The Florida Bar’s Rule 4-1.6 has always required attorneys to take reasonable precautions to prevent the unauthorized disclosure of client information. But what counts as “reasonable” has changed dramatically as law practice has moved online.
In 2023, the Florida Bar updated its ethics guidance to make clear that competent representation under Rule 4-1.1 includes understanding “the benefits and risks of relevant technology.” The days of treating IT security as someone else’s problem are over. For Miami attorneys, cybersecurity is now a professional obligation.
Here’s what that means in practice — and what the most common IT failures look like at Miami law firms.
What Rule 4-1.6 actually requires regarding technology
The rule requires attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The comment to the rule specifically mentions that attorneys must consider “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.”
In plain English: you don’t have to use perfect technology, but you have to make a genuine, documented effort to protect client data — and the more sensitive the data, the more effort is required.
What “reasonable precautions” means in practice in 2026
Based on current Florida Bar ethics opinions and industry standards, reasonable IT precautions for a Miami law firm in 2026 include: multi-factor authentication on all email accounts, encrypted email for sensitive client communications, a documented backup procedure with offsite or cloud copies, access controls limiting who can see which client files, endpoint protection on all firm devices, and a basic incident response plan in writing.
None of these are exotic. All of them are achievable with a competent IT provider and a reasonable budget. The bar is not perfection — it is documented, reasonable effort.
The 5 most common IT compliance failures at Miami law firms
1. No MFA on email. Email is where most law firm breaches begin. A single compromised attorney email account can expose years of privileged client communications. MFA is free on Microsoft 365 and takes an afternoon to deploy. Not having it is indefensible.
2. No email archiving policy. Florida Bar Rule 5-1.4 requires attorneys to retain certain client records. If you can’t produce email records when required — because they were never archived, or were deleted, or were on a device that failed — that’s a compliance problem that extends beyond IT.
3. Staff working on personal devices without controls. Associates and paralegals who access case management systems or email from personal devices create significant exposure. If those devices aren’t managed — no MDM enrollment, no remote wipe capability, no endpoint protection — the firm has no way to secure or recover firm data if the device is lost or compromised.
4. No written incident response plan. Bar ethics guidance recommends that firms have a documented response plan for data breaches — who gets notified, in what order, and within what timeframe. Florida’s data breach notification law (Fla. Stat. § 501.171) imposes its own obligations. Without a written plan, response is slower and less defensible.
5. Using unvetted cloud services for client data. Not all cloud software is created equal. If your firm stores client files, communications, or case data in a cloud service, that provider should have a signed Business Associate Agreement (if HIPAA applies) or equivalent data processing agreement. Using consumer cloud storage for client files — personal Dropbox, Gmail, etc. — is a risk that’s difficult to defend under Rule 4-1.6.
Email encryption and client communications
Standard email is not encrypted in transit in a way that meets the bar’s expectations for sensitive communications. Microsoft 365 Message Encryption and S/MIME both provide attorney-to-client encrypted email. For highly sensitive matters, encrypted client portals — available in most modern practice management platforms like Clio or MyCase — are the more practical solution. The key is having a policy and using the tools, not simply hoping regular email is good enough.
Remote access and working from home safely
Remote work is now permanent at most Miami law firms. Attorneys and staff accessing firm systems from home need to do so through a VPN or a secure cloud workspace — not by opening a direct RDP connection to the office server, and not from a personal computer with no endpoint protection. Remote access that isn’t secured is a direct path into your entire network.
What to do if you suffer a breach
Contain the incident first — isolate affected systems. Then notify your IT provider immediately. Document everything: what happened, when, what data was potentially exposed, and what steps were taken in response. Florida’s breach notification law may require notifying affected individuals within 30 days if more than 500 Florida residents are affected. Consult with your malpractice insurer — most policies require prompt notification of potential claims.
How to document your IT compliance efforts
The Florida Bar doesn’t require a specific certification or audit, but it does expect attorneys to be able to demonstrate reasonable efforts if the question ever arises. Keep a simple log of IT security measures: the date MFA was enabled, when staff received security training, when your backup was last tested, which cloud providers have signed data agreements. This documentation costs nothing to maintain and provides meaningful protection if a complaint is ever filed.
We offer a free IT compliance assessment for Miami law firms — including a written report you can document for your records and share with your partners. We’ll review your current setup against Florida Bar requirements and tell you exactly what needs to change. Contact SKALS IT to schedule yours.