Practice-management or document-management vendor compromise
Clio, NetDocuments, iManage, or your DMS vendor has the incident. The firm is still responsible to the client.
When the vendor — Clio, MyCase, PracticePanther, Smokeball, CosmoLex, NetDocuments, iManage, Worldox, ProLaw, Tabs3-class — is breached, this page covers what the firm does operationally and what it does ethically. The firm is still responsible to the client for safeguarding the data even when the vendor had the incident.
The first hour
What to do, in order.
1. Pull the vendor's incident notice, status page, and customer security bulletin. Save copies.
2. Open a ticket and request: confirmation of whether the firm's tenant was in scope, what data classes were affected, and the vendor's forensic timeline.
3. Identify which clients' matters live in the affected system; do not notify yet — facts first.
4. Trigger the firm's own incident response process even though the vendor is doing theirs.
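Steps 1 and 3 above are data tasks, and this added example (not part of the original page, and not tied to any of the named products' real export formats) shows one way to carry them out: hash the saved vendor notice so the firm's copy can be proven unchanged later, then cross a constructed matter inventory against the system and data classes the vendor reports as affected to produce the per-client scope list that precedes any notification decision. The inventory columns and the system names in it are assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample matter inventory. The column names are assumptions,
# not the export format of any practice- or document-management product.
MATTER_INVENTORY = """matter_id,client,system,data_classes
M-1001,Acme Corp,netdocuments,contracts;financials
M-1002,Acme Corp,imanage,litigation
M-1003,Jane Doe,netdocuments,phi;financials
M-1004,Beta LLC,clio,billing
M-1005,Beta LLC,netdocuments,contracts
"""


def preserve_notice(content: bytes) -> str:
    """SHA-256 of a saved vendor notice, recorded alongside the copy so the
    firm can later show its copy matches what the vendor published."""
    return hashlib.sha256(content).hexdigest()


def scope_matters(inventory_csv: str, affected_system: str, affected_classes):
    """Return {client: [(matter_id, overlapping data classes)]} for matters
    that live in the affected system AND hold a data class the vendor says
    was exposed. Matters in other systems, or holding only unaffected
    classes, are left out so the scope stays tied to the vendor's facts."""
    affected = {c.strip().lower() for c in affected_classes}
    by_client = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["system"].strip().lower() != affected_system.strip().lower():
            continue
        classes = {c.strip().lower() for c in row["data_classes"].split(";")}
        hit = sorted(classes & affected)
        if hit:
            by_client[row["client"].strip()].append((row["matter_id"], hit))
    return dict(by_client)


def needs_hipaa_review(scoped) -> bool:
    """True when any in-scope matter holds PHI, which is the trigger for the
    HIPAA Business Associate analysis listed under the regulatory hooks."""
    return any("phi" in hit for matters in scoped.values() for _, hit in matters)


if __name__ == "__main__":
    scoped = scope_matters(MATTER_INVENTORY, "NetDocuments", ["Contracts", "PHI"])
    for client, matters in scoped.items():
        print(client, matters)
    print("HIPAA BA review needed:", needs_hipaa_review(scoped))
```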
Key decisions
The questions you'll be asked.
- Is the vendor's notice sufficient for the firm's own clients?
- Almost never. The vendor notifies the firm; the firm notifies the client. The Opinion 483 duty is the firm's, not the vendor's.
Regulatory & ethical hooks
What the rules say.
- ABA Formal Opinion 483
- ABA Model Rule 5.3 — Responsibilities regarding non-lawyer assistance (incl. vendors)
- State data-breach notification laws
- HIPAA Business Associate rules (if the firm is a BA)
Cited for orientation, not as legal advice. Your firm's ethics counsel and LPL carrier should be consulted on every specific incident.