s statute.

Practical incident response for a small firm

Solo and small-firm attorneys often lack the IT infrastructure that larger firms use for incident response. That does not reduce the legal obligation — it raises the importance of having a basic plan before an incident occurs, not after.

Here are the practical steps that apply to most small-firm breach scenarios:

01. Contain first

Disconnect affected devices from the network. Change credentials for any accounts that may have been exposed. If you use a cloud service (practice management software, email), revoke active sessions and enable multi-factor authentication immediately if not already in place.

02. Preserve evidence before cleaning up

Do not wipe, reset, or reimage systems until you have documented what happened. Screenshot error messages, log files, and any indicators of compromise. If law enforcement or an insurer will be involved, they will need this evidence. Wiping first destroys your ability to understand — and prove — what occurred.

03. Identify what data was exposed

Determine which client files, emails, or databases were on the affected system. What personal information was accessible? Which clients are affected? The scope of your notification obligation flows from the scope of the exposure — you cannot assess one without the other.

04. Document the incident timeline

Record when you discovered the breach, what you observed, and every step you take in response — with timestamps. This documentation is evidence of your reasonable response efforts. It matters for bar inquiries, insurance claims, and regulatory notifications alike.

05. Assess your notification obligations

With the scope of the breach understood, review your duties under ABA Formal Opinion 483 (and your state bar’s ethics guidance), your state’s breach notification statute, and any applicable federal law (HIPAA if you handle health information, for example). A security attorney in your jurisdiction can help you assess what is required. Notification timelines under state statutes can be short — do not delay this step.

06. Notify affected clients

Client notification should explain: what happened, what information was involved, what you have done in response, and what the client can do to protect themselves (credit monitoring, password changes, etc.). Plain, clear language is better than legal hedging. Clients respond better to straightforward disclosure than to communications that seem designed to minimize.
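As an added illustration of steps 04 and 05 (example code written for this article, not CyberFrad's own tooling): a minimal incident record that keeps a timestamped timeline and works out, per state, the individual-notice deadline, whether an attorney-general notice is also due, and whether the encrypted-data exception removes the statutory trigger. The STATE_A and STATE_B parameters are constructed placeholders, not any real state's statute; the NCSL tracker is where the real values come from.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed placeholder statute parameters, NOT any real state's law: days allowed after
# discovery to notify individuals, and the affected-resident count that also triggers AG notice.
STATUTES = {
    "STATE_A": {"deadline_days": 30, "ag_threshold": 500},
    "STATE_B": {"deadline_days": 60, "ag_threshold": 1000},
}


@dataclass
class Incident:
    discovered: datetime            # when the firm first became aware (step 04)
    affected_by_state: dict         # state code -> number of affected residents
    encrypted: bool                 # exposed data was encrypted at rest
    key_compromised: bool           # the encryption key was also taken
    timeline: list = field(default_factory=list)

    def log(self, note, when=None):
        """Append a timestamped entry to the running incident record."""
        when = when or datetime.now(timezone.utc)
        self.timeline.append((when.isoformat(), note))
        return len(self.timeline)


def encryption_exception_applies(incident):
    """Most statutes exempt breaches of encrypted data if the key stayed safe."""
    return incident.encrypted and not incident.key_compromised


def assess(incident, statutes=STATUTES):
    """Per-state individual-notice deadline (ISO 8601) and AG-notice flag (step 05)."""
    if encryption_exception_applies(incident):
        return {}                   # statutory notice not triggered; the ethics duty is assessed separately
    result = {}
    for state, count in incident.affected_by_state.items():
        if count <= 0:
            continue
        rule = statutes[state]
        deadline = incident.discovered + timedelta(days=rule["deadline_days"])
        result[state] = {
            "individual_deadline": deadline.isoformat(),
            "notify_attorney_general": count >= rule["ag_threshold"],
        }
    return result


def sample_incident(encrypted=False, key_compromised=False):
    """Constructed sample: discovered 2026-06-01 09:00 UTC, residents of two states affected."""
    return Incident(datetime(2026, 6, 1, 9, 0, tzinfo=timezone.utc),
                    {"STATE_A": 600, "STATE_B": 40}, encrypted, key_compromised)
```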

Prevention is cheaper than response

The incident response checklist above is worth knowing, but the better outcome is never needing it. Most breaches that affect small law firms are not sophisticated — they are phishing attacks that succeed because of reused passwords, stolen credentials from a breach elsewhere, or ransomware delivered through a malicious email attachment.

Basic controls that remove the most common attack vectors:

  • Multi-factor authentication on email, practice management software, and cloud storage
  • Unique passwords for every service account (a password manager removes the friction)
  • Regular backups stored offline or in a separate cloud account — your only defense against ransomware
  • Encrypted storage for client files — most breach notification statutes have an encryption exception
  • A written incident response plan, even a one-page document, so you know what to do at 2am when something goes wrong

If you are not sure which of these are in place at your firm, or whether your AI tool usage creates additional exposure, a CyberFrad audit identifies the gaps and delivers a prioritized remediation plan.

AI tools as a breach vector

One increasingly relevant source of law firm data exposure is the AI tools attorneys use for drafting, research, and client communication. Consumer AI products — including the default tiers of ChatGPT — retain conversation data and, in some cases, use it for model training. If an attorney pastes client documents or facts into one of these tools, that data leaves the firm’s control.

Whether this constitutes a “breach” under a state statute depends on the statute’s definition of breach and the nature of the information disclosed. But it clearly raises Rule 1.6 concerns, and ABA Formal Opinion 512 (2024) confirms that existing confidentiality duties apply when attorneys use generative AI.

For a detailed breakdown of which ChatGPT tiers train on your data and what safer patterns look like, see our article “Is ChatGPT Confidential?”

Get assessed

Know your exposure before an incident forces you to find out

A CyberFrad AI Security Audit inventories your firm’s tools, identifies the most likely breach vectors, and delivers a written report with prioritized remediation steps. Flat fee, one-week turnaround.