Legal Ethics

ABA Ethics & Technology Competence

The Model Rules don't just govern how you argue in court — they govern how you store a client's PDF, how you send an email, and what happens when your file server is breached.

The Short Version

In 2012, the American Bar Association updated Model Rule 1.1 Comment 8 to explicitly require attorneys to maintain competence in "the benefits and risks associated with relevant technology." A majority of US jurisdictions, including Florida, have since adopted some form of this duty of technology competence. Specifics vary by state — check your own bar's current rules.

It means that not knowing how your IT works is no longer a defense. If your firm gets breached, loses client data, or sends privileged information over an insecure channel, the ethics violation falls on you — not your IT vendor.

Who This Applies To

Attorneys practicing in US jurisdictions that have adopted the duty of technology competence — which, as of this writing, is the majority:

  • Solo practitioners — the rule applies regardless of firm size
  • Small and boutique firms
  • Large firms with IT departments (partners still bear personal responsibility)
  • Of counsel, contract attorneys, and retired attorneys handling any client work
  • Paralegals and legal staff — supervised under Rule 5.3, meaning their conduct reflects on you

What the Rules and Opinions Require

The ABA has issued formal opinions clarifying the technology duties under the Model Rules:

  • Model Rule 1.1 (Competence): Keep current with relevant technology and its risks
  • Model Rule 1.6 (Confidentiality): Make reasonable efforts to prevent unauthorized disclosure of client information
  • Formal Opinion 477R (2017): Unencrypted email may no longer meet the "reasonable efforts" standard, particularly for highly sensitive matters
  • Formal Opinion 483 (2018): Addresses an attorney's obligations to notify current clients when a data breach is material to their representation — framing breach notification as an ethics issue, not just a statutory one
  • Formal Opinion 498 (2021): Remote work and cloud services require specific due diligence

Translated into IT terms, your firm needs:

  • Encryption: Email encryption for sensitive matters, full-disk encryption on every laptop
  • Access control: Matter-based access — staff only see files relevant to their work
  • Secure file sharing: Not Dropbox personal, not Gmail. Law-firm-grade secure transfer
  • Vendor vetting: Cloud providers reviewed for security posture, contracts reviewed for confidentiality
  • Incident response plan: Written, tested, and ready before a breach happens
  • Document retention: Defensible deletion and preservation policies
  • Training: Staff who understand phishing, proper use of shared drives, and what not to send by email

What Happens When You Don't Comply?

Ethics violations in the technology space carry consequences your malpractice policy may not cover:

  • Bar complaints: State bar disciplinary proceedings, publicly reported
  • Sanctions: Private or public reprimand, suspension, or disbarment for serious violations
  • Malpractice liability: Separate from bar discipline — clients can sue for damages
  • Fee disgorgement: In some cases, courts have ordered return of fees earned on matters where confidentiality was materially compromised
  • Client loss: One public breach ends corporate client relationships permanently
  • Notification costs: State breach notification laws overlap — multi-state notification is expensive

How Digital Armor Helps

We treat law firms as what they are: regulated professionals with ethics obligations that reach into the server room. Our approach:

  • Encrypted email and secure client file exchange
  • Matter-based access controls on document management systems
  • Full-disk encryption on every firm laptop
  • Multi-factor authentication on email, practice management, and remote access
  • Phishing-resistant training tailored to legal staff
  • Vendor due diligence documentation — so you can answer client security questionnaires
  • Incident response plan written specifically for bar notification requirements
  • Audit logs that support defensible deletion and preservation

Could Your Firm Survive a Bar Complaint About Technology?

Not the ones about billing or conflicts — the ones about data handling, email, and breach response. The assessment takes a look at exactly the areas the bar is increasingly focused on.

Book Your Assessment