The First 72 Hours: What Really Happens When a Law Firm Gets Breached

The Call Nobody Wants

It's 11:47pm on a Friday. A managing partner's name lights up your phone.

"Something's wrong. The system's locked us out. There's a message on the screen demanding Bitcoin."

In that moment, everything changes.

I've taken that call more times than I'd like to count. And in almost every case, the difference between a manageable incident and a catastrophic one comes down to what happens in the next 72 hours.

Not the next week. Not when the insurance company finally assigns a response team. The next **72 hours.**

The Uncomfortable Reality

Most law firms have an incident response plan. It exists in a SharePoint folder somewhere, approved by the partnership three years ago, written by someone who's since moved on.

But here's what that plan probably doesn't tell you:

Hour 1: Who actually makes decisions when the managing partner is unreachable, email is down, and the IT manager is panicking?

Hour 4: Your cyber insurer's breach hotline goes to voicemail outside US business hours. Now what?

Hour 12: Clients are calling. Their matters are inaccessible. What do you tell them — and who's authorised to say it?

Hour 24: A journalist emails asking for comment on "reports of a cyber incident at your firm." How did they find out?

Hour 48: The OAIC notification clock is ticking. Do you even know when it started?

Hour 72: The ransom deadline passes. The attackers publish the first batch of client data on their leak site.

This isn't hypothetical. This is the reality I've seen play out at firms across Australia.

Why Law Firms Are Different

Incident response frameworks designed for corporates don't translate cleanly to legal practice. Law firms face unique pressures:

Client privilege at stake. When attackers exfiltrate data, they're not just stealing business records — they're potentially compromising legally privileged communications. The ethical obligations are immediate and complex.

Matter deadlines don't pause. Courts don't grant adjournments because your DMS is encrypted. Settlements don't wait. Discovery deadlines don't care about your ransomware problem.

Partnership decision-making. In a crisis, you need clear authority and fast decisions. Partnership structures often create ambiguity about who can make binding commitments — especially around ransom payments or public statements.

Regulatory complexity. Beyond the OAIC, law firms may have obligations to legal professional bodies, clients with their own breach notification requirements, and potentially multiple jurisdictions if you handle cross-border matters.

Reputational sensitivity. In a profession built on trust and discretion, a public breach can devastate client relationships in ways that other industries don't experience.

The Firms That Recover

After two decades in this field, I can tell you exactly what separates the firms that recover quickly from those that spiral into crisis:

They've answered the hard questions before the crisis hits.

Not in a 47-page policy document. In practical, tested procedures that people can actually execute at 2am when everything is on fire.

They know:
- Who has authority to make decisions (and who's the backup, and the backup's backup)
- How to communicate when email and phones might be compromised
- What clients need to be told, when, and by whom
- How to preserve evidence while still recovering operations
- Where the insurance policy actually is (and what it actually covers)
- When notification obligations are triggered and to whom

They've rehearsed.

A tabletop exercise isn't a luxury — it's how you discover that your "incident response plan" assumes resources you don't have, timelines that aren't realistic, and decision-makers who aren't actually available.

The firms that recover fastest have practiced making decisions under pressure. They've identified the gaps in their plans before attackers did.

The 72-Hour Framework

Based on incidents I've responded to across the Australian legal sector, I've developed a framework specifically for law firms. It's built around the critical decision points that occur in the first three days:

Hours 0-4: Contain and Confirm
- Confirm the incident is real (not a false alarm or test)
- Activate your response team and establish communications
- Begin containment actions to prevent spread
- Preserve evidence (critical for insurance and potential prosecution)
- Initial contact with cyber insurer

Hours 4-24: Assess and Mobilise
- Scope the incident: what systems, what data, what clients affected?
- Engage external response resources if needed
- Begin regulatory notification assessment
- Develop initial client communication strategy
- Establish operational workarounds for critical matters

Hours 24-48: Communicate and Decide
- Execute client notifications (prioritised by risk and relationship)
- Make ransom payment decision (if applicable)
- Regulatory notifications as required
- Media/public communication if needed
- Recovery planning begins in parallel

Hours 48-72: Stabilise and Recover
- Continue recovery operations
- Complete mandatory notifications
- Client matter triage and workaround implementation
- Evidence preservation for insurance/legal purposes
- Begin post-incident documentation

Each phase has specific actions, decision points, and templates that I've refined through actual incident response.

What Most Firms Get Wrong

Waiting for insurance. Your cyber policy is valuable, but insurers operate on their timeline, not yours. Waiting 12-24 hours for an insurer to assign a response team while your systems burn is a costly mistake. You need your own first-response capability.

Treating IT as the response team. Your IT team (or MSP) is critical for technical recovery, but incident response requires legal, communications, client management, and executive decision-making. IT alone cannot manage a breach.

Focusing on technical recovery before evidence preservation. The natural instinct is to "get things working again." But actions taken in the first hours can destroy evidence needed for insurance claims, regulatory investigations, or prosecution. You need to balance recovery with preservation.

Assuming backups will save you. Modern ransomware groups exfiltrate data before encrypting. Even with perfect backups, you still face data breach notification obligations, client communications, and potential publication of stolen files. Backups solve one problem, not all of them.

Underestimating notification timelines. The OAIC's "as soon as practicable" standard doesn't mean "when we've finished investigating." It means when you have reasonable grounds to believe a breach has occurred. That's often much earlier than firms realise.

Building Your 72-Hour Capability

You don't need a massive budget or a dedicated security team. You need clarity and preparation.

Start with the decision tree. Map out who decides what in a crisis. Get partnership agreement on authority levels for incident response decisions — including the uncomfortable ones like ransom payments.

Build your contact list now. Insurer breach hotline, external legal counsel, forensic response provider, PR/communications support, key client contacts. Have these ready before you need them.

Test your backups under pressure. Not "are backups running" but "can we actually restore critical systems within 24 hours under incident conditions?"

Run a tabletop. A 2-hour scenario exercise with your leadership team will reveal more gaps than any policy document. Do it annually at minimum.

Know your notification obligations. Different client types, different regulators, different timelines. Map these out before you're trying to figure it out during a crisis.

The Toolkit

I've compiled everything I've learned from responding to incidents across the Australian legal sector into a practical resource: the 72-Hour Cyber Crisis Response Toolkit.

It includes:
- Hour-by-hour response checklists
- Decision trees for common scenarios
- Authority and escalation templates
- Client communication templates
- Regulatory notification guidance and timelines
- Key contact templates
- Tabletop exercise scenarios

This isn't a policy document to file away. It's a practical playbook designed to be used under pressure.

Because when that call comes at 11:47pm on a Friday, you need to know exactly what to do next.

John Reeman - Virtual CISO

I'm the CEO and Founder of Cyooda Security, an independent cybersecurity and digital forensics advisory consultancy based in Sydney, and the former CISO of King & Wood Mallesons, a global law firm, with 30 years of cybersecurity leadership protecting organisations and government agencies from data breaches, ransomware, and cyber espionage.