Cyber insurance, LPL, and bar-counsel response
Once the dust settles, the duties start. ABA Opinion 483 has no safe harbor.
ABA Formal Opinion 483 client-notification workflow (current and former clients; no safe harbor), state data-breach laws, the cyber/LPL claim workflow, and the documentation that determines whether the claim is paid.
The first hour
What to do, in order.
- 01
Open the cyber-insurance claim and the LPL notice — many policies require notice within days of discovery, regardless of whether a claim has been asserted.
- 02
Compile the current-client list AND the former-client list whose information may be affected (Opinion 483 reaches both).
- 03
Map state breach-notification timelines for every state where an affected resident lives. Several states require 30- or 45-day notice; a handful require AG notice.
- 04
Preserve the incident timeline, forensic findings, and decisions — claim payment turns on documentation.
Key decisions
The questions you'll be asked.
- Do former clients need notice?
- Yes, where their information was affected. Opinion 483 explicitly extends to former clients. There is no safe harbor for not finding out.
- Do we self-report to the bar?
- Generally no automatic self-report unless a state rule or the facts require it. Consult ethics counsel; document the analysis.
Regulatory & ethical hooks
What the rules say.
- ABA Formal Opinion 483
- ABA Model Rules 1.4, 1.6
- All 50 states + DC data-breach notification laws
- Cyber / LPL policy notification clauses
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.