
THE TECHNOLOGY BLIND SPOT
On the morning of July 29, 2017, a network administrator at Equifax renewed an expired TLS certificate on the device that inspected the company’s encrypted network traffic. Routine maintenance. The kind of task that barely registers in a change log. But that certificate had been expired for roughly ten months, and for that entire stretch the inspection tool had been unable to decrypt, and therefore unable to see, the traffic passing through it. The moment decryption resumed, alarms lit up across the security operations center: anomalous outbound data transfers, unauthorized access patterns, and evidence of exfiltration stretching back seventy-six days, to mid-May, when attackers first exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) that had been publicly disclosed and patched in March.
What happened next became a case study in institutional failure. Equifax waited six weeks to inform the public that personal records of 147.9 million Americans had been compromised. During that silence, three executives sold $1.8 million in company stock. The notification website Equifax eventually launched initially presented consumers with terms containing an arbitration clause that appeared to waive their right to join a class-action lawsuit; the company removed the clause only after public backlash. The company lost $4 billion in market value, paid $1.38 billion in settlements and remediation, and handed Congress a textbook example of what happens when an organization treats breach disclosure as a liability management exercise rather than a legal obligation.
Equifax is not a law firm. But the disclosure failures that defined its breach raise a question that every attorney in private practice should be asking: if your firm suffers a breach exposing client data, what exactly do the Model Rules require you to do, how fast must you do it, and what happens when you delay?
The Direct Answer
Your ethical obligations after a breach extend well beyond compliance with state notification statutes. ABA Formal Opinion 483 requires attorneys to monitor for breaches, stop ongoing intrusions, investigate what happened, and notify affected current clients of any material compromise of confidential information. State laws increasingly impose firm deadlines of 30 to 60 days. The SEC can subpoena your client list. And delay compounds every category of harm: financial, reputational, regulatory, and disciplinary.
This is not a cybersecurity article dressed in legal language. This is an analysis of the ethical framework that governs how attorneys must respond when client data leaves their control.
The Ethics Framework You Cannot Ignore
ABA Formal Opinion 483 (2018) established the profession’s most comprehensive guidance on post-breach obligations. The opinion grounded its analysis in three Model Rules that every attorney should know by number.
Model Rule 1.1 requires competent representation, including (per Comment 8) an understanding of “the benefits and risks associated with relevant technology.” This competence obligation extends to understanding how client data can be compromised and what to do when it is. An attorney who cannot explain the firm’s incident response plan has a competence problem before any breach occurs.
Model Rule 1.6(c) mandates “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Formal Opinion 483 interpreted this as requiring an ongoing risk assessment process: monitoring for intrusions, stopping breaches promptly, and investigating the scope of any compromise. The opinion emphasized that this “is not a strict liability standard.” An ethical violation occurs not because a breach happened, but because the lawyer failed to take reasonable precautions or failed to respond appropriately after discovery.
Model Rule 1.4 requires lawyers to keep clients “reasonably informed about the status of a matter.” Formal Opinion 483 applied this directly to breach notification: “An obligation exists for a lawyer to communicate with current clients about a data breach” when the breach involves “material client confidential information.” The notification must provide enough information for the client to make informed decisions about continued representation, potential exposure, and any remedial steps the client should take independently.
The New York City Bar Association’s Formal Opinion 2024-3 extended this framework further. The opinion addressed ransomware payments, conflicts of interest arising from breaches, supervisory obligations under Rules 5.1 and 5.3, and the obligation to conduct due diligence on third-party vendors who store or transmit client data. The opinion also clarified that disclosing a client’s identity as a breach victim could itself expose the client to harm, creating a tension between disclosure obligations and confidentiality duties that requires careful judgment.
The Cost of Delay
IBM’s 2024 Cost of a Data Breach Report analyzed 604 real-world breaches across 16 countries and found the global average cost reached $4.88 million, a 10% increase from the prior year. The most telling number is the lifecycle metric: organizations took an average of 194 days to identify a breach and 64 days to contain it. Breaches extending beyond 200 days cost an average of $5.46 million. Those contained under 200 days averaged $4.07 million. That $1.39 million gap reflects the compounding damage of every additional day without detection, containment, and disclosure.
Internal detection proved decisive. Organizations that discovered breaches through their own security teams rather than learning about them from attackers or third parties shortened the breach lifecycle by 61 days and reduced costs by nearly $1 million. Organizations that involved law enforcement in ransomware incidents saved an additional $1 million on average compared to those that handled incidents alone.
For law firms, the financial calculus carries additional weight. A six-attorney estate planning firm in New Jersey learned this in March 2024, when the Qilin ransomware group breached its network and exposed Social Security numbers, driver’s licenses, and confidential documents. The firm’s five-month delay in notifying victims triggered a class-action lawsuit. The notification delay gave attackers a substantial head start in exploiting the stolen data, and it gave plaintiffs’ attorneys a straightforward negligence theory: the firm knew, the firm waited, and people got hurt.
SEC v. Covington: When Your Breach Becomes a Regulatory Problem
The Covington & Burling case illustrates how a law firm breach can cascade into regulatory exposure that extends far beyond the initial compromise.
In November 2020, a Chinese state-sponsored actor exploited a zero-day vulnerability in Microsoft Exchange Server and breached Covington’s systems. Covington disclosed the intrusion to the FBI in 2021, but it did not disclose the names of clients whose information may have been accessed. In March 2022, the SEC served an administrative subpoena demanding the names of 298 publicly traded clients potentially affected by the breach. Covington refused, citing attorney-client privilege and ethical confidentiality obligations. The SEC sued to compel compliance in January 2023.
In July 2023, U.S. District Judge Amit Mehta ruled that Covington must disclose the names of seven clients whose material nonpublic information may have been accessed. Judge Mehta found that the client identities themselves did not constitute privileged communications. The ruling sent a clear signal: law firms cannot use privilege as a blanket shield against regulatory inquiry into breach impacts. Eighty-three law firms filed an amicus brief supporting Covington, arguing that the subpoena turned “advocate into informant.” The court was unpersuaded.
Covington ultimately disclosed six client names (the seventh objected and the matter remained pending). The case established that regulators can reach past the firm to assess whether clients’ own disclosure obligations were met, whether insider trading occurred on compromised information, and whether the breach triggered securities law reporting requirements that the clients themselves may have missed.
For solo practitioners and small firms, the Covington scenario may feel remote. But the underlying principle applies at every scale: when your firm is breached, you are not the only party with regulatory obligations. Your clients may have their own notification duties under state law, industry regulations, or contractual commitments. Your delay in telling them becomes their delay in meeting those obligations.
The Notification Clock Is Getting Shorter
All 50 states now maintain breach notification statutes, and the trend line points firmly toward shorter deadlines and stricter enforcement.
New York amended its General Business Law § 899-aa in December 2024, imposing a firm 30-day deadline for notifying affected residents after discovering a breach. The amendment kept the prior “most expedient time possible and without unreasonable delay” language but capped it with a hard 30-day outer limit, ending the open-ended discretion that standard had given organizations. California followed with its own 30-day requirement. Colorado, Florida, Maine, and Washington already maintained similarly tight timelines.
The SEC’s cybersecurity disclosure rules, adopted in July 2023 and in force for incident reporting since December 2023, require public companies to report material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. The EU’s General Data Protection Regulation mandates notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. Pennsylvania’s 2024 amendments added attorney general notification requirements for breaches affecting more than 500 residents and imposed mandatory credit monitoring obligations.
For attorneys, these overlapping regimes create a compliance matrix that grows more complex each year. A firm with clients in New York, California, and Pennsylvania may face three different notification timelines triggered by a single breach event. Formal Opinion 483’s ethical obligations layer on top of (and sometimes diverge from) these statutory requirements. A breach that falls below a state statute’s threshold for notification may still require client communication under Model Rule 1.4 if the compromised information is material to the representation.
The Collective Defense Argument
Public disclosure protects more than the breached organization’s clients. It activates the broader defensive ecosystem.
When a compromised firm shares indicators of compromise (file hashes and other malware signatures, command-and-control domains and IP addresses, the specific vulnerability that was exploited), organizations across the legal industry can deploy countermeasures before the same attack chain reaches their networks. NIST’s Cybersecurity Framework 2.0, released in February 2024, added “Govern” as a sixth core function alongside Identify, Protect, Detect, Respond, and Recover, and emphasized information sharing as essential to managing cybersecurity risk across supply chains and sector boundaries.
The 2017 NotPetya attack demonstrated this principle through devastating counterexample. The attack caused an estimated $10 billion in global damage, crippling Maersk, Merck, FedEx’s TNT Express, and DLA Piper within hours. DLA Piper’s experience alone required 15,000 hours of IT overtime to recover and left attorneys unable to access email or documents for days. Organizations that received early warning from peers suffered measurably less damage than those that learned about the attack from their own collapsing systems. This blog previously examined DLA Piper’s experience and the broader pattern of law firm targeting in “Why Hackers Target Law Firms: Where All the Secrets Are Buried.”
The IBM data reinforces this point from a different angle: organizations deploying security AI and automation extensively saved an average of $2.2 million per breach compared to those without. Rapid detection, rapid response, and rapid sharing of threat intelligence reduce costs for everyone. Disclosure is the mechanism that makes coordination possible.
The Case Against Speed
The strongest argument against mandating rapid disclosure rests on a legitimate concern: premature notification causes its own harm.
Alex Stamos, formerly Facebook’s chief security officer, has argued that GDPR-style timelines force companies to disclose breaches before they can confirm what data was actually compromised, how many individuals were affected, or whether the attacker has been fully expelled from the network. A notification that says “we were breached, but we don’t know what was taken or by whom” can trigger panic, crater stock prices, and overwhelm consumers with alerts they cannot act on meaningfully.
Stewart Baker, former general counsel of the National Security Agency, has warned that aggressive deadlines produce incomplete breach reports and drive “breach notice fatigue”: consumers, bombarded with notifications, simply stop reading them. The IAPP has documented cases where premature notification identified an excessively broad population of affected individuals, causing unnecessary alarm, or an inappropriately narrow one, creating a false sense of security.
There is also a national security dimension. Mandating disclosure during an active investigation can compromise law enforcement operations and alert threat actors that their infrastructure has been identified. The SEC acknowledged this by allowing disclosure delays when the U.S. Attorney General determines that immediate reporting would pose a substantial risk to national security or public safety.
These objections carry weight. ABA Formal Opinion 477R explicitly acknowledges that the reasonableness standard does not require perfect security. No ethics opinion mandates instantaneous disclosure. The standard is “reasonable efforts” and “reasonably informed,” not “absolute transparency within hours.”
The SEC’s case against SolarWinds and its CISO, Timothy Brown, reinforces the skeptic’s position from a different angle. In October 2023, the SEC filed the first-ever cybersecurity enforcement action against an individual CISO, alleging that SolarWinds and Brown misled investors about the company’s security practices before and after the 2020 SUNBURST attack, a Russian state-sponsored supply-chain compromise of SolarWinds’ Orion software platform. The SEC’s theory broke new ground: it attempted to stretch the Exchange Act’s “internal accounting controls” provisions to encompass cybersecurity systems and used Brown’s own internal presentations flagging security gaps as evidence of fraud.
The courts rejected most of that approach. In July 2024, U.S. District Judge Paul Engelmayer dismissed the bulk of the SEC’s claims in a 107-page opinion. He found that SolarWinds’ statements in press releases, blog posts, and podcasts were “non-actionable corporate puffery,” rejected the accounting-controls theory as an overreach beyond the statute’s intended scope, and ruled that the SEC’s post-breach disclosure claims relied impermissibly on hindsight. The one claim he allowed to proceed concerned the “Security Statement” on SolarWinds’ public website, which the SEC alleged materially misrepresented the company’s access controls and password practices. In November 2025, the SEC dismissed the remaining claims with prejudice, ending the litigation entirely. Brown, who remained SolarWinds’ CISO throughout, stated publicly: “We did nothing wrong.”
The SolarWinds outcome sent a clear signal that courts will not permit regulators to weaponize candid internal security assessments. CISOs and security professionals voiced relief: penalizing executives for documenting vulnerabilities would create perverse incentives to avoid the very internal transparency that good security requires. For law firm managing partners who also serve as their firm’s de facto security officer, the ruling provides some comfort that honest internal risk assessments will not become litigation exhibits.
But the comfort has limits. The SEC brought the case, named Brown personally, and forced two years of litigation before the claims failed. SolarWinds spent millions in legal fees defending against a theory that business groups and a bipartisan coalition of former government officials argued in amicus briefs was meritless. Winning an SEC enforcement action is not the same as avoiding one. And the SEC’s July 2023 cybersecurity disclosure rules remain in effect: public companies must still report material incidents within four business days. The SolarWinds dismissal narrowed how the SEC can enforce those rules. It did not eliminate the rules themselves.
Why the Counterargument Has Limits
The premature-disclosure objection contains a flaw: it treats speed and accuracy as mutually exclusive. The SEC’s four-day rule starts not when an incident occurs, but when the company determines materiality. Organizations retain time to investigate scope and impact. What they cannot do is sit on that determination while executives sell stock and legal teams strategize about minimizing fallout.
For attorneys specifically, the ethics framework already builds in this nuance. Formal Opinion 483 does not require notification the moment a firewall alert triggers. It requires reasonable efforts to monitor, investigate, and then communicate with clients once the firm has enough information to provide meaningful notice. The question is whether “reasonable” ever means “six weeks” or “five months.” After Equifax and the New Jersey estate planning firm, the answer from courts and regulators appears to be no.
A tiered approach resolves the tension between speed and accuracy: confidential reporting to law enforcement and regulators within hours, sector-specific sharing of technical indicators within days, and client notification once the scope is reasonably understood. NIST SP 800-61, the Computer Security Incident Handling Guide, already treats coordination with law enforcement, regulators, and peer organizations, and the sharing of incident indicators, as part of the standard incident handling lifecycle rather than an afterthought. The infrastructure exists. The gap is in adoption.
Practice-Specific Implications
Corporate and M&A Practices: Deal communications involve material nonpublic information. A breach during an active transaction triggers potential securities law implications beyond malpractice exposure. The Covington case demonstrated that the SEC will investigate whether compromised deal intelligence led to insider trading. As this blog examined in the email privacy series, these communications face compounding vulnerabilities: insecure transmission, recipient-side exposure, and now the risk that your firm’s own systems become the breach vector.
Criminal Defense: Defense strategy files represent some of the most sensitive information in legal practice. A breach exposing witness identities, cooperation agreements, or defense theories can endanger lives. The phone call security analysis in this series noted that Salt Typhoon attackers specifically compromised the CALEA systems used for law enforcement wiretaps, creating secondary exposure for clients already under government scrutiny.
Family Law: Asset disclosures, custody evaluations, and domestic abuse allegations involve information that hostile parties actively seek. A breach notification delay in a contested divorce gives the opposing spouse time to exploit compromised information before the client can take protective measures.
Estate Planning: The New Jersey estate planning firm breach exposed Social Security numbers and confidential documents. Estate files contain detailed financial information, family dynamics, and distribution plans that become relevant in subsequent litigation between beneficiaries. A five-month notification delay left clients exposed to identity theft without the ability to take basic protective steps like credit freezes.
What to Do Before the Breach Happens
First, develop an incident response plan. ABA Formal Opinion 483 specifically identified incident response planning as a component of the duty of competence under Rule 1.1. Two-thirds of law firms lack such a plan despite most carrying cyber insurance. Your insurer may require one, and you will need it when the breach occurs. The plan should identify who leads the response, how to contact forensic specialists, when to notify law enforcement, and the decision framework for client notification.
Second, review your engagement letters. Include language addressing how the firm will handle breach notification, what communication channels will be used, and what the client’s own obligations may be if firm systems are compromised. Address data retention policies explicitly. Formal Opinion 483 noted that agreements with former clients about data retention can limit exposure when breaches affect archived files.
Third, map your notification obligations. Identify every state where your clients reside and catalog the applicable breach notification timelines, attorney general reporting thresholds, and credit monitoring requirements. A firm with clients across multiple states cannot afford to learn these requirements during a crisis.
Fourth, train your staff. Model Rule 5.3 extends supervisory responsibility to nonlawyer assistants. Every person in your office who touches client data needs to understand what constitutes a potential breach, who to notify internally, and what not to do (such as deleting evidence or attempting unauthorized remediation). This blog’s analysis of password security documented that 95% of breaches involve human error. Training is not optional.
Fifth, document your security posture. If a bar complaint or malpractice claim questions your practices, contemporaneous documentation of risk assessments, security measures, and policy decisions provides evidence of deliberate professional judgment. Formal Opinion 483 emphasized that the standard is “reasonable efforts,” not perfection. Documentation proves you made the effort.
The Math of Silence
Most breach victims who filed claims in the Equifax settlement received between $5 and $20, not the $125 initially advertised, because 4.5 million people filed against a capped $31 million fund. The arithmetic of delayed disclosure concentrates cost savings on the breached organization and distributes harm across millions of people who never had a chance to protect themselves. Rapid disclosure inverts that equation.
Silence is not a security strategy. It is a liability strategy. And for attorneys, it is a strategy that Formal Opinion 483, Model Rule 1.4, and an accelerating wave of state notification statutes have firmly rejected.
Standards evolve through verdicts, not opinions. The question for your firm is whether your incident response plan will survive the retrospective scrutiny of a bar disciplinary panel, a malpractice jury, or a federal judge reviewing your post-breach conduct years after the fact. Equifax had six weeks of silence and paid $1.38 billion. The New Jersey estate planning firm had five months and faces a class action. Covington’s breach led to an SEC subpoena that 83 law firms could not prevent.
Your clients trust you with their most sensitive information. That trust includes an expectation that if something goes wrong, you will tell them. Promptly. Completely. Before the damage compounds.
The clock is already running.
This blog provides general information for educational purposes only and does not constitute legal advice. Consult qualified counsel for advice on specific situations.
About the Author
JD Morris is Co-Founder and COO of LexAxiom. With over 20 years of enterprise technology experience and credentials including an MLS from Texas A&M, MEng from George Washington University, and dual MBAs from Columbia Business School and Berkeley Haas, JD focuses on the intersection of legal technology, cybersecurity, and professional responsibility.
References
ABA Model Rules of Professional Conduct, Rules 1.1 (Comment 8), 1.4, 1.6(c) (Comment 18), 5.1, 5.3
ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R (May 22, 2017)
ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 483 (October 17, 2018): Lawyers’ Obligations After an Electronic Data Breach or Cyberattack
New York City Bar Association, Formal Opinion 2024-3: Ethical Obligations Relating to a Cybersecurity Incident (August 2024)
SEC v. Covington & Burling, LLP, No. 23-MC-00002 (APM), 2023 WL 4706125 (D.D.C. July 24, 2023)
U.S. Securities and Exchange Commission, “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” Press Release 2023-139 (July 26, 2023)
IBM Security & Ponemon Institute, “Cost of a Data Breach Report 2024,” IBM (July 2024)
National Institute of Standards and Technology, “NIST Cybersecurity Framework 2.0,” NIST CSWP 29 (February 2024)
National Institute of Standards and Technology, “Computer Security Incident Handling Guide,” SP 800-61 Rev. 2
New York General Business Law § 899-aa (as amended December 24, 2024, imposing 30-day notification deadline)
California Civil Code § 1798.82 (as amended, imposing 30-day notification deadline)
Pennsylvania Senate Bill 824 (effective September 26, 2024, adding AG notification and credit monitoring requirements)
U.S. Government Accountability Office, “Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach,” GAO-18-559 (August 2018)
Equifax Inc., Equifax Data Breach Settlement, equifaxbreachsettlement.com
Wacks Law Group Ransomware Breach (March 2024), class-action filing documented by ClassAction.org and New Jersey Law Journal
International Association of Privacy Professionals (IAPP), “Ten Steps Every Organization Should Take to Address Global Data Security Breach Notification Requirements”
Sidley Austin LLP / Lawfare Institute, “‘Cyclops Blink’ Shows Why the SEC’s Proposed Cybersecurity Disclosure Rule Could Undermine the Nation’s Cybersecurity,” Lawfare (June 2022)
SEC v. SolarWinds Corp. & Timothy G. Brown, No. 1:23-cv-09518-PAE (S.D.N.Y.), Opinion on Motion to Dismiss (July 18, 2024); Stipulation of Dismissal with Prejudice (November 20, 2025)
Perkins Coie LLP, “2025 Breach Notification Law Update” (October 2025)