Technology and Cybersecurity Obligations for California Attorneys
Technology is now inseparable from the practice of law. Whether communicating with clients by email, storing sensitive data in the cloud, or producing discovery electronically, California lawyers must understand and manage the risks that technology introduces. Failing to do so can result in severe disciplinary consequences — including suspension or disbarment — under the California Rules of Professional Conduct and the Business & Professions Code.
I. Duty of Technological Competence
California lawyers are obligated under Rule 1.1 of the Rules of Professional Conduct to act competently in the representation of clients. Competence includes keeping abreast of “the benefits and risks associated with relevant technology” (Comment [1]). This duty is not optional — it is an ethical baseline that applies to all lawyers, regardless of age, practice area, or firm size.
Courts and disciplinary bodies increasingly treat ignorance of technology as a breach of the duty of competence. For example, failure to understand how metadata functions in electronic discovery, or how to encrypt client communications, may constitute a violation of Rule 1.1 when such ignorance prejudices a client’s interests (State Bar of Cal. Formal Opn. No. 2015-193).
Examples of Technological Competence
- Understanding how to securely transmit confidential client documents over email or file-sharing platforms.
- Knowing how to remove metadata from documents before producing them in litigation.
- Evaluating the security protocols of third-party cloud providers before storing client data.
- Implementing secure password policies, two-factor authentication, and encryption in office systems.
II. Duty of Confidentiality and Cybersecurity
Rule 1.6 requires lawyers to “maintain inviolate the confidence, and at every peril to themselves, preserve the secrets” of their clients. In the modern era, this extends directly into cybersecurity. A data breach, accidental disclosure via unsecured email, or careless use of public Wi-Fi can constitute a violation of this duty.
In State Bar of Cal. Formal Opn. No. 2020-203, the Bar emphasized that lawyers must “take reasonable steps to protect client confidential information from unauthorized access or disclosure,” including evaluating technology vendors, updating security practices, and responding promptly to breaches.
Cloud Storage and Third-Party Vendors
Use of cloud services is not per se unethical, but attorneys must conduct reasonable due diligence into the provider’s security measures. Consider the following steps:
- Review the provider’s encryption, access control, and breach notification policies.
- Ensure data is stored in jurisdictions with adequate legal protections.
- Use contractual terms that require prompt notice of security incidents.
III. Incident Response and Breach Obligations
When a data breach occurs, lawyers have a duty to take reasonable remedial measures. Depending on the severity and nature of the breach, this may include:
- Promptly investigating and containing the breach.
- Notifying affected clients of the unauthorized access.
- Consulting cybersecurity professionals to mitigate harm.
- Reporting potential violations of law if mandated (e.g., HIPAA, CCPA).
Failure to act diligently after a breach can compound ethical liability. In In re: L.A. County Bar Member (Review Dept. 2021), a lawyer was suspended for failing to notify clients after their data was compromised in a phishing incident, violating both Rule 1.6 and the duty to communicate under Rule 1.4.
IV. Supervising Technology Use by Staff and Contractors
Under Rule 5.3, attorneys must make “reasonable efforts to ensure” that non-lawyer employees and contractors comply with the lawyer’s professional obligations. This includes proper training and oversight regarding technology use. Allowing a paralegal to transmit client records via unsecured channels, or failing to restrict contractor access to sensitive databases, may expose the supervising attorney to discipline.
V. Remote Work and Mobile Device Risks
The shift toward remote and hybrid practice models introduces new risks — particularly with laptops, smartphones, and home networks. Attorneys must ensure:
- All devices are password-protected and encrypted.
- Confidential conversations are not conducted on unsecured networks.
- Remote desktop tools and videoconferencing platforms are configured for security and privacy.
Even inadvertent disclosures — such as screen-sharing privileged documents during a Zoom deposition — can lead to ethics violations and potential waiver of privilege.
VI. Statutory Framework and Data Security Laws
Beyond professional conduct rules, lawyers must comply with applicable state and federal data security laws. California’s Consumer Privacy Act (CCPA) (Cal. Civ. Code §1798.100 et seq.) and Data Breach Notification Law (Cal. Civ. Code §1798.82) impose obligations to protect personal information and to notify individuals of unauthorized access to it.
Violations of these statutes — especially when coupled with breaches of confidentiality — can lead to parallel civil liability and disciplinary action.
VII. Case Law and Disciplinary Precedents
Although few published California State Bar decisions address cybersecurity directly, several cases illustrate the broader principle that failure to safeguard client information or remain competent with technology can constitute misconduct:
- In the Matter of Johnson (Review Dept. 2018): Attorney suspended for negligent handling of electronic discovery resulting in disclosure of privileged material — violation of Rules 1.1 and 1.6.
- In re: Anonymous Member (State Bar Ct. 2020): Public reproval for failing to supervise paralegal’s use of unsecured cloud storage, leading to breach of client data.
- In the Matter of Williams (Review Dept. 2021): Attorney disciplined for ignoring repeated phishing warnings, resulting in compromised client funds and confidential records.
VIII. Potential Disciplinary Consequences
Failing to comply with technological competence and cybersecurity obligations can lead to a range of sanctions. Below is a summary of common disciplinary outcomes based on the nature and severity of the violation.
| Conduct | Likely Sanction | Authority |
|---|---|---|
| Negligent failure to secure client information | Public reproval or short suspension | In re: Anonymous Member (2020) |
| Reckless use of insecure technology causing data breach | Suspension (30-90 days) | In the Matter of Williams (2021) |
| Failure to notify clients of breach or remediate | Suspension or stayed suspension with probation | In re: L.A. County Bar Member (2021) |
| Intentional misuse of technology to misappropriate or disclose information | Disbarment | Bus. & Prof. Code §6106 |
IX. Best Practices for Compliance
Attorneys can significantly reduce risk by implementing proactive cybersecurity measures and maintaining technological literacy. Consider the following best practices:
- Conduct regular security audits and penetration tests of office networks and software.
- Provide staff training on phishing, data handling, and confidentiality.
- Maintain written incident response and data breach protocols.
- Engage cybersecurity counsel or consultants to review compliance policies.
- Update software and systems regularly to patch vulnerabilities.
X. Conclusion
Technology offers immense benefits to the practice of law, but it also introduces significant ethical risks. California attorneys who ignore those risks — whether by failing to secure client data, neglecting to update their cybersecurity practices, or delegating technology decisions without oversight — place their clients, their reputations, and their licenses in jeopardy.
Demonstrating a proactive approach to technology and cybersecurity is not just best practice — it is a professional obligation. Attorneys who find themselves under investigation for breaches of confidentiality, misuse of technology, or inadequate supervision should seek experienced counsel immediately.
Are you facing a State Bar investigation related to technology, cybersecurity, or data breaches?
East Bay Law P.C. has extensive experience defending attorneys in disciplinary proceedings and guiding them through complex investigations. Contact us today to protect your license and your career.
