[Cover image: encrypted client files, an MFA prompt, and a breach-notification compliance checklist]
Topics: Data Privacy, Legal Ethics, Practice Management

Data Privacy and Your Clients' Information — An Attorney's 2026 Guide

Reasonable efforts under ABA Model Rule 1.6(c) used to mean a locked file cabinet. In 2026 it means encryption, MFA, vendor diligence, and a written incident-response plan.

Editorially reviewed · 29 sources cited · Updated May 11, 2026
Made For Law Editorial Team
13 min read · Published May 11, 2026

What ABA Model Rule 1.6(c) Actually Requires in 2026

The duty of confidentiality under ABA Model Rule 1.6(c) is short — "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The comment tells you the rule is fact-specific; it doesn't tell you which controls satisfy it.

ABA Formal Opinion 477R (2017) and Formal Opinion 483 (2018, on breach response) translate the standard into operational terms. Encrypted email when the matter warrants it. MFA on cloud-based practice management. Vendor diligence on cloud storage. A written incident response plan. These aren't aspirations anymore — they're the floor.

Here's the thing — the rule is a reasonableness standard, not a strict liability standard. If your firm uses Clio with MFA, encrypts laptops with FileVault or BitLocker, has a written backup policy, and trains staff on phishing, you've cleared the bar. The fact pattern that produces a bar complaint is the firm that has none of those, gets breached, and can't show any effort. Don't be that firm.

State Breach-Notification Laws — The 45-State Patchwork

45 states, DC, Puerto Rico, the US Virgin Islands, and Guam have breach-notification statutes. NCSL maintains the canonical tracker. Each statute defines personal information, sets a notification window (typically 30–90 days), and identifies whom to notify — the affected individuals, the state AG, sometimes credit bureaus.

California's law — Civil Code §1798.82 — covers an expansive definition of personal information including biometric and geolocation data. New York's SHIELD Act is similarly broad. Texas's Bus. & Com. Code §521.053 requires notice without unreasonable delay.

If you practice across state lines — which most modern solos do — assume the most restrictive state's rule controls. A breach affecting 5 clients in Massachusetts plus 2 in California triggers both 201 CMR 17.00 and the California rule. Don't try to thread the needle.

CCPA, CPRA, GDPR — When Privacy Statutes Reach Your Firm

The California Consumer Privacy Act (CCPA), as amended by the CPRA in 2023, applies to for-profit businesses meeting a revenue or data-volume threshold. Most solo and small firms fall below the threshold — but the CCPA's private right of action for data breaches reaches any business holding California-resident data, with $100–$750 in statutory damages per incident, per consumer, under Civil Code §1798.150.

The math gets unfriendly fast — 500 affected clients × $750 = $375,000 in statutory exposure, before plaintiff attorney's fees. Class-action treatment is available.

GDPR reaches you if you process the data of EU residents — and the Schrems II decision in 2020 limited US data transfers without a valid mechanism. Most US solos don't take EU clients, but if you do international work, an EU representative under GDPR Art. 27 may be required.

AI and Generative Tools — The Privacy Question Most Attorneys Get Wrong

ChatGPT, Claude, Gemini, Copilot — they're useful, and they're also data processors. When you paste a client memo into a chat window, that data crosses into the vendor's system. Whether the vendor retains it, trains on it, or routes it through subprocessors depends on the product tier and the contract.

OpenAI's enterprise data privacy commitments and Anthropic's commercial Terms of Service both promise no-training on API data and zero-retention on enterprise-tier conversations. The consumer tiers — ChatGPT Free, Claude.ai Free — do train on inputs unless you opt out. The Bar Association of San Francisco AI ethics opinion and the Florida Bar Opinion 24-1 both warn that generative AI use must be vetted for confidentiality.

This is why Made For Law strips PII from every AI call before it leaves the server. Names, email addresses, phone numbers, addresses, SSNs — sanitized server-side. Only anonymized parameters (state, case type, dollar amount) reach the LLM. It's a Terms of Service commitment, not just a marketing claim. If you're evaluating AI tools for client work, ask the vendor exactly this question — what PII reaches the model, and what's the retention policy?
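The server-side sanitization step described above, written out as an added example. This is not Made For Law's code and nothing about their implementation is known beyond what the paragraph states; the placeholder format, the allowed-parameter list and the sample memo are all constructed for illustration. The design points worth noticing: names come from the matter record rather than being guessed, every original value is kept in a mapping that never leaves the server, and a final gate refuses to send anything that still matches a PII pattern.

```python
import re
from dataclasses import dataclass, field

# Added example, not Made For Law's code: a server-side sanitizer that runs
# before any text is handed to an LLM API. Names, email addresses, phone
# numbers, street addresses and SSNs become stable placeholders; only the
# anonymized case parameters pass through unchanged.

# Structured-identifier patterns. SSN runs before PHONE so that "123-45-6789"
# is never partially consumed as a phone number.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b")),
    ("ADDRESS", re.compile(
        r"\b\d{1,6}\s+(?:[A-Z][a-z]+\s+){1,3}(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr)\.?\b")),
]

# Only these keys may reach the model; everything else in the record is dropped.
ALLOWED_PARAMS = {"state", "case_type", "amount"}


@dataclass
class Sanitized:
    text: str                                   # redacted free text, safe to send
    params: dict                                # anonymized parameters only
    mapping: dict = field(default_factory=dict)  # placeholder -> original; stays server-side


def sanitize(text: str, known_names: list[str], params: dict) -> Sanitized:
    mapping: dict = {}
    counters: dict = {}

    def placeholder(kind: str, original: str) -> str:
        # Reuse the placeholder when the same value appears again, so the
        # model sees one consistent token per person or identifier.
        for ph, orig in mapping.items():
            if orig == original and ph.startswith(f"[{kind}_"):
                return ph
        counters[kind] = counters.get(kind, 0) + 1
        ph = f"[{kind}_{counters[kind]}]"
        mapping[ph] = original
        return ph

    # Names from the matter record first; longest first so "Jane Doe" wins over "Jane".
    for name in sorted(known_names, key=len, reverse=True):
        pat = re.compile(re.escape(name), re.IGNORECASE)
        text = pat.sub(lambda m: placeholder("NAME", m.group(0)), text)

    for kind, pat in PATTERNS:
        text = pat.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)

    clean_params = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    return Sanitized(text=text, params=clean_params, mapping=mapping)


def contains_pii(text: str, known_names: list[str]) -> bool:
    """Final gate: true if any pattern or known client name still appears."""
    if any(p.search(text) for _, p in PATTERNS):
        return True
    lower = text.lower()
    return any(n.lower() in lower for n in known_names)


def prepare_llm_request(memo: str, known_names: list[str], params: dict) -> Sanitized:
    """Sanitize, then refuse to proceed if anything identifying survived."""
    s = sanitize(memo, known_names, params)
    if contains_pii(s.text, known_names):
        raise ValueError("PII survived sanitization; refusing to send")
    return s


def rehydrate(llm_output: str, mapping: dict) -> str:
    """Restore real values in the model's reply, server-side, before it reaches the attorney."""
    for ph, original in mapping.items():
        llm_output = llm_output.replace(ph, original)
    return llm_output


# Constructed sample memo and record (fictitious person and contact details).
SAMPLE_MEMO = (
    "Jane Doe was rear-ended in California; she seeks $45,000 for medical bills. "
    "Contact: jane.doe@example.com or (415) 555-0123. SSN 123-45-6789. "
    "Address 742 Evergreen Ave, Oakland."
)
SAMPLE_PARAMS = {"state": "CA", "case_type": "auto_accident", "amount": 45000,
                 "client_email": "jane.doe@example.com"}  # dropped: not an allowed key

if __name__ == "__main__":
    req = prepare_llm_request(SAMPLE_MEMO, ["Jane Doe"], SAMPLE_PARAMS)
    print(req.text)
    print(req.params)
```

The regexes are deliberately narrow; a production sanitizer would add a named-entity pass for names that are not in the matter record, and the `contains_pii` gate is what catches the cases the patterns miss only when it has something to match against. The point of the final gate is fail-closed behaviour: an unsanitized memo raises rather than leaving the server.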

Cloud Practice Management — The Vendor Diligence Checklist

Clio, MyCase, PracticePanther, Smokeball, Filevine — the major cloud PM systems all carry SOC 2 Type II reports, AES-256 encryption, and ABA-vetted ToS. Clio's security overview is a useful baseline reference; the others publish similar documents.

The diligence questions you should be asking, per ABA Formal Opinion 498 on virtual practice — (1) Where is the data stored? (2) Who has access? (3) How is the data encrypted at rest and in transit? (4) What's the breach-notification commitment? (5) Is there a Business Associate Agreement if any matters touch HIPAA? (6) What happens to the data on termination?

Most solo attorneys skip the vendor questionnaire because the brand-name vendors are presumed safe. Mostly they are — but the long tail of practice tools (intake forms, document automation, e-signature, time tracking) often have weaker controls. The ILTA Tech Survey is the best practice-tech benchmarking source.

MFA, Encryption, and the Baseline Stack

Three controls move the most risk for the least money. First — multi-factor authentication on every account: email, practice management, cloud storage, bank, court e-filing portals. Microsoft research puts MFA's account-takeover prevention rate above 99%. Use an authenticator app or hardware key, not SMS.

Second — disk encryption on every device that touches client data. FileVault (Mac) and BitLocker (Windows) are free and built in. A stolen laptop with an unencrypted drive is a per se breach in most states. The Massachusetts 201 CMR 17.00 standard specifically requires encryption of portable devices.
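Turning encryption on is the easy half; the part that survives a bar inquiry is being able to show it was on, on every device, at the time of the loss. The following is an added example, not code from the page or from any vendor it names, that parses the status output of the two built-in tools the paragraph mentions (`fdesetup status` on macOS, `manage-bde -status` on Windows) and flags devices that are not fully protected. The sample outputs below are constructed to mirror those tools' formats; the device inventory is likewise made up.

```python
import re

# Added example: parse disk-encryption status output collected from each
# device and flag the ones a firm should not be carrying client data on.


def filevault_enabled(fdesetup_output: str) -> bool:
    """`fdesetup status` on macOS prints 'FileVault is On.' or 'FileVault is Off.'"""
    m = re.search(r"FileVault is (On|Off)\.", fdesetup_output)
    if not m:
        raise ValueError("unrecognized fdesetup output")
    return m.group(1) == "On"


def bitlocker_volumes(manage_bde_output: str) -> dict:
    """Parse `manage-bde -status` into {drive_letter: {field: value}}."""
    volumes: dict = {}
    current = None
    for line in manage_bde_output.splitlines():
        vm = re.match(r"Volume ([A-Z]):", line)
        if vm:
            current = vm.group(1)
            volumes[current] = {}
            continue
        if current is None:
            continue
        fm = re.match(r"\s{4}([A-Za-z ]+):\s+(.+?)\s*$", line)
        if fm:
            volumes[current][fm.group(1).strip()] = fm.group(2)
    return volumes


def bitlocker_protecting(manage_bde_output: str, drive: str = "C") -> bool:
    """True only if the volume is fully encrypted AND protection is on.

    'Fully Encrypted' with 'Protection Off' means BitLocker is suspended
    (as during some updates): the volume key is stored in the clear, so the
    data is not protected against theft. Treat it as non-compliant.
    """
    v = bitlocker_volumes(manage_bde_output).get(drive, {})
    return (v.get("Conversion Status") == "Fully Encrypted"
            and v.get("Protection Status") == "Protection On")


def audit(inventory: list) -> list:
    """Return the names of devices that fail the encryption check."""
    failing = []
    for device in inventory:
        if device["os"] == "mac":
            ok = filevault_enabled(device["status_output"])
        elif device["os"] == "windows":
            ok = bitlocker_protecting(device["status_output"])
        else:
            ok = False  # unknown platform: fail closed, a human has to look
        if not ok:
            failing.append(device["name"])
    return failing


# Constructed sample outputs, modeled on the two tools' formats.
MAC_ON = "FileVault is On.\n"
MAC_OFF = "FileVault is Off.\n"
WIN_OK = """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"""
WIN_SUSPENDED = WIN_OK.replace("Protection On", "Protection Off")

SAMPLE_INVENTORY = [  # fictitious devices
    {"name": "partner-macbook", "os": "mac", "status_output": MAC_ON},
    {"name": "paralegal-macbook", "os": "mac", "status_output": MAC_OFF},
    {"name": "reception-pc", "os": "windows", "status_output": WIN_OK},
    {"name": "loaner-laptop", "os": "windows", "status_output": WIN_SUSPENDED},
]

if __name__ == "__main__":
    print("Non-compliant devices:", audit(SAMPLE_INVENTORY))
```

Collecting the raw output once a quarter and keeping the parsed results with a timestamp gives you the written record of reasonable efforts that Rule 1.6(c) turns on; the suspended-protection case is the one that routinely passes a casual "is BitLocker on?" glance and fails here.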

Third — email encryption when warranted. Not every email needs encryption; ABA Opinion 477R clarified that unencrypted email is generally acceptable for routine matters. But settlement numbers, medical records, trust account details — those warrant a secure portal or encrypted-email tool like Virtru or Egress. Most cloud PM systems include a secure-message function.

The Incident Response Plan Most Solo Firms Don't Have

ABA TechReport 2024 survey data shows only 26% of solos and 42% of 2–9 attorney firms have a written incident response plan. That's the single highest-leverage compliance gap in small practice — and it's free to fix.

A working plan covers six pages, not sixty. (1) Who do you call first — your IT vendor, your cyber-liability insurer, your malpractice carrier? (2) Who has authority to authorize ransomware payment or breach notification? (3) What's the evidence-preservation protocol? (4) Which clients get notified, in what order? (5) What's the script for the call to the AG's office? (6) What's the post-incident review checklist?

Templates exist. The Center for Internet Security incident response template is a clean starting point; so is the FBI's Internet Crime Complaint Center (IC3) reporting checklist for the post-incident federal report. Run a 30-minute tabletop with your staff once a year — that's the difference between a controlled response and a panicked one.

Cyber Liability Insurance — What to Buy and What to Skip

Cyber liability for solo firms typically runs $500–$2,500 per year for $1M in coverage. The American Bar Association's cyber insurance overview and broker comparisons from Lawyers Mutual are useful reference points.

Coverage to insist on — (1) first-party costs (forensics, breach notification, credit monitoring), (2) third-party liability (client claims, regulatory fines where insurable), (3) business interruption, (4) ransomware extortion (with sub-limits), (5) social engineering / wire fraud. Coverage to scrutinize — exclusions for unencrypted devices, exclusions for unpatched systems, exclusions for prior acts.

Honestly — the policy is the cheaper half of the equation. The expensive half is the response. A breach without insurance can run $50,000–$500,000 for a small firm; with insurance, your out-of-pocket is typically the retention plus copay on extra services.

Client Engagement Letters and Privacy Disclosures

Your engagement letter is the cleanest place to set client expectations on data handling. Include a short paragraph on — where client data is stored (cloud PM vendor, named), how communication is secured (encrypted email or secure portal for sensitive content), what happens to the file on termination (retention period, destruction policy), and whether you use AI-assisted tools.

The ABA Center for Professional Responsibility model engagement letter library has templates. State bar templates often go further — the California State Bar Sample Fee Agreement is the most-cited example.

If you use AI for research, drafting, or intake — disclose it. The trend across state bar ethics opinions (Florida 24-1, California Practical Guidance 2024, New York City Bar Formal Opinion 2024-5) is toward requiring or strongly encouraging client disclosure of generative-AI use.

Practical Next Steps for a Solo or Small Firm

Five moves close ~80% of the compliance gap. First, audit your accounts and turn on MFA everywhere. Second, encrypt every laptop, every phone, every external drive. Third, write a 6-page incident response plan and run a 30-minute tabletop with staff. Fourth, review your cloud PM contract for the BAA / DPA terms and confirm SOC 2 status. Fifth, buy cyber liability with a $1M minimum.

Add to the practice — annual phishing training, quarterly password rotation on shared accounts, written vendor approval before any new tool gets client data, and an AI disclosure clause in your engagement letter. None of these require a CISO or a security consultant; they require a Saturday morning.

If you're considering Made For Law's embeddable lead-capture calculators — every Made For Law calc strips PII server-side before any AI call. Your client's name, email, and phone never reach the model. That's the kind of vendor question you should be asking every tool in your stack.

Disclaimer

Made For Law is not a law firm and does not provide legal or compliance advice. Data privacy law is rapidly evolving and varies by jurisdiction — verify state breach-notification rules, ABA opinions, and applicable federal statutes with current sources before relying on this guide. For specific compliance questions, consult a qualified privacy attorney or ethics counsel in your jurisdiction.

Disclaimer: This article is for general educational purposes only and does not constitute legal advice. Made For Law is not a law firm, and our team are not attorneys. We are not affiliated with any federal, state, county, or local government agency or court system. Content may be researched or drafted with AI assistance and is reviewed by our editorial team before publication. Laws change frequently — always verify information with official sources and consult a licensed attorney for advice specific to your situation.

Sources
  1. ABA Model Rule 1.6(c) (americanbar.org)
  2. ABA Formal Opinion 477R (americanbar.org)
  3. ABA Formal Opinion 483 (americanbar.org)
  4. NCSL state breach-notification law tracker (ncsl.org)
  5. California Civil Code §1798.82 (leginfo.legislature.ca.gov)
  6. New York SHIELD Act (ag.ny.gov)
  7. Texas Bus. & Com. Code §521.053 (statutes.capitol.texas.gov)
  8. Massachusetts 201 CMR 17.00 (mass.gov)
  9. California Consumer Privacy Act (CCPA) (oag.ca.gov)
  10. California Civil Code §1798.150 (leginfo.legislature.ca.gov)
  11. GDPR (gdpr-info.eu)
  12. Schrems II (curia.europa.eu)
  13. GDPR Art. 27 (gdpr-info.eu)
  14. OpenAI enterprise data privacy (openai.com)
  15. Anthropic commercial Terms of Service (anthropic.com)
  16. Bar Association of San Francisco AI ethics opinion (sfbar.org)
  17. Florida Bar Opinion 24-1 (floridabar.org)
  18. Clio's security overview (clio.com)
  19. ABA Formal Opinion 498 (americanbar.org)
  20. ILTA Tech Survey (iltanet.org)
  21. Microsoft research on MFA (microsoft.com)
  22. Virtru (virtru.com)
  23. Egress (egress.com)
  24. Center for Internet Security incident response template (cisecurity.org)
  25. FBI's Internet Crime Complaint Center (IC3) (ic3.gov)
  26. American Bar Association's cyber insurance overview (americanbar.org)
  27. Lawyers Mutual (lawyersmutualnc.com)
  28. ABA Center for Professional Responsibility model engagement letter (americanbar.org)
  29. California State Bar Sample Fee Agreement (calbar.ca.gov)
Made For Law Editorial Team

Our editorial team researches and summarizes publicly available legal information. We are not attorneys and do not provide legal advice. Every article is checked against current state statutes and official sources, but you should always consult a licensed attorney for guidance specific to your situation.