Obsidian Ridge


ABA Cybersecurity Duties for Law Firms: What Model Rule 1.6, Formal Opinion 477R, and Formal Opinion 483 Actually Require

What ABA Model Rule 1.6, Formal Opinion 477R, and Formal Opinion 483 actually require of law firms in 2026 — reasonable efforts, breach response duties, supervisory obligations, and where most firms get it wrong.

Reviewed May 14, 2026 by Kfir Yair, CISSP · CCFH · ZDTA · CySA+ · Security+


Most managing partners we meet have a cyber insurance policy and a one-page IT policy in the firm handbook. Almost none can produce, on demand, the documentation that would show a state bar, a court, or a cyber underwriter that the firm is currently meeting its duties under ABA Model Rule 1.6, Formal Opinion 477R, and Formal Opinion 483.

That is not a moral failure. It is structural. The Model Rules describe duties, not controls. Formal Opinions add interpretive weight but do not hand a firm an operational checklist. The translation into MFA, endpoint detection, vendor agreements, and incident response is left to the firm.

This guide is our attempt at that translation. We walk through what MR 1.6, FO 477R, FO 483, and the supervisory rules actually require, where small and mid-size firms fall short, and what a defensible 90-day path looks like.

A note up front: we operate the technical safeguards side. We are not lawyers and not your ethics counsel. The managing partner remains the ethics decision-maker, and substantive ethics questions go to bar counsel.

Model Rule 1.6(c): the duty to safeguard client information

The single most important sentence for law firm cybersecurity sits in MR 1.6(c):

"A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

Two things matter immediately. The rule is not limited to confidential or privileged information — it covers any information "relating to the representation," a much broader category than most non-lawyers assume. And it requires "reasonable efforts," not perfection. A breach is not, by itself, an ethics violation. A breach in a firm that took no reasonable steps to prevent it almost certainly is.

Comment [18] — the five-factor sliding scale

Comment [18] to MR 1.6 is where the standard becomes operational. It directs lawyers to weigh:

  • the sensitivity of the information
  • the likelihood of disclosure if additional safeguards are not employed
  • the cost of employing additional safeguards
  • the difficulty of implementing the safeguards
  • the extent to which the safeguards adversely affect the lawyer's ability to represent clients

This is a sliding standard. A five-attorney firm handling routine landlord-tenant work and a fifty-attorney firm handling cross-border M&A are held to the same duty but to materially different operational expectations. Both, in 2026, are required to deploy MFA on email; the cost is trivial, the benefit is enormous, and there is no defensible "difficulty" argument left.

The five-factor test is also the test a state bar applies backwards after a breach. The question is not whether you stopped the attack. The question is whether your safeguards, viewed before the attack, were reasonable given the sensitivity of the information and the cost of doing better. Documenting that analysis matters as much as performing it.

Formal Opinion 477R: securing communication of protected client information

FO 477R was issued by the ABA Standing Committee on Ethics and Professional Responsibility in 2017 and revised in May 2022. It is the email and messaging opinion, and the one most often misread.

The opinion confirms that ordinary email remains presumptively acceptable for routine client communication. It does not require lawyers to encrypt every message. What it does require is a fact-specific reasonableness analysis, performed by the lawyer, for each matter and channel. When sensitivity rises, FO 477R directs lawyers to consider "particularly strong protective measures" — encrypted email, secure client portals, secure file transfer, stronger authentication.

What "reasonableness" actually looks like by matter type

Routine collections, real estate, uncontested probate, simple wills. Standard mailbox on Microsoft 365 or Google Workspace, MFA enforced, normal data handling. Ordinary email is presumptively reasonable.

Mid-market M&A, commercial litigation with proprietary financials, patent prosecution, trade-secret matters. Sensitivity is high. We expect encrypted client portals for document exchange, restricted access to the matter folder inside the document management system, MFA across every system, and documented data handling expectations with co-counsel and experts.

Criminal defense, family law involving minors or domestic violence, immigration with protected populations, whistleblower and qui tam. Sensitivity is at the top of the scale. The analysis pushes toward encrypted communications by default, portal exchange rather than email attachments, restricted internal access, and active monitoring of identity threats on the firm's mailboxes. The cost-of-safeguards factor in Comment [18] is hard to argue when the consequence of disclosure is personal harm to the client.

FO 477R does not hand a firm a single answer. It hands the firm a method.

Formal Opinion 483: breach response obligations

FO 483 was issued in 2018 and is the breach-response counterpart to FO 477R. It tells lawyers what their duties look like after an electronic data breach or cyberattack, grounding those duties in MR 1.1 (competence), MR 1.4 (communication), MR 1.6 (confidentiality), MR 5.1 (lawyer supervision), and MR 5.3 (nonlawyer supervision) — and adding an explicit notification duty.

The headline duty: when a breach affects the material confidential information of current clients, the lawyer must notify those clients promptly, with enough detail for them to make informed decisions about the continued representation. The duty extends to former clients only when the lawyer knows the breach affects them.

FO 483 also clarifies that the duty of competence under MR 1.1 includes the competence to identify a breach in the first place. A firm with no monitoring, no detection, no logging, and no incident response capacity will struggle to argue it acted competently — not because the rules require any specific tool, but because the firm cannot meet duties it has no way to discover are triggered.

Breach response — the actual sequence under FO 483

In real engagements, the sequence we run with firm leadership and outside breach counsel looks like this:

  1. Containment. Stop the active breach. Isolate endpoints, revoke compromised credentials, disable affected sessions, preserve forensic evidence.
  2. Scope. Determine which clients, which matters, which data categories, and which time windows are affected. This is where logging and audit controls earn back every dollar.
  3. Client notification under MR 1.4 and FO 483. For current clients whose material confidential information is affected, notify promptly with enough detail that they can make informed decisions — including the decision to engage their own counsel or change firms.
  4. Statutory breach notification. State data breach notification laws apply to law firms. Attorney-client privilege does not waive them. State-law timelines run alongside, and sometimes ahead of, the FO 483 notification.
  5. Documentation and lessons learned. Timeline, decisions, notifications, program changes. This is the artifact that answers the disciplinary inquiry or malpractice complaint.

We run steps 1, 2, and 5 with you and your breach counsel. Steps 3 and 4 belong to the lawyer; we do not write client notices.

Model Rule 1.1 Comment [8]: the technology competence duty

Comment [8] to MR 1.1 was added by the ABA in 2012 and now reads, in part, that competence requires a lawyer to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology."

This is the rule that ended the "I'm not a tech person" defense in law firm ethics. More than 40 state bars have adopted some version of it. A small minority have not formally adopted the comment language, but the underlying duty of competence applies in every jurisdiction, and state bar opinions almost uniformly read technology competence into MR 1.1 even where the comment is not adopted verbatim.

In practical terms: a managing partner who does not know whether MFA is enforced on the firm's mailboxes, whether the document management system has audit logging, or whether the e-discovery vendor has been reviewed for security posture, has a competence problem.

Model Rules 5.1 and 5.3: supervisory duties extend to vendors

MR 5.1 covers partners' and managing lawyers' responsibilities to ensure that other lawyers in the firm conduct themselves consistently with the rules of professional conduct. MR 5.3 extends that supervisory duty to nonlawyer assistants — paralegals, IT staff, and, critically, outside vendors.

This is where most firms quietly fail. The MSP holds privileged credentials across the document management system, the practice management system, the firm's productivity tenant, and every endpoint — more direct access to client information than most associates have. And nobody at the firm has ever reviewed the MSP's security posture, asked for a SOC 2 report, or signed a written agreement defining data handling expectations.

MR 5.3 does not allow that. The supervisory duty is "reasonable efforts to ensure" that nonlawyer conduct is compatible with the lawyer's professional obligations. At minimum that requires a written agreement covering data handling and breach notification, a documented review of the vendor's security posture refreshed on a defined cadence, a clear understanding of what the vendor's access actually permits, and a defined incident notification path back to firm leadership.

The same logic applies to e-discovery vendors, court reporters with electronic case files, expert witnesses with matter materials on personal laptops, and any cloud platform handling client data.

State variations — where bars have gone further

State bars have layered guidance on top of the Model Rules. We speak in general terms here because the specifics shift year over year; confirm with bar counsel for your jurisdiction.

The New York State Bar Association has issued ethics opinions reinforcing the duty to use reasonable care with electronic communications, with Opinion 1019 frequently cited for remote access and cloud computing guidance. California layers consumer-privacy law (CCPA and successors) on top of professional responsibility rules; a California firm holding personal information of its clients' employees or counterparties can find itself with statutory obligations running alongside ethics duties. Texas, Florida, Illinois, and Washington state bars have each issued opinions reinforcing technology competence and reasonable safeguards. Several states require written information security programs (WISPs) of any business holding personal information of state residents, law firms included.

The pattern is consistent: the duty under MR 1.6 is being read with increasing specificity, and operational expectations have risen significantly since 2017.

What "reasonable efforts" actually looks like in 2026

This is the floor we expect to see when assessing a small or mid-size firm against the Model Rules and Formal Opinions. Not every firm needs every item, and Comment [18] permits a sliding scale — but a firm missing several of these in 2026 will have a hard time arguing reasonableness:

  • MFA enforced on Microsoft 365 or Google Workspace for all attorneys, paralegals, and staff
  • MFA enforced on the document management system (NetDocuments, iManage, Worldox, or the matter-folder structure inside Clio, MyCase, ProLaw, PracticePanther)
  • MFA enforced on the practice management and billing system
  • 24/7 managed endpoint detection and response on every device with access to client information
  • Identity threat detection on the cloud productivity suite — where attorney account takeover and wire fraud originate
  • Encrypted client portals for sensitive document exchange, not email attachments
  • A written information security plan, required by statute in Illinois, Massachusetts, and New York and expected by cyber underwriters everywhere
  • A documented incident response plan tested in tabletop at least annually
  • Workforce security awareness training with phishing simulation
  • A documented vendor management program — written agreements, security reviews, refresh cadence
  • Encrypted backups with tested restore

A firm with those controls and current documentation is not breach-proof. It is, however, in a defensible posture under MR 1.6, FO 477R, FO 483, and almost every state bar's overlay guidance.

The common failures we find walking into law firms

  • A partner using a personal Gmail or iCloud account for client work after hours, with no firm oversight, no MFA on the personal account, and no copy in the firm's document management system. An MR 5.1 supervision failure waiting to be discovered.
  • Paralegals with administrative access to the document management system, no MFA, and a shared credential at reception "for when somebody needs to log in quickly."
  • Outside e-discovery and court reporting vendors with matter access and no written agreement on data handling. The firm finds out about the vendor breach from a news article.
  • "We have insurance" treated as a substitute for controls. The underwriter funded the policy on the assumption that controls existed. The renewal questionnaire is going to ask.
  • Encrypted email used inconsistently — some sensitive matters get the portal, some get plain attachments because the client "prefers it that way." Inconsistency is its own evidence problem.
  • No incident response plan. When the wire fraud attempt arrives, decisions get made by whoever happens to be in the office at the time.
  • A risk assessment that is missing or several years old, performed by a vendor that sold the firm a tool at the same time.

None of this is exotic. All of it is fixable.

Cyber insurance and the ethics duty — not the same thing

A managing partner who has paid premiums for years often assumes the policy covers the duty. It does not.

Cyber insurance covers financial consequences — forensic investigation, breach counsel, notification costs, regulatory response, business interruption, sometimes ransom payments. It does not cover the ethical duty under MR 1.6 to make reasonable efforts to prevent unauthorized disclosure. A firm that experiences a breach due to absent MFA, no endpoint detection, and an unreviewed MSP can collect insurance and still face state bar discipline for the underlying failure of safeguards.

The intersection cuts the other way too. Underwriters in 2026 expect MFA, EDR, training, incident response plans, and vendor oversight as a condition of coverage. The same controls that satisfy MR 1.6 satisfy the underwriter. Our cyber insurance readiness guide walks through that side of the question.

A practical 90-day path for a small firm

For a small or mid-size firm with a managing partner who actually owns this, defensible alignment to MR 1.6, FO 477R, FO 483, and the supervisory rules fits inside a quarter.

Days 1–30: technical floor and access audit. Enforce MFA across Microsoft 365 or Google Workspace, the document management system, and the practice management system. Deploy 24/7 managed detection and response on every endpoint with client data. Deploy identity threat detection on the cloud productivity suite — this is where attorney account takeover and wire fraud start. Audit permissions and eliminate shared credentials.

Days 31–60: written program and vendor review. Write the information security plan in plain language. Write the incident response plan with a clear decision tree and named owners. Build the vendor inventory — every MSP, cloud provider, e-discovery vendor, court reporter, and expert with electronic case files. Begin vendor security reviews; refresh or sign written agreements covering data handling and breach notification.

Days 61–90: training, testing, and portal rollout. Launch managed security awareness training and phishing simulation for every staff member. Run an incident response tabletop with firm leadership and breach counsel. Roll out encrypted client portals for the matter types where FO 477R's reasonableness analysis pushes past ordinary email. Document everything in a single folder — risk assessment, information security plan, incident response plan, training records, vendor agreements, audit logs.

For a structured starting point, our self-assessment tool walks through the same framework. If your firm sits inside our law firms practice area, we run this 90-day path as a packaged engagement.

Where Obsidian Ridge fits — and where we do not

We want to be precise about our role, because law firms are increasingly sold "ethics compliance" as a packaged product, and it is not.

We operate the technical safeguards: Huntress Managed EDR across every endpoint that touches client information, Managed ITDR on the firm's Microsoft 365 or Google Workspace tenant, Managed Security Awareness Training and phishing simulation, vulnerability management, log review, and the technical evidence package supporting the firm's audit controls and reasonable-efforts story under MR 1.6. We can also help build the data inventory, structure the risk assessment, run the tabletop, and pressure-test the incident response plan.

What we are not: your ethics counsel, your breach counsel, or the drafter of client notifications. The managing partner remains the ethics decision-maker, and substantive ethics questions go to bar counsel. We provide the technical evidence package. The partner provides the judgment.

Where to go from here

If you are a managing partner recognizing that your firm does not have MFA across every system, has never reviewed its MSP, has no current information security plan, or has no incident response plan tested in the last 12 months — you are not unusual. You are, however, sitting on the fact pattern that bar discipline and malpractice cases get built on.

The right next step is an honest 60-minute review of where the firm stands against MR 1.6, FO 477R, FO 483, and the supervisory rules, followed by a written plan with named owners and dates. We offer that as a fixed-scope engagement with no expectation that you sign anything afterward.

Send us your current information security documentation and we will tell you honestly whether it would hold up to a bar inquiry, an underwriter's renewal question, or a partner's deposition. The worst time to find out is during an incident.

Last updated

May 14, 2026. We refresh this content as the threat landscape and tools evolve.

FAQ

Questions readers usually ask next

What does the 'reasonable efforts' standard in Model Rule 1.6(c) actually require?

Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent inadvertent or unauthorized disclosure of, or access to, client information. Comment [18] sets a five-factor sliding scale: sensitivity of the information, likelihood of disclosure absent safeguards, cost of the safeguards, difficulty of implementing them, and the extent to which the safeguards adversely affect representation. It is not a fixed checklist; a five-attorney firm handling routine matters and a fifty-attorney firm doing M&A are held to materially different operational standards, but both are held to the same duty.

Does ABA Formal Opinion 477R require MFA on email for client communications?

FO 477R does not name MFA by exact title, but it requires lawyers to perform a reasonableness analysis on the communication channel and matter sensitivity. For ordinary, low-sensitivity communications, standard email is generally adequate. For matters involving particularly sensitive information — M&A deal documents, criminal defense strategy, IP filings, family matters with minors — the opinion expects 'particularly strong protective measures.' In 2026, on Microsoft 365 and Google Workspace, MFA on the mailbox is the floor of what any cyber underwriter or expert witness will accept as reasonable.

When does a law firm have to notify clients of a data breach under Formal Opinion 483?

FO 483 imposes an affirmative duty under Model Rule 1.4 to notify current clients when a breach affects their material confidential information, with sufficient detail for the client to make informed decisions about ongoing representation. The duty extends to former clients only when the lawyer knows that the breach materially affects their information. This is in addition to — not in place of — state data breach notification laws.

Do we need client consent to communicate by ordinary email?

Generally no for routine, non-sensitive communications. FO 477R reaffirms that ordinary email is presumed adequate as a default. The reasonableness analysis shifts as the matter becomes more sensitive, the data more attractive to attackers, or the client more security-conscious. For high-sensitivity matters we recommend documenting either client consent to ordinary email or the decision to route through an encrypted portal, on a matter-by-matter basis.

Is encryption required for law firm client data under the Model Rules?

The Model Rules do not mandate encryption by name. They mandate reasonable efforts to prevent unauthorized access. In 2026 practice, full-disk encryption on laptops, encryption in transit for email and document exchange, and encrypted backups are the practical floor of 'reasonable' — to the point that an unencrypted firm laptop holding client data is the kind of fact pattern a plaintiff's expert or a state bar can build a discipline case around without much effort.

How do Model Rules 5.1 and 5.3 apply to a firm's IT vendor or MSP?

MR 5.1 and 5.3 require partners and managing lawyers to make reasonable efforts to ensure that lawyers and nonlawyers — including outside vendors — conduct themselves consistently with the lawyer's professional obligations. That extends to cloud providers, e-discovery vendors, court reporters, and managed IT providers. In practice, this means a written agreement covering data handling, a documented review of the vendor's security posture, and ongoing oversight. 'We hired an MSP' is not a delegation of the ethical duty; it is an extension of it.

Does ABA Model Rule 1.1 Comment [8] make technology competence mandatory?

Comment [8] to MR 1.1, added in 2012, requires a lawyer to keep abreast of changes in the law and its practice, including 'the benefits and risks associated with relevant technology.' More than 40 state bars have adopted some version of it. A handful have not formally adopted the comment language, but the duty of competence itself applies in every jurisdiction, and state bar opinions almost uniformly read technology competence into MR 1.1 even where the comment is not adopted verbatim.

Can cyber insurance substitute for the duty to safeguard client information?

No. Cyber insurance can transfer the financial consequences of a breach — forensics, notification, legal defense, regulatory response — but it cannot transfer the underlying ethical duty under MR 1.6 to make reasonable efforts to prevent unauthorized disclosure. A firm that treats its policy as a substitute for MFA, EDR, training, and vendor oversight has bought financial coverage for a discipline problem it has not solved. Underwriters increasingly require those controls as a condition of coverage anyway.

