Legal Firms &
Attorney Security

ABA Model Rule 1.6(c) requires lawyers to 'make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.' ABA Formal Opinion 477R (2017) clarified that this requires competent technology use and reasonable security measures — including MFA, encryption, and security awareness training — for client communications. ABA Formal Opinion 483 (2018) addressed data breach notification obligations. Ohio Rules of Professional Conduct mirror these obligations. The standard of 'reasonable' security has risen significantly with ABA guidance: basic antivirus and a firewall are no longer sufficient.

Business email compromise is a social engineering attack where fraudsters impersonate an attorney, client, or opposing party to redirect wire transfers or obtain confidential information. Law firms are high-value targets because they routinely handle large wire transfers (real estate closings, settlements, M&A transactions), hold IOLTA trust funds, and have billing relationships that make fraudulent invoice requests plausible. Average BEC loss for law firms exceeds $485,000 per incident. Securafy's email security stack includes BEC-specific detection, executive impersonation alerts, and DMARC enforcement — the controls that stop wire fraud before it reaches your accountant.

Cloud storage and practice management platforms are acceptable for attorney-client data if appropriate security measures are in place. ABA Opinion 477R provides guidance: the attorney must make reasonable efforts to ensure the cloud provider has adequate security, including encryption, access controls, and breach notification obligations. Preferred controls include: data encrypted at rest and in transit; MFA for all access to cloud-stored client data; contractual security and confidentiality obligations with the provider; and regular backup. Securafy evaluates cloud platforms for legal industry suitability and configures them to meet ABA security guidance.

Ohio Revised Code §1354 provides an affirmative defense against civil tort claims in data breach litigation for businesses — including law firms — that implement a written cybersecurity program aligned to a recognized framework (NIST CSF, ISO 27001, CIS Controls). If a breach occurs and clients sue, demonstrating a qualifying program shifts the burden of proof to the plaintiff. For law firms, which face both client litigation and bar disciplinary risk following a breach, Ohio Safe Harbor provides meaningful civil litigation protection. Securafy builds Safe Harbor-qualifying security programs for Ohio law firms explicitly to support this defense.

IOLTA trust account fraud typically involves compromising an attorney's email to intercept or redirect wire transfer instructions, or spoofing the attorney's domain to send fraudulent wiring instructions to clients. Securafy's protection includes: DMARC, SPF, and DKIM enforcement preventing domain spoofing; business email compromise (BEC) detection flagging impersonation attempts; MFA on all email and banking access; security awareness training covering wire fraud scenarios; and incident response planning that includes financial institution notification procedures. We have worked with Ohio bar association guidance on trust account protection and can document your controls for professional liability insurance purposes.