
The Technology Competence Duty for Attorneys

“I’m not a technology person” is no longer a defense

For most of the legal profession’s history, an attorney could be excellent at the law and indifferent to the machines on the desk. That era is over. The duty of competence — the most basic obligation a lawyer owes a client — is now widely understood to include competence with the technology used to practice law and to protect client information. An attorney doesn’t have to become an engineer. But willful ignorance of technology is no longer a safe place to stand.

This shift is captured in the American Bar Association’s Model Rules, whose comment on competence makes clear that staying abreast of changes in the law and its practice includes “the benefits and risks associated with relevant technology.” A substantial majority of states have since adopted some version of this duty.

Why it matters more for lawyers than for most businesses

Every business wants to avoid a data breach. For a law firm, the stakes are categorically different. The duty of confidentiality requires lawyers to make reasonable efforts to prevent the unauthorized disclosure of client information. A breach of a law firm’s systems isn’t just an IT incident — it can be an ethics violation, a malpractice exposure, and an irreversible breach of client trust, all at once. Privileged communications, once exposed, cannot be made privileged again.

That’s why technology competence and confidentiality are really the same duty viewed from two angles. You can’t protect what you don’t understand well enough to ask the right questions about.

What “reasonable” actually looks like

The duty doesn’t demand perfection, and it doesn’t demand that you personally configure a firewall. It demands reasonable efforts. In practice, that means being able to answer — or having a trusted partner who can answer — questions like these:

Where does our client data actually live? On laptops? In email? In a cloud document system? You can’t protect data you can’t locate.

Who can access it, and how? Reasonable access controls and multi-factor authentication are now table stakes, not luxuries.

Is it encrypted? Client data should be protected both on your devices and as it travels — especially email, which is where confidentiality most often quietly fails.

Have we vetted our vendors? The cloud services and software your firm relies on become part of your confidentiality posture. Reasonable diligence means knowing how they protect your data.

What happens if something goes wrong? A written incident response plan turns a crisis into a procedure.

Are our people trained? The most sophisticated defenses are undone by one staff member clicking one convincing phishing email. Ongoing awareness training is part of competence.

You don’t have to carry this alone

Here’s the reassuring part: the duty of technology competence does not require every attorney to become a security expert. It requires reasonable efforts — and engaging a competent technology partner is itself one of the most reasonable efforts a firm can make. The expectation is that you take the protection of client information seriously and act on it, not that you personally understand every technical detail.

What a good partner provides is twofold: the safeguards themselves, and the documentation that shows you’ve taken reasonable measures. If the question is ever asked — by a client, an insurer, or in the worst case a disciplinary inquiry — the answer is already prepared.

Want to know whether your firm is meeting the standard? Schedule a call and we’ll give you a clear, plain-English picture of where you stand.

This article is general information, not legal advice. Consult your jurisdiction’s rules of professional conduct and qualified counsel regarding your specific obligations.
