ABA obligations, State Bar requirements, and the technical controls that satisfy them

Part 1: The Ethics Framework
ER 1.1 — Competence
Arizona’s Ethical Rule 1.1 requires that a lawyer provide competent representation, which “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The accompanying comment, which tracks Comment 8 to ABA Model Rule 1.1 and has been adopted in Arizona, explicitly addresses technology:
"To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology..."
The Arizona State Bar has interpreted this to include an affirmative duty to understand the technology tools used in legal practice, including their security implications. An attorney who uses cloud storage, email, or practice management software without understanding the associated data risks may fall short of this standard.
ER 1.6 — Confidentiality of Information
ABA Model Rule 1.6(c), adopted in Arizona, requires that attorneys “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The word “reasonable” is critical. It is not a static standard. Comment [18] to Model Rule 1.6 lists the factors against which reasonable efforts are judged:
• The sensitivity of the information involved
• The likelihood of disclosure absent additional safeguards
• The cost of additional safeguards
• The difficulty of implementing safeguards
• The extent to which the safeguards adversely affect the lawyer’s ability to represent clients
In 2025, with ransomware and email compromise attacks against law firms commonplace and cyber insurance carriers explicitly requiring multi-factor authentication and other basic controls as a condition of coverage, a firm that has not implemented those controls would have difficulty characterizing its efforts as “reasonable” under ER 1.6.
ABA Formal Opinion 483 (2018): Post-Breach Obligations
This opinion established that when a data breach may have compromised client information, an attorney has affirmative duties to:
1. Stop the breach, restore affected systems, and preserve evidence to the extent possible.
2. Make reasonable efforts to determine what client information was potentially accessed or disclosed.
3. Notify current clients where the breach involves material client information or where the client needs to take protective action.
4. Consider whether former clients and non-clients whose information was involved should be notified, since other law (such as breach notification statutes) may require it even where the ethics rules do not.
Critically, the opinion ties the notification duty to a duty to monitor for breaches and to make reasonable efforts to determine what occurred. A firm with no logging or security monitoring cannot make that determination, and so cannot identify which clients it owes notice to. Having no monitoring is therefore itself an ethics issue: it renders the notification duty impossible to fulfill.
ABA Formal Opinion 477R (2017): Secure Client Communications
This opinion addressed the security of electronic client communications and concluded that attorneys must assess the sensitivity of client information and use security measures commensurate with that sensitivity.
For routine, non-sensitive matters, standard email may be acceptable. For:
• Settlement negotiations involving specific financial terms
• Litigation strategy discussions
• Materials covered by attorney-client privilege that the client has a significant interest in protecting
• Highly regulated data (healthcare, financial, immigration status)
...the opinion suggests that attorneys should consider secure client portals, encrypted communications, or other measures beyond standard email.
Arizona-Specific Considerations
The State Bar of Arizona has not issued formal opinions that conflict with the ABA framework above. Arizona practitioners should also be aware of:
• Arizona’s data breach notification law (ARS § 18-552): Breach of personal information requires notification within 45 days. Attorneys are subject to this law as data holders, independent of ethics rules.
• Trust account exposure: Law firm trust accounts are a specific target of business email compromise and wire transfer fraud (spoofed payoff letters, altered payee instructions). A fraudulent disbursement from a trust account creates both financial liability and ethics exposure.
• Malpractice insurance implications: Arizona legal malpractice carriers are beginning to ask cybersecurity questions on renewal applications. Inadequate security can affect coverage and premiums.
Part 2: The Technical Controls That Satisfy the Obligations
The ethics framework above creates specific obligations. The following technical controls map to those obligations.
| Obligation | Technical Control | Implementation Notes |
|---|---|---|
| Prevent unauthorized access (ER 1.6) | Multi-factor authentication on all systems | Required on email, practice management, document storage, and remote access, with no exceptions for partners or administrators; prefer phishing-resistant methods (hardware keys, passkeys) over SMS codes |
| Protect sensitive communications (Op. 477R) | Secure client portal for sensitive document exchange | Client-facing portal with its own authentication; do not send sensitive materials as email attachments |
| Detect unauthorized access (Op. 483) | Security monitoring and alerting | SIEM or managed EDR that alerts on unusual access patterns (sign-ins from new locations, bulk downloads, after-hours access to matter files) |
| Preserve breach evidence (Op. 483) | Logging and audit trails | System and authentication logs retained for a minimum of 90 days in a store the affected system cannot alter; email logs retained longer |
| Restore operations post-breach | Tested, isolated backup | Immutable off-site backup that a compromised administrator account cannot delete; restoration tested quarterly |
| Protect privileged communications in transit | Email encryption / TLS enforcement | Enforced (not merely opportunistic) TLS for outbound email, e.g. via MTA-STS or per-domain TLS policies; encrypted portal for client communications |
| Protect physical access | Endpoint encryption | Full-disk encryption on all laptops; MDM on mobile devices |
| Prevent unauthorized access to trust accounts | MFA on banking + payment verification protocol | Dual authorization for trust disbursements; call-back verification to a known number for any payee change |
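The “Detect” and “Preserve” rows above, and the matter-level access control items in the checklist that follows, come down to one capability: an audit log you can actually query after an incident. The following is an added example for this page, not AEGITz’s or any vendor’s code. It works over a constructed JSON-lines audit log as a practice management system might emit it; the field names (ts, user, action, matter, doc, ip), the matter assignments, the breach window and the scenario (the account “jdoe” phished and used overnight) are all assumptions. It answers the three questions Formal Opinion 483 makes you answer: which matters the compromised account touched in the breach window, whether anyone touched matters they were not assigned to, and whether your retention actually reaches back far enough to answer at all.

```python
"""
Breach scoping and access review over a practice-management audit log.

Added example (not AEGITz or any vendor's code). The log format, field names
(ts, user, action, matter, doc, ip), matter assignments and breach window are
assumptions; the records below are constructed, not real client data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed JSON-lines audit log. Scenario: the "jdoe" account was phished and
# used from 198.51.100.7 (a documentation IP range) overnight on 2025-03-02.
SAMPLE_LOG = """\
{"ts": "2025-03-01T17:02:00Z", "user": "jdoe", "action": "view", "matter": "M-1043", "doc": "intake-form.pdf", "ip": "203.0.113.5"}
{"ts": "2025-03-02T02:11:00Z", "user": "jdoe", "action": "download", "matter": "M-1043", "doc": "strategy-memo.docx", "ip": "198.51.100.7"}
{"ts": "2025-03-02T02:13:00Z", "user": "jdoe", "action": "download", "matter": "M-1078", "doc": "settlement-terms.pdf", "ip": "198.51.100.7"}
{"ts": "2025-03-02T02:20:00Z", "user": "jdoe", "action": "download", "matter": "M-2210", "doc": "wire-instructions.pdf", "ip": "198.51.100.7"}
{"ts": "2025-03-02T09:30:00Z", "user": "rlee", "action": "view", "matter": "M-2210", "doc": "engagement-letter.pdf", "ip": "203.0.113.9"}
{"ts": "2025-03-03T08:00:00Z", "user": "jdoe", "action": "view", "matter": "M-1043", "doc": "billing.xlsx", "ip": "203.0.113.5"}
"""

# Hypothetical matter assignments: the "staff see only their matters" control.
ASSIGNMENTS = {
    "jdoe": {"M-1043", "M-1078"},
    "rlee": {"M-2210"},
}

# Assumed breach window (the overnight session) and the date the review is run.
BREACH_WINDOW = (
    datetime(2025, 3, 2, tzinfo=timezone.utc),
    datetime(2025, 3, 3, tzinfo=timezone.utc),
)
AS_OF = datetime(2025, 3, 10, tzinfo=timezone.utc)


def parse_iso(ts: str) -> datetime:
    """Parse an RFC 3339 timestamp; the trailing 'Z' is rewritten for fromisoformat."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into records whose 'ts' is a timezone-aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_iso(rec["ts"])
        records.append(rec)
    return records


def scope_breach(records, user, start, end):
    """Matters and documents the compromised account touched inside [start, end).

    This is the evidence Opinion 483 requires: which clients' information was
    potentially accessed. Without retained logs there is nothing to return.
    """
    touched = defaultdict(set)
    for rec in records:
        if rec["user"] == user and start <= rec["ts"] < end:
            touched[rec["matter"]].add(rec["doc"])
    return dict(touched)


def access_outside_assignment(records, assignments):
    """Records where a user touched a matter they are not assigned to."""
    return [
        rec for rec in records
        if rec["matter"] not in assignments.get(rec["user"], set())
    ]


def retention_covers(records, required_days, as_of):
    """True if the oldest retained record reaches back at least required_days."""
    oldest = min(rec["ts"] for rec in records)
    return oldest <= as_of - timedelta(days=required_days)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for matter, docs in sorted(scope_breach(recs, "jdoe", *BREACH_WINDOW).items()):
        print(f"{matter}: {sorted(docs)}")
    for rec in access_outside_assignment(recs, ASSIGNMENTS):
        print(f"out-of-scope access: {rec['user']} -> {rec['matter']}/{rec['doc']} at {rec['ts'].isoformat()}")
    print("90-day retention satisfied:", retention_covers(recs, 90, AS_OF))
```

Run against the constructed log, the scoping step lists three matters (one of which, M-2210, jdoe was never assigned, so the access review flags it independently), and the retention check fails because the oldest record is nine days old. That last result is the point of the 90-day row: a firm whose logs roll over weekly would be unable to scope a breach discovered a month after the fact.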
Part 3: Law Firm-Specific Security Checklist
CLIENT DATA PROTECTION
☐ Client files stored in access-controlled system — not everyone can access every matter
☐ Secure client portal deployed for document exchange on sensitive matters
☐ Email encryption or TLS enforcement for external communications
☐ Client intake forms do not collect more information than necessary
☐ Retention and destruction policy documented for client files
TRUST ACCOUNT SECURITY
☐ Multi-factor authentication on IOLTA and trust account portals
☐ Dual authorization required for all trust disbursements above threshold
☐ Call-back verification protocol for changes to payee banking information
☐ Trust account reconciliation performed at minimum monthly
☐ Finance staff trained specifically on wire fraud targeting law firms
PRIVILEGED COMMUNICATION CONTROLS
☐ Matter-sensitive communications use secure portal, not standard email
☐ Litigation files with strategy memos require access logging
☐ Settlement documentation handled through access-controlled, auditable system
☐ External co-counsel file sharing uses authenticated, access-controlled platform
CONFLICT AND ACCESS MANAGEMENT
☐ Conflict check system is access-controlled and audit-logged
☐ Staff see only matters they are assigned to (matter-level access control)
☐ Access reviewed when staff change roles or leave the firm
☐ Former employee access revoked same day as departure
INCIDENT RESPONSE (ETHICS-SPECIFIC)
☐ Incident response plan includes client notification decision tree
☐ Outside breach counsel identified in advance
☐ Arizona ARS § 18-552 compliance procedure documented (45-day notification)
☐ Cyber insurance policy reviewed — covers legal professional services
☐ State Bar notification procedure researched and documented
AEGITz serves Phoenix law firms with IT and security services built around legal ethics compliance. For a confidential assessment of your firm’s current posture against the ABA and Arizona Bar obligations, contact us at aegitz.com.