Cybersecurity is not just an IT problem for law firms. It is an ethics problem. ABA Model Rule 1.6, and its Florida equivalent Rule 4-1.6, creates a direct duty to protect client information from unauthorized disclosure. In 2026, fulfilling that duty requires understanding technology, not just delegating it to an IT provider and hoping for the best.
Florida Bar Recommendation 25-1 exists precisely because the Bar recognized that most Florida attorneys did not have a clear picture of what Rule 1.6 requires in a technology-driven practice. This article explains the ethical framework, what reasonable efforts means in concrete terms, how enforcement plays out after a breach, and what Florida attorneys need to do right now to be on the right side of this obligation.
A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Subsection (c) was added to Rule 1.6 in 2012, but its practical implications have evolved substantially as law firm technology environments have grown in complexity. What constituted reasonable efforts in 2012 — when most small firms ran local servers and sent documents by fax or email attachment — is materially different from what reasonable efforts means in 2026, when client data may exist in cloud storage, practice management platforms, AI drafting tools, mobile devices, and third-party vendor systems simultaneously.
Florida adopted the equivalent provision in Rule 4-1.6. The language tracks the ABA model rule closely. The operative standard is the same: reasonable efforts to prevent unauthorized access.
The phrase reasonable efforts is not defined in the rule text. It is a standard that courts, disciplinary bodies, and ethics committees interpret against the circumstances of each case. Comment 18 to ABA Model Rule 1.6 provides some guidance on the factors relevant to that determination:
The more sensitive the client data — health records, financial details, personal identifiers — the higher the standard for protective measures. A PI firm handling medical records faces a different baseline than a firm handling only commercial contract disputes.
What is the realistic probability that the information will be accessed without authorization? A firm using shared passwords and no MFA faces a materially higher likelihood of unauthorized access than one with enforced MFA and role-based access controls.
The rule accounts for proportionality. A 50-attorney firm has different resource capacity than a solo practitioner. Reasonable efforts for a solo attorney does not require enterprise-grade security operations — but it does require the basics that are now standard and low-cost.
The severity of the harm that would result from unauthorized disclosure is a factor. Client data that, if disclosed, could result in physical harm, financial ruin, or immigration consequences carries a heightened protection obligation.
The rule does not require security measures so burdensome that they make the practice of law impossible. But it does require that disruption to services not be used as a reason to avoid basic protective measures.
ABA Formal Opinion 483, issued in 2018, provides the most detailed guidance on what reasonable efforts looks like in a breach context. Every Florida attorney should be familiar with Opinion 483 as the operational standard for their cybersecurity obligations.
In practice, courts and disciplinary committees in 2026 are measuring reasonable efforts against a baseline that includes multi-factor authentication, email security controls, documented incident response planning, vendor oversight, and periodic security assessment. These are no longer advanced security practices — they are the minimum that any informed attorney in a technology-dependent practice is expected to have in place.
ABA Formal Opinion 483, titled Lawyers' Obligations After an Electronic Data Breach or Cyberattack, is the most important guidance document for understanding what Rule 1.6(c) requires in the breach context. It was issued in October 2018 and remains the primary reference point for how disciplinary bodies evaluate attorney conduct after a security incident.
Opinion 483 establishes several specific obligations worth understanding in full:
Opinion 483 states that lawyers have a duty to monitor their technology systems and be aware of cybersecurity vulnerabilities. This is not a passive obligation. Monitoring means having systems and processes in place that would detect a breach or unauthorized access, not simply hoping that nothing bad happens and finding out from a news report when it does. For most law firms, this requires either a managed security monitoring service or periodic security assessments that would surface indicators of compromise.
Upon discovering a breach, the attorney has a duty to take reasonable steps to stop the breach and restore systems to their normal operating state. Opinion 483 notes that this may require engaging outside experts. An attorney who discovers ransomware on firm systems and attempts to manage the incident without qualified assistance — and in doing so destroys forensic evidence or delays restoration — may be found to have failed this duty.
Opinion 483 establishes that attorneys have a duty to notify clients when their material information may have been compromised. The opinion connects this to ABA Model Rule 1.4, which requires a lawyer to keep clients reasonably informed. The notification obligation exists independent of any statutory breach notification requirement — meaning even if FIPA's 30-day deadline has not been triggered, the ethical duty to notify under Rule 1.4 may already apply.
Opinion 483 directly addresses the incident response plan. It states that having a plan in place before an incident occurs is part of satisfying the reasonable efforts standard. A firm that experiences a breach and is improvising its response because it has no documented plan is — by definition — failing the standard the ABA articulated seven years ago. Florida Bar Recommendation 25-1's March 2028 IRP deadline does not change the fact that the ethical obligation to have a plan predates the recommendation.
Understanding how Rule 1.6 cybersecurity violations are actually enforced helps clarify why the obligation is real, not theoretical. The following scenarios reflect how the combination of a breach and inadequate pre-breach security measures has resulted in professional consequences.
A six-attorney personal injury firm is hit with ransomware. The attacker gained access through a compromised staff email credential. The firm had no MFA enforced. The firm had no written incident response plan. The firm's IT provider was not able to restore from backups because no tested backup process existed. The firm paid the ransom. Client files were potentially exfiltrated before encryption.
The managing partner did not notify affected clients for 45 days, citing uncertainty about what was compromised. A former client discovered the breach through a news report and filed a Bar complaint.
The failure to enforce MFA, maintain tested backups, have a written IRP, and notify clients within a reasonable timeframe creates multiple Rule 1.6 and Rule 1.4 exposure points. Each is addressable through the Recommendation 25-1 compliance process.
A ten-attorney family law firm completed a cybersecurity maturity assessment eight months prior to a phishing-based breach. The assessment had identified email security gaps and MFA enforcement as priorities. The firm had implemented MFA on email and enabled DMARC enforcement. The firm had a written IRP that specified client notification within 30 days and identified the IT provider's after-hours contact for incident response. The breach was contained within 12 hours. Client notification went out on day 14.
The documented assessment, the evidence of remediation based on findings, the written IRP, and the timely notification create a defensible record that the firm made reasonable efforts. The breach occurred despite those efforts, not because of their absence.
The distinction between these two scenarios is not the breach itself — breaches happen to prepared and unprepared firms alike. The distinction is whether the firm can demonstrate it took reasonable efforts before the breach occurred. That demonstration requires documentation. And that documentation comes from completing the Recommendation 25-1 requirements.
ABA Model Rule 1.1 requires competent representation, and Comment 8 to that rule has established technology competence as a component of the competence standard. The Comment states that a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.
Florida adopted this standard in Rule 4-1.1. In practical terms, technology competence as it relates to client data security means understanding how the firm's technology handles client information, what the risks of that technology environment are, and what steps are necessary to mitigate those risks. An attorney who genuinely does not understand whether client files are encrypted, who can access them, and what would happen in the event of a breach is not meeting the technology competence standard.
This does not mean every attorney must become a cybersecurity expert. It means every attorney must understand enough about their firm's technology environment to recognize gaps, ask the right questions of their IT providers, and ensure that appropriate protective measures are in place. Completing a maturity assessment and reviewing the findings report is a practical way to satisfy this aspect of the competence obligation.
Many law firms delegate their technology management to an MSP or IT vendor and assume that delegation satisfies their security obligations. ABA Model Rule 5.3 addresses the supervision of non-lawyers providing services to the firm and is directly relevant here.
Rule 5.3 requires a partner or managing attorney to make reasonable efforts to ensure that the firm has measures in effect giving reasonable assurance that the non-lawyer's conduct is compatible with the professional obligations of the lawyer. In the cybersecurity context, this means that retaining an IT provider does not transfer the firm's data protection obligation to that provider. The firm remains responsible for ensuring the provider's conduct — including how it accesses, stores, and protects client data — is consistent with Rule 1.6.
Practical compliance with Rule 5.3 in the IT context includes reviewing the vendor's security posture (ideally through a SOC 2 Type II report), ensuring the vendor contract includes appropriate data protection, breach notification, and liability provisions, and periodically verifying that the vendor's practices remain adequate as the firm's environment and the threat landscape evolve.
The ethical obligations under Rule 1.6(c) and Rule 4-1.6 are not new. Recommendation 25-1 is the Florida Bar's published operationalization of those obligations. The following actions address both the ethical baseline and the recommendation requirements:
The Florida Bar Ethics Hotline: Attorneys with specific questions about how their professional responsibility obligations apply to a particular technology situation can contact the Florida Bar Ethics Hotline at 1-800-235-8619. The hotline provides guidance on professional conduct questions at no charge to Bar members. A cybersecurity advisor can help with the technical assessment and operational requirements. The ethical interpretation of how those requirements apply to a specific situation is a question for the Bar's ethics resources or qualified legal counsel.
First Step Technology LLC works with Florida law firms to complete the cybersecurity maturity assessment, data mapping survey, and incident response plan development required by Recommendation 25-1 — the practical steps that demonstrate reasonable efforts under Rule 1.6.
Schedule a Consultation