If you practice law in Florida, you’ve probably heard about Rule 4-1.6 — the duty of confidentiality. What you may not have absorbed yet is what subsection (e) added: an explicit requirement to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
That sentence isn’t symbolic. It means the Florida Bar can now discipline an attorney for security practices, not just for actual disclosures. And the Bar has been steadily building case law around what “reasonable” means in 2026.
What “Reasonable Efforts” Actually Looks Like
Florida Bar Ethics Opinion 14-1 (and subsequent guidance) has clarified that “reasonable” is a sliding scale based on the sensitivity of the matter and the resources of the firm. A solo practitioner handling traffic tickets is held to a different bar than a 50-attorney firm handling M&A.
That said, certain controls have become baseline expectations across all firm sizes:
- Encrypted email or secure portal for any client communication containing privileged content
- Multi-factor authentication on email, document management, and case management systems
- Endpoint encryption on all devices that access client matter data
- Cybersecurity training for the attorney and staff (annual minimum)
- Incident response plan — what you do if a device is lost or stolen, or if there’s a breach
- Vendor due diligence on cloud services that touch client data
Don’t write what you don’t do
A cybersecurity policy that says “we use multi-factor authentication” creates Bar liability if MFA isn’t actually enabled. The Bar treats discrepancies between written policy and actual practice as worse than having no policy at all.
The Privilege Problem
The bigger risk for law firms isn’t usually a Bar complaint — it’s privilege. If your client’s privileged communications are exposed because of inadequate security, you’ve created a breach of duty AND potentially destroyed the privilege for that matter. Opposing counsel will absolutely try to use that.
This is why we treat law firm IT differently from CPA firm IT or clinic IT. The compliance frameworks overlap, but the privilege question raises the stakes. A reportable breach at a law firm can mean privilege waiver, malpractice exposure, AND a Bar complaint — all from the same incident.
Documenting “Reasonable Efforts”
The Bar doesn’t require a specific format, but in our experience, firms that get into trouble usually can’t produce documentation. Here’s what a defensible record looks like:
- A written cybersecurity policy reviewed annually, signed by the managing attorney
- An asset inventory showing every system that holds client data and how it’s secured
- Training records with completion dates and topics covered
- Vendor agreements that include data protection terms
- Incident response runbook with current contact info
If a Bar inquiry shows up, you produce these documents. If a malpractice insurer asks, you produce these documents. If a client’s GC wants to vet your firm before referring a major engagement to you, you produce these documents. The same paperwork solves multiple problems.


