When you read state breach notification statutes, they sound clean. Notify affected individuals within X days. Notify the state attorney general within Y days. In practice, the 30 days following a breach are messy, expensive, and exhausting. This is what they actually look like at a small firm.
Composite case: 4-person tax firm, 425 active clients across 6 states, breach affecting 180 clients whose Social Security numbers were exposed in a phishing-driven email compromise.
Day 1 to 3: discovery and assessment
Discovery happened on a Tuesday afternoon when the owner found unusual login activity in her email account. The forensic team confirmed by Friday that 180 client emails had been exposed, including W-2 attachments containing Social Security numbers.
Decisions in this window:
- Engage the breach coach and notify the cyber insurance carrier (already done by hour 4)
- Stop using the compromised email immediately
- Force MFA reset and password reset on all firm accounts
- Begin the affected-client list compilation
Day 4 to 7: the legal review
The breach coach engaged a privacy attorney specializing in state notification law. They mapped the 180 affected clients to their states of residence:
- California: 42 clients
- Texas: 38 clients
- Florida: 31 clients
- New York: 24 clients
- Illinois: 23 clients
- Georgia: 22 clients
Each state has its own notification statute. California requires notification within 45 days. New York requires notification within 30 days. Texas requires notification "without unreasonable delay," which in practice means 60 days. Each state also has different requirements for what the notice must contain.
The attorney drafted 6 different notification letters tailored to each state's statutory requirements.
Day 8 to 14: the notification mechanics
The firm prepared the mailing.
- Letters printed and mailed via certified mail with return receipt (required in some states)
- Letters offered 12 months of credit monitoring through Experian (standard for breaches involving Social Security numbers)
- A dedicated phone line was set up to handle questions from affected clients
- A FAQ document was prepared for the firm to use when clients called
Costs in this window:
- Legal fees: about $12,000
- Notification mailing: $14 per affected client = $2,520
- Credit monitoring offer: $96 per client per year = up to $17,280 if every client enrolls (typically 30 to 60 percent enroll)
- Dedicated phone line setup: $300
Day 15 to 20: state attorney general filings
5 of the 6 affected states require attorney general notification, most of them only when the number of affected state residents exceeds a threshold. Each state has different filing requirements.
- California: web-based filing, 50-resident threshold. Filed.
- New York: web-based filing, no threshold. Filed.
- Texas: email-based filing, 250-resident threshold. Not required given the count.
- Florida: email-based filing, 500-resident threshold. Not required.
- Illinois: web-based filing, 500-resident threshold. Not required.
- Georgia: no AG notification requirement.
The 2 required filings each took about 4 hours to prepare and submit. The attorney handled the substance; the firm provided supporting documentation.
Day 15 to 25: the client phone calls
When notifications hit, calls start. The firm received about 110 calls from the 180 affected clients over 10 days. Average call length was 8 minutes.
The most common questions:
- "What happened?" Answer the question without admitting liability.
- "What should I do?" Walk through the credit monitoring offer and steps to monitor their identity.
- "Are you still going to be my tax preparer?" Have a clear answer ready.
- "How did this happen?" Stay factual, avoid blame, do not speculate about what the attacker did with the data.
Total time spent on client calls: about 14 hours across the firm.
Day 20 to 30: the IRS notification and the longer tail
When client tax data is involved, the firm must notify the IRS Stakeholder Liaison and the relevant state tax agencies. The IRS Form 14039 (Identity Theft Affidavit) was filed by the firm on behalf of all 180 clients.
The state tax notifications varied. California, New York, and Illinois have data security incident reporting requirements for tax preparers. Each was filed.
Time spent on agency notifications: about 18 hours.
Day 30 and beyond: the operational impact
The firm continued to feel the breach for months.
- Credit monitoring enrollments came in over the first 60 days. About 40 percent enrolled.
- Some clients required follow-up support through the credit monitoring period.
- 11 clients left over the next 6 months. Most cited the breach indirectly.
- The firm replaced the email security configuration, rolled out tighter MFA, and added inbox rule monitoring.
- Cyber insurance renewal at the next cycle reflected a 35 percent premium increase, which cost the firm about $1,000 per year extra.
Final tally
- Forensics: $18,000
- Legal and breach coach: $14,000
- Notification and credit monitoring: $11,000 in year one
- Internal time: roughly 80 hours across 4 staff
- Lost clients: 11, representing about $9,000 in annual revenue
- Insurance reimbursement: covered most direct costs above the $5,000 deductible
- Out-of-pocket for the firm: about $7,000 plus the productivity hit
What this case demonstrates
A breach that exposes 180 clients across 6 states is not a single notification. It is 6 different notification regimes, 2 attorney general filings, IRS and state tax agency notifications, and 110 client phone calls. The legal cost dwarfs the technical cost.
The single biggest variable in the cost: how prepared the firm was when the breach hit. This firm had a current WISP (written information security program), an incident response plan that named the breach coach, and an existing relationship with the cyber insurance carrier. Without those, the legal fees would have doubled and the operational impact would have stretched to 90 days instead of 30.
If your firm has no incident response plan, the time to write one is now, not in the first hour after discovery.