Every day, law firms are targeted by cyber threats. Small firms are targeted more frequently, not because they are doing anything wrong, but because attackers assume their defenses are easier to breach. Even for larger firms with sophisticated cybersecurity systems, however, it is not a question of if your firm will be targeted, but when.[1]
The Michigan Supreme Court, in its Comment to Michigan Rule of Professional Conduct (MRPC) 1.1 Competence, has determined that lawyers should understand the technology used in the practice of law to ensure competent representation. This includes a basic understanding of cybersecurity to ensure client data is protected.
The State Bar of Michigan has issued Cybersecurity FAQs[2], which address the topics in this article as well as additional cybersecurity issues of which all members should be aware.
THE ETHICAL FRAMEWORK
MRPC 1.6 requires lawyers to maintain client confidentiality. This duty extends far beyond attorney–client privilege and encompasses all “information gained in the professional relationship that the client has requested be held inviolate or the disclosure of which would be embarrassing or would be likely to be detrimental to the client.”[3] In the absence of the client’s informed consent, lawyers must keep all such information secret.
MRPC 1.1 requires that lawyers provide competent representation. This duty encompasses maintaining appropriate technological competence in representing our clients. Comment 8 to MRPC 1.1 explains that maintaining competence requires understanding “the benefits and risks associated with relevant technology.”
MRPC 1.3, covering the duty of diligence, goes beyond requiring lawyers to act diligently in moving clients’ cases forward: it also requires lawyers to diligently safeguard client information and to respond promptly to security breaches.
These duties of competence and diligence as laid out in MRPC 1.1 and 1.3 operate alongside common law obligations, contractual agreements with clients, and, in some industries, regulatory data security requirements.
THE THREAT LANDSCAPE
Cybersecurity threats are constant and diverse. Phishing emails trick lawyers and staff into clicking malicious links or sharing passwords. Ransomware encrypts entire systems and demands payment for the decryption key, with no guarantee that paying restores the data. Compromised email accounts allow cybercriminals to impersonate lawyers during settlement negotiations and divert wire transfers to attacker-controlled accounts. Lawyers should stay informed about the ever-changing landscape of cyber threats so they can recognize the risks to their clients’ data.
COMMUNICATING WITH CLIENTS SECURELY
The first step in ensuring proper cybersecurity starts with how we communicate with clients. ABA Formal Opinion 477R discusses a lawyer’s ethical obligation to protect client information transmitted over the internet.[4] Lawyers must take reasonable steps to ensure that communication, whether through email, text, or client portals, is secure. One of the simplest ways to manage this duty is to use encrypted email.[5] Lawyers can use encryption tools built into many email platforms or dedicated secure email services to protect client communications, attachments, and sensitive data.
For lawyers, encrypted email is a practical safeguard and, depending on the circumstances, an ethical obligation. Routine communications such as scheduling emails may not require encryption, whereas sensitive matters, and information the client has asked be kept confidential, ethically require additional precautions such as encryption. When choosing a tool, check whether it encrypts only the connection between mail servers (transport encryption, which leaves the message readable in both mailboxes and at any intermediate provider) or the message itself, so that only the intended recipient can open it; the two protect against different risks.
PREVENTIVE SAFEGUARDS
The Federal Trade Commission’s Protecting Personal Information: A Guide for Business offers a helpful framework for all organizations handling sensitive data. It advises businesses to protect the personal information they keep, properly dispose of data that is no longer needed, encrypt information stored on networks, understand their networks’ vulnerabilities, and implement policies to address security problems.[6]
For law firms, reasonable safeguards include:
- Strong unique passwords and multi-factor authentication;
- Firewalls and up-to-date antivirus tools;
- Prompt software updates and security patches;
- Encryption of laptops, smartphones, and portable drives;
- Cloud services that offer user-controlled encryption.
SUPERVISION AND VENDOR MANAGEMENT
A lawyer’s ethical obligations extend to those they supervise and those with whom they contract. Under MRPC 5.1, supervising lawyers must ensure that all lawyers in the firm comply with professional obligations. MRPC 5.3 extends this duty to nonlawyer staff, contractors, and vendors.
In Protecting Personal Information: A Guide for Business, the FTC emphasizes the critical role of staff training in safeguarding sensitive data.[7] The guide highlights that an information security program is only as effective as its least vigilant staff member. It is therefore essential to provide employees with security awareness training and to schedule regular refreshers. Specialized training should be given to employees, affiliates, or service providers who have hands-on responsibility for carrying out the information security program, so that they are equipped to handle emerging threats and implement effective countermeasures.[8]
The FTC also offers resources to assist businesses in training their staff. For instance, the Start with Security guide provides an online tutorial designed to help train employees on cybersecurity best practices.[9] The FTC’s website also features publications that address specific data security challenges, along with news releases and blog posts that keep businesses informed about the latest threats and countermeasures.[10] By using these resources, law firms can ensure that their employees are prepared to protect personal information and respond effectively to security incidents.
With vendors, the duty takes a different form: a lawyer cannot supervise a vendor’s staff directly, so the lawyer must ask pointed questions of IT consultants, cloud providers, and e-discovery vendors and get the answers in writing. For example: How do you secure our data? Is it encrypted in transit and at rest, and who holds the keys? Who at your company can access it? What is your breach response plan, and how quickly will you notify us if our data is affected?
REAL WORLD RISKS
A recent case illustrates real-world cybersecurity risks.[11] In Whalen v. Gunster, Yoakley & Stewart, P.A., filed in the Thirteenth Judicial Circuit Court of Florida, the plaintiffs’ complaint alleges that Gunster’s inadequate cybersecurity measures led to a data breach that compromised the personal and health information of approximately 9,550 individuals.[12] The plaintiffs asserted claims including negligence, negligence per se, breach of implied contract, breach of fiduciary duty, unjust enrichment, and violations of the Florida Deceptive and Unfair Trade Practices Act. Gunster denied all allegations and maintained that the breach resulted from a sophisticated cyberattack beyond its control.[13] The individuals whose data was affected were clients, witnesses, opposing parties, and others for whom the firm held confidential information. On March 6, 2025, the court granted preliminary approval of a settlement agreement between the parties. The settlement includes a payment of $8.5 million and offers affected individuals reimbursement of up to $35,000 and three years of credit monitoring services.[14]
RECORD RETENTION POLICIES AND DATA SECURITY
When a cybersecurity incident occurs, the lawyer may be required to notify every person and entity whose confidential information was exposed. Holding less confidential data reduces the amount of client information that can be exposed and, in the event of an attack, limits the number of people who must be notified.
Every lawyer is required to have a record retention plan.[15] Part of that plan is a timeline for the destruction of client files. Lawyers should promptly and confidentially dispose of information once the retention period has run; data that no longer exists cannot be exposed in a cybersecurity incident.
WHEN A CYBERATTACK HAPPENS
Despite best efforts, cybersecurity incidents occur. When they do, several ethical duties converge. MRPC 1.3 requires prompt investigation, containment, and mitigation. MRPC 1.1 may require consulting outside cybersecurity experts.[16] MRPC 1.4 requires notifying clients when a material breach occurs.
Whether notice is required depends on the circumstances. ABA Formal Opinion 483 outlines a lawyer’s duty to notify in the event of a cybersecurity incident.[17] As to ransom payments, the ethical issue is not whether payment is allowed, but whether payment is necessary to uphold the duty to protect client data. Paying does not guarantee that encrypted data will be restored or that stolen data will not be published, and payments to sanctioned actors may themselves be prohibited, so the decision should be made with the firm’s insurer, forensic advisers, and counsel.
Lawyers also have an obligation to comply with applicable data breach notification laws, which may mandate informing affected individuals, the state Attorney General, or the Federal Trade Commission.[18] Knowing in advance which requirements apply to the types of confidential information the firm maintains is an essential component of competent legal practice.
OTHER DUTIES DURING BREACH RESPONSE
Additional ethical duties may arise during and after a breach: MRPC 5.1 and 5.3 require supervision of lawyers, staff, and vendors in breach response efforts. MRPC 1.15 requires safeguarding client property, including trust funds that may be at risk in a cyberattack or wire fraud.
MRPC 3.3 and 3.4 govern candor and fairness in litigation; if a breach affects discovery obligations, lawyers must disclose it appropriately.
ABA Formal Opinion 483 emphasizes that, following a breach, lawyers must act competently, communicate with clients, and take remedial measures to protect confidentiality.[19]
PLANNING FOR INCIDENTS
The best defense is preparation. Every firm, regardless of size, should have a written incident response plan that identifies the firm’s internal response coordinator, external cybersecurity and forensic vendors, insurance information, and communication protocols for clients and regulators. Keep a copy of the plan, with its contact details, somewhere other than the firm’s own systems; in a ransomware incident, those systems may be the ones you can no longer open.
The plan should be reviewed regularly and updated to address new technologies and threats. Documenting your response, including what was discovered, when, and what was done about it, demonstrates diligence and competence.
CONCLUSION
Safeguarding client data is an extension of safeguarding the client. It is a fundamental aspect of a lawyer’s professional responsibilities, demanding both proactive measures and a swift, effective response when cybersecurity incidents occur. By anticipating risks, setting clear expectations with clients, overseeing staff and vendors, and acting promptly during incidents, lawyers protect client trust and preserve the integrity of the profession.