Data breaches are a major business crisis for law firms and accounting firms because they compromise client confidentiality, professional reputation and regulatory compliance; once an unauthorized party gains access to confidential information, all three are at risk.

The speed and quality of a firm's response to a data breach will determine whether it results in a temporary disruption or a long-term impact on the firm's reputation. Organizations that identify and contain breaches quickly experience lower costs than those that do not take prompt action.

As reported in IBM's 2024 Cost of a Data Breach Report, the total average cost of a data breach globally rose to $4.45 million; however, organizations that took swift action to contain breaches incurred much lower costs than those that did not.

For law, accounting, and advisory firms, having a well-developed plan in place to address a data breach is key to responding effectively. Below is a basic framework that is grounded in advice provided by federal regulators and cybersecurity experts.

Step 1: Contain the Breach ASAP

The primary goal of containing a data breach is to limit further unauthorized access and to prevent the loss of additional data. This can be achieved by disconnecting affected systems, resetting administrator credentials, isolating devices that have been compromised, and working with your IT provider or security team to secure the entry points.

During containment, the Cybersecurity and Infrastructure Security Agency (CISA) recommends preserving evidence: do not wipe or rebuild systems until the necessary logs, devices and access records have been preserved, because they provide insight into how the breach occurred.

Containment immediately limits financial and operational damage. According to IBM, organizations that use incident response teams and test their incident response plans save millions of dollars in breach-related costs compared to organizations that do not have an organized response plan in place.

Step 2: Conduct an Assessment of the Breach

Once the immediate risk is stabilized, a comprehensive assessment of the breach must follow. The assessment will determine which data was accessed, how many individuals were impacted, and whether the breach involves personal information protected under state, federal, or international law.

For law firms and accounting firms, potentially breached data includes Social Security numbers, financial information, tax documents, health information, and privileged communications. Each category may carry different notification obligations to affected parties.

The Federal Trade Commission emphasizes that before notifying affected parties or regulatory agencies, the firm must identify precisely what information was breached. Failure to identify what information was breached can result in additional legal liability.

Legal counsel should be engaged early in the breach response process. Decisions regarding breach response should be coordinated with privacy and compliance professionals.

Step 3: Notify Affected Parties and Regulatory Agencies

Most states require notification when certain categories of personal information are breached. The National Conference of State Legislatures provides up-to-date information regarding breach notification statutes in each of the 50 states.

Depending upon the nature of the data involved in the breach, you may also be required to notify federal regulatory agencies. For example, if health information is involved, the U.S. Department of Health and Human Services requires notification under the Health Insurance Portability and Accountability Act (HIPAA).

Timing is everything. Many state breach notification statutes require notification without unreasonable delay. Transparency is also important in maintaining client confidence. When clients are proactively notified regarding the breach and its consequences, they are less likely to lose faith in the firm.

Notification should include what occurred, what data was involved, the steps the firm is taking to remediate the breach, and recommendations for client self-protection including credit monitoring or changing passwords.

Step 4: Retain Forensic and Security Expertise

To better understand how the breach occurred, firms should engage cyber security experts to perform a forensic analysis of the breach. These experts can determine the initial point of entry, whether malware remains active, and whether other systems within the firm remain compromised.

According to Verizon’s 2024 Data Breach Investigations Report, a large number of breaches continue to involve phishing and/or stolen credentials.

In addition to strengthening the firm’s internal defenses, a forensic analysis may be necessary for insurance claims and/or regulatory review purposes.

Step 5: Communicate Internally

Communication from leadership during a breach is crucial. Employees must be informed regarding what occurred, how to respond to client inquiries, and what actions the firm is taking to remediate the breach.

Employee uncertainty can cause inconsistent messaging. Designate a single point of contact for employee inquiries, and make sure all client-facing employees understand the firm’s approved methods of communicating the breach to clients.

Internal employee communication can reinforce professionalism and reduce speculation.

Step 6: Assess Your Existing Controls & Strengthen Them

Once the emergency has been addressed, take stock of all policies, technical controls, and employee training across the firm.

According to the FTC, organizations should implement reasonable security measures that match the sensitivity of their data; this can include multi-factor authentication, access controls, data encryption, and employee training on security best practices.

Employee training is particularly relevant for law firms and accounting firms, which continue to be targeted by phishing scams and business email compromise attacks. Verizon reports that human error continues to be one of the primary reasons for breach-related incidents.

Use this breach to improve your organization’s processes. Update your incident response plan. Run tabletop exercises to test your response. Assess the security of your vendors. Improve your data retention policies so you do not retain more sensitive information than necessary.

Preparation = Protection

No organization is immune to cyber-risk. Professional services organizations like law firms and accounting firms are attractive to hackers because of the large volume and high sensitivity of the client data they maintain.

Developing a structured response plan will help limit the financial impact of a cyber event, protect client relationships, and demonstrate effective leadership during times of stress. Organizations that have prepared for cyber events, responded promptly, and communicated openly and transparently are much better positioned to recover from a cyber event with their reputation intact.

Cybersecurity is not just an IT problem. It is a leadership problem. Organizations that view cybersecurity as a leadership problem will be much more resilient when faced with a cyber threat.