The confidentiality obligation has a technical dimension
Attorneys have always had a duty of confidentiality. What has changed is that fulfilling that duty now requires understanding technology. The same client files that used to sit in a locked filing cabinet now live on cloud servers, travel through email systems, and are accessed from home networks and mobile devices. The obligation is the same. The attack surface is vastly larger.
Bar associations across the country have issued formal ethics opinions making clear that competence — one of the foundational duties of every attorney — includes understanding the technology used to handle client matters and taking reasonable steps to protect client data.
What the ABA says
ABA Model Rule 1.1 requires competence, which includes keeping up with relevant technology. ABA Model Rule 1.6 requires reasonable efforts to prevent unauthorized disclosure of client information.
The ABA's Formal Opinion 477R addressed this directly: lawyers must take competent and reasonable measures to safeguard information relating to clients against unauthorized access. The opinion specifically addresses cloud storage, email encryption, and the need to assess the security practices of technology vendors.
This is not aspirational guidance. It is a professional obligation with disciplinary consequences.
State-level requirements
Most state bars have adopted versions of the ABA model rules, and many have issued their own ethics opinions on cybersecurity. Florida, New York, California, and Texas have all published guidance specifically addressing attorney obligations around data security.
Florida Bar Opinion 14-1, for example, addresses cloud computing and requires attorneys using cloud services to take reasonable precautions including understanding the security practices of cloud vendors, encrypting confidential data, and having a plan for what happens if a vendor experiences a breach.
The trend is consistent across jurisdictions: reasonable security is required, what constitutes reasonable is evolving upward, and ignorance of technology is not a defense.
What cyber insurance requires from law firms
Cyber insurance for law firms has become both more important and more demanding to obtain. Following several high-profile law firm breaches and ransomware attacks, underwriters have tightened requirements significantly.
The questions on cyber insurance applications for law firms now typically include:
- Do you use multi-factor authentication for email access?
- Do you use MFA for remote access to firm systems?
- Do you conduct annual security awareness training?
- Do you have an incident response plan?
- Do you back up client data, and are backups stored offline or air-gapped?
- Do you conduct vulnerability scanning of your external systems?
- Do you have a process for vetting the security of third-party vendors who handle client data?
Insurers are also running external scans of law firm domains before setting terms. A firm with missing email authentication, exposed services, or a poor SecurityScorecard score will pay more for coverage or may be declined.
The specific risks law firms face
Email is the primary attack vector
Business email compromise (BEC) attacks targeting law firms have resulted in wire fraud losses in the millions. Attackers monitor email accounts, learn the timing of real estate closings or settlement payments, and impersonate attorneys or title companies to redirect funds. DMARC enforcement, MFA on email, and employee training are the core defenses.
Client portals and document sharing
Many firms use web-based client portals for document sharing. These portals are external-facing applications that need to be kept updated, tested for vulnerabilities, and protected with strong authentication. An insecure client portal is a direct path to client data.
Remote access
The shift to remote work expanded the attack surface dramatically. RDP and VPN access points exposed without proper controls are among the most common ransomware entry points. Firms should require MFA for all remote access and ensure remote access services are not exposed directly to the internet.
Third-party vendors
Practice management software, document management systems, billing platforms, and e-discovery vendors all handle client data. A breach at any of these vendors can expose your clients' information. Vendor security assessments — understanding what security controls your vendors have in place — are increasingly a bar obligation and an insurance requirement.
What reasonable security looks like in practice
The standard is not perfection. It is reasonableness given the size of the firm, the sensitivity of the data, and the current threat environment. A solo practitioner is not held to the same standard as a 500-lawyer firm.
That said, certain baseline controls are now considered standard for any law firm:
- Multi-factor authentication on all accounts that access client data
- Email encryption for sensitive communications
- SPF, DKIM, and DMARC configured to prevent domain spoofing
- Regular security awareness training for all staff
- Documented incident response procedures
- Tested data backups stored separately from primary systems
- Vulnerability scanning of internet-facing systems
None of these are exotic. All of them are achievable by firms of any size.
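The SPF and DMARC records in that list are exactly what an insurer's external scan reads from public DNS, and the weak-versus-enforcing distinction matters more than mere presence. The following checker is an added example, not the article's or kasperashield.com's own code: it takes raw SPF and DMARC TXT record strings (so it runs offline, with no DNS lookups) and reports the settings a scan would flag, such as a soft-fail "~all", a monitor-only "p=none", or too many DNS-lookup mechanisms. The sample records and domain names are constructed placeholders, not any real firm's configuration.

```python
"""Added example (not from the original article): an offline checker for the
SPF and DMARC TXT records an external security scan evaluates. Inputs are the
raw record strings; the sample records below are constructed for illustration
and the domains in them are placeholders."""
import re

# Constructed sample records: a weak configuration beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.example-mail.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example-mail.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.test"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-firm.test; adkim=s; aspf=s"


def check_spf(record):
    """Return a list of findings for one SPF TXT record (empty list = no issues)."""
    findings = []
    if record is None:
        return ["no SPF record published: any server can claim to send as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1, receivers will ignore it"]
    # The final 'all' mechanism decides what happens to senders not listed.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are implicitly allowed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' allows every host on the internet to send as this domain")
        elif qualifier in "~?":
            findings.append(f"'{all_terms[-1]}' only soft-fails spoofed mail; use '-all'")
    # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) at 10;
    # exceeding it yields a permerror and receivers treat the record as broken.
    lookups = sum(
        1 for t in terms
        if re.match(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)", t, re.I)
        or t.lower().startswith("redirect=")
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split a DMARC record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return findings for one DMARC TXT record (empty list = enforcing policy)."""
    if record is None:
        return ["no DMARC record published: spoofed mail is neither reported nor blocked"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1, receivers will ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag; an enforcing policy is p=quarantine or p=reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy only applied to {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combine both checks the way an external scan would; 'enforcing' is True only when clean."""
    spf = check_spf(spf_record)
    dmarc = check_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "enforcing": not spf and not dmarc}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        result = assess_domain(spf, dmarc)
        print(f"{label}: enforcing={result['enforcing']}")
        for finding in result["spf"] + result["dmarc"]:
            print("  -", finding)
```

To use this against a real domain, pass the TXT record at the domain apex as the SPF input and the TXT record at `_dmarc.<domain>` as the DMARC input. A firm that wants to move from the weak pair to the hardened pair should do so in stages (p=none with reports first, then quarantine, then reject), because a DMARC reject policy applied before every legitimate sending service is covered by SPF or DKIM will cause real client mail to be dropped.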
Run a free external security scan at kasperashield.com to see where your firm stands and what needs attention.