ABA Cybersecurity Requirements for Law Firms: What Rules 1.1 and 1.6 Actually Require
Lawyers have an ethical obligation to protect client data. This isn't new — but what it means in practice has changed. The ABA Model Rules now explicitly require technology competence, and 42 states have adopted that requirement.
Here's what the rules actually say, what disciplinary authorities are looking for, and what a small or mid-size firm needs to do.
Rule 1.1 Comment 8: technology competence
Model Rule 1.1 requires competent representation. In 2012, the ABA amended Comment [8], which now states that to maintain the requisite knowledge and skill "a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology."
This doesn't mean every lawyer needs to be an IT expert. It means you need to understand the technology you use well enough to protect client data. If you're storing client files in a cloud platform, you should know whether that platform encrypts data at rest and in transit, who holds the encryption keys, who (at the firm and at the vendor) can access the files, and what the vendor is obligated to tell you if there's a breach.
Rule 1.6(c): reasonable efforts to protect client information
Rule 1.6(c) states: "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
What counts as "reasonable" depends on five factors listed in Comment [18] to Rule 1.6 and applied in ABA Formal Opinion 477R (2017):
- The sensitivity of the information
- The likelihood of disclosure if additional safeguards aren't used
- The cost of additional safeguards
- The difficulty of implementing the safeguards
- The extent to which safeguards adversely affect the lawyer's ability to represent clients
Opinion 477R does not prescribe a fixed checklist, but for most firms a defensible baseline is: encrypted channels for sensitive communications, MFA on all accounts, access controls limiting who can see what, written agreements with cloud providers that address security and breach notification, and annual cybersecurity training for staff.
Rules 5.1 through 5.3: supervision obligations
Partners and supervising lawyers have obligations under Rule 5.1 (responsibilities of partners and supervisory lawyers) and Rule 5.3 (responsibilities regarding nonlawyer assistance); Rule 5.2 makes subordinate lawyers responsible for their own compliance even when acting at a supervisor's direction. These rules extend to cybersecurity: if a paralegal clicks a phishing link because the firm never provided security training, the supervising attorney may bear responsibility.
Firms using outsourced IT, virtual assistants, or contract document reviewers need to ensure those individuals are operating under appropriate security controls.
State adoption and enforcement
42 states have adopted Comment 8. Others have issued ethics opinions reaching the same conclusion. In practice, every U.S. lawyer is subject to some form of technology competence obligation.
Disciplinary actions for cybersecurity failures are still rare, but they're increasing. More commonly, data breaches lead to malpractice claims and client complaints that trigger bar investigations. The question the bar asks: "Did you take reasonable steps?" If you can't point to a written security program, the answer is going to be uncomfortable.
What a small firm should actually do
- Enable MFA on everything — email, cloud storage, practice management. This blocks the large majority of credential attacks. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS codes and push approvals, which attackers bypass with real-time phishing proxies and push-fatigue prompts.
- Encrypt client communications — don't send sensitive documents as ordinary email attachments. Transport encryption between mail providers protects a message in transit but not once it sits in a recipient's mailbox or a forwarded copy; use a secure client portal or an encrypted email service for sensitive material.
- Write it down — create a basic information security policy covering data handling, access controls, and incident response. It doesn't need to be long.
- Train your staff — annual cybersecurity awareness training. Document that it happened.
- Review your vendors — know where client data lives and what security the vendor provides. Get it in writing.
- Have an incident response plan — know who to call and what to do when something goes wrong. ABA Formal Opinion 483 (2018) says lawyers must notify current clients of a material data breach involving their information, and state breach notification statutes add their own deadlines and requirements, which vary by state.
How BlackSheep helps
BlackSheep includes the ABA Cybersecurity Ethics framework alongside 23 other compliance frameworks. Policy templates, vendor tracking, training documentation, and incident response — all in one platform at $249/month.
Get compliant with ABA cybersecurity requirements
Policies, training, vendor oversight, and incident response. $249/mo.