Grand Traverse-Leelanau-Antrim Bar Association

Seven Security Considerations for Lawyers

By: Michael Naughton

Legal practices, as organizations that maintain sensitive data, must be mindful of security threats. The ABA Model Rules of Professional Conduct set forth the duties and responsibilities expected of lawyers. These include providing competent representation, which requires legal knowledge, skill, thoroughness and preparation. The Model Rules also highlight the duty of a lawyer not to reveal information related to the representation of a client without client consent, and to make reasonable efforts to prevent inadvertent or unauthorized disclosure of, or access to, information related to the representation of a client. Lastly, the Model Rules state that a lawyer shall store clients’ property, in connection with a representation, separate from the lawyer’s own property.

ABA Formal Opinion 477R, published in 2017, confronted the transmission of information over the internet related to the representation of a client. In the Opinion, the committee recognized the sophistication of InfoSec threats and noted that some forms of electronic communication may be vulnerable. Pointing to Model Rule 1.6(c), the committee cited the following “reasonable efforts” determination factors:

  • The sensitivity of the information,
  • The likelihood of disclosure if additional safeguards are not employed,
  • The cost of employing additional safeguards,
  • The difficulty of implementing the safeguards, and
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Consistent with this analysis, it was found that “particularly strong protective measures, like encryption, are warranted in some circumstances.” Considering information security and protecting client information, the opinion offered seven considerations for lawyers:

  1. Understand the nature of the threat.
  2. Understand how client confidential information is transmitted and where it is stored.
  3. Understand and use reasonable electronic security measures.
  4. Determine how electronic communications about client matters should be protected.
  5. Label client confidential information.
  6. Train lawyers and nonlawyer assistants in technology and information security.
  7. Conduct due diligence on vendors providing communication technology.

Accordingly, legal practices ranging from solo practitioners to multinational firms are mandated to maintain the confidentiality, integrity and availability of information related to the representation of clients. Lawyers must take appropriate steps to identify and defend against InfoSec events. The Michigan and ABA Model Rules of Professional Conduct provide models that can help legal practitioners consider the implications of security events and the tactics to use within their businesses to mitigate problems.



About the author: Michael C. Naughton is a co-owner of North Coast Legal, PLC. He is the president-elect of the Grand Traverse Antrim Leelanau Bar Association and a board member of TCNewTech, a technology-focused group in Traverse City. North Coast Legal, PLC is based in Traverse City, Michigan but represents clients across the

