The American Bar Association's Model Rules of Professional Conduct — specifically Rules 1.1 (Competence) and 1.6 (Confidentiality) — create cybersecurity obligations for every attorney. Ohio's Rules of Professional Conduct mirror these obligations. For Ohio law firms of any size, a data breach involving client confidential information is not just a technology problem. It is an ethics problem with potential bar discipline, malpractice exposure, and client loss consequences.
ABA Model Rule 1.1 Comment 8 states that attorneys must maintain competence in relevant technology — including understanding "the benefits and risks associated with relevant technology." Ohio courts and bar authorities have interpreted this to include cybersecurity awareness: an attorney who stores client confidential information on unencrypted systems, uses unsecured email, or fails to select a competent IT vendor may be in violation of the competence requirement.
ABA Model Rule 1.6(c) requires attorneys to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The key term is reasonable efforts — which courts and bar authorities evaluate based on the sensitivity of the information, the cost of protective measures, and the likelihood of unauthorized access.
For Ohio law firms handling client financial data, litigation strategy, M&A targets, or personally identifiable information, "reasonable efforts" increasingly means: encrypted email, MFA on all systems, dark web monitoring, and a documented incident response plan.
Ohio Safe Harbor: Ohio Revised Code §1354 provides an affirmative defense against data breach litigation for organizations that implement and maintain a recognized cybersecurity framework. Law firms that qualify for Safe Harbor have a significant legal advantage in the event of a breach.
A data breach at an Ohio law firm creates multiple simultaneous exposure paths: bar discipline for violation of confidentiality or competence obligations; malpractice claims from clients whose information was compromised; breach notification obligations under Ohio law for any disclosure of personal information; and reputational damage that may be permanent in a trust-dependent profession.
Securafy's Comply-CARE tier is specifically designed for Ohio law firms — written incident response and information security plans that satisfy ABA guidance, Ohio Safe Harbor documentation, email encryption for all client communications, dark web monitoring for attorney credentials, and quarterly security assessments that demonstrate the "reasonable efforts" standard.
While Ohio does not currently mandate a specific cybersecurity policy for law firms, ABA Rules 1.1 and 1.6 create an obligation to take reasonable steps to protect client confidential information. A documented cybersecurity policy is the most defensible evidence of "reasonable efforts" and is strongly recommended by the Ohio State Bar Association.
Ohio Revised Code §1354 (the Ohio Safe Harbor Act) provides an affirmative defense against data breach litigation for organizations that implement and maintain a recognized cybersecurity framework (such as NIST CSF). Ohio law firms that qualify for Safe Harbor can use their security program as a defense against breach-related lawsuits from clients.
Email encryption is an important component of satisfying Rule 1.6, but it is not the only required measure. The ABA has clarified that attorneys must assess the sensitivity of each communication and apply appropriate protections. Encrypted email, combined with MFA on all systems, secure file sharing, and endpoint encryption, provides the strongest defensible position.
Immediately upon discovering a breach: contain the incident (isolate affected systems), preserve evidence for forensic investigation, notify your cybersecurity insurance carrier, consult with legal counsel about breach notification obligations under Ohio law, and assess whether the breach triggers any client notification obligations under ABA Rule 1.4.