ABA Rule 1.6: The Cybersecurity Obligation Every Denver Law Firm Must Meet
Every law firm in Denver has an ethical obligation to protect client confidentiality. ABA Model Rule 1.6, combined with Formal Opinion 477R, makes it clear that this obligation extends to cybersecurity.
What ABA Rule 1.6 Requires
Rule 1.6(c) states that lawyers must make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” ABA Formal Opinion 477R clarifies that this includes electronic communications and data storage.
What Reasonable Efforts Looks Like Today
Email Encryption
Sending client communications over unencrypted email is increasingly difficult to defend as reasonable. At minimum, firms should use TLS encryption for email in transit and consider end-to-end encryption for sensitive communications.
Multi-Factor Authentication
A single password protecting access to client files is not reasonable when MFA is readily available and inexpensive. Every system containing client data should require a second form of authentication.
Endpoint Protection
Traditional antivirus is not sufficient. Endpoint detection and response tools provide the level of protection that the current threat environment demands. Ransomware attacks on law firms increased significantly in the past year.
Data Backup and Recovery
If ransomware encrypts your client files and you have no backup, you face an impossible choice between paying a ransom and losing client data. Regular, tested backups with offsite or cloud storage are a baseline requirement.
Security Awareness Training
Phishing remains the number one attack vector for law firms. Training staff to recognize and report phishing attempts is both inexpensive and effective.
The Cost of Getting It Wrong
The average cost of a data breach for a law firm is $5.9 million. Beyond the direct financial impact, a breach triggers mandatory client notification, potential malpractice liability, bar disciplinary proceedings, and lasting reputational damage. Sixty percent of small firms that experience a significant breach close within six months.
Colorado Privacy Act Adds Another Layer
Beyond ABA requirements, Denver law firms must also consider the Colorado Privacy Act, which imposes data protection obligations on businesses that handle personal data.
Cyber Insurance Is Not a Substitute
Cyber insurance is important, but carriers are tightening requirements. Many now require documented security assessments, MFA implementation, and endpoint protection as conditions of coverage.
Get a Free ABA Compliance Assessment
Technology Response Team works with Denver law firms to implement the cybersecurity controls that ABA Rule 1.6 requires. Our free assessment identifies gaps in your current setup and provides a clear, prioritized remediation plan.
Call: (720) 782-2145
What this means for growing businesses
The cybersecurity obligation under ABA Rule 1.6 is not just a technical topic. For a small or mid-sized business, it affects downtime, security risk, employee productivity, client confidence, and the ability to grow without constantly reacting to technology problems. TRT sees this most often when a company has enough technology to depend on every day, but not enough process around support, documentation, backups, cybersecurity, and strategic planning.
A stronger approach starts with visibility. Business owners should know which systems are critical, who supports them, how quickly they can be restored, and where security gaps exist. Industry research from IBM and Verizon continues to show that human error, weak access controls, and delayed detection are common contributors to security incidents. The practical lesson is simple: prevention, monitoring, and response planning matter more than buying one more tool.
Practical next steps
- Document the systems your team cannot operate without.
- Review backup and recovery expectations before an outage happens.
- Confirm that MFA, endpoint protection, patching, and email security are consistently enforced.
- Build a simple escalation path so employees know how to report issues quickly.
- Schedule a recurring technology review instead of waiting for something to break.
Technology Response Team supports 55+ clients from offices in Denver, Louisville, and Jupiter, with managed IT, cybersecurity, compliance, cloud, and help desk services. If this article describes problems your team is already feeling, schedule a free IT assessment with Technology Response Team.
FAQ
How often should a business review its IT environment?
At minimum, review core systems, security controls, backups, and vendor responsibilities once per quarter. Fast-growing companies should review them more often.
What is the first sign that IT support is falling behind?
The first sign is usually repeated disruption: recurring tickets, slow response times, poor documentation, or employees creating workarounds because systems are unreliable.
Can managed IT help with cybersecurity and compliance?
Yes. A mature managed IT provider should help with monitoring, patching, access control, backup planning, security awareness, compliance readiness, and response planning.