🔒 CRPC 1.6 Confidentiality: The Foundation of Everything
Every technology decision you make as a California lawyer is a confidentiality decision. CRPC 1.6 doesn't just prohibit active disclosure of client secrets - it requires you to take "reasonable steps" to prevent inadvertent disclosure. That means your cloud storage, your video calls, your AI tools, and your laptop all implicate Rule 1.6.
The remote practice context makes this more complex because information travels through more systems, more networks, and more third parties. But the standard remains the same: reasonable precautions under the circumstances.
Key Insight: "Reasonable" doesn't mean "perfect." It means proportionate to the sensitivity of the information and the available technology. A solo practitioner handling routine matters has different obligations than a firm handling trade secrets litigation.
The rule text, in relevant part:
(a) A lawyer shall not reveal information protected from disclosure by Business and Professions Code section 6068, subdivision (e)(1) unless the client gives informed consent, or the disclosure is permitted by paragraph (b) of this rule.
(e) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information protected from disclosure by Business and Professions Code section 6068, subdivision (e)(1).
📜 What Information Does Rule 1.6 Protect?
CRPC 1.6 incorporates Business & Professions Code section 6068(e)(1), which requires attorneys to "maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client." This protection is broader than attorney-client privilege:
| Protected Information | Example | Common Tech Risk |
|---|---|---|
| Client identity | The fact that John Smith hired you for a divorce | Calendar app syncing to shared family account |
| Matter existence | The fact that XYZ Corp is considering litigation | Cloud file names visible to IT staff |
| Communications content | Strategy emails, draft documents | Email provider scanning for ads |
| Work product | Legal research, case analysis | Pasted into ChatGPT for "summarization" |
| Client-provided documents | Contracts, financial records, personnel files | Cloud backup to consumer service |
| Witness information | Names and contact info of witnesses | Synced contact lists |
Lawyers sometimes assume that information available in public records isn't confidential. This is wrong. Even if a lawsuit is on file, your analysis of the lawsuit, your strategy for handling it, and your communications about it remain confidential. The existence of public records about a matter doesn't waive confidentiality over your work.
⚖ The "Reasonable Efforts" Standard
CRPC 1.6(e) requires "reasonable efforts" to prevent inadvertent disclosure. This is a flexible, fact-dependent standard. Comment [18] to the rule provides guidance:
"Factors to be considered in determining the reasonableness of the lawyer's efforts include, but are not limited to: the sensitivity of the information; the likelihood of disclosure if additional safeguards are not employed; the cost of employing additional safeguards; the difficulty of implementing the safeguards; and the extent to which the safeguards adversely affect the lawyer's ability to represent clients."
In Practice, This Means:
- Highly sensitive matters (trade secrets, whistleblower cases, high-profile divorces) require stronger precautions
- Routine matters require standard professional precautions but not extraordinary measures
- Available technology matters - encryption that was impractical 10 years ago is now standard
- Cost is a legitimate factor - you don't need enterprise security on a solo practice budget
- Client instructions can increase your obligations - if a client demands heightened security, that becomes your standard
When evaluating any technology decision, ask yourself: "If a disciplinary authority looked at this choice, would they conclude that a reasonable lawyer exercising professional judgment made this decision?" That's the test.
The answer is usually "yes" if you: (1) understood what the technology does with your data, (2) made a conscious choice based on that understanding, and (3) can articulate why the choice was appropriate for the matter. The answer is usually "no" if you: (1) never thought about it, (2) have no idea how the service works, or (3) chose the cheapest/easiest option without considering confidentiality at all.
⏰ When the Duty Attaches (And When It Doesn't End)
Confidentiality duties attach the moment someone becomes a prospective client (CRPC 1.18) and survive the end of the representation. Former client confidences remain protected forever - there's no expiration date.
Technology Implications:
- Data retention: Client files sitting in old cloud storage are still confidential
- Device disposal: Old laptops and phones with client data must be securely wiped
- Account access: Cloud accounts must remain secure even after matters close
- Backup archives: Backups containing client data have the same protection requirements
CRPC 1.9(c) provides: "A lawyer who has formerly represented a client in a matter or whose present or former firm has formerly represented a client in a matter shall not thereafter... (2) reveal information protected by Business and Professions Code section 6068, subdivision (e) or rule 1.6 except as these rules or the State Bar Act would permit with respect to a current client."
The duty continues indefinitely. Former client files deserve the same security as current client files.
✅ The Disclosure Exception: Client Consent
Clients can consent to disclosures that would otherwise violate Rule 1.6. For technology purposes, this consent typically appears in the engagement letter.
Client consent doesn't eliminate your independent duty of competence (CRPC 1.1) or your supervision duties (CRPC 5.3). Even if a client consents to your use of an insecure tool, you may still be disciplined for incompetent practice if the tool was obviously inadequate.
Think of consent as expanding your options within the range of reasonable choices - not as permission to make unreasonable ones.
⚠ Data Breach: When Confidentiality Fails
Despite reasonable precautions, breaches happen. When they do, California lawyers have specific obligations:
- Contain the breach immediately (revoke access, change passwords, isolate affected systems)
- Document what happened (timeline, scope, affected data, how discovered)
- Assess what client information was potentially exposed
- Consult with cybersecurity expert if breach is significant
- Notify affected clients under CRPC 1.4 (keep clients informed of significant developments)
- Determine if California breach notification law applies (Civil Code 1798.82)
- Consider notification to opposing counsel if litigation-sensitive information exposed
- Notify your malpractice carrier
- Implement remedial measures to prevent recurrence
If a breach involves "personal information" (as defined in the statute) of California residents, you may have statutory notification obligations independent of your ethics duties. This includes: (1) social security numbers, (2) driver's license numbers, (3) financial account numbers with passwords, (4) medical information, (5) health insurance information.
The statute requires notification to affected individuals "in the most expedient time possible and without unreasonable delay."
❓ The 7 Questions Before You Use Any Cloud Tool
Before adopting any cloud-based service that will touch client data, work through these questions:
- Where does the data physically reside? (Country, data center locations, backup locations)
- Who can access the data? (Employees, subcontractors, law enforcement, other users)
- Is the data encrypted? (At rest, in transit, and who holds the encryption keys)
- What happens to my data if the service shuts down? (Data portability, export formats, notice period)
- Does the service provider claim any rights to use my data? (Training AI models, analytics, marketing)
- How are security incidents handled? (Notification timeline, what information is provided)
- Can I audit or verify security claims? (SOC 2 reports, penetration test results, compliance certifications)
☁ COPRAC Cloud Computing Opinions: The Official Guidance
California lawyers can use cloud computing, but not blindly. COPRAC (Committee on Professional Responsibility and Conduct) issued two key opinions - 2010-179 on cloud computing generally, and 2012-184 on metadata. Together, they establish that cloud tools are ethically permissible if you exercise reasonable care in selecting and using them.
The opinions don't prohibit any specific tool. Instead, they require you to understand what you're using and make informed judgments about whether it's appropriate for your practice.
📝 COPRAC Opinion 2010-179: Cloud Computing
Issue: May a California attorney use cloud computing to store and work with client materials?
Holding: Yes, provided the attorney takes reasonable steps to ensure confidentiality is maintained. The attorney must make reasonable efforts to ensure the provider will maintain confidentiality and security.
The Key Takeaways from 2010-179:
The opinion establishes a framework for evaluating cloud services that remains relevant today:
COPRAC 2010-179 says the attorney's obligation is to use "reasonable care" in selecting cloud providers. This includes:
- Understanding the provider's data handling: Where data is stored, who can access it, security measures in place
- Reviewing terms of service: Understanding what rights the provider claims over your data
- Ensuring adequate security: Encryption, access controls, audit trails
- Data portability: Ability to retrieve your data if you leave the service
- Jurisdiction concerns: Being aware of where data is stored (particularly for international providers)
The opinion notes: "The attorney must take reasonable steps to ensure that the outsourced services are competent, that confidential client information is protected, and that the attorney retains control over the representation."
Due diligence isn't one-and-done. The opinion emphasizes ongoing obligations:
- Monitor the relationship: Stay aware of changes to provider terms or practices
- Update security measures: As technology evolves, so should your practices
- Respond to red flags: If security concerns arise, address them promptly
- Maintain competence: Keep up with technology developments relevant to your practice
COPRAC 2010-179 doesn't give a checklist. Here's what reasonable diligence looks like in practice:
Minimum: Read the terms of service. Understand the basics of how data is secured. Use a reputable provider with a track record. Enable available security features like two-factor authentication.
Better: Request and review SOC 2 compliance reports. Understand the provider's breach notification procedures. Have a data processing agreement in place. Maintain separate accounts for personal and professional use.
High-Sensitivity Matters: Consider end-to-end encryption where you control the keys. Evaluate geographic location of data storage. Review provider's response to government data requests. Consider specialized legal-focused services.
📝 COPRAC Opinion 2012-184: Metadata
Issue: What are a California attorney's ethical duties regarding metadata in electronic documents?
Holding: Attorneys must exercise reasonable care to prevent inadvertent disclosure of confidential information in metadata. Receiving attorneys must not mine metadata from documents if they have reason to believe the disclosure was inadvertent.
What Is Metadata and Why Does It Matter?
Metadata is "data about data" - information embedded in electronic files that may not be visible when viewing the document normally. This includes:
| Metadata Type | What It Contains | Risk Level |
|---|---|---|
| Document properties | Author name, organization, creation/modification dates | Low-Medium |
| Track changes | All edits made to document, who made them, deleted text | High |
| Comments | Internal notes, sometimes including strategy discussions | High |
| Revision history | Previous versions of the document | High |
| Embedded objects | Source files, linked documents | Medium-High |
| Email headers | Routing information, server names, timestamps | Low-Medium |
| Photo EXIF data | GPS coordinates, camera info, timestamps | Medium (context dependent) |
Classic scenario: You send a "clean" draft settlement agreement to opposing counsel. They open it in Word, turn on track changes, and see your client's bottom line, your internal notes like "they'll probably accept this," and three rounds of edits showing your negotiating strategy.
This happens more often than you'd think, and it's entirely preventable.
Sending Attorney's Duties:
- Scrub metadata before sending: Use built-in document inspection tools or dedicated metadata removal software
- Consider PDF conversion: Converting to PDF removes most Word-specific metadata (but not all)
- Review before sending: Actually look at documents in a way that shows hidden data
- Train staff: Assistants who send documents need to understand metadata risks
Microsoft Word: File > Info > Check for Issues > Inspect Document. Select what to remove.
PDF: Use Adobe Acrobat's "Remove Hidden Information" or "Sanitize Document" feature.
Automated: Tools like Workshare, Payne Consulting's Metadata Assistant, or DocsCorp can automate scrubbing for high-volume practices.
Warning: Simply saving as PDF doesn't remove all metadata. Some properties transfer. Use proper scrubbing tools.
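The "review before sending" step above can be automated for the formats a document inspector looks at. The following is an added example (not from the original page or any vendor tool): it builds a constructed .docx in memory that looks clean but still carries an author, a last-modified-by name, a tracked deletion of the earlier settlement figure and an internal comment, then reports each hidden item so the sender sees exactly what opposing counsel would see after turning on Track Changes. The names and figures are fictitious.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# XML namespaces used inside a .docx package (WordprocessingML and OPC core properties).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"


def build_sample_docx() -> bytes:
    """Constructed sample: a draft that displays as clean but still carries an author,
    a last-modified-by name, one tracked deletion, one tracked insertion and one comment."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        '<dc:creator>A. Associate</dc:creator>'
        '<cp:lastModifiedBy>Partner Name</cp:lastModifiedBy>'
        '</cp:coreProperties>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:t>Settlement offer: </w:t></w:r>'
        # The old figure survives as a tracked deletion even though Word no longer shows it.
        '<w:del w:author="Partner Name"><w:r><w:delText>$250,000</w:delText></w:r></w:del>'
        '<w:ins w:author="Partner Name"><w:r><w:t>$150,000</w:t></w:r></w:ins>'
        '<w:commentRangeStart w:id="0"/><w:r><w:t> (final)</w:t></w:r>'
        '<w:commentRangeEnd w:id="0"/>'
        '</w:p></w:body></w:document>'
    )
    comments = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:comments xmlns:w="{W_NS}">'
        '<w:comment w:id="0" w:author="A. Associate"><w:p><w:r>'
        '<w:t>They will probably accept this.</w:t></w:r></w:p></w:comment>'
        '</w:comments>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/comments.xml", comments)
    return buf.getvalue()


def _text(elem, tag):
    """Concatenate the text of every <w:tag> element under elem."""
    return "".join(t.text or "" for t in elem.iter(f"{{{W_NS}}}{tag}"))


def inspect_docx(data: bytes) -> dict:
    """Report the hidden content a reviewer must see before the document leaves the office."""
    report = {"creator": None, "last_modified_by": None,
              "tracked_insertions": 0, "tracked_deletions": 0,
              "deleted_text": [], "comments": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            creator = core.find(f"{{{DC_NS}}}creator")
            modified_by = core.find(f"{{{CP_NS}}}lastModifiedBy")
            report["creator"] = creator.text if creator is not None else None
            report["last_modified_by"] = (modified_by.text
                                          if modified_by is not None else None)
        body = ET.fromstring(zf.read("word/document.xml"))
        report["tracked_insertions"] = len(body.findall(f".//{{{W_NS}}}ins"))
        deletions = body.findall(f".//{{{W_NS}}}del")
        report["tracked_deletions"] = len(deletions)
        # Deleted text is exactly what the recipient sees after enabling Track Changes.
        report["deleted_text"] = [_text(d, "delText") for d in deletions]
        if "word/comments.xml" in names:
            comments = ET.fromstring(zf.read("word/comments.xml"))
            report["comments"] = [
                (c.get(f"{{{W_NS}}}author"), _text(c, "t"))
                for c in comments.findall(f"{{{W_NS}}}comment")
            ]
    return report


def safe_to_send(report: dict) -> bool:
    """Pre-send gate: no tracked changes, no comments, no personal names in the properties."""
    return (report["tracked_insertions"] == 0
            and report["tracked_deletions"] == 0
            and not report["comments"]
            and not report["creator"]
            and not report["last_modified_by"])


if __name__ == "__main__":
    result = inspect_docx(build_sample_docx())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to send:", safe_to_send(result))
```

The check only reports; accepting the tracked changes and deleting the comments still has to be done in Word or with a dedicated scrubbing tool before the gate passes.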
Receiving Attorney's Duties:
COPRAC 2012-184 also addresses what to do when you receive a document with apparent inadvertent metadata:
- If you discover potentially privileged metadata: Stop reviewing immediately
- Notify sending attorney: Alert them to the apparent inadvertent disclosure
- Don't mine for advantage: Intentionally searching for metadata to gain strategic advantage is ethically problematic
- Return or destroy: Follow the sending attorney's instructions on handling the document
In e-discovery, you may be required to produce documents in "native" format, which includes metadata. This creates tension between discovery obligations and confidentiality concerns.
Solution: Carefully review production requests. Negotiate protocols that address metadata handling. Consider whether privilege logs should include metadata-specific claims. Work with your discovery vendor to understand what metadata is included in productions.
🏛 ABA Opinions: National Guidance
While COPRAC opinions govern California specifically, ABA opinions provide useful national context:
Topic: Securing Communication of Protected Client Information
Key Holding: A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules if the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.
The opinion provides factors for assessing what precautions are reasonable, including: nature of the threat, sensitivity of the information, cost of additional safeguards, and difficulty of implementation.
Topic: Virtual Practice
Key Holdings on Technology:
- Lawyers may practice virtually if they comply with their professional obligations
- Competence under Model Rule 1.1 includes understanding the technology used in practice
- Lawyers must ensure the security of communications and client data
- Supervision obligations (Model Rule 5.3) extend to technology vendors
While not binding in California, this opinion reflects modern thinking on virtual practice ethics.
✅ Practical Compliance: What the Opinions Really Mean
Combining COPRAC 2010-179, COPRAC 2012-184, and national guidance, here's what compliant cloud practice looks like:
| Obligation | Practical Implementation |
|---|---|
| Evaluate providers before use | Read terms of service, understand data handling, check security certifications |
| Use reasonable security measures | Two-factor auth, strong passwords, encryption, access controls |
| Monitor ongoing compliance | Stay aware of terms changes, respond to security alerts, update practices |
| Scrub documents before sending | Remove track changes, comments, properties; convert to PDF when appropriate |
| Handle inadvertent disclosures properly | Stop review, notify sender, follow instructions on handling |
| Maintain competence | Keep learning about technology, update practices as tools evolve |
🤖 AI and ChatGPT: The New Frontier of Legal Tech Ethics
You can use AI tools in your practice, but not as a shortcut to skip doing your job. Three rules overlap when you use AI: CRPC 1.6 (confidentiality - what data can you input?), CRPC 1.1 (competence - do you understand what you're using?), and CRPC 5.3 (supervision - are you checking the output?).
The most common mistakes: (1) pasting confidential client information into consumer AI tools, (2) submitting AI output without verification, and (3) not disclosing AI use when required. All three are avoidable with proper protocols.
No California ethics opinion specifically addresses AI yet. But existing rules apply. The analysis isn't novel - it's application of established principles to new technology.
📜 The Three Rules That Govern AI Use
CRPC 1.1 (Competence):
(a) A lawyer shall not intentionally, recklessly, with gross negligence, or repeatedly fail to perform legal services with competence.
Comment [5]: "Competent representation may also involve... safeguarding confidential information relating to the representation... including when transmitting such information."
The duty of competence includes understanding the technology you use. Using AI without understanding how it works, what it does with your data, or its limitations isn't competent practice.
CRPC 5.3 (Supervision of Nonlawyer Assistants):
(a) A lawyer who employs, retains, or associates with one or more nonlawyers shall make reasonable efforts to ensure the nonlawyer complies with rules applicable to the lawyer.
Application to AI: Many ethics authorities treat AI tools similarly to nonlawyer assistants - you must supervise the output. AI is a tool, not a replacement for professional judgment. You remain responsible for everything submitted under your name.
⛔ AI Prompt Hygiene: What NOT to Paste Into ChatGPT
The biggest risk with consumer AI tools is confidentiality. When you input text into ChatGPT, Claude, or similar tools:
- The text is transmitted to third-party servers
- It may be stored and used for training purposes (depending on settings/subscription)
- You've lost control over the information
- You may have violated CRPC 1.6
Never paste into a consumer AI tool:
- Client names or identifying information
- Case numbers or matter identifiers
- Opposing party names
- Verbatim confidential documents
- Specific facts of a client's case
- Settlement amounts or negotiation positions
- Privileged communications
- Work product with case-specific analysis
The Test: Would a random person reading this prompt know anything about your client or their matter? If yes, don't submit it.
Safe AI Use Patterns:
| Safe Uses | Risky Uses |
|---|---|
| "Explain the elements of breach of contract in California" | "My client John Smith breached his contract with XYZ Corp - what are our defenses?" |
| "Draft a general demand letter template for employment discrimination" | "Draft a demand letter from Jane Doe to ABC Company for wrongful termination" |
| "What factors do courts consider in spousal support determinations?" | "How much spousal support should my client request given income of $X and $Y?" |
| "Proofread this motion for grammatical errors" [redacted version] | "Review this motion" [full version with case details] |
| "Create an outline for a CLE on contract drafting" | "Summarize this confidential settlement agreement" |
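The "random person" test and the "what not to paste" list above can be enforced mechanically before a prompt leaves the office. The following is an added example (not from the original page or any AI vendor): it strips known party names, docket numbers, dollar amounts, e-mail addresses, phone numbers and SSNs from a prompt, reports what it found, and passes the original only when nothing matter-specific was present. The identifier formats, names and figures are assumptions constructed for illustration.

```python
import re

# Patterns for the matter-specific identifiers the list above says must never be pasted.
# The formats are assumptions for illustration, not drawn from any real matter.
PATTERNS = [
    # Federal docket numbers such as 2:23-cv-01234.
    ("CASE_NUMBER", re.compile(r"\b\d{1,2}:\d{2}-[a-z]{2,4}-\d{3,6}\b", re.I)),
    # Superior-court style numbers such as BC123456.
    ("CASE_NUMBER", re.compile(r"\b[A-Z]{2,3}\d{6,8}\b")),
    # Settlement amounts and negotiation positions.
    ("DOLLAR_AMOUNT", re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")),
]


def redact_prompt(text: str, known_parties=()) -> tuple:
    """Replace matter identifiers with placeholders; return (redacted_text, findings).
    known_parties: names from the matter (client, opposing party, witnesses)."""
    findings = []
    redacted = text
    # Longest names first, so "ABC Company Inc." is handled before "ABC Company".
    for idx, name in enumerate(sorted(set(known_parties), key=len, reverse=True), 1):
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.I)
        if pattern.search(redacted):
            findings.append(("PARTY", name))
            redacted = pattern.sub(f"[PARTY_{idx}]", redacted)
    for label, pattern in PATTERNS:
        findings.extend((label, match) for match in pattern.findall(redacted))
        redacted = pattern.sub(f"[{label}]", redacted)
    return redacted, findings


def passes_random_reader_test(findings: list) -> bool:
    """The page's test: a prompt with no matter-specific findings may go as written;
    anything else goes only in its redacted form, and still deserves a human look."""
    return not findings


# Constructed sample prompt; the names, case number and figures are fictitious.
SAMPLE_PROMPT = (
    "Review this motion: Jane Doe v. ABC Company, Case No. 2:23-cv-01234. "
    "Our client Jane Doe will accept $150,000; reach her at jane@example.com "
    "or (415) 555-0100."
)

if __name__ == "__main__":
    clean, found = redact_prompt(SAMPLE_PROMPT, ["Jane Doe", "ABC Company"])
    print(clean)
    for label, value in found:
        print(f"  redacted {label}: {value}")
```

Regex redaction catches structured identifiers only; case facts written in plain prose ("our client's CFO resigned last week") still need the human judgment the test describes.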
If you need to use AI with client data, consider enterprise-grade solutions with appropriate data handling agreements:
- ChatGPT Enterprise/Team: OpenAI offers versions where prompts are not used for training and data is segregated
- Microsoft Copilot for M365: Runs within your Microsoft tenant with your existing data protections
- Legal-specific AI: Tools like CoCounsel, Harvey, Casetext are built with legal confidentiality in mind
Key requirement: Get documentation on data handling and consider adding AI tools to your engagement letter disclosures.
⚠ The Hallucination Problem: AI Verification Requirements
AI tools generate plausible-sounding text that may be completely wrong. "Hallucinations" include:
- Made-up case citations (the most famous lawyer discipline issue with AI)
- Incorrect statements of law
- Fabricated statistics or facts
- Misquoted language from real sources
- Outdated information presented as current
In 2023, New York lawyers were sanctioned after submitting a brief containing six fake cases generated by ChatGPT. The cases sounded real, had proper citation format, and included plausible legal reasoning - but they didn't exist.
The lesson: Every case citation, every quotation, every legal principle from AI output must be independently verified through standard legal research tools. AI is a drafting assistant, not a research tool you can trust blindly.
AI Output Verification Protocol:
- Verify every case citation exists in Westlaw/Lexis/Google Scholar
- Confirm quoted language matches actual source
- Check that cited cases actually say what AI claims they say
- Verify legal standards/elements against authoritative sources
- Shepardize/KeyCite cases for current validity
- Confirm statutory citations are current (AI training data has cutoff dates)
- Cross-reference facts and statistics with primary sources
- Review tone and argument for appropriateness to matter
📢 Disclosure Obligations: When Must You Tell People You Used AI?
Several California courts have adopted local rules requiring AI disclosure. This landscape is evolving rapidly.
General Order 72 and Standing Orders in several NDCA divisions require attorneys to certify whether AI was used in document preparation and confirm that all citations were verified. Similar requirements exist in other districts.
Check local rules before filing. AI disclosure requirements vary by court and are being adopted regularly.
When Disclosure May Be Required:
- Court filings: If local rules require it (check standing orders)
- Client communications: If the client asks or if material to their decision-making
- Fee statements: If charging for time spent reviewing AI output (arguable)
- Discovery responses: Potentially, depending on e-discovery protocols
Some lawyers disclose all AI use proactively; others disclose only when required. My approach: include a general technology disclosure in engagement letters that covers AI tools, then disclose specifically to courts when required by local rules.
What I don't do: try to hide AI use when directly asked. If a client or court asks "Did you use AI to draft this?", answer honestly. Attempting to conceal AI use when questioned creates credibility and ethics problems far worse than simply acknowledging the tool.
✅ Client Consent for AI Use
Consider whether your engagement letter should address AI tools.
📊 AI for Different Tasks: Risk-Adjusted Approach
| Task | AI Risk Level | Recommended Approach |
|---|---|---|
| General legal research questions | Low | Use freely but verify everything |
| Grammar/proofreading | Low | Use freely; redact sensitive info first |
| Template drafting | Low-Medium | Generate framework; heavily customize |
| Brief/motion drafting | Medium | Outline only; verify all authority |
| Contract analysis | Medium-High | Only with enterprise tools; verify conclusions |
| Due diligence review | High | Legal-specific tools only; human review essential |
| Strategic advice | High | AI as brainstorming; never delegate judgment |
| Client communications | High | Draft assistance only; personalize substantially |
If AI generates a draft in 30 seconds that would have taken you 2 hours, how do you bill? This is an emerging ethics question without clear answers.
Conservative approach: Bill for the time you actually spend - reviewing, verifying, customizing AI output. Don't bill "saved" time as if you'd done the work manually.
The rationale: Clients hire you for judgment, not keystrokes. If AI helps you provide better work faster, that's good for the client. Billing as if you'd done everything manually when you didn't is potentially fraudulent.
🛡 Security Protocols for Virtual Practice
Good security isn't expensive or complicated - it's methodical. The biggest risks for small firms aren't sophisticated hackers; they're password reuse, phishing emails, and lost/stolen devices. Addressing these requires discipline, not expertise.
This section covers the security measures every virtual practice should implement, from non-negotiable basics to enhanced protections for sensitive matters.
🔒 The Security Foundation: Non-Negotiables
1. Two-Factor Authentication (2FA)
Enable 2FA on every account that supports it. Period. This single measure prevents the vast majority of account compromises.
Best: Hardware security keys (YubiKey, Google Titan) - physical device required for login
Good: Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) - time-based codes
Acceptable: SMS text codes - better than nothing but vulnerable to SIM swapping
Not Recommended: Email-based codes - if email is compromised, this provides no protection
Priority accounts: Email, practice management, cloud storage, banking, State Bar portal
2. Password Management
You cannot remember unique, strong passwords for every account. No one can. Use a password manager.
| Password Manager | Notes |
|---|---|
| 1Password | Excellent security, teams/family sharing, lawyer-friendly |
| Bitwarden | Open source, free tier available, self-hosting option |
| Dashlane | Good business features, includes VPN in premium tier |
| LastPass | Well-known but had security incidents; others preferred |
Password practices to avoid:
- Reusing passwords across sites - when one is breached, all are compromised
- Storing passwords in a document or spreadsheet - no encryption, easily stolen
- Browser "remember password" without master password - anyone with device access sees everything
- Sharing credentials via email - now in two places that can be breached
- Using personal information in passwords - kids' names, birthdates are easily guessed
3. Device Encryption
Every device that touches client data should have full-disk encryption enabled:
- Mac: FileVault (System Preferences > Security & Privacy > FileVault)
- Windows: BitLocker (Settings > Update & Security > Device Encryption)
- iPhone/iPad: Enabled by default when you set a passcode
- Android: Usually enabled by default; verify in Security settings
Why it matters: If your laptop is stolen, encrypted data is inaccessible without your password. Unencrypted data can be easily extracted.
4. Secure Wi-Fi Practices
- Never access client files or banking on public Wi-Fi without a VPN
- Mobile hotspot from your phone is more secure than coffee shop Wi-Fi
- VPN services: NordVPN, ExpressVPN, or Mullvad for general use; enterprise solutions for firms
- Home Wi-Fi: Use WPA3 encryption (or WPA2 if WPA3 unavailable); change default router password; hide network name if desired
- Verify network names: Attackers create fake networks with similar names ("Starbucks_WiFi" vs "Starbucks WiFi")
📋 Security Audit Checklist
Account Security
- Two-factor authentication enabled on all critical accounts
- Unique passwords for all accounts (verified via password manager)
- No accounts using breached passwords (check haveibeenpwned.com)
- Recovery options (phone, email) are current and secure
- Review and remove unnecessary app permissions
Device Security
- Full-disk encryption enabled on all computers
- Operating systems are current and auto-updating
- Antivirus/antimalware active and current
- Screen lock enabled with reasonable timeout
- Find My Device enabled for remote wipe capability
- Old devices securely wiped before disposal
Network Security
- Home router firmware updated
- Router using WPA3/WPA2 encryption (not WEP or open)
- Default router admin password changed
- VPN available for use on untrusted networks
Data and Backups
- Regular backups running and verified
- At least one backup is offline or air-gapped (ransomware protection)
- Backup restoration tested at least annually
- Cloud sync conflicts and deleted files reviewed
Vendor and Access Review
- All cloud services still necessary and in use
- Former employee/contractor access revoked
- Vendor security certifications still current
- Terms of service changes reviewed for concerning updates
💬 Client Portal Security
Many lawyers use client portals for secure document sharing. Key security considerations:
| Feature | Why It Matters |
|---|---|
| HTTPS encryption | Data encrypted in transit; look for the padlock icon |
| At-rest encryption | Files encrypted when stored, not just transmitted |
| Access logging | Track who accessed what and when |
| Client 2FA | Require clients to use two-factor for portal access |
| Granular permissions | Control who can see/download/edit specific files |
| Watermarking | Identify source if documents are leaked |
| Expiring links | Share links that become invalid after set time |
Practice management portals: Clio, MyCase, PracticePanther all include client portals
Dedicated portals: ShareFile (by Citrix), Box, OneDrive for Business
DIY option: Nextcloud (self-hosted, open source)
Not recommended for confidential files: Consumer Dropbox, Google Drive personal accounts, iCloud file sharing
📹 Video Conferencing Security
Remote practice means lots of video calls. Security considerations:
- Enable waiting room: Prevents uninvited attendees from joining directly
- Require meeting passcode: Additional barrier to entry
- Lock meeting after start: Prevent new joins after all participants present
- Disable "join before host": You control when meeting starts
- Control screen sharing: Only host, or host and co-host can share by default
- Disable recording by participants: Unless you want to allow it
- Use unique meeting IDs: Not your personal meeting room for sensitive calls
- End-to-end encryption: Enable for most sensitive matters (some features limited)
Posting meeting links publicly (on websites, social media, etc.) invites uninvited attendees. For client meetings:
- Send links directly to participants via email
- Use waiting room to screen joiners
- Use unique meeting IDs, not your personal meeting room
- Don't include links in public calendar invites
📱 Mobile Device Security
Your phone probably contains more client information than you realize:
- PIN/passcode is 6+ digits (not 4-digit)
- Biometric unlock enabled (fingerprint, face)
- Auto-lock timeout is 1-2 minutes maximum
- Find My iPhone/Find My Device enabled
- Remote wipe capability confirmed
- Email app requires authentication (not auto-logged-in)
- Practice management app requires authentication
- Notifications don't show full message content on lock screen
- Backup encryption enabled
🔍 Vendor Selection: Your Tech Due Diligence Checklist
Choosing a cloud vendor is choosing a partner in your confidentiality obligations. COPRAC 2010-179 requires "reasonable care" in vendor selection. This means actually reviewing terms of service, understanding data handling, and asking the right questions before you sign up.
You don't need to be a security expert. You need to be a diligent consumer who asks questions and makes informed choices.
📊 Vendor Evaluation Framework
Before adopting any cloud service that will handle client data, evaluate it against these criteria:
Data Security
- Data encrypted in transit (TLS/SSL)
- Data encrypted at rest (AES-256 or equivalent)
- Two-factor authentication available
- Access logs/audit trails available
- SOC 2 Type II certification (or equivalent)
Data Location and Access
- Data center locations disclosed (US preferred for many clients)
- Employee access to customer data limited and logged
- Subcontractor/third-party access disclosed
- Law enforcement request handling policy available
Data Rights and Ownership
- You retain ownership of your data (not licensed to vendor)
- Vendor does not claim right to use data for AI training
- Vendor does not claim right to analyze or mine data
- Data portability - can export in usable format
- Data deletion policy - what happens when you cancel
Business Continuity
- Established company with track record
- Notice period before service discontinuation
- Data retrieval process if vendor shuts down
- Uptime SLA and historical performance
Breach Response
- Breach notification commitment (timeframe specified)
- Breach notification includes sufficient detail for your obligations
- Insurance/indemnification for security incidents
❓ Questions to Ask Vendors
When evaluating a new service, don't just read the marketing materials. Ask specific questions:
📝 Data Processing Agreement (DPA) Provisions
For services handling significant client data, request a Data Processing Agreement. Key provisions:
| Provision | What It Does | Why You Want It |
|---|---|---|
| Purpose limitation | Vendor can only use data for providing the service | Prevents secondary use (analytics, marketing, AI training) |
| Subprocessor disclosure | Vendor must disclose third parties who access data | Know who else touches your client data |
| Security commitments | Specific security measures vendor commits to | Contractual obligation, not just marketing claim |
| Breach notification | Timeframe and content of breach notifications | Ensure you get timely, actionable information |
| Audit rights | Your ability to verify compliance | Usually satisfied by providing SOC 2 reports |
| Data return/deletion | What happens at contract end | Ensure data is retrievable and eventually deleted |
| Law enforcement response | Vendor's process for government requests | Know if/when vendor will turn over your data |
Large vendors (Google, Microsoft, Dropbox) typically offer standard DPAs on a take-it-or-leave-it basis. Small firms can't negotiate custom terms with these companies.
What to do:
- Review the standard DPA they offer (most enterprise/business tiers include one)
- Document your review - note what protections exist and any gaps
- Make an informed decision about whether the standard terms are adequate for your needs
- Consider legal-specific alternatives for highly sensitive matters
The ethics obligation is reasonable diligence, not perfect contracts. If you've reviewed the terms and made an informed choice, you've done your job.
☁ Comparison: Cloud Storage Options
| Service | Encryption | 2FA | DPA Available | Notes |
|---|---|---|---|---|
| Dropbox Business | At rest & transit | Yes | Yes (Business tier) | Admin controls, audit logs in Business tier |
| Google Workspace | At rest & transit | Yes | Yes | Strong security, but privacy concerns for some |
| Microsoft 365 | At rest & transit | Yes | Yes | Compliance tools, retention policies |
| Box | At rest & transit | Yes | Yes | Strong compliance features, popular with firms |
| ShareFile | At rest & transit | Yes | Yes | Designed for professional services |
| Tresorit | End-to-end (you hold keys) | Yes | Yes | Maximum security, Swiss-based |
| iCloud Drive | At rest & transit | Yes | Limited | Consumer-focused; Advanced Data Protection adds E2E |
Free consumer versions of cloud services often have different (worse) terms than business/paid tiers:
- Data may be scanned for advertising
- No DPA or BAA available
- Limited or no admin controls
- No audit logging
- Data may be used for AI training
For law practice use: Pay for business/professional tiers. The cost is minimal compared to the protection.
💻 Practice Management Software Comparison
| Platform | SOC 2 | Encryption | Client Portal | Key Strength |
|---|---|---|---|---|
| Clio | Yes | AES-256 | Yes | Market leader, extensive integrations |
| MyCase | Yes | AES-256 | Yes | User-friendly, good client portal |
| PracticePanther | Yes | AES-256 | Yes | Affordable, intuitive interface |
| Smokeball | Yes | AES-256 | Yes | Automatic time capture |
| Rocket Matter | Yes | AES-256 | Yes | Strong billing features |
| Filevine | Yes | AES-256 | Yes | Workflow automation, larger firms |
All of the major practice management platforms have adequate security for most practices. The security differences between Clio, MyCase, and PracticePanther are marginal compared to the difference between using any of them versus storing client data in unsecured spreadsheets or email folders.
Pick a platform you'll actually use consistently. An imperfect system used diligently beats a "perfect" system you abandon after three weeks.
🤝 Tech Stack Consulting Services
What I Can Help With
- ✓ Tech stack audit for CRPC compliance
- ✓ Vendor selection and comparison
- ✓ Security protocol development
- ✓ AI use policy drafting
- ✓ Data breach response planning
- ✓ Engagement letter technology provisions
- ✓ Staff training on security protocols
Typical Engagements
- ✓ 1-hour tech consult: specific questions answered
- ✓ Half-day audit: review current stack, identify gaps
- ✓ Implementation support: set up new tools properly
- ✓ Policy development: written protocols for your firm
- ✓ Incident response: help if something goes wrong
Sergei Tokmakov, Esq. (CA Bar #279869) is a California lawyer with 14+ years of experience helping attorneys build compliant virtual practices. With 1,500+ completed jobs on Upwork, $500K+ in earnings, and a 98% job success rate, he specializes in supporting lawyers who serve international clients with business interests in the USA.
This guide reflects practical experience - what actually works in real virtual practices, not theoretical ideals. Every recommendation comes from helping lawyers solve real technology and ethics challenges.
📜 Quick Reference: Key Authorities
| Authority | Topic | Key Holding |
|---|---|---|
| CRPC 1.6 | Confidentiality | Reasonable efforts to prevent inadvertent disclosure |
| CRPC 1.1 | Competence | Includes understanding technology used in practice |
| CRPC 5.3 | Supervision | Extends to technology vendors and AI tools |
| COPRAC 2010-179 | Cloud computing | Permissible with reasonable vendor diligence |
| COPRAC 2012-184 | Metadata | Scrub before sending; don't mine inadvertent disclosures |
| ABA Op. 477R | Secure communications | Reasonable efforts standard; factor-based analysis |
| ABA Op. 498 | Virtual practice | Permitted with proper security measures |
| Cal. Civ. Code 1798.82 | Breach notification | California breach notification requirements |