Stolen or lost device with privileged data
A laptop in a hotel, a phone in a cab, a banker's box in a car. The question is whether you can prove it was encrypted.
This page covers a lost or stolen laptop, phone, tablet, USB drive, or banker's box left in a car: the encryption-posture decision tree, the privilege-and-confidentiality overlay, and whether client notification is triggered. The 'can you prove encryption' gap is what most small firms get wrong.
The first hour
What to do, in order.
- 01. Remotely lock and wipe the device through MDM if available.
- 02. Pull the encryption attestation: BitLocker / FileVault / mobile-device status as of the last sync. Save the report.
- 03. Disable the user's session tokens (Microsoft 365 / Google Workspace / VPN / DMS).
- 04. File a police report; this is required by some state breach-notification laws and by most cyber policies.
Key decisions
The questions you'll be asked.
- Was it encrypted?
- Encryption with key not compromised is a safe harbor under most state breach-notification laws — but you must be able to prove it. A screenshot of 'BitLocker: On' from yesterday is the difference between notifying nobody and notifying everyone.
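One way to make the report saved in step 02 usable as proof for the 'Was it encrypted?' decision, as an added example that is not part of the original page: fingerprint the export exactly as saved, then classify what it supports. The record fields, the 24-hour freshness window and the outcome labels are assumptions, not any MDM vendor's schema or a legal threshold.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one device record as a hypothetical MDM export might show it.
# Field names are assumptions, not a real vendor schema.
SAMPLE_EXPORT = json.dumps({
    "device": "LAPTOP-EXAMPLE-01",
    "encryption": "on",
    "recovery_key_escrowed": True,
    "last_sync": "2024-03-04T21:15:00+00:00",
}, sort_keys=True).encode()

# Assumed firm policy for how old an attestation may be; not a legal threshold.
MAX_ATTESTATION_AGE = timedelta(hours=24)


def preserve(report_bytes, collected_at):
    """Fingerprint the report as exported so later copies can be checked against it."""
    return {
        "sha256": hashlib.sha256(report_bytes).hexdigest(),
        "size": len(report_bytes),
        "collected_at": collected_at.isoformat(),
    }


def assess(report_bytes, last_possession, key_with_device=False):
    """Classify how well the report supports 'encrypted, key not compromised'.

    last_possession: timezone-aware time the user last had the device.
    key_with_device: True if the password or recovery key travelled with it.
    """
    rec = json.loads(report_bytes)
    if rec.get("encryption") != "on":
        return "not-encrypted"
    if key_with_device:
        return "key-exposed"
    last_sync = datetime.fromisoformat(rec["last_sync"])
    if last_possession - last_sync > MAX_ATTESTATION_AGE:
        return "stale-attestation"  # status is known only for a much earlier time
    return "attested"


if __name__ == "__main__":
    lost = datetime(2024, 3, 5, 8, 0, tzinfo=timezone.utc)
    print(preserve(SAMPLE_EXPORT, datetime.now(timezone.utc)))
    print(assess(SAMPLE_EXPORT, lost))
```

Store the fingerprint record separately from the report file so that either can be used to check the other.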
Regulatory & ethical hooks
What the rules say.
- ABA Model Rule 1.6(c)
- State data-breach notification laws (encryption safe harbor)
- HIPAA Security Rule (if the firm is a BA)
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.