ABA Model Rule 1.6 and Cybersecurity: What the Duty of Confidentiality Requires of Attorneys
Alexander Sverdlov
Security Analyst

Key Takeaways
- Cybersecurity is an ethics obligation, not an IT preference. ABA Model Rule 1.6(c), added in the 2012 Ethics 20/20 amendments, states that a lawyer "shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Most state bars have adopted the same language or its substance.
- The standard is reasonable efforts, not a guarantee. A breach is not automatically an ethics violation. The violation is failing to take the precautions a competent lawyer would have taken given the facts. Comment [18] to Rule 1.6 lists five factors that decide how much is enough.
- Four ABA Formal Opinions now operationalize the duty: 477R on securing client communications, 483 on obligations after a breach, 498 on virtual practice, and the technology-competence language in Comment [8] to Rule 1.1. Together they convert a one-sentence rule into a concrete program.
- Opinion 483 is the one most firms have not read. It imposes affirmative duties to monitor for, stop, and remediate a breach, and to notify current clients when their confidential information is compromised. Rule 1.4 supplies the notice obligation; Rule 1.6 supplies the prevention obligation.
- The duty extends to everyone who touches the data. Rules 5.1 and 5.3 make partners responsible for associates, paralegals, contract attorneys, and outside vendors, including the cloud platform that stores your matters.
- A defensible position for a small-to-midsize firm is not expensive, but it is specific. The 90-day path at the end of this article costs a fraction of a single malpractice deductible and produces the written record that turns a future bar inquiry from an investigation into a closed file.
A name partner at a fourteen-attorney real estate and estates firm called us during a malpractice insurance renewal. Her carrier had attached a two-page security questionnaire to the renewal binder, and her office administrator could not answer half of it. Her question to us was blunt: "Is encrypted email actually an ethics requirement, or is our IT vendor just upselling us? I have practiced for twenty-six years. Nobody mentioned cybersecurity in a single CLE until about five years ago."
It is a fair question, and the honest answer is more interesting than yes or no. Encrypted email is not categorically required. It is also not categorically optional. Whether your firm must use it depends on a five-factor test written into the comments of Model Rule 1.6, applied to the specific matter in front of you. The same is true of almost every security control a vendor will try to sell a law firm. The rule does not hand you a checklist. It hands you a standard of care and expects you to apply professional judgment, which is exactly what lawyers are trained to do in every other part of practice.
This article is the long version of the answer we gave her. It is written for practicing attorneys and the people who run their firms, not for security engineers. It covers what Model Rule 1.6 actually says after the 2012 amendment, the five factors that decide how far the duty reaches, the four ABA ethics opinions that turn the rule into a program, the control set that satisfies a reasonable-efforts review, the moments when the duty escalates, and what the rule requires the day a breach is discovered.
One framing point before we start. Every reference here is to the ABA Model Rules, which no jurisdiction adopts verbatim. Your governing authority is your state's rules of professional conduct and your state bar's ethics opinions. The Model Rules are the template the states work from, and on the confidentiality-and-technology question the states have been unusually consistent. Treat this as the map, and confirm the territory with your own jurisdiction.
Section One
What Rule 1.6(c) Actually Requires
For most of the modern history of the profession, Rule 1.6 was a rule about what a lawyer must not say. It prohibited the voluntary disclosure of information relating to a representation. The duty was about the lawyer's own conduct: do not gossip about the matter, do not reveal a client confidence to gain advantage, do not discuss the case in an elevator. The rule assumed that the threat to confidentiality was the lawyer's own mouth.
In August 2012, the ABA House of Delegates adopted a set of amendments developed by the Commission on Ethics 20/20. The Commission had spent three years studying how technology and a globalized practice had changed the profession. One of its conclusions was that the confidentiality rule no longer matched the threat model. The biggest risk to a client confidence in a modern practice is not the lawyer talking. It is an intruder reading the firm's file server, a paralegal forwarding a document to the wrong address, a stolen laptop, or a vendor with a misconfigured cloud bucket. The 2012 amendments added a new subsection to address exactly that:
Model Rule 1.6(c)
"A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
Three words in that sentence carry the entire weight of the obligation, and each one deserves a moment.
"Reasonable efforts." The rule does not require a perfect defense, and it does not make the lawyer a guarantor of the data. It requires the level of care a competent practitioner would apply. This is the same standard that governs every other professional judgment a lawyer makes. A breach, on its own, is not proof of a violation. A breach that follows a failure to take precautions a reasonable lawyer would have taken is a different matter. The question a bar disciplinary body asks is not "were you breached," it is "what had you done before the breach, and was it reasonable."
"Unauthorized access." The amendment deliberately reaches access, not just disclosure. An intruder who copies a folder of client files has not been told anything by the lawyer, and under the pre-2012 rule it was possible to argue the lawyer had not "disclosed" anything. The amendment closes that gap. If a third party obtains client information because the firm did not guard it, the lawyer's duty is implicated regardless of whether the lawyer ever spoke.
"Inadvertent." The duty covers accidents, not just attacks. The misdirected email, the document left in a shared printer tray, the cloud link set to "anyone with the link," the laptop on the back seat of a car. The most common confidentiality failure in a law firm is not a sophisticated intrusion. It is a tired associate at 9 p.m. autocompleting the wrong name in the To field. Rule 1.6(c) reaches that, and the comments make clear it expects firms to design against it.
The same 2012 package amended Comment [8] to Rule 1.1, the competence rule. The amended comment states that to maintain competence a lawyer "should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." This is the much-quoted duty of technology competence. It has been adopted in substance by the large majority of states. Read together, the two amendments say something simple and demanding: understanding the technology your practice runs on is now part of being a competent lawyer, and protecting the client information that technology holds is now part of the duty of confidentiality.
None of this is exotic. It is the profession applying a familiar idea, the standard of reasonable care, to a part of practice that did not exist when the rules were first written. The discomfort many attorneys feel is not about the legal concept. It is about the subject matter. The next section removes most of that discomfort by showing that the rule already tells you how to think about it.
Section Two
The Reasonable-Efforts Test: Comment [18]'s Five Factors
If "reasonable efforts" were left undefined, the rule would be unworkable. It is not left undefined. Comment [18] to Rule 1.6 supplies a five-factor test. It is the single most useful paragraph in the entire confidentiality rule for a practicing lawyer trying to decide how much security a given matter requires, and most attorneys have never read it. The comment tells you that whether a lawyer's efforts are reasonable is determined by weighing these factors:
- The sensitivity of the information. A routine scheduling email and a sealed settlement term sheet are not the same data. The duty scales with what is at stake if the information escapes. Trade secrets, merger terms, criminal exposure, custody allegations, immigration status, and health information all sit at the high-sensitivity end.
- The likelihood of disclosure if additional safeguards are not employed. How exposed is the information without the extra control? A document sitting only on an encrypted internal server is in a different posture from the same document attached to plain email crossing several mail servers.
- The cost of employing additional safeguards. The rule openly acknowledges that security costs money and that cost is a legitimate factor. It does not say cost is an excuse. It says cost is one weight on the scale. An inexpensive, high-impact control is hard to justify skipping.
- The difficulty of implementing the safeguards. A control that a small firm genuinely cannot operate is weighed differently from one that is a single setting in software the firm already owns. As tools get easier, this factor protects firms less and less.
- The extent to which the safeguards adversely affect the lawyer's ability to represent the client. Security that makes a device or system so cumbersome that the representation suffers is itself a problem. A control that blocks the lawyer from doing the work is not a reasonable control.
Read those five together and a structure appears. The first two factors push the duty up: more sensitive information and more exposure mean more is required. The last three pull it down: real cost, real difficulty, and real interference with the representation can justify a lighter touch. "Reasonable efforts" is the point where those forces balance for the matter in front of you.
Two practical consequences follow from reading the test honestly. First, the duty is matter-specific, not firm-specific. The same firm can correctly conclude that a routine letter goes by plain email and that a sealed settlement term sheet does not. Opinion 477R, discussed next, says this directly. Second, the cost and difficulty factors protect firms less every year. When a control was expensive and hard to run, the third and fourth factors carried real weight. When the same control is a free setting inside software the firm already pays for, those factors collapse, and skipping the control becomes very hard to defend. Multi-factor authentication is the clearest example. A decade ago a firm could argue it was burdensome. Today it is a checkbox, and a bar reviewer knows it.
Section Three
The Four Ethics Opinions That Define the Standard
Rule 1.6(c) is one sentence. The ABA Standing Committee on Ethics and Professional Responsibility has spent the years since the amendment turning that sentence into a usable standard through a series of Formal Opinions. Four of them, read together, are the working manual. A firm that has read all four and acted on them is in a fundamentally different position from a firm that has read none, regardless of how much each firm spends on software.
The technology-competence comment. Comment [8] to Rule 1.1 is where the obligation begins. It does not require a lawyer to become a technologist. It requires the lawyer to understand enough about the benefits and risks of the technology the practice depends on to make informed decisions, or to get help from someone who does. A partner who cannot say where the firm's client files are stored, who can reach them, or what happens if a laptop is lost has a competence gap, not just a security gap.
Formal Opinion 477R (2017), Securing Communication of Protected Client Information. This is the opinion that answers the encrypted-email question. Its conclusion is nuanced and worth stating precisely. A lawyer may, as a general matter, use unencrypted email for routine communications with a client. But the lawyer must assess, matter by matter, whether the sensitivity of the information and the circumstances of the transmission call for heightened security such as encryption. The opinion is the application of the Comment [18] factors to the specific act of sending a message. It also makes the obvious point that the analysis can change inside a single representation: an early scheduling email and a later transmission of sensitive discovery are not the same decision.
Formal Opinion 483 (2018), Lawyers' Obligations After an Electronic Data Breach or Cyberattack. This is the opinion most firms have never read, and it is the one most likely to surface in a disciplinary context, because it governs the moment when something has already gone wrong. Opinion 483 reads Rule 1.6 together with Rules 1.1, 1.4, 5.1, 5.3 and 1.15 and draws out a set of affirmative duties. A lawyer must act competently to monitor for a breach. When a breach is detected, the lawyer must act reasonably and promptly to stop it and to restore the affected systems. And the lawyer must notify current clients whose confidential information was or may have been compromised, with enough detail for the client to make informed decisions. Section Six walks through this in operational order.
Formal Opinion 498 (2021), Virtual Practice. Issued after the profession moved a large share of its work out of the office, this opinion applies the same duty to the home office, the personal laptop, the residential wireless network, the videoconference, and the always-listening smart speaker on the kitchen counter. Its message is that the duty travels with the work. A firm cannot meet Rule 1.6 inside the office and ignore it on the dining table where an associate now drafts pleadings three days a week.
Notice the supporting cast in Opinion 483: Rules 5.1 and 5.3. Rule 5.1 makes partners and supervising lawyers responsible for the conduct of other lawyers in the firm. Rule 5.3 extends that responsibility to nonlawyer assistants, and the ABA has made clear that "nonlawyer assistance" includes outside vendors such as cloud storage and practice-management providers. The duty cannot be delegated away by signing a contract with an IT company. A firm may, and usually should, hire that help. The firm remains responsible for choosing a competent vendor, understanding what the vendor does, and confirming that the arrangement protects client information. That is the through-line of all four authorities, and the next section turns it into a concrete control set.
Section Four
Reasonable Efforts as a Concrete Control Set
The rule does not name controls, and that is deliberate. Controls change; the standard of care does not. But "apply professional judgment" is cold comfort to a managing partner who wants to know what to actually do on Monday. The table below is the control set we would expect a competent firm to have in place, mapped to the rule it satisfies and the Comment [18] factor that makes skipping it hard to justify. None of these is exotic. Most are settings inside software the firm already pays for.
| Control | What it does for confidentiality | Why it is hard to skip |
|---|---|---|
| Multi-factor authentication on email and the document system | Stops a stolen or phished password from becoming full access to every client matter | Free in software you own. Cost and difficulty factors no longer protect you. |
| Full-disk encryption on every laptop, phone and tablet | A lost or stolen device becomes a hardware loss, not a confidentiality breach | Built into current operating systems. High likelihood of loss; low cost. |
| Encrypted or secure-portal delivery for sensitive transmissions | Implements Opinion 477R for high-sensitivity matters and large document sets | Directly named in an ABA opinion as the matter-specific safeguard. |
| Tested, off-network backups of all matter data | Lets the firm restore after ransomware without paying or losing client files | Opinion 483 expects the ability to restore systems after a breach. |
| Endpoint detection and response on every machine | Detects and contains an intrusion early, supporting the duty to monitor | Opinion 483's monitoring duty is hard to meet with legacy antivirus alone. |
| Email security with impersonation and link protection | Reduces the phishing and wire-fraud attacks that target law firms and trust accounts | Phishing is the modal entry point; Rule 1.15 covers client funds. |
| Access limits so staff see only the matters they work on | Contains the damage of any single compromised account or insider error | Supports the 5.1 and 5.3 supervision duties and conflict walls. |
| Vendor diligence and a data protection clause in vendor contracts | Confirms the cloud and practice-management providers meet the firm's duty | Rule 5.3 makes the firm responsible for vendor conduct. |
| A written information security policy and incident response plan | Turns ad hoc habits into a repeatable program and a reviewable record | A written program is the evidence a bar reviewer asks to see. |
| Annual staff training and phishing practice | Addresses the inadvertent-disclosure half of Rule 1.6(c) directly | Comment [8]'s competence duty reaches everyone the firm supervises. |
The point of the table is not the list. It is the third column.
Every control above was once expensive, hard, or both, which meant the cost and difficulty factors of Comment [18] genuinely protected a firm that went without it. That protection has eroded. Most of these controls are now included in the email and document subscriptions a firm already buys, or cost a few dollars per person per month. When a control is cheap and easy, factors three and four stop carrying weight, and the reasonable-efforts balance tips firmly toward "you should have done this." That shift, more than any single rule change, is why a firm that was defensible five years ago may not be defensible today without having done anything wrong. The standard of care moved.
A firm does not need to deploy all ten controls in a week, and it does not need the most expensive product in any category. It needs to be able to show, in writing, that it considered each one, decided what to do, and did it. A reasonable-efforts review is satisfied by a thoughtful, documented, implemented program. It is not satisfied by the most costly tools bought in a panic and left unconfigured.
Section Five
When the Duty Escalates: A Decision Tree
The baseline control set in Section Four is the floor. For some matters and some clients, the reasonable-efforts test points higher. Two questions decide whether a given matter calls for more than the baseline: how sensitive is the information, and has anything outside the rules raised the bar. The second question matters because client contracts and outside regulation frequently impose security obligations that are stricter than the ethics rules, and once a firm has agreed to them, they become part of the standard the firm is held to.
The external-obligation branch is the one firms underestimate. A growing share of corporate clients now send their outside counsel a set of outside counsel guidelines or a security addendum that specifies encryption, breach-notice timelines, access controls, and sometimes the right to audit the firm. When a firm signs that document, it has agreed to a standard, and a failure to meet it is both a contract breach and, very often, evidence in any later ethics analysis that the firm knew the matter called for more. Regulated client data behaves the same way. A firm holding protected health information for a healthcare client may be a business associate under HIPAA. A firm handling the personal data of European residents may sit within the reach of the GDPR. A firm advising on government contracts may inherit federal information-handling requirements. None of these replaces Rule 1.6. They stack on top of it, and the firm owes the strictest applicable standard.
The discipline that ties this section together is documentation. When a matter calls for heightened handling, a short note in the matter file recording the decision and its reason is worth far more than its two minutes of effort. It converts a judgment call into a defensible, contemporaneous record. If a question ever arises, the difference between "we thought about this and here is what we decided" and "we never considered it" is the difference between a closed inquiry and an open one.
Section Six
After a Breach: What Rule 1.6, Rule 1.4 and Opinion 483 Require
Rule 1.6(c) is about prevention. The moment prevention fails, a second body of duty takes over, and it is the part of the standard a firm is most likely to handle badly under pressure. Formal Opinion 483 is the operating manual for that moment. Its duties run in a sequence, and the sequence matters, because a firm that improvises will usually skip the step that later turns out to be the one the bar cared about. The timeline below is that sequence.
Monitor. Opinion 483 treats the ability to detect a breach as part of the ongoing duty, not as something a firm thinks about afterward. A firm that has no way to know whether it has been breached cannot meet the later steps, because it never starts the clock. This is the ethics-rule basis for endpoint detection and for keeping and reviewing logs.
Stop and contain. Once a breach is detected, the firm must act reasonably and promptly to halt it. In practice this means isolating affected machines, disabling compromised accounts, and resisting the strong temptation to wipe and rebuild before anyone has recorded what happened. Containment and evidence preservation are not in tension if the firm has decided in advance how to do both.
Investigate and restore. The firm must make a reasonable effort to determine what information was affected and which clients are implicated, and then restore operations from trusted backups. This is where the backup control from Section Four stops being a line item and becomes the thing that decides whether the firm recovers in days or negotiates with criminals. A firm that cannot restore has a confidentiality problem and an availability problem at the same time.
Notify affected current clients. This is the step that firms most want to skip and least can. Opinion 483 concludes that when a breach involves, or is substantially likely to involve, the confidential information of a current client, the lawyer has a duty under Rule 1.4 to inform that client. The notice must carry enough information for the client to make an informed decision about the representation and about protecting its own interests. The opinion is more cautious about a firm's duty to former clients, leaving more of that to other law, but it is clear about current clients in active matters.
The ethics duty is not the only clock running
All fifty states have data-breach notification statutes with their own definitions and deadlines. A client contract may set a shorter notice window than any statute. A regulatory regime such as HIPAA or the GDPR adds another. Opinion 483 addresses the professional-responsibility layer only. A firm responding to a real breach is managing several legal obligations at once, on different timelines, and the worst moment to discover that is mid-incident. This is the single strongest argument for writing the incident response plan now, while nobody is panicking, and rehearsing it once a year.
There is one more reason to plan the breach response before it is needed. A firm that handles a breach competently, contains it quickly, restores from backups, and notifies clients candidly will usually keep those clients and close any bar inquiry without a finding. A firm that hides the breach, delays notice, or cannot say what happened converts a security incident into an ethics case. The breach is rarely the thing that ends a firm. The cover-up, the silence, or the visible absence of any plan is.
Section Seven
Five Mistakes, and the 90-Day Path to a Defensible Position
Across the law firm engagements we have run, the same five misconceptions show up again and again. Each one feels reasonable from inside the firm and looks indefensible from the outside.
1. "Cybersecurity is the IT vendor's job."
Rules 5.1 and 5.3 say otherwise. A firm may hire help, and usually should, but the duty stays with the lawyers. Hiring a vendor without understanding what the vendor does, or what it does not do, leaves the obligation unmet and the firm unaware of it.
2. "We are too small to be a target."
Attackers do not select law firms by prestige. They select by access and by weak controls. A small firm holds settlement funds, merger terms, and personal data, and frequently runs lighter defenses than the corporations it advises. Size is not cover. It is often the reason a firm is chosen.
3. "We bought the tools, so we are covered."
A reasonable-efforts review looks at what is configured, operated, and documented, not at what is licensed. An unconfigured security product is a receipt, not a control. The firm with three well-run basics outscores the firm with ten tools nobody turned on.
4. "There is nothing in writing, but we know what we do."
An undocumented program cannot be reviewed, supervised, or proven. When a client, an insurer, or a bar reviewer asks what the firm does, an honest "we have habits but no policy" reads as no program at all. The written record is the asset.
5. "We will deal with a breach if one happens."
Opinion 483 makes monitoring and a response capability part of the standing duty, not an afterthought. A plan written calmly in advance and rehearsed once a year is the difference between a contained incident and an ethics case. Improvisation during an active breach is the most expensive way to learn the sequence.
The correction for all five is the same: a deliberate, written, implemented program built in a sensible order. For a small-to-midsize firm starting from a low baseline, ninety days is enough.
The total cost of this path for a firm of ten to forty attorneys is modest, often a small fraction of a single malpractice deductible, and a large part of it is configuration of software the firm already owns rather than new spending. What the ninety days produces is two things at once: a genuine reduction in the risk of the incident that would actually hurt the firm, and the contemporaneous written record that converts a future bar inquiry, malpractice question, or client security review from an open-ended investigation into a short, closed file. That second asset is the one firms forget to value until the day they need it.
Frequently Asked Questions
Is a data breach automatically a violation of Rule 1.6?
No. Rule 1.6(c) requires reasonable efforts, not a guaranteed result. A firm that took the precautions a competent lawyer would have taken and was still breached has not violated the rule by being breached. The violation arises from failing to make reasonable efforts beforehand, or from mishandling the response afterward under Formal Opinion 483. A bar reviewer asks what the firm had done before the incident and how it responded, not simply whether an incident occurred.
Does Rule 1.6 require me to encrypt all client email?
Not categorically. ABA Formal Opinion 477R concluded that a lawyer may generally use unencrypted email for routine client communication, but must assess each matter and use heightened security such as encryption when the sensitivity of the information and the circumstances of transmission call for it. The decision is matter-specific. A routine scheduling note and a sealed settlement term sheet are not the same call, and the same firm can correctly answer the question differently for each.
If I outsource IT to a managed provider, have I met the duty?
Hiring competent help is sensible and often necessary, but it does not transfer the obligation. Rule 5.3 makes the firm responsible for the conduct of nonlawyer assistance, which the ABA has confirmed includes outside vendors such as cloud and practice-management providers. The firm must still exercise diligence in choosing the vendor, understand what the vendor does and does not cover, and confirm that client information is protected. The duty is delegated in execution, never in responsibility.
Does Rule 1.6 require me to tell a client about a breach?
Formal Opinion 483 concludes that when a breach involves, or is substantially likely to involve, the confidential information of a current client, the lawyer has a duty under Rule 1.4 to notify that client with enough detail to make informed decisions. The opinion is more cautious about former clients, leaving more of that question to other law. Separately, all fifty states have data-breach notification statutes, and client contracts and regulations such as HIPAA or the GDPR can impose their own notice obligations with their own deadlines. The ethics duty is one of several clocks, not the only one.
We are a four-lawyer firm. Does the duty really apply to us?
Yes. Rule 1.6 makes no exception for firm size, and Comment [18]'s factors turn on the sensitivity of the information and the cost and difficulty of safeguards, not on headcount. The cost and difficulty factors do give a very small firm room on the most demanding controls, but they give no cover at all on the inexpensive, high-impact basics: multi-factor authentication, device encryption, tested backups, and a written plan. Those are well within reach of a four-lawyer firm, and skipping them is hard to defend precisely because they are cheap and easy.
Are these obligations the same in every state?
The ABA Model Rules are a template; each jurisdiction adopts its own rules of professional conduct and issues its own ethics opinions. On the confidentiality-and-technology question the states have been notably consistent: the substance of Rule 1.6(c) is widely adopted, and the duty of technology competence from Comment [8] to Rule 1.1 has been adopted by a large majority of states. Some state bars have issued their own opinions that go further than the ABA on specific points. Treat the Model Rules as the map and confirm the details against your own jurisdiction's rules and opinions.
A reasonable-efforts review for your firm
Turn Rule 1.6 from an open question into a closed file.
We run fixed-fee security reviews for law firms against the exact standard in this article: the Comment [18] factors, the four ABA opinions, and the control set a bar reviewer or a malpractice carrier expects to see. You get a written assessment, a prioritized 90-day plan, and the documented record that proves reasonable efforts. If your firm is already in good shape, we will tell you that on the call.
Alexander Sverdlov
Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.