When a law firm experiences a data breach, which includes both unauthorized data access as well as disclosure, the consequences extend far beyond reputational harm. Increasingly, attackers exfiltrate entire client files—including documents filed under seal or protected by attorney–client privilege—and post them on the dark web. Once that happens, courts can’t “unring the bell,” and firms must navigate a complex mix of ethical duties, procedural obligations, and legal protections.
Below, we outline how law firms should respond, drawing on ABA Formal Opinion 483, the Model Rules of Professional Conduct, and relevant case law.
1. Ethical Duties to Clients
Current Clients: Mandatory Notification
For current clients, the duty is clear. Under Model Rule 1.4, lawyers must keep clients informed about significant developments in their representation, including data breaches that compromise confidential information.
If a breach is discovered, firms must notify affected clients promptly, explaining what happened (e.g., unauthorized access or exfiltration), what was affected (e.g., categories of data, types of filings), and what the firm is doing (e.g., containment measures, investigations, remediation steps).
Failing to communicate transparently can violate the duties of competence, confidentiality, and communication, and may expose the firm to disciplinary or civil consequences.
Former Clients: A Best-Practice Imperative
For former clients, the Model Rules do not impose the same black-letter duty to notify. While Rule 1.9(c) prohibits revealing former clients’ confidential information, it doesn’t mandate breach notifications.
However, ABA Formal Opinion 483 emphasizes that notification is often advisable. Former-client files may still contain sensitive personal or business information, and notice may likely be required by state and federal data breach laws, retention agreements or engagement letters, or common law duties of care.
In short: current clients must always be notified; former clients should often be notified as a matter of prudence, compliance, and trust.
2. Sealed and Privileged Documents: Heightened Stakes
When leaked files include sealed court filings or privileged materials, the breach implicates not only ethical obligations but also the integrity of ongoing litigation.
Continuing Confidentiality
Even when confidential materials surface publicly, courts continue to enforce sealing orders and protective designations. Protective orders often provide that inadvertent disclosure does not affect a document’s confidential status or waive protections, and courts have upheld such provisions. Ramirez v. Clark Nissan, LLC, No. CV 25-32-M-KLD, 2025 WL 1755222, at *5 (D. Mont. June 25, 2025).
Federal Rules of Civil Procedure 5.2(d) and 26(c) empower courts to keep filings under seal and control how sensitive information is used. Lawyers for each party subject to a sealing or protective order must continue treating these documents as confidential, even if hackers post them on the dark web.
Privilege Survives Unauthorized Disclosure
A breach does not automatically waive privilege. Courts have previously held that involuntary disclosures, such as hacking, theft, or leaks, do not constitute voluntary waiver:
- Resolution Trust Corp. v. Dean, 813 F. Supp. 1426 (D. Ariz. 1993): Privilege preserved despite a media leak of a memorandum drafted by inside counsel because the disclosure was unauthorized and criminal.
- In re Grand Jury Proceedings (Berkley & Co.), 466 F. Supp. 863 (D. Minn. 1979): Company documents stolen by a former employee retained privilege.
- Dukes v. Wal-Mart Stores, Inc., No. 01-cv-2252, 2013 WL 1282892 (N.D. Cal. Mar. 26, 2013): Privilege upheld for a leaked confidential memo drafted by outside counsel because the company took steps to maintain its confidentiality and acted promptly.
These cases demonstrate that privilege remains intact, provided the firm consistently treats the documents as confidential and takes proper remedial action.
3. Obligations to the Court and Opposing Counsel
When court-sealed or privileged documents are compromised, attorneys may have duties under Model Rules 1.4 (communication) and 3.3 (candor to the tribunal) to notify the court and, where appropriate, opposing counsel.
Although courts lack the power to compel hackers to return or destroy exfiltrated materials, and therefore cannot invoke Federal Rule of Evidence 502’s clawback mechanisms against the hacker, they can take meaningful steps within the litigation to mitigate the impact of the disclosure. In practice, courts may exercise their authority in ways that mirror the protective aims of Rule 502, reinforcing the confidentiality and privileged status of compromised materials and reducing the risk of further prejudice in the case.
For example, courts may reaffirm sealing orders and confidentiality designations; bar parties from using or referencing leaked documents outside proper discovery channels; supervise privilege review if disputes arise; and require certifications from both counsel and their respective clients regarding non-use or destruction of hacked materials.
These measures, while not undoing the public disclosure, help preserve the integrity of the litigation and maintain the protections to which clients are entitled.
4. Practical Takeaways for Firms
Given these challenges, law firms should take proactive steps to minimize legal, ethical, and operational risks when breaches occur.
Prepare in advance. First and foremost, sealed documents should be tagged and segregated from general client information to minimize delays in notification in the event of a breach. Additional protective measures, such as enhanced access controls and encryption policies, may prevent disclosure in the event of a firm-wide breach. Law firms should also ensure that their incident response plans specifically address scenarios involving sealed or privileged information. This includes pre-identifying response teams, outlining escalation procedures, and developing protocols for coordinating with courts and opposing counsel in the event that sensitive litigation materials are compromised.
Act quickly and transparently. Timely and accurate notification to clients and, where appropriate, the court is essential. Prompt communication not only builds trust and helps clients make informed decisions, but also satisfies ethical obligations of competence, confidentiality, and communication under the Model Rules.
Preserve privilege. A data breach does not automatically waive attorney–client privilege or confidentiality protections. Firms must continue treating leaked documents as privileged and confidential, taking affirmative steps to reaffirm designations and prevent unauthorized use within the litigation.
Engage counsel and cybersecurity technical experts early. Breaches involving sealed or privileged documents often require both legal and technical expertise. Early involvement of litigation counsel ensures appropriate interaction with courts and opposing parties, while cybersecurity counsel and technical professionals can help contain the breach, investigate its scope, and support remediation efforts.
Monitor the dark web. Ongoing monitoring can help firms understand the scope of dissemination and inform both legal strategy and technical response. Tracking leaked materials can also provide valuable evidence to support motions, protective measures, or court orders designed to limit further harm.
A breach involving sealed or privileged client materials is among the most challenging scenarios a law firm can face. While courts have limited ability to claw back leaked documents from the dark web, ethical obligations remain clear: notify clients, preserve confidentiality, and work with courts to reinforce protective orders.
Cybersecurity Awareness Month serves as a reminder that law firms are high-value targets, and that robust incident response planning, informed by ethical rules and case law, is essential to protecting both clients and the justice system.
Contact Steven Teppler, or Carly Rothstein from our Cybersecurity and Data Privacy Practice Group for more information.