We respect attorney-client confidentiality. No tracking pixels in our emails.

After a major legal AI vendor breach exposed confidential client data in 2025, law firms face urgent questions about vendor incident response obligations. Here is what to require.
2026/08/20
In early 2025, a mid-sized legal AI platform suffered a breach that exposed privileged communications from more than 200 law firm clients. The vendor waited eleven days before notifying affected firms. By then, opposing counsel in several active matters had already received tips that confidential strategy documents were circulating. State bar disciplinary boards opened investigations — not against the vendor, but against the attorneys whose client data had been compromised. The firms argued they could not have acted faster because they were never told. The bars were unmoved: an attorney's duty of competence includes vetting the security posture of every vendor who touches client data, and that duty does not pause while waiting for a vendor's press release.
That sequence of events is now the canonical cautionary tale in legal technology procurement circles. It reveals a structural problem: most law firm vendor contracts were written before AI tools became core to daily practice, and they carry incident response provisions drafted for generic SaaS outages — not for breaches that may implicate attorney-client privilege, work-product doctrine, and ethics rules simultaneously. This article explains what to require, how to evaluate vendor capabilities before signing, and what your obligations are after an incident occurs.
The ethical foundation here is straightforward but its application to AI vendors is underappreciated. ABA Model Rule 1.6(c) requires attorneys to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of client information. Comment 18 clarifies that this applies to the conduct of third parties, including vendors. When a legal AI platform processes your research queries, drafts your contracts, or analyzes your client documents, that vendor is handling information protected by Rule 1.6.
The practical consequence is that a vendor breach is your breach for ethics purposes. The question is not whether you knew about it — the question is whether you had the contractual mechanisms to know about it promptly and the procedural infrastructure to act.
Several state bars have now issued formal guidance on this point. California's State Bar issued Formal Opinion 2023-204, which explicitly addresses cloud-based legal services and holds that attorneys must conduct due diligence on vendor security practices before engagement and must have agreements ensuring prompt notification of security incidents. New York's Committee on Professional Ethics reached similar conclusions in Opinion 1196. The ABA's Standing Committee on Ethics and Professional Responsibility has signaled that a formal opinion specifically addressing AI vendors is forthcoming.
Meanwhile, GDPR and US state privacy laws create parallel notification obligations with their own timelines — 72 hours under GDPR Article 33, varying requirements under state laws. For firms with international clients or EU data subjects in their matters, these obligations layer on top of bar rules rather than replacing them.
The market has also shifted. Legal AI vendors who once resisted robust incident response contract terms are now more negotiable — partly because enterprise buyers are demanding it, and partly because the reputational cost of a poorly handled breach has become undeniable. But "more negotiable" does not mean the terms appear automatically. You have to ask.
A notification clause that says the vendor will notify you "promptly" following a breach is legally meaningless and practically useless. Prompt is whatever a vendor's lawyer argues it means. Your contract needs a specific number, and that number should be 72 hours from the point at which the vendor has reasonable grounds to believe a security incident has occurred — not 72 hours from when the vendor has completed its internal investigation and confirmed the full scope.
This distinction is critical. Investigations take weeks. If notification is triggered by completion of investigation, you will learn about incidents affecting your clients long after you should have started notifying those clients yourself. The clause should read something like: "Vendor shall notify Client within 72 hours of becoming aware of any actual or reasonably suspected unauthorized access to, disclosure of, or loss of Client Data, regardless of whether Vendor has completed an investigation into the nature or scope of such incident."
The clause should also specify notification method (email to designated security contact plus phone call if the incident involves more than a threshold volume of client records), what minimum information the initial notification must include (nature of incident, data types potentially affected, systems involved, immediate containment steps taken), and a timeline for subsequent updates (every 48 hours until resolution).
Without contractual forensics access, you will never know exactly what happened to your client data. Vendors have every incentive to conduct their own investigation, characterize the scope narrowly, and present you with a sanitized summary. That summary is insufficient for your own bar reporting obligations, for client notification decisions, and for any litigation that follows.
Your contract should give you — or your designated forensics firm — the right to independently review logs, access records, and conduct interviews relevant to any incident affecting your data. This is not standard. Many vendors push back on it. But the pushback is itself informative: a vendor unwilling to allow third-party forensic review has made a decision about whose interests it prioritizes in a crisis.
At minimum, require that the vendor preserve all relevant logs and incident data for at least 24 months and provide copies to you upon request within 10 business days of any incident.
The initial notification should be followed within 15 business days by a written breach scope assessment. This document should cover: what data was accessed and for how long; what systems were involved; what the attack vector was; what data of yours specifically was affected (with matter-level granularity if possible); what remediation steps have been taken and are planned; and whether law enforcement has been engaged.
If the vendor cannot produce this within 15 days, the contract should allow you to engage your own forensics firm at the vendor's expense.
Here is a condensed version of the core incident response clause that your technology counsel should adapt for your specific engagements:
"Security Incident Notification. Vendor shall notify Client's designated security contact by email and telephone within seventy-two (72) hours of Vendor becoming aware of any actual or reasonably suspected Security Incident involving Client Data. Such notification shall include: (a) a description of the nature of the incident; (b) the categories and approximate volume of Client Data involved; (c) the name and contact details of the data protection officer or equivalent; (d) the likely consequences of the Security Incident; and (e) the measures taken or proposed to address the Security Incident. Vendor shall provide written updates to Client every forty-eight (48) hours until the Security Incident is resolved. Client shall have the right, upon reasonable notice, to audit Vendor's security practices and to engage a qualified third-party forensics firm to conduct an independent investigation of any Security Incident affecting Client Data, the reasonable costs of which shall be borne by Vendor if the investigation confirms a breach of Vendor's obligations under this Agreement."
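The clocks in the clause above (72 hours from awareness, updates every 48 hours, a scope assessment within 15 business days) are easy to state and easy to argue about after the fact. The following script is an added example, not part of the article or of any vendor's tooling: it models a vendor incident timeline and checks it against those contractual clocks, measuring the notification lag from the moment of awareness rather than from the close of the vendor's investigation, so the difference the article warns about is visible as a number. The timestamps are constructed (loosely modelled on the Tuesday-morning case study later in this article), and business days are assumed to be weekdays with no holiday calendar.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Contractual clocks taken from the article's recommended terms.
NOTIFY_HOURS = 72            # from awareness, not from investigation completion
UPDATE_HOURS = 48            # written updates until resolution
SCOPE_BUSINESS_DAYS = 15     # written breach scope assessment after notification


@dataclass
class IncidentTimeline:
    """Key timestamps a firm should record for a vendor security incident."""
    detected: datetime                          # vendor first had reasonable grounds to suspect
    investigation_closed: Optional[datetime]    # vendor confirmed full scope (may be much later)
    notified: Optional[datetime]                # notification reached the firm's security contact
    updates: List[datetime] = field(default_factory=list)
    scope_assessment: Optional[datetime] = None # written scope assessment delivered
    resolved: Optional[datetime] = None


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by N weekdays (assumption: no holiday calendar)."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday..Friday
            remaining -= 1
    return current


def evaluate(t: IncidentTimeline, as_of: datetime) -> Dict[str, object]:
    """Check a timeline against the contract clocks; `as_of` closes any open interval."""
    findings: Dict[str, object] = {}
    if t.notified is None:
        # Still unnotified: the lag is measured to `as_of`, so silence itself fails the clock.
        lag = hours_between(t.detected, as_of)
        findings["notification_lag_hours"] = round(lag, 1)
        findings["notification_ok"] = False
        return findings

    # The 72-hour clock runs from awareness (detection), never from investigation close.
    lag = hours_between(t.detected, t.notified)
    findings["notification_lag_hours"] = round(lag, 1)
    findings["notification_ok"] = lag <= NOTIFY_HOURS
    if t.investigation_closed is not None:
        # What a vendor would claim under an investigation-completion trigger.
        findings["lag_if_measured_from_investigation_close"] = round(
            hours_between(t.investigation_closed, t.notified), 1)

    # 48-hour update cadence: every gap from notification to resolution (or to `as_of`).
    end = t.resolved if t.resolved is not None else as_of
    checkpoints = [t.notified] + sorted(t.updates) + [end]
    gaps = [hours_between(a, b) for a, b in zip(checkpoints, checkpoints[1:])]
    findings["max_update_gap_hours"] = round(max(gaps), 1)
    findings["update_cadence_ok"] = all(g <= UPDATE_HOURS for g in gaps)

    # Scope assessment due within 15 business days of the initial notification.
    deadline = add_business_days(t.notified, SCOPE_BUSINESS_DAYS)
    findings["scope_assessment_deadline"] = deadline.isoformat()
    findings["scope_assessment_ok"] = (
        t.scope_assessment is not None and t.scope_assessment <= deadline)
    return findings


def good_case() -> IncidentTimeline:
    """Constructed timeline: detection 9 AM Tuesday, notification ten hours later."""
    return IncidentTimeline(
        detected=datetime(2025, 3, 4, 9, 0),
        investigation_closed=datetime(2025, 3, 4, 15, 0),
        notified=datetime(2025, 3, 4, 19, 0),
        updates=[datetime(2025, 3, d, 19, 0) for d in (6, 8, 10, 12, 14)],
        scope_assessment=datetime(2025, 3, 12, 19, 0),
        resolved=datetime(2025, 3, 16, 9, 0),
    )


def late_case() -> IncidentTimeline:
    """Constructed timeline: vendor waits for its investigation, then notifies a day later."""
    return IncidentTimeline(
        detected=datetime(2025, 3, 4, 9, 0),
        investigation_closed=datetime(2025, 3, 14, 9, 0),
        notified=datetime(2025, 3, 15, 9, 0),
    )


if __name__ == "__main__":
    now = datetime(2025, 3, 20, 9, 0)  # constructed "today" for the open-ended case
    for label, case in (("good", good_case()), ("late", late_case())):
        print(label, evaluate(case, as_of=now))
```

In the late case the vendor can truthfully say it notified within 24 hours of confirming the incident, yet the awareness-based lag is 264 hours; which of the two numbers governs is exactly what the clause language decides, so the checker reports both.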
Before signing, ask each vendor for their written incident response plan. Not a summary — the actual document. Evaluate it for: whether it has been tested (ask for tabletop exercise records), whether it designates specific personnel with incident response authority, whether it covers the specific scenario of unauthorized access to client data (not just system downtime), and whether external notification timelines match your contractual requirements.
Ask how many security incidents the vendor has experienced in the past 24 months and how each was handled. Ask for references from other law firm clients who have gone through an incident with this vendor. A vendor who has never had an incident is not necessarily more trustworthy than one who has handled incidents well.
SOC 2 Type II reports cover specific trust service criteria over a defined audit period. Review the report yourself — or have your security team review it — rather than accepting the vendor's summary. Pay particular attention to exceptions noted by the auditor.
Consider how a firm with strong contractual protections navigated a vendor incident in 2025. A 40-attorney litigation boutique had negotiated a 72-hour notification clause, forensics access rights, and a mandatory breach scope assessment provision into its agreement with a legal AI research platform.
At 9 AM on a Tuesday, the vendor's security team detected anomalous data access patterns. By 3 PM they had confirmed that an external actor had accessed the platform environment. At 7 PM — ten hours after detection — the vendor called the firm's designated security contact and sent a formal notification email with the required initial information.
The firm's general counsel immediately activated the firm's own incident response protocol: outside breach counsel was retained, the cyber insurance carrier was notified, and a client impact assessment began using the matter list maintained in the firm's practice management system. By the next morning, the firm had a list of 34 active matters whose research queries had potentially been in the affected environment.
Forensics access kicked in on day three. The firm's retained forensics firm worked alongside the vendor's team with direct log access. By day eight, they had confirmed that only query metadata — not the underlying documents or client-identifying information — had been exposed. That distinction mattered enormously for client notification decisions.
Clients were notified on day nine with a precise, factually accurate description of what had and had not been exposed. No disciplinary inquiries followed. The firm's insurance covered the forensics costs, and the vendor reimbursed the remainder per contract. The entire response took 12 days from detection to client notification — fast enough to satisfy bar obligations in every relevant jurisdiction.
When evaluating legal AI vendors for incident response capabilities, the following platforms have demonstrated relatively strong security postures and contractual flexibility:
Q: If the vendor breaches first, why is the bar investigating my firm and not the vendor?
A: Because vendors are not licensed attorneys and are not subject to bar discipline. Your ethical duty to protect client data does not transfer to the vendor — it requires you to choose vendors carefully and to have mechanisms in place to respond quickly when something goes wrong.
Q: Our existing vendor contract has a 30-day notification clause. Can we renegotiate mid-term?
A: Yes, but you will likely need to offer something in return, even if it is just reaffirming the contract term or upgrading your service tier. Frame it as a mutual benefit — the vendor avoids liability exposure from delayed notification just as much as you do.
Q: Does cyber insurance cover the costs of a vendor breach response?
A: Most legal malpractice and cyber insurance policies cover breach response costs including forensics, notification, and credit monitoring. But coverage depends heavily on whether you followed your own incident response plan and whether you had adequate vendor contracts. Insurers are increasingly asking about vendor IR terms during underwriting.
Q: What should our tabletop exercise with a vendor actually cover?
A: Walk through a realistic scenario: ransomware hits the vendor at 2 AM Friday, affecting your client data. Who calls whom, when, with what information? Who makes the client notification decision? Who drafts the notification? Test whether the vendor's 72-hour clock and your internal response protocol actually mesh in practice.
Q: Can we require vendors to carry specific cyber insurance minimums?
A: Yes, and you should. Requiring vendors to maintain cyber liability coverage of at least $5 million per occurrence, with you named as an additional insured for incidents involving your data, is a reasonable and increasingly common contractual requirement for legal AI vendors.
The ethical obligations that attach to law firm data do not stop at your firewall. Every legal AI vendor that processes client information is, from a bar rules perspective, an extension of your firm's data handling responsibilities. The contracts governing those relationships need to reflect that reality.
The minimum viable incident response contract package includes a 72-hour notification trigger (from awareness, not from investigation completion), forensics access rights, a mandatory breach scope assessment within 15 days, and vendor-borne costs for independent investigation when a breach is confirmed. These are not aspirational terms — they are the floor of what competent vendor contracting looks like in 2026.
Beyond contract language, evaluate vendors on their demonstrated incident response capability: written IR plans, tabletop exercise history, and reference checks from firms that have been through incidents with that vendor. Vendor selection is a competence question, not just a procurement question.
This article reflects independent editorial analysis. LawyerAI does not accept payment for editorial coverage. Tool scores are based on methodology described in Our 5-Dimension Methodology. Last reviewed: 2026-08-20.