Choosing Legal Technology That Meets Attorney-Client Privilege Standards

The Ethical Foundation: ABA Model Rules 1.1 and 1.6

Two ABA Model Rules form the backbone of an attorney's obligation when selecting technology. Model Rule 1.1 — the duty of competence — requires attorneys to provide competent representation, which the ABA has interpreted to include an understanding of the benefits and risks of relevant technology. Comment 8 to Rule 1.1, added in 2012, explicitly states that competence includes keeping abreast of "the benefits and risks associated with relevant technology." This is not aspirational language. It is part of the black-letter rule on competence, and at least 40 states have now adopted this or similar language.

Model Rule 1.6(a) prohibits disclosure of information relating to the representation of a client unless the client gives informed consent. Rule 1.6(c), also added in 2012, goes further: an attorney "shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The operative phrase is "reasonable efforts." You are not required to guarantee perfect security, but you must take affirmative, documented steps appropriate to the sensitivity of the information.

Together, these rules create a clear mandate: you must understand the technology you use, and you must take reasonable steps to ensure it protects client information. Ignorance of how a tool handles your client's data is itself an ethical failure.

What Ethics Opinions Say About Cloud Technology

ABA Formal Opinion 477R (2017) directly addresses the use of technology to communicate and store client information. The opinion holds that attorneys must take "reasonable efforts" to secure client communications when using technology, and that the required level of protection varies with the sensitivity of the information. It identifies factors attorneys should consider: the nature of the threat, how the client information is being stored and transmitted, the use of reasonable electronic security measures, how electronic communications about client matters are protected, and whether additional security measures are warranted in specific circumstances.

ABA Formal Opinion 498 (2021) specifically addresses virtual practice and cloud-based tools. It reaffirms that using cloud services is ethically permissible but requires lawyers to make reasonable efforts to ensure that the service provider's conduct is compatible with the lawyer's professional obligations. This includes reviewing terms of service, understanding where and how data is stored, and verifying that adequate security protections are in place.

State-level opinions provide more granular direction. New York State Bar Association Ethics Opinion 1020 (2014) outlines a detailed checklist for attorneys using cloud storage, including encryption requirements and the need to understand a vendor's data handling practices. California Formal Opinion 2010-179 held that attorneys must take reasonable steps to ensure confidential client information is secure when using technology for communication and storage, specifically identifying encryption as a key protective measure. Pennsylvania Bar Association Formal Opinion 2011-200 explicitly approved cloud storage of client files, provided attorneys exercise reasonable care to maintain confidentiality.

The common thread across all of these opinions is a three-part obligation: understand the technology, evaluate its security, and document that you did both.

Encryption: The Minimum Baseline

Encryption is the starting point, not the finish line. You need both encryption in transit (TLS 1.2 or 1.3 for all data transmitted between your browser and the service) and encryption at rest (AES-256 or equivalent for all stored data). But not all encryption implementations are equal, and the critical question is who holds the encryption keys.

If the vendor holds the decryption keys, they have the technical ability to access your data, regardless of what their policy states. Look for services that use customer-managed encryption keys (CMEK) or, at minimum, envelope encryption where key management is handled by a dedicated service like AWS KMS with access controls that prevent vendor personnel from accessing decryption keys under normal circumstances.

For criminal defense work involving highly sensitive evidence — recorded confessions, witness interviews, body camera footage of incidents that may involve excessive force — the sensitivity analysis under Rule 1.6 demands stronger protections than, say, a routine billing system. You should evaluate encryption not as a checkbox but as a spectrum, matching the strength of protection to the sensitivity of the data.

Data Residency, Access Controls, and Subprocessors

Data residency matters for two reasons. Data stored in certain jurisdictions may be subject to that jurisdiction's laws regarding government access. And several state bar opinions have specifically recommended that attorneys understand the geographic location of cloud-stored client data. At minimum, the vendor should tell you which cloud region your data is stored in. For U.S. criminal defense work, data should remain within the United States. Be skeptical of services that cannot answer this question clearly or that use infrastructure spanning multiple countries without giving you control.

Access controls require careful inquiry. Ask specifically: who at the vendor organization can access your data, under what circumstances, and is that access logged? The answer should be "no one under routine operations" or "only a specifically enumerated set of roles under specifically defined and auditable circumstances." Within the platform itself, look for role-based access controls that let you restrict case visibility to specific team members. Not every paralegal needs access to every case file. A public defender's office handling 300 cases should not have a system where every attorney can see every client's evidence.

Subprocessors are where many attorneys fail to dig deep enough. If a platform uses AI to analyze your evidence, where does that processing happen? If the service sends your audio to a third-party speech-to-text API, that third party is a subprocessor with access to your client's data. Every subprocessor in the chain must meet the same confidentiality standards you require of the primary vendor. Key questions: Does the vendor publish a list of subprocessors? Do they notify you when subprocessors change? Are subprocessors contractually bound to the same data protection terms? Is your data used to train AI models belonging to any party in the processing chain? That last question is essential — if client evidence is being used to improve a commercial AI model, that creates a serious privilege concern.

Compliance Certifications and Contractual Protections

SOC 2 Type II is the standard benchmark for cloud service security. A SOC 2 Type II report means an independent auditor has verified that the vendor's security controls are both appropriately designed and have been operating effectively over a sustained period, typically six to twelve months. SOC 2 Type I only verifies design at a single point in time, which is less meaningful. If a vendor has not completed SOC 2 Type II, ask why, and scrutinize their security controls through other means — penetration test reports, vulnerability scanning results, and detailed architecture documentation.

Data Processing Agreements (DPAs) are contractual documents that specify the vendor's obligations regarding your data. They should address data handling, retention, deletion, breach notification, and restrictions on secondary use. If a vendor does not offer a DPA, ask for one. If they refuse, treat it as a significant red flag. Similarly, Business Associate Agreements (BAAs) are required under HIPAA when a vendor handles protected health information. Even if your cases do not typically involve PHI, a vendor's willingness to sign a BAA signals maturity in their data protection practices.

Other relevant certifications include ISO 27001 for information security management and FedRAMP authorization for federal casework. These are not strictly required for ethical compliance, but they indicate that a vendor has invested substantially in verifiable security practices rather than relying on marketing claims alone.

AI-Specific Privilege Concerns

The emergence of AI-powered legal tools introduces privilege questions that traditional cloud storage guidance does not fully address. These deserve separate analysis because the data flows in AI systems are fundamentally different from static storage.

Training data usage. When you upload evidence for AI analysis, is that content used to train or fine-tune the underlying model? If so, your client's privileged information could influence outputs generated for other users. This is arguably a disclosure under Rule 1.6. Reputable AI vendors for legal use should have clear policies — and binding contractual commitments — that customer data is never used for model training or improvement.

Data retention in AI pipelines. How long does your data persist in the AI processing pipeline? Is it cached, logged, or stored at any intermediate point during analysis? Even without training data usage, temporary storage during processing creates exposure windows. Look for platforms that process data ephemerally and purge all intermediate data promptly after delivering results to you.

Model hosting and third-party AI providers. If the legal technology vendor uses a third-party AI provider for processing, that provider's data handling practices become your concern. Some AI providers offer enterprise tiers with zero-retention guarantees and enhanced contractual protections. Legal technology vendors should be using these enterprise tiers, not consumer-grade API access that may carry different terms. Tools built specifically for evidence analysis in defense contexts, such as platforms that process body camera footage and generate transcripts with AI assistance, should be transparent about exactly which AI providers are involved and what contractual protections govern each one.

Red Flags That Should Stop Adoption

Some indicators should halt your evaluation immediately or at least trigger significantly more scrutiny:

• Terms of service that grant the vendor broad rights to use your data — phrases like "to improve our services" or "for product development" when applied to uploaded content are incompatible with privilege obligations.
• Inability or unwillingness to identify subprocessors — if the vendor cannot tell you who processes your data, you cannot fulfill your duty under Rule 1.6.
• No data deletion capability — you need the ability to permanently and verifiably remove all client data when a matter concludes or when a client requests it.
• Consumer-grade security without legal-specific controls — general-purpose cloud storage without audit logs, access controls, or encryption at rest is insufficient for client evidence.
• No breach notification policy — your state bar likely requires you to notify affected clients of a data breach, and you cannot do that if the vendor does not commit to notifying you promptly.
• Refusal to share security documentation under NDA — a vendor that will not let you review their SOC 2 report, penetration test summary, or architecture overview is asking you to take their security on faith, which is not "reasonable efforts."

Building Your Evaluation Framework

Rather than evaluating each tool ad hoc, develop a standardized evaluation framework that you apply consistently. This serves two purposes: it ensures thorough evaluation, and it creates documentation demonstrating your reasonable efforts should your diligence ever be questioned.

Your framework should include these categories, each with specific questions and acceptable answers:

• Encryption: TLS 1.2+ in transit, AES-256 at rest, documented key management approach.
• Data residency: Clear identification of storage regions; U.S.-only for domestic criminal defense work.
• Access controls: RBAC, MFA, audit logging, documented internal access policies at the vendor.
• Subprocessors: Published list, change notification, contractual flow-down of data protection obligations.
• AI data handling: No training data usage, ephemeral processing, enterprise-tier AI provider agreements.
• Certifications: SOC 2 Type II preferred; ISO 27001 and penetration test results as supplementary evidence.
• Contractual protections: DPA available, breach notification commitments, data deletion rights and verification.
• Data portability: Ability to export your data in standard formats; contingency plan if the vendor ceases operations.

Score each category, document the results, and establish a threshold below which you will not adopt a tool regardless of its features. Keep these evaluations on file. They are evidence of your compliance with your ethical obligations and can be updated annually as vendors mature and standards evolve.

The Practical Reality

The standard is "reasonable efforts," not perfection. You do not need to become a cybersecurity expert. You need to ask the right questions, understand the answers, and make informed decisions proportionate to the sensitivity of the information you are handling. For criminal defense work — where the stakes for your client are liberty — that proportionality bar is appropriately high.

The consequences of failing to vet legal technology are not abstract. Disciplinary actions for technology-related confidentiality failures are increasing. Courts have found that an attorney's failure to take reasonable precautions to protect electronic documents can constitute a breach of professional obligations. Beyond disciplinary risk, a privilege waiver resulting from inadequate technology security could be devastating to a client's case — and unlike other forms of malpractice, privilege waiver is often irreversible.

The legal technology market is maturing. Vendors focused on criminal defense and litigation are increasingly building products that understand these requirements from the ground up. But the obligation to evaluate them remains yours. Treat technology selection with the same rigor you bring to every other aspect of your client's defense. Your clients' liberty may depend on decisions that feel like they belong in an IT department. They do not. They belong squarely within your professional responsibility as their attorney.