New-matter intake / conflicts-check phishing
The intake inbox is the least-locked-down mailbox in the firm — and it's where credential theft starts.
Credential theft aimed at the intake inbox, then bulk exfiltration of client PII and matter data. Underappreciated because intake is often the least-locked-down mailbox in the firm.
The first hour
What to do, in order.
- 01. Reset the intake account and require MFA.
- 02. Review forwarding rules and recent search activity in the mailbox.
- 03. Identify what intake data was accessible during the compromise window (name, contact, opposing party, matter type, dollar exposure).
- 04. Notify prospective and current clients whose intake data was in scope.
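A sketch of steps 02 and 03 as a triage script, added here as an example and not part of the original playbook. The audit-event and intake-record field names are a hypothetical export schema rather than any mail platform's format, and the firm domain, timestamps and records are constructed sample data.

```python
from datetime import datetime

FIRM_DOMAIN = "examplefirm.test"  # placeholder firm domain (assumption)

# Constructed audit events; field names are a hypothetical export schema.
AUDIT = [
    {"time": "2024-03-01T14:00", "op": "rule_created", "forward_to": "paralegal@examplefirm.test"},
    {"time": "2024-03-04T09:12", "op": "rule_created", "forward_to": "archive@mail-relay.test"},
    {"time": "2024-03-04T09:15", "op": "search", "query": "settlement amount"},
    {"time": "2024-03-06T08:00", "op": "search", "query": "conflicts check"},
]

# Constructed intake records carrying the fields listed in step 03.
INTAKE = [
    {"received": "2024-02-20T10:00", "name": "Sample Client A", "contact": "a@client.test",
     "opposing_party": "Sample Corp", "matter_type": "employment", "dollar_exposure": 250000},
    {"received": "2024-03-04T16:30", "name": "Sample Client B", "contact": "b@client.test",
     "opposing_party": "Sample LLC", "matter_type": "contract", "dollar_exposure": 90000},
    {"received": "2024-03-07T11:00", "name": "Sample Client C", "contact": "c@client.test",
     "opposing_party": "Sample Inc", "matter_type": "injury", "dollar_exposure": 40000},
]

def ts(value):
    return datetime.fromisoformat(value)

def external_forwarding_rules(events):
    """Step 02: forwarding rules whose target is outside the firm domain."""
    return [e for e in events if e["op"] == "rule_created"
            and not e["forward_to"].lower().endswith("@" + FIRM_DOMAIN)]

def searches_in_window(events, start, end):
    """Step 02: search queries run while the account was compromised."""
    return [e["query"] for e in events
            if e["op"] == "search" and ts(start) <= ts(e["time"]) <= ts(end)]

def intake_in_scope(records, end):
    """Step 03: everything already in the mailbox by the end of the window was
    readable, not only mail that arrived during it (assumes nothing was purged)."""
    return [r["name"] for r in records if ts(r["received"]) <= ts(end)]

if __name__ == "__main__":
    start, end = "2024-03-04T09:00", "2024-03-05T12:00"  # constructed window
    print(external_forwarding_rules(AUDIT))
    print(searches_in_window(AUDIT, start, end))
    print(intake_in_scope(INTAKE, end))
```

The in-scope list feeds step 04: Sample Client A arrived before the compromise began but was still sitting in the mailbox, so it counts.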
Key decisions
The questions you'll be asked.
- Does Rule 1.18 apply to prospective clients?
  Yes. Prospective-client information (Rule 1.18(b)) carries the same safeguarding duty as current-client information under 1.6(c).
Regulatory & ethical hooks
What the rules say.
- ABA Model Rules 1.6, 1.18
- State data-breach notification laws
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.