What is Reasonable Under the ABA’s New Cybersecurity Obligations for Law Firms?

The American Bar Association (ABA) recently issued a major new ethical statement, Formal Opinion 477, which clarifies law firms’ cybersecurity obligations. The Opinion updates prior ABA statements such as the 2012 Model Rules.

In the past five years since the Model Rules were issued, law firms have become coveted targets for cybercriminals, and law firms’ breaches have become front-page news. Law firms of all sizes are increasingly relying on a new breed of technical companies that have developed special tools and services for protecting the uniquely valuable data of law firms and their clients.

The ABA’s lengthy Opinion has two especially significant aspects: i) using “reasonable measures” to assess and mitigate risks; and ii) making “reasonable efforts” to manage vendors. The Opinion rejects requirements for specific security measures, and instead adopts a “reasonable” standards approach to deal with complex technical issues. Therefore, it is important that law firms and technical companies work together to update and improve cybersecurity practices, and decide which services and tools are most suitable for meeting a variety of challenges in law firms.

Risk Assessment & Mitigation

As stated in the Opinion, law firms are now required to create and maintain their own “reasonable measures” and “fact-based analysis” to assess and mitigate risks.

The Opinion focuses on the following considerations:

  • understand the nature of the threat;
  • understand how client confidential information is transmitted and where it is stored;
  • understand and use reasonable electronic security measures;
  • determine how electronic communications about clients’ matters should be protected;
  • label client confidential information; and
  • train lawyers and non-lawyer personnel in technology and information security.

The legal profession is increasingly turning to outside cybersecurity or technology companies, such as Braintrace, Inc., which can provide tools to allow law firms to:

  • leverage machine learning, artificial intelligence and big data analytics to detect and stop attackers before they cause harm;
  • reduce the performance impact from security products on attorney computers and devices;
  • increase the effectiveness of existing security investments in blocking these attacks;
  • reduce the additional financial investment necessary for security services while maximizing risk reduction efforts of every service; and
  • simplify and secure the user-experience for accessing firm resources.

As technology becomes more advanced, bandwidth more available, central processing unit (CPU) power cheaper, and public key infrastructure (PKI) systems more ubiquitous, law firms should realize the benefits of end-to-end encryption in certain products, such as cloud technology.

Vendor Management

The ABA’s Opinion also focuses on law firms’ obligations to make “reasonable efforts” to manage vendors. Law firms typically advise their clients to engage in proper vendor management techniques such as performing due diligence on the vendor’s cybersecurity systems and policies. Law firms should heed their own advice, including reviewing their vendor contracts. In particular, it is important to avoid the following common mistakes in contracts:

  • Failing to ensure that the Master Agreement (MSA), Service Level Agreement (SLA) and Statement of Work (SOW) are all consistent;
  • Failing to define the parameters and performance metrics of the system;
  • Failing to specifically allocate the respective obligations of the parties; and
  • Failing to include an appropriate dispute resolution process.

Some vendors, like Braintrace, Inc., can provide automated vendor management tools that reduce the amount of work necessary to monitor third-party vendors that are providing critical services for the firm; alternatively, firms can use services provided by their managed security providers. These services can, for example, assess the greatest risks from external hackers by passively auditing the vendor’s IT systems in several critical areas:

  • Patching and system configuration;
  • Vulnerability management;
  • Website security;
  • Email security; and
  • Dark Web research and analysis.

It is more important than ever for law firms to find proven technical partners to mitigate and remediate cybersecurity attacks. Recently, such an attack shut down the computer systems of a large global law firm, and similar attacks have in the past crippled firms of all sizes in all parts of the world. Law firms and their technical partners are therefore putting extra effort into cyber protection with greater urgency.

Paul Gupta, Partner at Reed Smith LLP, writes about what is reasonable under the American Bar Association’s ethical statement on cybersecurity obligations for law firms. Braintrace helped interpret the ABA’s statement with Paul.