ABA Rule 1.6: The Cybersecurity Obligation Every Denver Law Firm Must Meet
Every law firm in Denver has an ethical obligation to protect client confidentiality. ABA Model Rule 1.6, combined with Formal Opinion 477R, makes it clear that this obligation extends to cybersecurity.
What ABA Rule 1.6 Requires
Rule 1.6(c) states that lawyers must make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” ABA Formal Opinion 477R clarifies that this includes electronic communications and data storage.
What Reasonable Efforts Look Like Today
Email Encryption
Sending client communications over unencrypted email is increasingly difficult to defend as reasonable. At minimum, firms should use TLS encryption for email in transit and consider end-to-end encryption for sensitive communications.
Multi-Factor Authentication
A single password protecting access to client files is not reasonable when MFA is readily available and inexpensive. Every system containing client data should require a second form of authentication.
Endpoint Protection
Traditional antivirus is not sufficient. Endpoint detection and response tools provide the level of protection that the current threat environment demands. Ransomware attacks on law firms increased significantly in the past year.
Data Backup and Recovery
If ransomware encrypts your client files and you have no backup, you face an impossible choice between paying a ransom and losing client data. Regular, tested backups with offsite or cloud storage are a baseline requirement.
Security Awareness Training
Phishing remains the number one attack vector for law firms. Training staff to recognize and report phishing attempts is both inexpensive and effective.
The Cost of Getting It Wrong
The average cost of a data breach for a law firm is $5.9 million. Beyond the direct financial impact, a breach triggers mandatory client notification, potential malpractice liability, bar disciplinary proceedings, and lasting reputational damage. Sixty percent of small firms that experience a significant breach close within six months.
Colorado Privacy Act Adds Another Layer
Beyond ABA requirements, Denver law firms must also consider the Colorado Privacy Act, which imposes data protection obligations on businesses that handle personal data.
Cyber Insurance Is Not a Substitute
Cyber insurance is important, but carriers are tightening requirements. Many now require documented security assessments, MFA implementation, and endpoint protection as conditions of coverage.
Get a Free ABA Compliance Assessment
Technology Response Team works with Denver law firms to implement the cybersecurity controls that ABA Rule 1.6 requires. Our free assessment identifies gaps in your current setup and provides a clear, prioritized remediation plan.
Call: (720) 782-2145