TL;DR

ABA Model Rule 1.6 requires law firms to take reasonable measures to protect client information — the ABA has explicitly stated this includes cybersecurity. State bars in NY, CA, and FL have issued specific ethics opinions with additional obligations. Law firms are premium attack targets because they hold client privilege, trust account funds, and pre-deal M&A intelligence. An external attack surface assessment is the first step in demonstrating the "reasonable measures" the rules require.

  • 29% of law firms reported a security breach in the 2023 ABA Legal Technology Survey
  • $42M ransom demand in the 2020 Grubman attack
  • 25+ states have issued technology-related ethics opinions for attorneys

The ABA's Explicit Cybersecurity Standard

The obligation is not buried in fine print. ABA Model Rule 1.1 requires competence — defined as the legal knowledge, skill, thoroughness, and preparation reasonably necessary for representation. The ABA has explicitly stated this includes keeping abreast of the benefits and risks of relevant technology. ABA Model Rule 1.6 requires lawyers to make reasonable efforts to prevent the unauthorized disclosure of, or unauthorized access to, information relating to client representation.

Together, these two rules create a cybersecurity duty that is unambiguous: a lawyer who cannot explain how client data is protected is not in compliance with the Rules of Professional Conduct.

ABA Formal Opinion 477R (issued 2012, revised 2017) makes this concrete. It specifically addresses the duty to use reasonable measures to secure electronic communications. "Reasonable" is fact-specific — it depends on the sensitivity of the information, the likelihood of disclosure if reasonable precautions are not taken, the cost of alternative safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients.

The standard is flexible, but it requires demonstrable action. "We have not been breached yet" is not a defense. "We took no steps to assess our exposure" is an admission of unreasonableness. The consequences of an ethics violation are severe: formal reprimand, censure, suspension, or disbarment. Cybersecurity failures are now disciplinary matters, not just reputational ones.

State Bar Requirements: NY, CA, and FL

The ABA model rules are a floor. Several states have issued ethics opinions that go further, adding jurisdiction-specific obligations that practitioners in those states must meet in addition to the baseline ABA standard.

New York — NYSBA Opinion 1019 (2014) addresses cloud computing specifically, establishing that attorneys may use cloud storage for client files if they take reasonable steps to ensure the provider maintains adequate security. The opinion requires attorneys to investigate vendor security practices, confirm data ownership and portability, understand data location and jurisdiction, and have a plan for data retrieval if the vendor relationship ends. Supervision of the vendor is the attorney's responsibility — not the vendor's.

California — Cal. Bar Formal Opinion 2010-179 addressed metadata scrubbing and the broader duty of competence around electronic documents. California's Rules of Professional Conduct Rule 1.6 (confidentiality) and Rule 1.1 (competence) operate together in the same way as the ABA model. California's State Bar has also issued guidance on AI tools and their use with client data — an area that is evolving rapidly.

Florida — Florida Bar Opinion 14-1 directly addresses cloud storage requirements, concluding that attorneys may use cloud technology but must take reasonable steps to ensure client confidentiality is maintained. The opinion requires due diligence on vendor security, service agreements that ensure confidentiality, and ongoing monitoring of the cloud provider's practices.

State | Key Opinion | Primary Focus | Vendor Supervision Required
New York | NYSBA Opinion 1019 (2014) | Cloud storage security, vendor due diligence | Yes — ongoing duty
California | Formal Opinion 2010-179 | Electronic documents, metadata, competence duty | Yes — reasonable steps
Florida | Bar Opinion 14-1 | Cloud storage, confidentiality requirements | Yes — ongoing monitoring

Many other states model their opinions after the ABA guidance, but some — including Texas, Pennsylvania, and Illinois — have issued additional guidance on specific technologies. Attorneys practicing in multiple jurisdictions must satisfy the most demanding standard that applies.

Why Law Firms Are Premium Attack Targets

Law firms hold three categories of data that make them extraordinarily valuable to attackers — data that would be difficult or impossible to obtain by targeting the clients directly.

Privileged client communications. Trade secrets. Litigation strategy. Settlement negotiations. Regulatory exposure that hasn't been disclosed. When an attacker compromises a law firm, they get the most sensitive internal communications their clients have ever produced — communications that were specifically designed to be candid because they were protected by privilege.

Trust account funds. Law firms hold client funds in IOLTA trust accounts. They process wire transfers for real estate closings, settlement payments, and deal closings — often for tens of millions of dollars. Business email compromise attacks targeting law firm wire transfer instructions have resulted in some of the largest single-incident fraud losses in the profession's history.

M&A and deal intelligence. A firm advising on a pending acquisition holds: the offer price, the due diligence findings, the regulatory strategy, the timeline to announcement, and the post-close integration plan. Pre-announcement M&A intelligence is among the most valuable non-public information in existence. Insider trading based on information stolen from a law firm is not a theoretical risk — it has happened.

The core asymmetry that makes law firms attractive targets: a firm advising a Fortune 500 company may have equivalent access to that company's most sensitive information, but with a fraction of the security budget. Attackers understand this math. Breaching outside counsel is often easier than breaching the company itself — and yields the same intelligence.

Real Examples of Law Firm Breaches

Law firm breaches are systematically underreported. Privilege concerns, reputational risk, and the absence of mandatory disclosure requirements in many jurisdictions mean that most incidents never surface publicly. But the documented cases are instructive.

Law firm breach timeline — documented cases

2016: Mossack Fonseca
  • 11.5 million documents leaked (Panama Papers)
  • Exploited: outdated WordPress plugin, unpatched mail server
  • Impact: firm dissolution, criminal referrals in 21+ countries

2020: Grubman Shire Meiselas & Sacks
  • REvil ransomware — celebrity client data exfiltrated
  • Initial ransom demand: $21M, escalated to $42M
  • Clients included: Lady Gaga, Madonna, Bruce Springsteen

2021: Campbell Conroy & O'Neil
  • Ransomware — data breach notification issued
  • Clients included: dozens of Fortune 500 companies
  • Impact: SSNs, financial data, health info of firm personnel exposed

Pattern: AmLaw 200 security vs. Fortune 500 client data
  • Law firms trusted with enterprise-grade sensitive data
  • Operating with SMB-level security infrastructure

The FBI's 2023 Internet Crime Report explicitly identified law firms as one of the top targeted professional services sectors. The pattern across documented breaches is consistent: firms with elite client rosters and trusted access to sensitive data, operating with security practices that do not match the value of the data they hold.

What "Reasonable Measures" Looks Like in Practice

The ABA's "reasonable measures" standard requires demonstrable action proportionate to the sensitivity of the data and the likelihood of harm. For a law firm in 2026, the following are not optional baseline measures — they are the minimum floor of defensible practice.

law firm security baseline — 2026 minimum standard
[REQUIRED] Multi-factor authentication on all email accounts
[REQUIRED] MFA on all remote access (VPN, RDP, Citrix, case management)
[REQUIRED] Encrypted email for sensitive client communications
[REQUIRED] Annual external attack surface assessment
[REQUIRED] Written incident response plan
[REQUIRED] Vendor agreements with security and confidentiality requirements
 
[STRONGLY RECOMMENDED] Endpoint detection and response (EDR)
[STRONGLY RECOMMENDED] Email security gateway (anti-phishing, BEC detection)
[STRONGLY RECOMMENDED] Privileged access management for admin accounts
[STRONGLY RECOMMENDED] Offsite encrypted backups with tested recovery
[STRONGLY RECOMMENDED] Annual security awareness training for all staff
 
[DOCUMENTATION] Record all security measures taken
[DOCUMENTATION] Maintain assessment reports for bar compliance demonstration

Multi-factor authentication is not negotiable. The overwhelming majority of law firm account compromises — including BEC attacks targeting wire transfers — begin with compromised email credentials. MFA stops the attacks that rely on a stolen password alone. Any firm without MFA on all email and remote access is operating below the "reasonable measures" threshold in 2026.

Vendor agreements deserve special attention. NY Opinion 1019 and FL Opinion 14-1 both make clear that using a cloud vendor does not transfer the attorney's duty of confidentiality — it extends it. The attorney must investigate the vendor's security practices before engaging them, and maintain ongoing supervision. This includes case management software, cloud storage, e-discovery platforms, and any AI tools used with client data.

Incident response planning is the measure most frequently absent. An incident response plan defines who is notified when (general counsel, managing partner, malpractice insurer, potentially affected clients), who leads the investigation, and what forensics resources are retained. A plan that exists before an incident reduces both the legal exposure and the actual damage from a breach.

How Zero Delta Security Helps Law Firms

The ABA's "reasonable measures" standard requires knowing what's exposed before you can protect it. An external attack surface assessment starts there: mapping everything visible to an attacker from the internet, before an attacker finds it.

For law firms specifically, our assessment identifies:

  • All internet-facing subdomains and web properties, including forgotten portals and client-facing applications
  • Remote access entry points — VPN login pages, RDP exposures, Citrix gateways, practice management system portals
  • Email security configuration (SPF, DKIM, DMARC) and susceptibility to spoofing and BEC attacks
  • SSL/TLS certificate configurations, expired certificates, and weak cipher suites
  • Exposed credentials and firm data in publicly known breach databases
  • Security header configurations on all web-facing properties
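The email-configuration item above is the one an assessment can largely judge from public DNS alone. The following Python example is added here for illustration and is not Zero Delta's tooling: it parses SPF and DMARC TXT records and rates how exposed a domain is to sender spoofing. The domain names and records are constructed samples; real use would fetch the TXT records from DNS.

```python
import re

SAMPLE_RECORDS = {  # constructed TXT records for hypothetical firm domains; no DNS lookups
    "weak-firm.example": ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none"),
    "strong-firm.example": ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; pct=100"),
}

def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?') or None."""
    if not txt or not txt.startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None  # no 'all' mechanism: implicit neutral result

def parse_dmarc(txt):
    """Return DMARC tags as a dict, or None if the text is not a DMARC record."""
    if not txt or not txt.startswith("v=DMARC1"):
        return None
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}

def assess_spoofing_exposure(spf_txt, dmarc_txt):
    """Rate how easily mail from the domain can be spoofed: returns (rating, findings)."""
    findings = []
    spf_all = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p") if dmarc else None
    pct = int(dmarc.get("pct", "100")) if dmarc else 0
    if spf_all is None:
        findings.append("SPF missing or without an 'all' mechanism")
    elif spf_all == "+":
        findings.append("SPF '+all' lets any host pass SPF, which also defeats DMARC's SPF alignment")
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to enforce")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"DMARC pct={pct} applies the policy to only part of the mail")
    # Any condition that lets a spoofed message through unchallenged is high risk.
    if dmarc is None or policy == "none" or spf_all == "+":
        rating = "high"
    elif policy == "quarantine" or pct < 100 or spf_all is None:
        rating = "medium"
    else:
        rating = "low"
    return rating, findings
```

A "high" result for a firm's own domain is exactly the finding a client questionnaire or insurer will ask about, and the fix (an enforcing DMARC policy with a restrictive SPF record) is inexpensive relative to a single BEC wire loss.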

The assessment report is designed to be useful in three specific contexts that law firms face: client security questionnaires (increasingly common from enterprise clients vetting outside counsel), malpractice insurance applications (carriers now ask specific security questions and base premiums on the answers), and bar compliance documentation (demonstrating to disciplinary authorities that reasonable measures were taken).

You cannot demonstrate reasonableness if you don't know what's exposed. The scan takes 60 seconds to initiate. The report gives you the documented evidence that you've looked.

See Your Firm's Exposure in Minutes

A free external scan takes 60 seconds and shows every internet-facing asset we can see from outside your perimeter. That's what an attacker sees before they target your clients.

Frequently Asked Questions

Does ABA Model Rule 1.6 require cybersecurity for law firms?

Yes. ABA Model Rule 1.6 requires lawyers to make reasonable efforts to prevent the unauthorized disclosure of client information. The ABA's 2012 formal opinion (Opinion 477R, updated 2017) specifically addresses cybersecurity, stating that lawyers must take competent and reasonable measures to safeguard client information stored or transmitted electronically. "Competent" under Model Rule 1.1 includes the legal knowledge, skill, thoroughness and preparation reasonably necessary — which the ABA has interpreted to include keeping abreast of relevant technology, including associated benefits and risks. Cybersecurity incompetence is an ethics violation.

What state bar cybersecurity requirements apply to law firms?

Several states have issued specific ethics opinions beyond the ABA model rules. New York State Bar Association Opinion 1019 (2014) addresses cloud computing security requirements. California Bar Formal Opinion 2010-179 addresses metadata and security. Florida Bar Opinion 14-1 addresses cloud storage requirements. Beyond ethics opinions, state bar disciplinary authorities have cited inadequate cybersecurity in attorney discipline proceedings. Lawyers in heavily regulated states should review their state bar's technology ethics opinions in addition to the ABA guidance.

Why are law firms high-value targets for cyberattacks?

Law firms hold three categories of extraordinarily valuable data: (1) Privileged client communications — trade secrets, litigation strategy, settlement negotiations. (2) Trust account information — escrow funds, settlement payments, wire transfer details for real estate closings. (3) M&A and deal intelligence — pre-announcement transaction details, due diligence materials, regulatory filings. Attackers targeting a company often find it easier to breach the company's outside counsel, who may have weaker security but equivalent access to the same sensitive data. Law firms are an intelligence shortcut — you get the client's secrets without attacking the client's perimeter.

What real breaches have hit law firms?

Law firm breaches are underreported (privilege concerns discourage disclosure), but documented cases include: the 2016 Mossack Fonseca breach (Panama Papers, 11.5 million documents leaked), the 2020 Grubman Shire Meiselas & Sacks ransomware attack (celebrity client data held for $42 million ransom), the 2021 Campbell Conroy & O'Neil breach (data for dozens of Fortune 500 clients compromised), and numerous smaller AmLaw 200 firms that experienced ransomware without public disclosure. The FBI's 2023 Internet Crime Report ranked law firms as one of the top targeted professional services sectors.

What does an external attack surface assessment do for a law firm?

An external attack surface assessment maps everything visible to an attacker from the internet: subdomains, web applications, remote access portals (VPNs, RDP, Citrix), email configuration, SSL/TLS misconfigurations, and exposed credentials in breach databases. For law firms, this directly addresses the ABA's "reasonable measures" standard — you can't demonstrate reasonableness if you don't know what's exposed. The assessment report documents your security posture and shows clients, insurers, and (if needed) disciplinary authorities that you've taken proactive steps to protect client information.