The ABA Says You Have an Ethical Obligation to Act.

The Scale of the Problem
Law firms are attractive targets for a specific set of reasons that attackers understand well:
• Client files contain extraordinarily sensitive information — financial disclosures, litigation strategy, settlement terms, personal data, trade secrets, and privileged communications.
• Many firms handle large financial transactions: trust account management, settlement disbursements, real estate closings, and M&A transactions.
• The attorney-client privilege creates leverage in ransomware negotiations. Attackers know that an attorney cannot afford to have privileged client communications disclosed.
• Smaller and mid-size firms — which constitute the majority of the Phoenix legal market — typically have significantly less IT infrastructure than their large-firm counterparts.
• Billing and deadline pressure creates exactly the kind of time-stressed environment where phishing attacks succeed.
The FBI IC3 data consistently shows that professional services — a category dominated by legal and accounting — is among the highest-loss sectors in Arizona cybercrime reporting.
The ABA’s Position: This Is an Ethics Issue
The American Bar Association has been unambiguous. Cybersecurity is not merely an IT concern for attorneys — it is a matter of professional responsibility.
Model Rule 1.6: Confidentiality of Information
ABA Model Rule 1.6(c), adopted in 2012, requires that attorneys “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The ABA has clarified that “reasonable efforts” is not a static standard — it is evaluated in light of current threats and available countermeasures. What was “reasonable” in 2015 may not be reasonable in 2025.
ABA Formal Opinion 483 (2018)
This opinion addressed an attorney’s obligations when a data breach has occurred. The ABA concluded that attorneys have an affirmative duty to:
1. Monitor for and detect a data breach.
2. Stop the breach and restore systems when possible.
3. Determine what client information was or may have been accessed or disclosed.
4. Notify affected clients when the breach involves material client information.
The practical implication: you cannot simply discover a breach, quietly remediate it, and move on. If client data was involved, you have a duty to notify. And if you lack the monitoring and detection capabilities to know whether client data was accessed, you are operating below the standard of reasonable care.
ABA Formal Opinion 477R (2017)
This opinion addressed secure client communications and concluded that attorneys must assess the sensitivity of client information and use security measures commensurate with that sensitivity. For highly sensitive matters, unencrypted email may not be sufficient. Secure client portals, encrypted communications, and access-controlled file sharing are not optional enhancements — they are components of the duty of competence.
Arizona State Bar Guidance
The State Bar of Arizona has aligned with ABA guidance on technology competence. ER 1.1 (Competence) includes a duty to maintain knowledge of relevant technology as part of competent representation. Arizona attorneys who have not taken reasonable steps to protect client data from foreseeable risks are potentially subject to bar discipline.
What “Reasonable” Security Looks Like for a Phoenix Law Firm
The standard is not perfection — it is reasonableness given the known threat environment and available countermeasures. Based on current guidance and industry practice, reasonable security for a Phoenix law firm includes:
• Multi-factor authentication on all email and case management systems.
• Encrypted storage for all client files, particularly on portable devices.
• Secure client portal for document exchange (not email attachments for sensitive materials).
• Regular security awareness training, specifically covering phishing and BEC attacks.
• A written incident response plan that includes client notification procedures.
• Tested data backups that can restore operations without paying a ransom.
• Vendor due diligence for all cloud services that process client data.
Notably, most of these controls are not technically complex or prohibitively expensive for a mid-size Phoenix firm. They are, however, systematically absent in many firms we encounter.
The Practical Risk for Phoenix Attorneys
If your firm is hit by ransomware and client data is accessed or exposed:
1. You have a duty to determine what was affected and notify affected clients.
2. You may face bar discipline if reasonable precautions were not in place.
3. Your malpractice carrier will investigate whether your security posture met the applicable standard of care.
4. Opposing counsel in any active litigation may seek to exploit the breach.
5. Client relationships — many built over years or decades — may not survive the disclosure.
The bar complaint risk alone should be sufficient to prompt action. But the combination of bar exposure, malpractice risk, client relationship damage, and operational disruption creates a risk picture that no Phoenix attorney should be comfortable ignoring.
AEGITz serves Phoenix law firms with IT and cybersecurity designed around legal-sector compliance obligations. Download our free Arizona Law Firm Cybersecurity & Ethics Compliance Guide, or contact us for a confidential security assessment.