ABA Rule 1.6(c): What “Reasonable Efforts” Actually Means for Cybersecurity in 2026
Model Rule 1.6(c) is one of the shortest and most frequently cited sections of the ABA Model Rules of Professional Conduct. In a single sentence of 26 words, it requires that “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” What it does not tell you is what “reasonable efforts” means when the threat is ransomware, a business email compromise, or a misconfigured OneDrive folder shared with the wrong client.
This post unpacks the standard as it stands today, explains what ABA Formal Opinions 477R and 483 added to it, and gives you a practical framework you can use to document compliance — whether you are a solo practitioner, a five-lawyer firm, or an in-house lawyer responsible for a small legal department.
What Rule 1.6(c) actually says — and the Comment [18] factors
The text of 1.6(c) is intentionally technology-neutral. It does not name a product, a protocol, or a minimum encryption standard. The interpretive work happens in Comment [18], which lists five factors that determine whether a particular safeguard is “reasonable”:
- The sensitivity of the information
- The likelihood of disclosure if additional safeguards are not employed
- The cost of employing additional safeguards
- The difficulty of implementing the safeguards
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients
Comment [18] is a balancing test, not a checklist. A solo attorney handling a single real estate closing and a 40-lawyer firm defending a patent suit arrive at different answers, but both arrive by weighing the same five factors. The comment also notes that a client may require the lawyer to implement special security measures the rule would not otherwise demand, or may give informed consent to forgo measures that would otherwise be required, so client instructions change the answer in both directions.
The practical implication: if someone later asks whether you exercised reasonable efforts, the question is not “did you buy the most expensive tool available?” It is “did you consider these five factors and make defensible decisions?” That distinction matters, because the former is impossible to prove and the latter is just documentation.
Formal Opinion 477R (2017): the communication question
For roughly two decades, lawyers treated unencrypted email as presumptively acceptable for confidential client communications, based on ABA Formal Opinion 99-413 (1999). Formal Opinion 477R updated that guidance. It did not impose a categorical encryption requirement, but it made clear that the 1999 assumption of reasonable expectation of privacy in email no longer holds automatically. 477R instructs lawyers to assess each communication individually and to consider stronger protections — including encrypted email and secure client portals — when the information warrants them.
The opinion walks through the same Comment [18] factors but applies them specifically to the transmission of information. A few practical takeaways that follow from 477R’s analysis:
- Routine scheduling messages probably do not require encryption.
- Settlement discussions, deal terms, financial records, medical information, trade secrets, and privileged communications probably do.
- Even for routine messages, the underlying mail system should be configured to resist spoofing and interception. In practice that means SPF, DKIM and DMARC published for your sending domain, with DMARC set to p=quarantine or p=reject rather than the monitor-only p=none, and TLS required for transport between mail servers. Be clear about what these controls do not do: they keep others from impersonating your domain and protect mail in transit, but they do nothing once an attacker is inside a mailbox, which is why MFA and audit logging sit alongside them.
- If you use a secure client portal, you should know how it handles authentication, session expiration, and access logging.
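The spoofing-resistance bullet above is easy to state and easy to get half right: a DMARC record at p=none or an SPF record ending in +all looks configured but enforces nothing. The following is an added example, not code from the original post, that checks published SPF, DKIM and DMARC records for those gaps. The domain, selectors and key are constructed placeholders, and the records are embedded as sample data rather than resolved over DNS; the weak set is typical of a Microsoft 365 tenant after the default DNS setup, and the hardened set is the same domain after the fixes.

```python
"""Assess a domain's SPF, DKIM and DMARC records for spoofing resistance.

Added example, not code from the original post. The TXT records below are
constructed samples standing in for what `dig +short TXT example-firm.test`,
`dig +short TXT _dmarc.example-firm.test` and
`dig +short TXT selector1._domainkey.example-firm.test` would return; nothing
is looked up over the network, and the domain and key are placeholders.
"""
import re

# Constructed: a typical Microsoft 365 tenant after the default DNS setup.
WEAK_RECORDS = {
    "example-firm.test": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example-firm.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-firm.test",
    "selector1._domainkey.example-firm.test": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
    # selector2 was never published
}

# Constructed: the same domain after hardening.
HARDENED_RECORDS = {
    "example-firm.test": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example-firm.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-firm.test",
    "selector1._domainkey.example-firm.test": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
    "selector2._domainkey.example-firm.test": "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
}

# Microsoft 365 signs with two rotating selectors, so both should resolve.
M365_SELECTORS = ("selector1", "selector2")

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for a v=spf1 record, else None."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(body)
    return mechanisms, all_qualifier


def parse_tags(record):
    """Parse 'k=v; k=v' records (DMARC and DKIM) into a lowercase-keyed dict."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_key_published(records, domain, selector):
    """True if the selector has a DKIM record with a non-empty public key."""
    record = records.get(f"{selector}._domainkey.{domain}")
    if not record:
        return False
    tags = parse_tags(record)
    # v= is optional in DKIM records; an empty p= means the key is revoked.
    return tags.get("v", "DKIM1").upper() == "DKIM1" and bool(tags.get("p"))


def assess(records, domain, selectors=M365_SELECTORS):
    """Return (severity, message) findings; an empty list means no gaps found."""
    findings = []

    dmarc = parse_tags(records.get(f"_dmarc.{domain}", ""))
    policy = dmarc.get("p", "").lower()
    enforcing = policy in ("quarantine", "reject")
    if dmarc.get("v", "").upper() != "DMARC1":
        findings.append(("high", "no DMARC record: receivers never act on SPF/DKIM failures"))
    elif policy == "none":
        findings.append(("medium", "DMARC p=none is monitor-only; spoofed mail is still delivered"))
    elif not enforcing:
        findings.append(("high", f"DMARC policy {policy!r} is not valid"))
    if dmarc and "rua" not in dmarc:
        findings.append(("low", "DMARC has no rua= address, so aggregate reports are not collected"))

    spf = parse_spf(records.get(domain, ""))
    if spf is None:
        findings.append(("high", "no SPF record: any host can claim to send as this domain"))
    else:
        mechanisms, all_qualifier = spf
        if all_qualifier in (None, "+", "?"):
            findings.append(("high", "SPF does not end in -all or ~all, so unknown senders pass"))
        elif all_qualifier == "~" and not enforcing:
            findings.append(("medium", "SPF ~all (softfail) without an enforcing DMARC policy is advisory only"))
        lookups = sum(1 for m in mechanisms
                      if re.split(r"[:=/]", m, maxsplit=1)[0].lower() in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(("high", f"SPF needs {lookups} DNS lookups; more than 10 is a permerror"))

    for selector in selectors:
        if not dkim_key_published(records, domain, selector):
            findings.append(("medium", f"DKIM key for selector {selector!r} is not published"))
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"{label}: {assess(records, 'example-firm.test') or 'no findings'}")
```

Against the weak set the script reports three findings (monitor-only DMARC, softfail SPF with no enforcing policy behind it, and a missing second DKIM selector) and nothing against the hardened set. To run it against a real domain, replace the dictionaries with the TXT records returned by `dig`; the output is the kind of dated, reproducible check that belongs in the written policy described later in this post.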
477R is worth reading in full. It is 11 pages, cites the relevant prior opinions, and gives you exactly the vocabulary you need to document your own analysis.
Formal Opinion 483 (2018): what happens after a breach
Where 477R addresses prevention, Formal Opinion 483 addresses the other half of the problem: what a lawyer’s ethical obligations look like after an electronic data breach or cyberattack. It builds on both Rule 1.1 (competence, via Comment [8]) and Rule 1.6(c).
The opinion frames three distinct duties:
Monitoring. Lawyers have an affirmative duty to monitor for a data breach. You cannot take the position that you satisfied your obligations if you never looked. For most small firms, this means confirming that audit logging is turned on in the tenant, that log retention is long enough to cover the gap between an intrusion and its discovery, and that a named person reviews the logs on a schedule.
Stopping and restoring. Once a breach is identified or reasonably suspected, the lawyer must act to stop it, restore systems, and determine what was accessed. The opinion explicitly acknowledges that most lawyers will need outside expertise here, and that engaging qualified help is itself part of reasonable efforts.
Notifying clients. If material client information was compromised, or may have been, the lawyer has a duty to notify affected current clients under Rule 1.4. The opinion limits that ethical duty to current clients; it does not extend it to former clients as a matter of the Model Rules, though Rule 1.9(c) and state data breach notification laws may independently require notice to them.
Opinion 483 is the reason “we had a ransomware incident but did not tell anyone” is not a defensible position. The opinion defines a breach to include events where material client information is destroyed or otherwise compromised, or where the lawyer’s ability to perform the legal services for which the lawyer was hired is significantly impaired, and ransomware that encrypts client files typically does both. Whether or not state law also requires external reporting, Rule 1.4 notification to affected current clients follows.
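The monitoring duty described above is only met if someone actually reads the logs, and for the business email compromise scenario from the introduction the records worth reading are narrow: inbox rules that forward or delete mail, mailbox-level forwarding, and new delegate access. The following is an added example, not code from the original post, that runs those checks over audit records. The records are constructed samples in the shape of the AuditData JSON that Search-UnifiedAuditLog returns; the field names are real, while the users, addresses and events are invented, and FIRM_DOMAINS is an assumed list of the firm’s own mail domains.

```python
"""Review Microsoft 365 unified audit log records for business email
compromise indicators: forwarding to outside addresses, rules that delete
mail, and mailbox delegation.

Added example, not code from the original post. The records are constructed
samples in the shape of the AuditData JSON that Search-UnifiedAuditLog returns
(CreationTime, Operation, UserId, ClientIP and a Parameters list of Name/Value
pairs); the field names are real, the events, users and addresses are invented.
"""
import json
import re

FIRM_DOMAINS = {"example-firm.test"}  # assumption: the firm's own mail domains

# Constructed sample export, one AuditData document per line.
SAMPLE_LOG = r'''
{"CreationTime":"2026-01-12T08:14:03","Operation":"New-InboxRule","Workload":"Exchange","UserId":"alice@example-firm.test","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"[SMTP:finance.docs@mail-relay.invalid]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-01-12T08:15:40","Operation":"Set-Mailbox","Workload":"Exchange","UserId":"alice@example-firm.test","ClientIP":"198.51.100.23","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:finance.docs@mail-relay.invalid"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2026-01-12T09:02:11","Operation":"New-InboxRule","Workload":"Exchange","UserId":"bob@example-firm.test","ClientIP":"203.0.113.8","Parameters":[{"Name":"Name","Value":"Court notices"},{"Name":"SubjectContainsWords","Value":"ECF"},{"Name":"MoveToFolder","Value":"Litigation"}]}
{"CreationTime":"2026-01-12T09:30:00","Operation":"Add-MailboxPermission","Workload":"Exchange","UserId":"admin@example-firm.test","ClientIP":"203.0.113.8","Parameters":[{"Name":"Identity","Value":"partner"},{"Name":"User","Value":"alice@example-firm.test"},{"Name":"AccessRights","Value":"FullAccess"}]}
'''

# Parameters whose value names a delivery target for copies of incoming mail.
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\w")


def parameters(record):
    """Flatten the Parameters array into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value):
    """Addresses in a parameter value whose domain is not one of the firm's."""
    return [addr for addr in EMAIL_RE.findall(value)
            if addr.rsplit("@", 1)[1].lower() not in FIRM_DOMAINS]


def review_record(record):
    """Return (severity, time, user, message) findings for one audit record."""
    findings = []
    op, user, p = record["Operation"], record["UserId"], parameters(record)
    when, ip = record["CreationTime"], record.get("ClientIP", "?")

    # Any forwarding target outside the firm is the classic BEC exfiltration path.
    for name in FORWARD_PARAMS:
        if name in p:
            outside = external_addresses(p[name])
            if outside:
                findings.append(("high", when, user,
                                 f"{op} sends mail to external {', '.join(outside)} (from {ip})"))

    # Rules that delete matching mail hide the attacker's correspondence from the owner.
    if op in ("New-InboxRule", "Set-InboxRule") and p.get("DeleteMessage") == "True":
        findings.append(("high", when, user,
                         f"{op} deletes matching messages (rule named {p.get('Name')!r})"))

    # Full mailbox delegation is legitimate for assistants and dangerous otherwise;
    # either way it should be reviewed rather than discovered later.
    if op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", ""):
        findings.append(("medium", when, user,
                         f"granted FullAccess on mailbox {p.get('Identity')!r} to {p.get('User')}"))
    return findings


def review(log_text):
    """Run review_record over a newline-delimited export and collect findings."""
    findings = []
    for line in log_text.strip().splitlines():
        findings.extend(review_record(json.loads(line)))
    return findings


if __name__ == "__main__":
    for severity, when, user, message in review(SAMPLE_LOG):
        print(f"{severity:6} {when} {user}: {message}")
```

On the sample the benign “Court notices” rule produces nothing, while the two changes made from 198.51.100.23 against alice’s mailbox produce three high findings within two minutes of each other, which is exactly the sequence a reviewer should treat as a suspected breach under Opinion 483 rather than a ticket. In practice you would feed the AuditData field of each record returned by Search-UnifiedAuditLog into review(); the point of the script is that the review is scheduled and repeatable, not that it replaces the tenant’s own alerting.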
State bar guidance is the other half of the standard
The Model Rules are persuasive, not binding. Every state has adopted some version of Rule 1.6, and many state bars have issued their own opinions applying the rule to specific technologies. A few representative examples:
- California has addressed unsecured Wi-Fi, cloud storage, and data transfer to third-party vendors in a series of formal opinions. Its guidance generally tracks the ABA approach but is more specific about vendor due diligence.
- New York (State Bar Opinion 842) addressed cloud-based document storage, concluding that lawyers may use such services provided they exercise reasonable care — which includes reviewing terms of service and understanding the provider’s security practices.
- Florida, Texas, Illinois, and others have published their own opinions. The details differ, but the common thread is that reasonable efforts include vendor diligence, written policies, and periodic reassessment as technology and threats change.
If you practice in more than one jurisdiction, plan to the most protective version of the rule that applies to you. In practice this rarely changes the technical controls you implement; it usually affects documentation and notification timelines.
Documenting “reasonable efforts” so you can prove them
The hardest part of Rule 1.6(c) compliance is not implementing the technical controls. It is being able to prove, years later, that you did. A short written security policy accomplishes this better than any specific tool. At minimum, document:
- The data you hold. Categories of client information, typical sensitivity, where each category is stored.
- The controls in place. Identity and access (MFA, Conditional Access, admin roles), email protection, document controls, audit logging, backup and recovery, endpoint protection, vendor list with security diligence notes.
- Your review cadence. How often you revisit the policy (at least annually is the defensible minimum).
- Incident response basics. Who gets called, in what order, if you suspect a breach. Which clients get notified under Rule 1.4, and under what circumstances.
- Training. What everyone at the firm is expected to know about phishing, password hygiene, and reporting suspected incidents.
This does not need to be a 40-page document. A two- to four-page written policy, reviewed annually, signed by the managing attorney, and kept in the firm’s records is enough for most small practices to demonstrate that they considered the Comment [18] factors in good faith.
If you want a concrete technical starting point — the actual configuration changes that satisfy most of the above for a firm running on Microsoft 365 — see our companion post: Microsoft 365 Security for Law Firms: A 12-Point Configuration Checklist.
What this means for your practice
Rule 1.6(c) compliance is not about achieving zero risk. Comment [18] says outright that an unauthorized access or disclosure is not a violation of the rule if the lawyer made reasonable efforts to prevent it. Compliance is about making deliberate, defensible, documented decisions that balance sensitivity, cost, and client impact, and being able to show your work.
For most solo and small firms running on Microsoft 365, the gap between default configuration and a defensible 1.6(c) posture is a dozen settings, a two-page written policy, and a documented annual review. None of that requires buying a new platform. It requires spending an afternoon understanding what you already have.
Free Microsoft 365 security review
A 30-minute review identifies the specific settings in your tenant that do not align with common 1.6(c) interpretations — including the Comment [18] factors, 477R’s transmission analysis, and 483’s monitoring requirements. You get a written report you can use as the starting point for your own written policy. No credit card, no sales call required.
Start your free assessment →

This post is general information about the ABA Model Rules and is not legal advice. Your obligations depend on the rules and formal opinions that apply in your jurisdiction. Consult your state bar’s published opinions and, where appropriate, ethics counsel.