Law Firm Data Breach Response: Ethics and Notification Duties for Texas Attorneys
A data breach at your firm triggers three separate clocks: Texas Chapter 521, TDRPC 1.05 ethics duties, and possibly HIPAA. Here's what triggers notification, the current timelines (including a 2023 change many sources still get wrong), and when to bring in outside breach counsel.
What Triggers Notification Duties
A data breach at a Texas law firm rarely trips a single wire. Instead, three separate legal obligations can activate independently, and a firm that clears one hurdle may still be exposed on another. Understanding which trigger applies — and that they don't require the same facts to fire — is the first step in any competent breach response.
The narrowest of the three is the statutory trigger under Texas Business and Commerce Code § 521.002. Texas law defines "sensitive personal information" specifically: an individual's first name or initial and last name combined with a Social Security number, a driver's license or other government-issued identification number, or a financial account or card number together with any security code, access code, or password needed to use it, where the name and the paired item are not encrypted; plus information that identifies an individual and relates to physical or mental health, the provision of health care, or payment for health care. If the exposed data doesn't fit one of those combinations, the statute's notification duty generally doesn't attach on its own. Encryption is not an absolute safe harbor, though: the statute's definition of a "breach of system security" expressly reaches encrypted data when the person who acquired it also has the key required to decrypt it.
Even within that narrow definition, the statute is triggered by acquisition, not mere access. Section 521.053 requires notice when sensitive personal information "was, or is reasonably believed to have been, acquired by an unauthorized person." A firm that discovers an intruder viewed a file server but finds no evidence the data was copied, downloaded, or exfiltrated has a materially different legal posture than one that confirms exfiltration — the forensic distinction between access and acquisition is often what determines whether Chapter 521 applies at all.
That statutory analysis, however, is not the end of the inquiry. The Texas Disciplinary Rules of Professional Conduct impose a separate and broader confidentiality duty. TDRPC Rule 1.05 protects not just privileged communications but a wider category the rule calls "unprivileged client information," and it obligates lawyers not to knowingly reveal confidential client information regardless of whether that information meets the statutory definition of "sensitive personal information." A breach involving client information that falls outside Chapter 521's narrow categories — litigation strategy notes, settlement terms, business records — can still create an ethics obligation to act, even where no statutory notice duty exists.
Underlying both is an affirmative duty to prevent the breach in the first place. ABA Formal Opinion 483 — persuasive guidance interpreting the Model Rules rather than binding Texas authority, but the leading interpretive source Texas practitioners and disciplinary counsel look to — holds that lawyers with managerial or supervisory authority must adopt reasonable measures to safeguard electronic client information. Under that opinion, a firm's failure to take reasonable security precautions can itself constitute an ethics violation, independent of any later failure to notify, and the duty of competence requires prompt action to stop a breach and mitigate damage once it's suspected or detected.
A fourth trigger applies conditionally: firms that handle protected health information, such as counsel representing healthcare providers or personal injury practices that maintain client medical records, may face duties under the HIPAA Breach Notification Rule. Under that rule a covered entity notifies affected individuals, HHS, and in some cases the media following a breach of unsecured PHI; a business associate's own duty is to notify the covered entity, which then handles individual notice unless the Business Associate Agreement delegates that task to the firm. Whether a given law firm actually qualifies as a HIPAA "business associate" is fact-specific: it typically turns on whether a Business Associate Agreement is in place and how the medical records were obtained, and no Texas statute or ethics opinion automatically classifies a firm holding client medical records as a business associate. Firms that touch PHI without a clear answer on their HIPAA status should resolve that question before an incident occurs, not during one.
Notification Timelines and Who to Notify
Once a firm confirms a breach, three separate clocks start running, and they don't run on the same schedule or notify the same people. Confusing them is one of the most common mistakes firms make in the first 48 hours after discovery, and it's worth walking through each obligation on its own terms before circling back to how they interact.
The statutory clock: individuals, the Attorney General, and (rarely) credit agencies
Under Section 521.053(b) of the Texas Business and Commerce Code, notification to affected individuals must be made "without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred," except that notice may be delayed at the request of a law enforcement agency that determines notice would impede a criminal investigation, or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system. That 60-day individual notice deadline is the figure most firms already know. What fewer firms know, and what a surprising number of blog posts and compliance checklists still get wrong, is that the deadline for notifying the Texas Attorney General is shorter: under Section 521.053(i), as amended by SB 768 in 2023, a breach involving at least 250 Texas residents must be reported to the Attorney General as soon as practicable and no later than 30 days after the firm determines the breach occurred. Before September 1, 2023, that window was 60 days, and much of the guidance still in circulation was written against the old number.
The AG report must be submitted electronically through the form on the Attorney General's website and must include a detailed description of the nature and circumstances of the breach, the number of Texas residents affected, how many of them have already been sent direct notice, the measures the firm has taken and intends to take, and whether law enforcement is investigating. There is a third, rarely-triggered obligation worth noting for completeness: if a single breach requires notifying more than 10,000 people at one time, the entity must also notify the nationwide consumer reporting agencies of the timing, distribution, and content of the notices, without unreasonable delay, per the same statute. Few solo or small-firm breaches reach that threshold, but a firm using a shared practice-management platform or serving a large class-action-adjacent client base shouldn't assume it's automatically exempt.
The ethics clock: current clients, tied to discovery, no fixed day-count
The ethical duty discussed above runs on a different logic than the statute. Under ABA Formal Opinion 483, a lawyer must notify current clients — not the broader class of "data subjects" the statute protects, and not former clients — when a breach involves or creates a substantial likelihood of involving material client confidential information. There's no statutory day-count attached to this duty; instead, the obligation attaches at the point the lawyer reasonably believes the breach is material, and the notice itself must give the client enough information to make an informed decision about the representation. That distinction matters practically: a firm's mailing list of past clients from five years ago doesn't need an ethics notice under Opinion 483, even though those same individuals might still fall within the statute's broader notification class if their data was part of the breach.
The conditional clock: HIPAA, if it applies
If the firm or a client relationship makes it a HIPAA covered entity or business associate, a fourth timeline layers on top. Under 45 CFR 164.404, "a covered entity shall provide the notification required by paragraph (a) of this section without unreasonable delay and in no case later than 60 calendar days after discovery of a breach." A business associate, which is the role a law firm usually occupies, has a parallel 60-day clock under 45 CFR 164.410, but it runs to the covered entity rather than to the affected individuals. HIPAA also requires the covered entity to notify the Department of Health and Human Services contemporaneously with individual notice if the breach affects 500 or more individuals (or within 60 days after the end of the calendar year if fewer), and to notify prominent media outlets if the breach involves more than 500 residents of a single state or jurisdiction.
Laid side by side, the three frameworks look like this:
- Texas Chapter 521, individuals: without unreasonable delay, no later than 60 days after determining a breach occurred
- Texas Chapter 521, Attorney General (250+ Texas residents): as soon as practicable, no later than 30 days after determining a breach occurred (shortened from 60 days by SB 768, effective September 1, 2023)
- Texas Chapter 521, consumer reporting agencies (10,000+ notified at one time): without unreasonable delay, notice of timing/distribution/content only
- TDRPC / ABA Opinion 483, current clients: tied to discovery of a material breach, no fixed day-count, former clients excluded
- HIPAA (if applicable), individuals and HHS: covered entity notifies no later than 60 days after discovery (HHS within 60 days of year-end if fewer than 500 affected); a business associate notifies the covered entity no later than 60 days after discovery; media notice required when more than 500 residents of one state or jurisdiction are affected
A firm that satisfies only the longest deadline on this list — the 60-day individual notice under Chapter 521 — can still miss the 30-day AG report or fail its separate, discovery-triggered duty to current clients. The three obligations need to be tracked and satisfied independently, not sequenced as if one filing covers the others.
What a Breach Response Plan Should Include
The duty of competence doesn't just require lawyers to respond reasonably once a breach is discovered. It requires the response to be fast and organized, which is nearly impossible to improvise in the middle of a live incident. ABA Formal Opinion 483 says as much: lawyers should proactively develop an incident response plan with specific procedures, and train the people who will execute it, before any breach occurs rather than while one is unfolding. A plan built under pressure tends to skip the steps that matter most, like preserving evidence or getting notification language right the first time.
A workable plan for a solo or small firm doesn't need to be long, but it needs to cover a specific set of stages. At minimum, it should address:
- Detection and internal reporting. A clear instruction for any staff member who suspects a breach — a phishing click, a lost laptop, an unusual login — to report it immediately to a designated person, with no ambiguity about who that person is.
- Initial assessment and scoping. A first-pass process to determine what systems and data may be affected, so the firm can quickly gauge whether client confidential information, personal information, or both are implicated.
- Legal hold and forensic preservation. Steps to preserve logs, images, and other evidence before systems are wiped or reimaged, since early remediation can inadvertently destroy the evidence needed to scope the breach accurately.
- Client communication protocol. A pre-approved approach for what gets communicated to affected clients, when, and by whom, consistent with the confidentiality and notification duties discussed above.
- Regulatory notification checklist. A reference to the specific deadlines and recipients that apply — the 60-day consumer and 30-day Attorney General windows under Texas law, along with any HIPAA or sector-specific triggers.
- Cyber insurance coordination. Confirmation of policy terms and a requirement to notify the carrier early, since many policies require insurer approval before engaging forensic vendors or breach counsel to preserve coverage.
- Post-incident remediation and review. A structured debrief after the incident closes, capturing what worked, what didn't, and what security gaps need to be closed.
Beyond the plan's structure, the State Bar of Texas incident response guidance emphasizes that these steps only work if they're tied to specific people. That means naming the incident response lead, along with up-to-date after-hours contact information for breach counsel, forensic experts, the firm's cyber insurer, and law enforcement where warranted. A plan that says "contact IT" without naming who that is, and how to reach them at 11 p.m. on a Saturday, isn't much of a plan.
The Texas Bar Practice guidance on data privacy and security frames incident response planning as one piece of a broader security posture: firms should also secure data at rest and in transit, vet vendors for security certifications such as SOC 2 or ISO 27001, and train staff handling sensitive records on frameworks like HIPAA and the Texas Medical Records Privacy Act where applicable. Some firms formalize all of this into a Written Information Security Program, or WISP — a single document describing the firm's administrative, technical, and physical safeguards. Texas doesn't require a WISP by name the way some other states and federal frameworks do, but Texas Security Authority's analysis notes that the "reasonable security procedures" standard in the state's Identity Theft Enforcement and Protection Act points in the same direction. A written WISP is a strong way to demonstrate that reasonableness after the fact, even though adopting one is a best practice rather than a Texas legal mandate.
Malpractice and Ethics Exposure
A mishandled breach exposes a firm to two distinct forms of liability, and Texas attorneys should be careful not to conflate them. The first is a civil malpractice claim grounded in the duty of competence, the theory being that the firm failed to take reasonable steps to safeguard client data and that the failure caused quantifiable harm. The second is a bar disciplinary proceeding grounded in the competence and confidentiality rules, which turns on the lawyer's conduct rather than on whether any client can prove damages.
These two exposures are analyzed under different rules by different tribunals, and a single breach can trigger both at once. TDRPC 1.01 and 1.05 govern the disciplinary side. Under Rule 1.05 the question is whether the lawyer knowingly revealed confidential client information; under Rule 1.01, read with Opinion 483, it is whether the firm took reasonable precautions before the breach and acted reasonably and promptly once it was detected. A breach that occurs despite reasonable efforts is not by itself a violation, but where the conduct falls short, a disciplinary complaint requires no showing of client-side financial harm. Malpractice liability, by contrast, requires the plaintiff to prove duty, breach, causation, and actual damages, which is a substantially higher bar and one reason malpractice claims arising from breaches have been slower to materialize than disciplinary complaints or class actions.
Outside Texas, recent settlements show what that civil exposure can look like when a firm gets the response wrong. In November 2024, Florida firm Gunster, Yoakley & Stewart agreed to pay $8.5 million to settle a class action stemming from a 2022 breach that exposed the personal and health information of nearly 10,000 people. Plaintiffs alleged not just inadequate network security, but a failure to provide timely notice — the firm allegedly took nearly 18 months to disclose. Separately, Orrick, Herrington & Sutcliffe agreed to pay $8 million in 2024 over a March 2023 breach affecting more than 600,000 individuals, with plaintiffs again alleging that notification was delayed for months. Both cases center as much on the delay in disclosure as on the underlying security failure — the same timeline problem discussed earlier in this guide.
Neither Gunster nor Orrick is a Texas matter, and no reported Texas bar disciplinary action or Texas malpractice case specifically arising from a law firm data breach was identified in researching this article. That absence doesn't mean the risk is theoretical in Texas — the doctrinal elements are well established here, with TDRPC 1.01's competence duty and ordinary malpractice principles of causation and damages providing a clear path to liability. It means the case law testing that path against a Texas firm's specific facts hasn't yet been reported, and firms should not read the silence as safety.
The scale of the underlying risk argues against complacency either way. A 2024 industry survey found that up to 40% of law firms have experienced a security breach, and that the average cost of a data breach for a law firm has climbed to roughly $5.08 million — a 10% increase over the prior year. At that frequency and cost, a breach is not an edge case a small Texas firm can plan around; it is a mainstream risk that ordinary malpractice and disciplinary exposure already reach, even where a matching Texas precedent hasn't yet been published.
When to Engage Outside Breach Counsel — Actionable Next Steps
The exposure described above is largely avoidable, but only if the firm's first moves after discovering a breach are structured correctly. The single most consequential decision is who directs the forensic investigation — because that choice determines whether the resulting report can later be used against the firm in litigation or a bar complaint.
In In re Capital One Consumer Data Security Breach Litigation, a federal court compelled disclosure of a forensic report because the vendor's retainer predated the breach and functioned as an ordinary operational relationship, notwithstanding the company's attempt to re-route invoices through outside counsel after the incident. The lesson generalizes beyond Capital One: courts look at how the vendor relationship actually functioned, not how it was papered after the fact.
The more directly relevant precedent for Texas attorneys is Wengui v. Clark Hill, PLC — because the breached entity in that case was itself a law firm. The U.S. District Court for the District of Columbia held that neither attorney-client privilege nor work-product protection shielded the forensic vendor's report, because the report provided non-legal, technical remediation advice rather than legal advice. A law firm sat on the other side of that ruling and lost. Any firm that treats its own breach response the way it treats a routine IT support ticket is exposed to the same outcome.
Morrison Foerster's post-Wengui analysis lays out the corrective structure: use a standalone tri-party engagement agreement among breach counsel, the forensic vendor, and the firm, with the agreement and statement of work kept separate from any pre-existing relationship the firm has with an IT or security vendor. Outside breach counsel directs the investigation, defines its scope as legal advice, and retains the forensic firm under counsel's engagement — not the firm's ordinary vendor contract. That structural separation is what the Capital One and Wengui courts found missing.
Two other factors typically make outside counsel worth engaging in the first hours after discovery, rather than after the firm has tried to handle notification internally. Most cyber insurance policies condition coverage on using the insurer's designated panel of breach counsel, forensic vendors, and notification services — delayed carrier notice or use of a non-panel vendor can jeopardize reimbursement for the entire response. And because all fifty states maintain their own breach notification statutes with different triggering thresholds, timelines, and required notice content, a firm with clients across state lines is coordinating compliance obligations that shift depending on where each affected person resides — exactly the kind of multi-jurisdictional analysis outside breach counsel is built to manage.
The first 72 hours after discovering a breach set the trajectory for everything that follows, including whether the investigation stays privileged. A firm working through that window should move through the following steps in order:
- Call outside breach counsel first, before launching a broader internal investigation and before any vendor is engaged to examine the incident. Urgent containment that cannot wait (disabling a compromised account, isolating an affected machine from the network) can proceed in parallel, but nothing should be wiped, reimaged, or "cleaned up" until evidence has been preserved.
- Notify the cyber insurance carrier immediately and confirm which panel counsel and forensic vendors the policy requires or approves.
- Engage the forensic investigator through breach counsel under a standalone tri-party agreement, kept separate from any existing IT or security vendor contract.
- Start a contemporaneous incident log — what was discovered, when, by whom, and what actions were taken — before memories fade or get reconstructed later.
- Hold off on public statements or client notifications until breach counsel and the forensic investigation have confirmed the scope of what was actually accessed or exfiltrated.
- Map notification obligations across every state where affected clients reside, since thresholds, timelines, and required notice content vary by jurisdiction.
Building a breach response plan or handling an active incident? Promise Legal helps Texas law firms navigate notification duties, ethics exposure, and outside counsel engagement.