Security and Ethics Compliance for Law Firms
How your IT decisions become ethical ones: ABA Rule 1.6, the duty of technology competence, cyber-insurance demands, and what you owe clients after a breach. Written by an attorney who runs an MSP.
Here is the uncomfortable part of running a firm in 2026: your technology decisions are now ethics decisions, and pretending otherwise does not lower your exposure. When you choose where client files are stored, who can access them, and how they are protected, you are making calls that your state bar can judge against the duties you took on when you were admitted. This page is about those duties and how your IT provider either helps you meet them or quietly leaves you exposed.
This is the security half of the managed IT buyer’s guide. If you are choosing a provider, read it alongside the evaluation scorecard, because a firm’s security posture is only as good as the people running it.
Your ethical duties are technical duties now
ABA Model Rule 1.6(c) says a lawyer must make reasonable efforts to prevent the unauthorized disclosure of client information. That was once about locked file cabinets and careful conversations. Comment 18 now applies it to how you transmit and store data electronically. Comment 8 to Rule 1.1 goes further and folds competence with relevant technology into your basic duty of competence. Most states have adopted both in some form.
Read together, these rules mean something concrete. If your backups sit unencrypted on a device anyone can reach, that is not just bad IT. It is a plausible failure of your duty to safeguard client confidences. If an attorney reuses a weak password and an account is taken over, the disclosure that follows is one you were supposed to make reasonable efforts to prevent. The word doing the work in the rule is reasonable, and reasonable keeps rising as threats and tools evolve. A provider who understands this frames your security around your obligations. One who does not just sells you products and leaves the judgment to you.
What reasonable security looks like for a firm
There is no certificate that makes a firm compliant, which frustrates people who want a checklist. What bars and carriers expect is a set of safeguards proportional to how sensitive your data is and how likely you are to be attacked. For a law firm, that bar is high, because you hold exactly the kind of information criminals want.
In practice, reasonable means multi-factor authentication on everything that touches client data, so a stolen password alone does not open the door. It means encryption in transit and at rest. It means monitoring that can actually detect an intrusion instead of discovering it months later. It means email security, because most attacks on firms start in the inbox. It means staff training, since your people are the surface attackers probe first. And it means a written incident response plan you have rehearsed, not a document nobody has opened. Many of these controls are things firms already own and have never turned on, which is why the Microsoft 365 security settings most firms miss is worth a look.
Cyber insurance is now setting the rules
Even if your bar’s expectations feel vague, your insurer’s are getting specific. Carriers have watched claims pile up and responded by demanding controls as a condition of coverage. Multi-factor authentication, endpoint detection and response, tested backups, email filtering, and documented access management show up on applications now, and answering them wrong has consequences.
Two traps catch firms here. The first is overstating your security to get a better rate, then having a claim denied because you did not actually have the control you claimed. The second is treating the questionnaire as paperwork instead of a to-do list. The smart move is to answer honestly and use the questionnaire as a map of what to implement, ideally with a provider who has filled out these forms before and can close the gaps first. This is one of the ways an MSP supports regulatory compliance for firms that pays for itself the day you file a claim.
What you owe clients when something goes wrong
Assume, for a moment, that prevention fails, because sometimes it does. Your obligations do not wait for you to feel ready. State breach-notification laws may require you to tell affected people within a set window. Your ethical duty to keep clients reasonably informed can require disclosure to the clients whose matters were touched. ABA Formal Opinion 483 speaks directly to notifying clients after a breach of their data. And your own engagement letters may carry promises you now have to honor.
The firms that come through a breach with their reputation intact are the ones that planned for it. They had an incident response plan naming who does what. They had counsel identified in advance. They had backups they could restore from, so a ransomware demand was a bad day instead of an extinction event. The protection strategies worth building before an incident are cheaper than the alternative by an order of magnitude, and I am not exaggerating that.
Turning duty into a provider requirement
All of this becomes a hiring test. When you evaluate an IT provider, their grasp of these duties should show up unprompted. Can they discuss Rule 1.6 without you teaching it to them? Do they build security into the base service instead of upselling it? Have they helped a firm through an insurance questionnaire or an actual incident?
If the answer to any of those is a blank look, keep interviewing. The scorecard for evaluating an MSP puts these into questions you can score. Or book a call and we will walk through where your firm stands against these duties right now, honestly, before anyone talks about a contract.
Frequently asked questions
Does ABA Rule 1.6 apply to a law firm's technology?
Yes. Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent unauthorized disclosure of information relating to a client. Comment 18 ties that directly to how you store and transmit data, and Comment 8 to Rule 1.1 makes staying current on relevant technology part of your duty of competence. Your security choices are professional-responsibility choices, and most states have adopted a version of both rules.
What does a state bar expect a firm to do about cybersecurity?
Bars generally expect reasonable safeguards proportional to the sensitivity of the data and the risk. That means access controls, encryption, monitoring, staff training, and a plan for incidents, documented and actually followed. There is no single checklist that makes you compliant, which is why a provider who understands legal duties is worth more than one who just installs tools.
Does cyber insurance require specific security controls?
Increasingly, yes. Carriers now condition coverage on controls like multi-factor authentication, endpoint detection and response, tested backups, and email filtering. Firms have had claims denied because an application overstated their security. Answer those questionnaires accurately, and get help implementing what the carrier requires before you sign, not after a breach.
What are a firm's obligations to clients after a data breach?
You likely have duties on several fronts at once: state data-breach notification laws, your ethical duty to keep affected clients reasonably informed, and any contractual promises in engagement letters. ABA Formal Opinion 483 addresses the obligation to notify clients of a breach involving their information. Having counsel and a prepared incident response plan before an event is the difference between a controlled response and a scramble.