Ethics, Cybersecurity & Client Data
The IT Risks Law Firms Can't Ignore — Without Risking Their License
Most attorneys think of ethics compliance as courtroom behavior, conflict checking, and fee agreements. But the ABA and state bar associations have been clear for years: cybersecurity is an ethical obligation. And most law firms are not meeting it.
The ABA issued Formal Opinion 477R confirming that attorneys have an ethical duty to understand and implement technology safeguards. Ignorance of IT risk is no longer a defense.
What ABA Model Rule 1.1 Really Means for Technology
ABA Model Rule 1.1 requires attorneys to provide competent representation — which includes 'the legal knowledge, skill, thoroughness and preparation reasonably necessary.' In 2012, a comment to Rule 1.1 was amended to explicitly include technology competence: 'a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.' This isn't a suggestion. It's a professional obligation.
What ABA Model Rule 1.6 Means for Your IT Infrastructure
Rule 1.6 requires attorneys to make 'reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.' The key word is 'reasonable.' What's reasonable in 2024? Multi-factor authentication. Encrypted communications. Proper access controls. Regular security assessments. If your firm doesn't have these, you may not be meeting the 'reasonable efforts' standard.
The 6 Ethical Obligations That Create IT Requirements
Competence (Rule 1.1)
Attorneys must understand the technology they use to practice law — including its risks.
Confidentiality (Rule 1.6)
Client communications must be protected with 'reasonable safeguards' — which now includes encryption and secure transmission.
Communication (Rule 1.4)
If a breach exposes client data, attorneys may have a duty to promptly inform affected clients.
Supervision (Rule 5.1/5.3)
Partners must supervise staff and non-attorney personnel — including their technology use and security practices.
Candor (Rule 3.3)
If a breach affects evidence or case materials, attorneys may have disclosure obligations to courts.
Fee Agreements (Rule 1.5)
Some courts have found that billing clients for reckless data handling raises fee reasonableness questions.
The Ethics Enforcement Reality
IT Practices That May Violate Your Ethical Obligations
Violates Rule 1.6's confidentiality requirements in most jurisdictions.
Fails the 'reasonable efforts' standard under Rule 1.6.
BYOD without MDM creates confidentiality exposure under Rule 1.6.
Supervision failures under Rules 5.1 and 5.3.
Courts and bar associations look for documented security practices.
Rules 1.6 and 5.3 require attorneys to evaluate vendor security.
"Cybersecurity is no longer purely a business risk for law firms. It is a professional responsibility issue."
— ABA Standing Committee on Ethics and Professional Responsibility
The IT Security Practices That Satisfy Your Ethical Obligations
The Question Your Next Bar Complaint Will Ask
If a client files a bar complaint after a breach, the ethics investigator will ask: 'What reasonable efforts did this attorney make to protect client data?' They will look for documentation. They will ask about your security practices. They will ask whether you understood the technology risks. 'I trusted my IT guy' is not an answer that will satisfy the investigators. The obligation to understand and implement reasonable cybersecurity falls on you personally — not just on your technology team.