Co-counsel, e-discovery, or vendor breach
Someone else holding your client's data has had the incident. Your residual duty doesn't end at their door.
A third party holding the firm's client data (e-discovery host, co-counsel, expert, transcription, cloud backup, litigation-funding platform) has had the incident.
The first hour
What to do, in order.
- 01. Get the vendor's notice in writing with scope, timeline, and data classes affected.
- 02. Identify which clients' matters were in scope.
- 03. Confirm the vendor's contractual notification, indemnity, and cooperation obligations are being met.
- 04. Coordinate client notification with the vendor — never let the vendor notify your client first.
Key decisions
The questions you'll be asked.
- Who notifies the client — us or the vendor?
  - The firm. The relationship is with the firm, not the vendor; the firm controls the message and timing.
Regulatory & ethical hooks
What the rules say.
- ABA Model Rule 5.3 — Non-lawyer assistance
- ABA Formal Opinion 483
- Vendor-specific contractual breach clauses (DPA, BAA)
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.