When Data Security Becomes Ethical Duty: Navigating ABA Rule 1.6(c)

  • August 5, 2025
Navigating ABA Rule 1.6(c)

When Data Security Becomes Ethical Duty

View Related Course

The digital age has ushered in unprecedented cybersecurity risks for law firms. As firms increasingly rely on digital communication and data storage, the threat of unauthorized access, data breaches, and cyberattacks has become a pressing concern. Protecting client confidentiality is no longer merely a best practice—it is now a professional ethical duty under the American Bar Association (ABA) Model Rule 1.6(c). This rule requires lawyers to make reasonable efforts to prevent unauthorized access to or disclosure of client information.

With the ongoing evolution of cyber threats, the legal profession’s approach to safeguarding sensitive data must advance as well. This blog explores the ethical obligations attorneys face under ABA Model Rule 1.6(c), outlines what constitutes “reasonable efforts” in today’s cybersecurity landscape, and highlights practical steps law firms can take to stay compliant while protecting client trust.

What Does ABA Model Rule 1.6(c) Require?

As outlined in ABA Model Rule 1.6(c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This mandate extends beyond the protection of physical files to include digital data such as emails, electronic documents, and metadata. The rule emphasizes that these efforts must be “reasonable”—a flexible, fact-specific standard that depends on the circumstances, including the sensitivity of the client information, the level of risk, and prevailing technological norms. Rather than prescribing specific procedures, the rule expects lawyers to implement precautionary measures appropriate to their practice. This ethical obligation reinforces a lawyer’s broader duty to protect client confidentiality in the digital age.

Interpreting “Reasonable Efforts”

According to ABA Formal Opinion 477R, issued in 2017, several key factors help determine what constitutes reasonable efforts:

  • The sensitivity and nature of the client information
  • The likelihood of disclosure or unauthorized access if safeguards are not employed
  • The cost of implementing additional security measures
  • The difficulty of implementing those measures
  • The potential impact of the security measures on the lawyer’s ability to represent the client effectively
Common Ethical Pitfalls

Many lawyers face ethical challenges due to cybersecurity oversights, such as:

  • Using unsecured public Wi-Fi networks to communicate or access client information, increasing the risk of unauthorized access
  • Sending sensitive information via unencrypted emails, potentially exposing confidential data
  • Failing to conduct proper due diligence on third-party vendors, creating security vulnerabilities
  • Lacking an incident response plan, leaving the firm unprepared to respond to cyberattacks
  • Failing to provide cybersecurity training and awareness, increasing the risk of human error
  • Neglecting to implement appropriate protective measures
  • Delaying the reporting of cybersecurity incidents, resulting in legal consequences and loss of client trust
Best Practices to Stay Compliant
  • Conduct Regular Cybersecurity Risk Assessments: Routinely evaluate the firm’s security risks, including vulnerabilities in systems, software, and employee practices, to ensure ongoing protection against threats.
  • Develop a Written Data Protection Policy: Establish and enforce a comprehensive policy that clearly defines confidentiality expectations, data handling procedures, and breach response protocols tailored to the firm’s practice.
  • Include Confidentiality and Cybersecurity Terms in Engagement Letters: Set clear client expectations by incorporating provisions on data protection measures, responsibilities, and limitations within engagement agreements.
  • Implement Technical Safeguards: Use strong passwords, multi-factor authentication (MFA), encryption for emails and data, and secure file-sharing platforms to protect client information.
  • Provide Regular Staff Training: Train all employees to understand the firm’s cybersecurity policies, recognize phishing and other threats, and follow best practices for protecting client data.
  • Prepare and Document an Incident Response Plan: Maintain a clear, written plan for responding to cybersecurity incidents, including steps for investigation, mitigation, and client notification.
  • Vet Third-Party Vendors: Conduct thorough due diligence and require contractual commitments to ensure that vendors handling client data meet appropriate cybersecurity standards.

Cybersecurity is now a core component of ethical legal practice. Lawyers must move beyond traditional methods of protecting client confidentiality and proactively implement robust cybersecurity measures to fulfill their professional obligations. Doing so not only ensures compliance with ABA Model Rule 1.6(c) but also preserves client trust and upholds the integrity of the legal profession. Law firms should conduct comprehensive, firm-wide reviews of their policies, training programs, and technical systems with an ethics-driven approach to safeguarding client data. This proactive stance reflects modern interpretations of attorney ethics and reinforces that protecting client information from cyber threats is both a legal imperative and a fundamental aspect of professional responsibility in 2025 and beyond.