Ask most attorneys whether they're compliant with New York's Rules of Professional Conduct regarding technology, and you'll get one of two answers: a confident "yes" based on nothing specific, or a pause followed by "I think so." Neither is reassuring — and neither would satisfy a grievance committee.

The New York State Bar Association has been unambiguous: attorneys have a professional duty to understand the technology they use to handle client matters, and to take reasonable steps to ensure that technology doesn't become a vehicle for unauthorized disclosure. What remains frustratingly vague is exactly what "reasonable" means in practice.

This article gives you a plain-English breakdown of where the Rules intersect with your IT infrastructure — and what you actually need to have in place.

Rule 1.6(c): The Technology Competence Obligation

Rule 1.6(c) of the NY Rules of Professional Conduct states that an attorney "shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The 2022 amendments made clear this applies explicitly to electronic communications and stored data.

Comment 17 to Rule 1.6 goes further, noting that "reasonable precautions" include understanding the risks associated with the technology being used, and implementing measures "reasonable in light of the sensitivity of the information."

💡 What this means practically: A court filing with public information carries different protection requirements than a client's sealed settlement documents or ongoing M&A strategy. Your IT security must be calibrated to the sensitivity of what you actually handle — not just set to a generic baseline.

Rule 1.1: Competence Includes Technology

Rule 1.1 requires attorneys to provide competent representation, and Comment 8 states that competence includes "keeping abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology."

This is not a suggestion. The New York State Bar's formal opinions have repeatedly held that an attorney who delegates all technology decisions to non-legal staff — without maintaining meaningful oversight — risks a competence violation if a breach results from that technology.

You don't need to be an IT expert. But you do need to be able to ask the right questions of your IT provider, understand the answers, and make informed decisions. That's exactly the kind of strategic oversight a qualified MSP relationship should provide.

What Actually Counts as "Reasonable Efforts"

The NYSBA's formal opinions and the ABA's Model Rules guidance together paint a reasonably clear picture of what "reasonable" looks like for a small to mid-size law firm in 2025. Based on those standards and our experience serving Queens-area law firms, here's what the bar is currently set at:

Minimum "Reasonable Efforts" Standard for NY Law Firms

  • Encryption of client files at rest and in transit — unencrypted email for sensitive matters is no longer considered reasonable
  • Multi-factor authentication on all systems containing client data, including email, case management, and cloud storage
  • Written data security policy reviewed at least annually
  • Vendor due diligence — written agreements (BAAs or data processing agreements) with any third party who accesses client data
  • Regular security training for all staff — the most common breach vector is employee error, not technical failure
  • Documented incident response plan — including client notification procedures
  • Access controls — former employees' access revoked immediately upon departure

Cloud Tools, Email, and the Metadata Problem

One area where Queens law firms consistently fall short is cloud storage and collaboration tools. Using a personal Dropbox, Gmail, or unmanaged Google Drive account for client matters is almost certainly not "reasonable" under current standards — these platforms don't provide the administrative controls, audit logs, or data processing agreements that professional obligations require.

Microsoft 365 Business Premium, properly configured with legal-grade security settings, is the current standard for law firm cloud environments. "Properly configured" is doing a lot of work in that sentence — a default Microsoft 365 setup out of the box does not meet the security standards the Rules require. It requires deliberate configuration by someone who understands both the technology and the compliance context.

The metadata problem is equally overlooked. Word documents, PDFs, and email attachments often contain embedded metadata — tracked changes, prior versions, author information, comment histories — that can inadvertently disclose privileged strategy. Managing metadata before document production is both a professional obligation and a technical process that requires the right tools configured correctly.
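As an added illustration (not part of the original article and not any vendor's tool), the sketch below shows what a pre-production metadata check on a Word file looks like: it opens the .docx package and reports author properties, unaccepted tracked changes, and comments. The function names and the sample document are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, parse with defusedxml instead

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DC = "{http://purl.org/dc/elements/1.1/}"
CP = "{http://schemas.openxmlformats.org/package/2006/metadata/core-properties}"

def scan_docx(data: bytes) -> dict:
    """Report metadata in a .docx that could disclose drafting history."""
    found = {"authors": set(), "deleted_text": [], "inserted_text": [], "comments": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        parts = set(pkg.namelist())
        if "docProps/core.xml" in parts:  # creator and last editor
            core = ET.fromstring(pkg.read("docProps/core.xml"))
            names = (core.findtext(t) for t in (DC + "creator", CP + "lastModifiedBy"))
            found["authors"].update(filter(None, names))
        body = ET.fromstring(pkg.read("word/document.xml"))
        for kind, text_tag, key in (("del", "delText", "deleted_text"), ("ins", "t", "inserted_text")):
            for change in body.iter(W + kind):  # tracked changes never accepted or rejected
                found["authors"].add(change.get(W + "author", "unknown"))
                found[key].append("".join(t.text or "" for t in change.iter(W + text_tag)))
        if "word/comments.xml" in parts:  # reviewer comments
            for c in ET.fromstring(pkg.read("word/comments.xml")).iter(W + "comment"):
                found["authors"].add(c.get(W + "author", "unknown"))
                found["comments"].append("".join(t.text or "" for t in c.iter(W + "t")))
    return found

def is_clean(found: dict) -> bool:
    """True only if no tracked changes or comments remain; author names are reported, not blocking."""
    return not (found["deleted_text"] or found["inserted_text"] or found["comments"])

def build_sample() -> bytes:
    """Constructed minimal package: only the parts the scanner reads, not a file Word would open."""
    ns = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    doc = (f'<w:document {ns}><w:body><w:p><w:r><w:t>Our offer is </w:t></w:r>'
           '<w:del w:id="1" w:author="A. Partner"><w:r><w:delText>$2M, authority to $3M</w:delText></w:r></w:del>'
           '<w:ins w:id="2" w:author="B. Associate"><w:r><w:t>$2M</w:t></w:r></w:ins>'
           '</w:p></w:body></w:document>')
    comments = (f'<w:comments {ns}><w:comment w:id="0" w:author="A. Partner">'
                '<w:p><w:r><w:t>Do not reveal the ceiling.</w:t></w:r></w:p></w:comment></w:comments>')
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>A. Partner</dc:creator>'
            '<cp:lastModifiedBy>B. Associate</cp:lastModifiedBy></cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in (("word/document.xml", doc), ("word/comments.xml", comments), ("docProps/core.xml", core)):
            pkg.writestr(name, xml)
    return buf.getvalue()
```

Note that the deleted text survives in the file even though it no longer appears on screen once change display is switched off, which is why the check reads the package rather than the rendered document.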

If There's a Breach: Your Notification Obligations

New York's SHIELD Act (Stop Hacks and Improve Electronic Data Security) applies to law firms just as it applies to any business that holds New Yorkers' private information. It requires "reasonable" administrative, technical, and physical safeguards — and notification to affected individuals in the event of a breach.

Separately, depending on the nature of the client matter involved, a breach may trigger ethical obligations to notify clients under Rule 1.4 (communication), and potentially to notify opposing parties, courts, or regulators depending on the matter type.

The attorneys who navigate breaches most successfully are those who already have a documented response plan — so that in the first chaotic hours after discovery, there's a clear protocol to follow rather than improvised decisions made under pressure.