How law firms can reduce liability when sensitive client data is breached

Law firm data breach liability often hinges not only on the cyberattack itself but on how the firm stored sensitive information, restricted access, applied encryption, and communicated with affected individuals. Courts evaluate whether the firm documented preventive controls, managed vulnerabilities, and provided timely breach notification under state and federal standards.

Why courts scrutinize how law firms store and protect sensitive data

When a law firm suffers a data breach, its liability does not depend only on the incident itself. Courts also examine how the firm stored the sensitive information that was taken and whether it can show that it used reasonable, documented security controls to protect it.

The class action complaint filed against Pillsbury Winthrop Shaw Pittman LLP shows how plaintiffs frame their allegations when they believe a firm failed to protect Social Security numbers, financial account details, dates of birth, and other high-risk identifiers.

According to the Nov. 18 complaint, attackers accessed sensitive data during an intrusion in April 2025, and the firm notified affected individuals months later. The time the firm took to notify victims, combined with the sensitivity of the information stored on the firm’s network, shapes how serious the negligence alleged in the lawsuit appears.

“Courts evaluating law-firm breaches look for reasonableness, documentation, and proof that the firm took proactive steps commensurate with the volume and sensitivity of the information it holds,” said Jacey Kaps, a cybersecurity litigator with RumbergerKirk.

“Law firms can protect themselves from the type of claims raised in this lawsuit by demonstrating that they treat client and matter-related information by strictly limiting access to sensitive data such as Social Security numbers and financial account details, encrypting data at rest and in transit, aggressively managing vulnerabilities in their networks and remote-access tools, and maintaining a tested incident-response plan that ensures rapid detection and timely notification if something goes wrong.”

What the legal complaint alleges about the breach

According to the complaint, Pillsbury is an international law firm that, like most firms of its size, sits on a large amount of sensitive personal information tied to its client work and operations. The filing alleges that a cyberattack in April 2025 led to unauthorized access to part of the firm’s network and that the data accessed included names, Social Security numbers, dates of birth, home addresses, and financial account information. It further alleges that individuals were not notified until months after the intrusion, once the firm’s investigation was complete.

The plaintiff’s theory is that the firm should have had stronger preventive controls in place, including tighter internal access to those data elements and more robust encryption, and that the combination of the security posture and the notification timeline supports the negligence and related claims in the case.

Why access restrictions and encryption matter in breach litigation

Courts examining law firm breaches often look for evidence that the firm limited which employees and systems could view sensitive data. That includes role-based permissions, network segmentation, and detailed access logs for data types like personally identifiable information (PII), which includes Social Security numbers. If a firm cannot show that it restricted access, plaintiffs argue that the firm failed to exercise reasonable care.

Encryption plays a similar role. When sensitive material is properly encrypted and keys are well controlled, plaintiffs have a much harder time proving the exposure created an actionable risk of identity theft. Without encryption, they claim the data was accessible in a usable form. That distinction shapes many breach cases.

Kaps’s point reflects that reality. Encryption both at rest and in transit is one of the clearest ways to show that a firm recognizes the sensitivity of the information it manages.

How vulnerability management influences negligence claims

Another major thread in breach litigation is how well a firm maintained the systems hosting the stolen data. Vulnerability scanning, patching, and assessments are not simply technical best practices: they are evidence of security diligence. If a firm cannot document that it maintained these controls, plaintiffs position the breach as foreseeable and avoidable.

The complaint against Pillsbury frames the intrusion as foreseeable because attacks on organizations that hold large volumes of sensitive personal information have been rising in recent years, and law firms fall squarely within that trend.

Why law firms are prime targets for cyberattacks

The American Bar Association’s 2022 Legal Technology Survey Report found that 27 percent of law firms had experienced a data breach, up from 22 percent the prior year. The report also noted increased ransomware targeting of firms of all sizes and highlighted that firms’ concentration of sensitive client information makes them appealing attack targets.

Similarly, a 2023 analysis by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) identified professional services and legal services as among the most frequently targeted sectors for ransomware attacks in the United States.

The Department of Justice has echoed this pattern. In public guidance summarizing recent prosecutions, the DOJ noted that law firms remain high-value targets because of the confidential and monetizable information they hold and highlighted several cases involving intrusions into Am Law 100 firms (the 100 largest law firms in the US by revenue) dating back to 2016.

When plaintiffs use that framing, they are setting up the argument that the firm should have done more based on well-known risks.

Incident response and delayed notification: A common litigation focus

Even when an attack is not reasonably preventable, the way a firm responds after detecting suspicious activity influences its liability. Courts look at the time it took to detect the issue, the depth of the investigation, and the point at which the firm notified affected individuals.

The complaint argues that Pillsbury detected unauthorized access months before sending notices. Whether a court finds that timeline reasonable will depend on the facts, including what the investigation uncovered and when. But it is a common focus in breach cases, because plaintiffs often link notification delays directly with alleged harm.

Kaps’s quoted guidance underscores the importance of rapid detection, accurate assessment, and timely notice. Firms need a response plan that has clear escalation paths, documented decision points, and procedures for keeping affected individuals informed once sensitive data may have been exposed.

What courts look for when evaluating law firm breaches

In breach cases involving professional services, like legal counsel, courts typically look for three things: reasonableness, documentation, and proportionality.

Reasonableness relates to whether the firm’s security posture aligns with the sensitivity and volume of the data. Documentation relates to whether the firm can prove what it actually did. Proportionality relates to whether the firm’s security controls scale with its size and the complexity of its practice areas.

Kaps’s guidance aligns with this framework. Firms should be prepared to demonstrate that they limited internal access to the data, encrypted it, managed vulnerabilities, and maintained a functioning incident-response plan. These measures track closely with federal guidance and state data-protection statutes, which require safeguarding sensitive information and providing timely breach notices.

Practical lessons for law firms handling sensitive client or matter data

Most law firms in the United States maintain the same categories of sensitive data at issue in this lawsuit. Client onboarding records, litigation files, and transactional documents often contain PII that can create long-term harm if misused.

The practical lessons are straightforward. Limiting access to sensitive fields is essential. Encryption for high-risk data is an expectation, not a luxury. Vulnerability management must be continuous and well-documented. Incident-response plans need real-world practice and clear communication protocols. And every step needs a paper trail that can withstand scrutiny in court.

Checklist for law firms strengthening breach-prevention practices

Access control

  • Apply least-privilege permissions across systems that store sensitive personal data. Where possible, migrate to a Zero Trust architecture, which assumes that every entity, including trusted, internal, authenticated users and systems, must be assessed every time it accesses data.
  • Logically or physically segment data repositories so only authorized users can reach them. The more granularly permissions are applied to individual data resources, the better.
  • Log and routinely review access attempts to high-risk or sensitive data. This lets security teams configure alerts for suspicious behavior and provides an audit trail if an investigation becomes necessary.
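The third item above is where a firm's paper trail actually gets built. As an added example (not ThreatLocker's code and not from the lawsuit), the script below reviews a constructed access log for a document repository and flags three patterns a reviewer would want alerted: a user whose role is not permitted to touch a repository, access to PII repositories outside business hours, and bulk record retrieval. The log format, the role-to-repository map, the business-hours window and the bulk threshold are all assumptions chosen for illustration; a real deployment would map these onto the firm's own DMS audit export.

```python
"""Review repository access-log lines for sensitive-data access patterns.

Added example for this article; not ThreatLocker code. The log format
(timestamp user role resource action record_count), the role map, the
business-hours window and the bulk threshold are assumptions.
"""
from datetime import datetime

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumed policy)
BULK_THRESHOLD = 500            # records in one event (assumed policy)

# Assumed role -> repository prefixes that role may legitimately read.
ROLE_ALLOWED = {
    "paralegal": ("matters/",),
    "billing": ("finance/",),
    "attorney": ("matters/", "finance/"),
}
# Assumed prefixes under which PII (SSNs, account numbers) is stored.
SENSITIVE_PREFIXES = ("matters/pii/", "finance/")

# Constructed sample log lines; not real firm data.
SAMPLE_LOG = """\
2025-04-02T09:15:00 jdoe paralegal matters/2024-0113/intake-notes.docx read 1
2025-04-02T23:41:05 jdoe paralegal matters/pii/2024-0113/ssn-list.csv read 1
2025-04-02T10:02:11 mlee billing finance/accounts.csv read 1
2025-04-02T10:05:47 mlee billing matters/pii/2024-0113/ssn-list.csv read 1
2025-04-02T14:30:00 rsmith attorney matters/pii/2024-0113/ssn-list.csv export 2400
2025-04-02T14:31:00 ext-tmp contractor matters/pii/2024-0113/ssn-list.csv read 1
"""


def parse_line(line):
    """Split one whitespace-separated log line into a typed event dict."""
    ts, user, role, resource, action, count = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "resource": resource, "action": action, "count": int(count)}


def is_sensitive(resource):
    return resource.startswith(SENSITIVE_PREFIXES)


def review(log_text):
    """Return a list of findings, one per suspicious event, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Unknown roles get an empty tuple, so startswith(()) is False and
        # every access by an unmapped role is flagged.
        allowed = ROLE_ALLOWED.get(ev["role"], ())
        if not ev["resource"].startswith(allowed):
            findings.append({"kind": "role_violation", **ev})
        if is_sensitive(ev["resource"]):
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append({"kind": "after_hours", **ev})
            if ev["count"] >= BULK_THRESHOLD:
                findings.append({"kind": "bulk_access", **ev})
    return findings


def per_user_summary(findings):
    """Count findings per user so reviewers can prioritise follow-up."""
    summary = {}
    for f in findings:
        summary[f["user"]] = summary.get(f["user"], 0) + 1
    return summary


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['ts'].isoformat()} {f['kind']:15} {f['user']:8} {f['resource']}")
    print(per_user_summary(review(SAMPLE_LOG)))
```

Each finding carries the full event, so the same output can feed an alert and, months later, serve as the dated record that the firm was reviewing access to its PII stores.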

Data security

  • Encrypt sensitive data both at rest and in transit. This means ensuring your endpoints use current encryption standards (such as TLS 1.3), that BitLocker or other full-disk encryption is enabled, and that data backups (including offsite and tape backups) are encrypted. If any of the encryption methods rely on a separate secrets manager or separately managed encryption keys, implement a key management system (KMS) so that keys can be rotated and attackers cannot reuse stale, previously compromised keys.
  • Require multi-factor authentication (MFA) for all remote access and provide security awareness training on its use. MFA can still be compromised if a user is duped into handing over their credentials or one-time authentication code to a scammer.
  • Keep confidential client data on segmented, monitored servers, following the guidelines of an established security framework where possible. Applying extra protection and visibility doesn’t just prevent compromise; it also demonstrates to courts the care taken to keep things secure.
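"Use current encryption standards" is only provable if the configuration can be inspected. As an added example (not ThreatLocker's code), the snippet below shows a Python TLS client context the way many internal tools ship it, with certificate checks switched off, beside a hardened one that pins the minimum protocol to TLS 1.3, and an `audit_context` function that reports the gaps. The audit rules are assumptions modelled on the checklist item; `audit_context`, `hardened_client_context` and `legacy_client_context` are names chosen here.

```python
"""Contrast a weak and a hardened TLS client context and audit either one.

Added example for this article; not ThreatLocker code. The audit rules
(minimum TLS 1.3, certificate verification required, hostname checking on)
are assumptions derived from the checklist above.
"""
import ssl


def legacy_client_context():
    """The weak setting: verification disabled, whatever minimum version
    the interpreter defaults to. Shown only so the audit has something to flag."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """The corrected setting: default context (verifies certificates and
    hostnames) with the floor raised to TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def audit_context(ctx):
    """Return a list of human-readable findings; empty means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append(
            f"minimum protocol is {ctx.minimum_version.name}; require TLSv1_3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["compliant"])
```

Running the audit against every outbound TLS context a tool creates (or against the `ssl` settings of a shared HTTP client) turns the checklist item into a repeatable check whose output can be kept as evidence.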

Vulnerability and patch management

  • Perform regular vulnerability scans against all endpoints. Properly configured, authenticated scans can reveal not only missing security patches, but misconfigured, exploitable security settings as well.
  • Document patch cycles and remediation steps. Patching routines are already an operational and auditing necessity. Having them formally documented can be a lifesaver in court.
  • Periodically conduct independent assessments of systems handling sensitive data. External expertise and perspective can help identify any security gaps that internal teams might not be aware of.

Incident response

  • Maintain a defined incident-response plan and practice routinely. Third-party services are available for hire that can coordinate and execute tabletop exercises that will put your plan to the test.
  • Establish a formal incident communications plan that explains to your team how to engage affected customers. Assign and document responsibilities for your communication team members, including legal counsel and HR.
  • Document findings, decisions, communications, and notifications during every incident using predefined templates and workflows.

Handled this way, a breach is still a real event, but the firm is in a significantly stronger position to show that it acted responsibly with the client and matter information under its care.

Hardening checklist for ThreatLocker customers

Access Control

  • Use Allowlisting policies to block all application and process executables by default and apply Ringfencing to those that have been approved and explicitly allowed. This prevents permitted applications from being abused, for example by moving laterally to sensitive data stores that they have no legitimate business reason to access.
  • Enforce Elevation Control to achieve Just-in-Time access against every attempt made to run an application as administrator. Instantly approve or deny every incoming elevation request.
  • Storage Control policies limit who can access files, folders, storage devices, and network shares down to the most granular conditions. Expiration limits on policies ensure access is automatically revoked.

Data security

  • Prevent configuration creep from outdating your hardened local security settings with Config Manager. Settings will be automatically maintained without administrative intervention on any endpoint with ThreatLocker installed.
  • Achieve network segmentation with the dynamic ACLs of Network Control. Logical access boundaries can be defined along the same lines as your ThreatLocker computer groups and Organizations.

Vulnerability and patch management

  • Highlight insecure or misconfigured security settings with Defense Against Configurations (DAC). The included health report displays its metrics alongside a checklist explaining how to bring each security finding back into compliance and which security framework it maps to.
  • Patch Management does exactly as the name implies: manages and applies software patches without requiring a separate, dedicated solution. Patches are tested and maintained by ThreatLocker, ensuring they’re safe to automatically apply.

Incident response

  • Use Detect policies as a fully functional endpoint detection and response (EDR) solution to automatically alert, monitor, and act on suspicious endpoint behavior according to dozens of configurable conditions. Extend those policies into M365 tenants with the integration built into the ThreatLocker web portal.
  • Take confidence in the centralized logging of the Unified Audit to investigate anomalies such as unapproved software executions. Generate regular review reports for auditing and compliance evidence.

FAQs

What makes law firms high-value targets for cyberattacks?
Law firms store confidential information including legal strategy, financial data, personally identifiable information, and sensitive corporate files. Attackers view this as high-value leverage for extortion or resale.

Why is delayed breach notification a major issue in litigation?
Courts evaluate whether delayed notification prevented victims from taking timely protective steps and whether the delay suggests inadequate incident response planning.

How does encryption influence law firm breach liability?
If sensitive data is encrypted and keys are secured, plaintiffs struggle to show misuse or risk of identity theft. Lack of encryption often strengthens negligence claims.

What internal controls do courts expect law firms to document?
Least-privilege access, encryption, patching records, vulnerability assessments, and a tested incident-response plan.

How does ThreatLocker help reduce breach exposure for law firms?
By enforcing Zero Trust controls that limit access, block unauthorized applications, segment networks, and document endpoint activity for investigation.
