Ransomware mid-litigation
The document-management system is encrypted and a motion is due at noon. The court will not move the deadline because you were hacked.
Document-management, practice-management, and e-filing access are encrypted while a motion is due. Continuity of docket, calendar, and client communication runs in parallel with the security response.
The first hour
What to do, in order.
- 01. Isolate infected endpoints from the network; do not power them off if a forensic image may be needed.
- 02. Stand up an offline copy of the docket and the next 14 days of calendar from the last good backup or paralegal notes.
- 03. For every deadline in the next 72 hours, decide: paper file, motion for extension citing the incident, or co-counsel cover.
- 04. Notify the firm's cyber-insurance carrier — most policies require pre-approval of forensic, legal, and negotiation counsel.
- 05. Do not pay, do not communicate with the threat actor, until counsel and the carrier are aligned.
Key decisions
The questions you'll be asked.
- Do we tell the court?
  Yes, where a deadline is at risk. A short, factual notice to chambers protects credibility and supports an extension motion. Coordinate with the carrier's breach counsel on wording.
- Do we pay the ransom?
  A business decision made with the carrier, breach counsel, and OFAC-screening counsel — not the IT team. Paying does not satisfy notification duties.
Regulatory & ethical hooks
What the rules say.
- ABA Model Rule 1.1, Comment 8 — Technology competence
- ABA Formal Opinion 483 — Post-breach duties
- State data-breach notification laws
- OFAC ransomware advisory (sanctions exposure)
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.