Incident playbooks for law firms.

A spoofed email changed the wire instructions on a settlement or closing. Money has moved. The next 72 hours are the whole game.

Opposing counsel, the client, or a vendor isn't who they appear to be. A new mailbox rule is quietly forwarding privileged threads.

The document-management system is encrypted and a motion is due at noon. The court will not move the deadline because you were hacked.

Clio, NetDocuments, iManage, or your DMS vendor has the incident. The firm is still responsible to the client.

A laptop in a hotel, a phone in a cab, a banker's box in a car. The question is whether you can prove it was encrypted.

The lawyer who left took the client list. Or staff snooped in a high-profile matter.

Stolen client credentials on the firm portal or DocuSign. The attacker may now be the client, for purposes of redirecting a disbursement.

The intake inbox is the least-locked-down mailbox in the firm — and it's where credential theft starts.

PACER or state e-filing credentials are in the wrong hands. Fraudulent filings or sealed-matter surveillance are now possible.

Someone else holding your client's data has had the incident. Your residual duty doesn't end at their door.

Once the dust settles, the duties start. ABA Opinion 483 has no safe harbor.

A major client sent a security addendum the firm can't meet. The engagement is now at risk.