// Pillar Guide · 2026 Update · ~25 min read

THE FLORIDA BAR RULE 4-1.6 CYBERSECURITY GUIDE FOR LAW FIRMS.

Florida Bar Rule 4-1.6(e) requires every lawyer to make “reasonable efforts” to prevent unauthorized disclosure of or unauthorized access to information relating to the representation of a client — mirroring ABA Model Rule 1.6(c) and the duty of technological competence under Model Rule 1.1 Comment 8. What “reasonable efforts” means in 2026 is a rising bar. This guide walks through what disciplinary panels and malpractice carriers actually look for, the wire-fraud and BEC patterns hitting real-estate-closing-heavy Florida law practices, governed AI for privileged matter, and the practical Bar-aligned IT stack for a Florida law firm.

By Steve Condit, USMC Veteran · 30+ yrs IT · Published 2026-05-01 · Updated 2026-05-13
// What's In This Guide

ELEVEN SECTIONS. ABOUT 4,000 WORDS.

  1. What Florida Bar Rule 4-1.6 Actually Requires (vs ABA Model Rule 1.6(c))
  2. What “Reasonable Efforts” Means in 2026 (A Rising Bar)
  3. Wire Fraud at Real-Estate Closings: The #1 Cyber Risk
  4. BEC Targeting Estate Distributions
  5. Secure Document Management (Clio, NetDocuments, iManage)
  6. Governed AI for Law Firms (Why ChatGPT for Privileged Matter Is a Waiver)
  7. Remote Work Security: VPN, MFA, MDM for Attorney Devices
  8. Cloud Storage Considerations Under Rule 4-1.6
  9. Malpractice Insurance: What Carriers Are Actually Asking For
  10. The Practical Bar-Aligned IT Stack
  11. Frequently Asked Questions
// 01

WHAT FLORIDA BAR RULE 4-1.6 ACTUALLY REQUIRES.

Florida Bar Rule 4-1.6 lives in Chapter 4 of the Rules Regulating The Florida Bar — the Rules of Professional Conduct. Subsection (a) sets the baseline: a lawyer may not reveal information relating to representation of a client unless the client gives informed consent, the disclosure is impliedly authorized to carry out the representation, or one of the enumerated exceptions in subsection (c) applies. Subsection (e) — added to align Florida with ABA Model Rule 1.6(c) — goes further: a lawyer must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Three things to note about the Rule's scope. First, it covers all information relating to representation — not just attorney-client privileged communication, not just work product, but the broader universe of confidences and secrets the lawyer learns through the engagement. Second, the obligation is affirmative: the lawyer must take steps to prevent unauthorized access, not merely refrain from intentional disclosure. Third, the standard is “reasonable efforts” — meaning the Rule does not require perfect security but does require a defensible level of effort proportionate to the sensitivity of the information and the foreseeability of compromise.

The Technological Competence Layer (Rule 4-1.1)

Rule 4-1.6(e) does not exist in isolation. It pairs with the lawyer's duty of competence under Rule 4-1.1, which the ABA reinterpreted in 2012 with Model Rule 1.1 Comment 8 to include a duty to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Florida has adopted parallel commentary. The practical effect: a Florida lawyer who does not understand the basic information-security implications of how they store and transmit client files is potentially violating both Rule 4-1.1 (competence) and Rule 4-1.6(e) (reasonable efforts) simultaneously.

What a Disciplinary Panel Actually Looks At

If a grievance comes before The Florida Bar after a cyber incident, the panel will look for: (1) whether the firm had a written information-security policy; (2) whether the lawyer made informed selections of technology vendors; (3) whether basic technical controls (MFA, encryption, backup) were in place; (4) whether the firm had a written incident-response plan; (5) whether the lawyer reasonably trained the workforce; and (6) whether the lawyer's response to the incident was prompt and appropriate. None of these requires perfection — but absence of any of them is hard to defend as “reasonable efforts.”

// 02

WHAT “REASONABLE EFFORTS” MEANS IN 2026.

The “reasonable efforts” standard is deliberately flexible — it scales with the sensitivity of the information, the practical likelihood of compromise, the cost and difficulty of additional safeguards, and the impact of those safeguards on the lawyer's ability to represent the client. ABA Comment [18] to Model Rule 1.6 enumerates these factors and Florida follows the same framework. What has shifted significantly since the Rule was adopted is the practical baseline of what reasonable means.

In 2014, a Florida lawyer could plausibly argue that MFA on their email was an extra step. In 2026, with MFA blocking 99.9% of automated credential attacks (Microsoft Security data) and with phishing-driven mailbox compromise being the leading vector for both wire fraud and ransomware, the absence of MFA on a lawyer's email is no longer defensible as “reasonable efforts.” The bar moves with the threat landscape and with the cost-feasibility curve. A control that costs $5 per user per month and blocks 99.9% of one of the most common attack vectors is almost by definition reasonable.

The 2026 Practical Floor

For a Florida law firm of any size, the 2026 reasonable-efforts floor includes at minimum: MFA on every mailbox and every remote-access entry point; endpoint encryption on every laptop; EDR (not just legacy AV) on every workstation; immutable or off-network backup with tested restore; a written information-security policy; documented onboarding and termination procedures; annual security awareness training; an incident-response plan with named roles and contact numbers; vendor diligence on every cloud service touching client information; and AI-use governance (Section 6).

None of this is exotic. All of it is delivered as a standard Microsoft 365 Business Premium + managed IT package. The firm that doesn't have it in place isn't making a different professional judgment — it's carrying unmitigated ethical and malpractice exposure.

// 03

WIRE FRAUD AT REAL-ESTATE CLOSINGS: THE #1 CYBER RISK FOR FLORIDA FIRMS.

Florida is a real-estate state. Florida lawyers and title agents collectively touch hundreds of billions of dollars in closing-wire activity annually. The FBI's Internet Crime Complaint Center (IC3) has identified real-estate wire fraud as one of the top-loss BEC categories for over a decade, with annual reported losses in the billions and Florida consistently in the top three states for both incident count and dollar loss.

The Standard Attack Pattern

The textbook closing-wire fraud unfolds over weeks: (1) the threat actor compromises a mailbox somewhere in the transaction chain — lawyer, title agent, real-estate agent, lender, or sometimes the buyer or seller. Initial access is almost always via credential phishing. (2) The attacker sets up silent inbox rules forwarding closing-related email to themselves and hiding traces from the legitimate user. (3) On closing day or the day before, the attacker injects an email with altered wire instructions that looks like it came from the legitimate sender. (4) The recipient wires funds to the attacker's account. (5) The attacker moves funds through layered accounts within hours.
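A defender-side check for step (2) of that pattern, added here as an illustration and not taken from Simply IT's tooling: it reviews exported mailbox rules for the forward-and-hide combination. The rule records are constructed samples; their field names follow the property names of Exchange Online's `Get-InboxRule` output, simplified so that forwarding targets are plain SMTP addresses, and the domain `examplelaw.test` and the folder and keyword lists are assumptions.

```python
# Assumption: the firm's own mail domains; any other domain counts as external.
FIRM_DOMAINS = {"examplelaw.test"}
# Folders users rarely open, so mail moved there goes unseen (illustrative list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "conversation history"}
TRANSACTION_TERMS = ("wire", "closing", "escrow", "routing", "payoff", "invoice")
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")


def audit_rule(rule):
    """Return (severity, findings) for one rule; severity is None if nothing matched."""
    findings = []
    external = [addr for field in FORWARD_FIELDS for addr in rule.get(field, [])
                if addr.rsplit("@", 1)[-1].lower() not in FIRM_DOMAINS]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    hides = (rule.get("DeleteMessage", False)
             or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    if hides:
        findings.append("removes matching mail from the inbox")
    words = [w.lower() for field in KEYWORD_FIELDS for w in rule.get(field, [])]
    targeted = any(term in w for w in words for term in TRANSACTION_TERMS)
    if targeted:
        findings.append("keyed on transaction terms: " + ", ".join(words))
    if not any(c.isalnum() for c in rule.get("Name", "")):
        findings.append("rule name has no letters or digits")
    if not findings:
        return None, findings
    # External forwarding, or hiding mail about the transaction, needs immediate review.
    severity = "high" if external or (hides and targeted) else "review"
    return severity, findings


def audit_rules(rules):
    """Audit every rule and keep only those with at least one finding."""
    report = []
    for rule in rules:
        severity, findings = audit_rule(rule)
        if severity:
            report.append({"mailbox": rule.get("Mailbox"), "rule": rule.get("Name"),
                           "severity": severity, "findings": findings})
    return report


# Constructed sample export: one forward-and-hide rule, one ordinary filing rule,
# and one rule that silently deletes wire-related mail.
SAMPLE_RULES = [
    {"Mailbox": "paralegal@examplelaw.test", "Name": "..",
     "SubjectOrBodyContainsWords": ["wire", "closing"],
     "ForwardTo": ["inbox7731@mailbox.example"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "partner@examplelaw.test", "Name": "Court e-filing notices",
     "FromAddressContainsWords": ["efiling"], "MoveToFolder": "E-Filing"},
    {"Mailbox": "closer@examplelaw.test", "Name": "cleanup",
     "SubjectContainsWords": ["wire instructions"], "DeleteMessage": True},
]

if __name__ == "__main__":
    for entry in audit_rules(SAMPLE_RULES):
        print(entry["severity"], entry["mailbox"], entry["rule"], entry["findings"])
```

A "high" result on a mailbox involved in a pending closing is a reason to treat every wire instruction in that thread as unverified until the call-back is done.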

The Layered Defense

No single control prevents wire fraud. The defensible posture is layered:

  • Verbal call-back protocol on every wire request, to a pre-verified phone number (not the number in the email signature), before transmitting any wire. Sender-uninitiated, recipient-driven verification.
  • MFA enforcement on every firm mailbox and every cloud login, with Conditional Access blocking legacy authentication that bypasses MFA.
  • Email security gateway with display-name impersonation detection, homoglyph-domain alerts, and external-sender banners.
  • DMARC enforcement on the firm domain (and ideally the title agent and lender domains) to prevent direct spoofing.
  • Keyword-trigger alerting on banking-change phrases (“updated wire instructions,” “changed routing,” “new account”) routing to a second human for verification.
  • Client-facing closing-fraud advisory at engagement so the buyer and seller know to call before wiring.
  • Crime coverage rider on cyber insurance explicitly covering social-engineering fraud (not just computer fraud).

ALTA Best Practices Pillar 3 codifies the same set of controls for title-industry participants. Florida law firms handling closings should align to ALTA Best Practices as the practical reference, regardless of whether the firm is the title agent or coordinating with one.
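The sketch below is an added example, not code from this guide or from any gateway product: it shows how three of the email controls listed above (banking-change keyword alerting, display-name impersonation detection, and lookalike-domain alerts) can be expressed as triage logic. The domains, the contact directory, the confusable-character list and the three messages are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this sketch (constructed values, not from the guide):
TRUSTED_DOMAINS = {"examplelaw.test", "suncoasttitle.test"}
KNOWN_CONTACTS = {"dana reyes": "dana.reyes@suncoasttitle.test"}  # name -> verified address
# Banking-change phrasing such as "updated wire instructions" or "new account".
BANKING_CHANGE = re.compile(
    r"\b(updated|new|revised|changed?)\s+"
    r"(wir(e|ing)\s+instructions|routing|account|bank(ing)?\s+details)\b"
    r"|\bwir(e|ing)\s+instructions\s+(have\s+)?changed\b",
    re.IGNORECASE,
)
# Character swaps often seen in lookalike domains (small illustrative set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain):
    """Collapse confusable characters so visually similar domains compare equal."""
    s = domain.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character domain changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(skeleton(domain), skeleton(trusted)) <= 2:
            return trusted
    return None


def text_of(msg):
    """Subject plus every text/plain part of a parsed message."""
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return msg.get("Subject", "") + "\n" + b"\n".join(parts).decode("utf-8", "replace")


def triage(raw_message):
    """Return the handling decision and the signals that produced it."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    signals = []
    if BANKING_CHANGE.search(text_of(msg)):
        signals.append("banking_change")
    verified = KNOWN_CONTACTS.get(name.strip().lower())
    if verified and addr != verified:
        signals.append("display_name_impersonation")
    imitated = lookalike_of(addr.rsplit("@", 1)[-1])
    if imitated:
        signals.append("lookalike_domain:" + imitated)
    # Any banking change goes to a second human, even from a verified address,
    # because the sender's real mailbox may be the one that was compromised.
    action = ("hold_for_callback" if "banking_change" in signals
              else "flag_for_review" if signals else "deliver")
    return {"action": action, "signals": signals}


# Constructed sample messages.
SAMPLES = {
    "spoofed": ('From: "Dana Reyes" <dana.reyes@suncoasttit1e.test>\n'
                "Subject: RE: 418 Palm Ave closing - updated wire instructions\n\n"
                "Please use the new account below for tomorrow's funding.\n"),
    "routine": ('From: "Dana Reyes" <dana.reyes@suncoasttitle.test>\n'
                "Subject: Closing package for 418 Palm Ave\n\n"
                "Signed documents attached. See you Friday.\n"),
    "verified_sender_change": ('From: "Dana Reyes" <dana.reyes@suncoasttitle.test>\n'
                               "Subject: Revised wiring instructions\n\n"
                               "Details attached.\n"),
}
```

The third sample matters most: a banking change from the correct address still lands in `hold_for_callback`, which is why the verbal call-back sits at the top of the list rather than the gateway.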

// 04

BEC TARGETING ESTATE DISTRIBUTIONS.

The same Business Email Compromise pattern that targets real-estate closings has migrated into estate-administration practice over the past several years. The attacker compromises a mailbox in the chain — the attorney, the executor, an heir, the financial advisor — and injects altered distribution instructions at the moment of disbursement. Distributions to trust accounts, IRA rollovers, and final cash distributions to heirs are the most-targeted vectors.

The estate context creates two compounding risks. First, the dollar amounts can be very large — six- and seven-figure distributions are routine and don't trigger the same scrutiny the firm might apply to a $50,000 settlement disbursement. Second, the parties are often distributed geographically (heirs in multiple states, sometimes overseas) and rely heavily on email coordination — making the verbal call-back step feel impractical and easy to skip.

The countermeasure is identical to real-estate closings: a firm-wide policy requiring verbal call-back to a pre-verified phone number before any banking-instruction execution, regardless of how busy the closing day or how senior the lawyer issuing the disbursement. MFA, conditional access, gateway-level impersonation detection, and a client-facing engagement-letter advisory all stack on top. The firm's malpractice carrier's crime-coverage rider should explicitly cover social-engineering fraud, not just network intrusion.

// 05

SECURE DOCUMENT MANAGEMENT: CLIO, NETDOCUMENTS, IMANAGE.

Document management is the foundation of a Bar-aligned firm. The DMS holds privileged client files, work product, signed engagement agreements, and the audit trail that demonstrates “reasonable efforts” under Rule 4-1.6(e). The major options for Florida law firms in 2026:

Clio

Cloud-native practice management and document management with strong small-firm adoption. Clio Manage integrates timekeeping, billing, matter management, and document storage; Clio Grow handles intake. SOC 2 Type II certified, MFA-capable, end-to-end encrypted in transit and at rest. The deployment model shifts infrastructure security to Clio but concentrates firm responsibility on identity (MFA on every user, role-based access, prompt deprovisioning of departing staff).

NetDocuments

Mid-market and large-firm choice, deep integration with Microsoft 365 and Outlook, strong matter-centric file organization, enterprise-grade security and audit logging. Higher per-user cost than Clio but typically right-sized for firms over 20 users. Conditional Access, SSO via Entra ID, and granular permissions are standard. Document-level encryption keys are firm-managed in higher tiers.

iManage

Enterprise document management with the deepest feature set, strongest large-firm adoption, and most demanding deployment. iManage Cloud is the SaaS path; iManage Work is the on-premise/private-cloud path. Worth considering for firms 50+ users with specialized matter-management needs.

MyCase / PracticePanther / Smokeball / SharePoint with Governance

MyCase, PracticePanther, and Smokeball serve the small-firm segment with bundled practice-management plus document management. For firms already on Microsoft 365 Business Premium that want to keep document storage in-tenant, SharePoint configured with proper matter-folder governance, sensitivity labels, external-sharing controls, and conditional access can satisfy Rule 4-1.6(e) at lower cost — provided someone competent configures it. The fail mode is unmanaged SharePoint with shared sign-in links, which is worse than email.

// 06

GOVERNED AI FOR LAW FIRMS: WHY CHATGPT FOR PRIVILEGED MATTER IS A PROBLEM.

The fastest-changing area of legal cybersecurity in 2026 is AI governance. Lawyers and paralegals are using ChatGPT, Claude, Gemini, and Microsoft Copilot for drafting, summarization, research, and review — often without considering the privilege and confidentiality implications. Multiple state bars have issued AI ethics opinions in the past two years; The Florida Bar issued Ethics Opinion 24-1 (2024) addressing lawyer use of generative AI. The opinion confirms that a lawyer's duty of confidentiality under Rule 4-1.6 extends to AI inputs.

The Privilege Problem with Consumer AI

Free consumer AI tools — ChatGPT free tier, default Claude.ai personal account, free Gemini — typically grant the provider broad license to use submitted prompts for training and improvement. Submitting privileged client information into one of these is, depending on the analysis, either a voluntary disclosure to a third party (potentially waiving privilege) or at minimum a violation of Rule 4-1.6 reasonable efforts. The malpractice exposure runs ahead of the case law — no Florida lawyer wants to be the test case.

The Governed-AI Solution

The fix is to provide the firm a sanctioned AI environment with contractual data-protection terms, then prohibit use of unsanctioned consumer tools for privileged matter. Defensible options in 2026:

  • Microsoft 365 Copilot under the firm's tenant — firm data not used for model training, integrates with Word/Outlook/Teams, respects existing M365 permissions.
  • ChatGPT Enterprise / Team — OpenAI contractually commits to not training on enterprise inputs, SOC 2 Type II, SSO via Entra ID.
  • Claude for Work / Anthropic Enterprise — Anthropic contractually commits to not training on enterprise inputs, available via API or web app, with admin controls.
  • Legal-specific tools with explicit no-training contracts: Harvey, CoCounsel, Lexis+ AI, Westlaw Precision with CoCounsel.

The firm-level governance step is to add “sanctioned AI tools” to the written information-security policy, train the workforce, and configure Microsoft 365 to block known consumer-AI endpoints from work devices (Conditional Access app filtering). Most disciplinary panels in 2026 will look askance at a firm that lacks any AI-use policy at all.

// 07

REMOTE WORK SECURITY: VPN, MFA, MDM FOR ATTORNEY DEVICES.

Post-pandemic, most Florida law firms support some level of remote and hybrid work. The technical question for Rule 4-1.6(e) compliance is whether the firm has reasonable controls over the off-network attorney device. A firm laptop on a hotel WiFi accessing the cloud DMS is fine if MFA is enforced, the disk is encrypted, EDR is running, and the device is enrolled in MDM. The same access from a personal Mac the lawyer's teenager also uses is not.

The Modern Remote-Work Stack

The 2026 pattern for Florida law firms is not a legacy VPN tunneled to an on-premise file server — that's a 2014 architecture that creates more risk than it solves. The modern pattern is cloud-first identity (Microsoft 365 with Entra ID Conditional Access) where access decisions are made at the identity layer based on user, device, location, and risk signal. No corporate network perimeter to defend; the perimeter is around the identity and the device.

BYOD and Personal Devices

Bring-your-own-device is the policy battleground. The defensible options are: (1) only firm-issued, MDM-enrolled, encrypted devices may access client information; (2) personal devices are permitted but must be MDM-enrolled with a defined “work container” (Intune App Protection Policies on iOS/Android, or full enrollment); (3) personal devices are permitted only for time-tracking and calendar — no client documents. Whatever the policy, it must be written, the workforce must be trained on it, and the technical controls must enforce it. An unwritten BYOD policy is functionally no policy.

// 08

CLOUD STORAGE CONSIDERATIONS UNDER RULE 4-1.6.

The Florida Bar Professional Ethics Opinion 12-3 (2013) addressed cloud computing directly: a lawyer may use cloud-based services for client information provided the lawyer exercises reasonable care in selecting the vendor and configuring the service. The opinion has held up well — subsequent state and ABA opinions have converged on the same framework. What “reasonable care” looks like has continued to evolve.

The vendor-diligence checklist a Florida lawyer should run before adopting a new cloud service for client information: (1) Does the vendor publish a SOC 2 Type II report or equivalent independent audit? (2) Does the vendor encrypt data at rest and in transit, with reasonable key management? (3) Does the vendor support MFA for the firm's administrators and users? (4) Does the vendor publish its data-location and sub-processor list? (5) Does the vendor have a documented incident-response and notification commitment? (6) What does the vendor's standard contract or terms-of-service say about ownership, return, and deletion of firm data at termination? (7) Has the vendor had any publicly disclosed breaches and what was the response?

Document the diligence. A signed engagement with the vendor, a copy of the SOC 2 attestation, and a one-page memo explaining the selection rationale are the artifacts a disciplinary panel or malpractice carrier will want to see. Simply IT maintains a vendor-diligence file template that firms can adapt; the discipline is more important than the format.

// 09

MALPRACTICE INSURANCE: WHAT CARRIERS ARE ACTUALLY ASKING FOR.

Florida law-firm malpractice carriers (TLC, ALPS, ICAT, Lloyd's syndicates) increasingly bundle or layer cyber coverage with professional-liability coverage — and the cyber underwriter has different questions than the malpractice underwriter. The combined 2026 questionnaire for a Florida firm renewing coverage typically asks for attestation of:

  • MFA on every mailbox and every remote-access entry point.
  • EDR on every workstation (not just legacy AV).
  • Offline or immutable backup with tested restore (not just “backup exists”).
  • Written incident-response plan.
  • Annual security awareness training with documented completion.
  • Email security gateway beyond default Microsoft 365 protection.
  • Vendor inventory with security attestations.
  • Network segmentation between work and guest networks.
  • Trust-account / IOLTA controls (separation, dual authorization, monthly reconciliation).
  • AI-use policy (new in 2026 questionnaires).
  • Crime-coverage rider for social-engineering fraud (now standard).

Firms that can attest cleanly to all of the above consistently see lower premium increases, higher coverage limits, and fewer carrier-imposed exclusions. The same posture defends “reasonable efforts” under Rule 4-1.6(e). The controls overlap almost completely.

// 10

THE PRACTICAL BAR-ALIGNED IT STACK.

What does a Bar-aligned IT environment actually look like at a 10-person Florida law firm in 2026? Here's the stack Simply IT deploys at every new law-firm client during onboarding. It defends “reasonable efforts” under Rule 4-1.6(e), satisfies the typical malpractice carrier's 2026 questionnaire, and gives the firm audit-ready documentation.

  • Identity: Microsoft 365 Business Premium, Entra ID with Conditional Access policies, MFA enforced on every user, separate global-admin accounts for IT only.
  • Endpoint: Defender for Business EDR on every workstation, BitLocker disk encryption on every laptop, Intune MDM (or RMM) on every device including BYOD.
  • Email: Exchange Online with Defender for Office 365, DMARC enforcement on the firm domain, attachment sandboxing, banking-change keyword alerts, user phishing-reporter add-in.
  • Document Management: Clio, NetDocuments, iManage, MyCase, or SharePoint-with-governance — selected to match firm size and practice areas.
  • AI: Microsoft 365 Copilot, ChatGPT Enterprise/Team, or Claude for Work — with consumer-AI blocked at Conditional Access where appropriate.
  • Network: Business-grade firewall, VLAN segmentation between firm workstations and guest WiFi, secure remote-access pattern (Conditional Access + MFA rather than legacy VPN-to-server).
  • Backup: Image-based backup of any locally hosted servers, cloud backup of SharePoint and OneDrive, immutable retention for ransomware resilience, quarterly tested restores.
  • Training: Annual security awareness training (KnowBe4 or equivalent) with law-firm-specific phishing simulations (closing-fraud, BEC), documented completion records.
  • Documentation: Written information-security policy, AI-use policy, written IR plan, vendor diligence files, BYOD policy, annual risk-assessment memo.

Pricing: this full stack at Simply IT is $150 per user per month on the Simply Compliant tier, with no long-term contracts. A 10-person law firm invests $1,500/month for a Bar-aligned posture — meaningfully less than the lower bound of a single wire-fraud loss, single ransomware recovery, or single grievance-defense engagement.

// 11

FREQUENTLY ASKED QUESTIONS.

What does Florida Bar Rule 4-1.6(e) actually require?
Rule 4-1.6(e) of the Rules Regulating The Florida Bar states that “a lawyer must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The Rule mirrors ABA Model Rule 1.6(c) and brings Florida into alignment with the duty of technological competence the ABA articulated in Comment 8 to Model Rule 1.1. In practice: every Florida lawyer has an affirmative ethical obligation to safeguard client information from electronic compromise — not just an obligation to refrain from intentional disclosure.
How does Florida Bar Rule 4-1.6 differ from ABA Model Rule 1.6(c)?
Florida Bar Rule 4-1.6(e) is substantively parallel to ABA Model Rule 1.6(c) — both require “reasonable efforts” rather than absolute prevention, and both apply to the entire scope of client confidences (not just attorney-client privileged communication). Florida's Comment to Rule 4-1.6 references the same factors ABA Comment [18] enumerates: sensitivity of the information, likelihood of disclosure absent additional safeguards, cost and difficulty of implementing safeguards, and the extent to which safeguards adversely affect the lawyer's ability to represent the client. Florida-specific guidance from Bar ethics opinions (notably Opinion 06-2 on confidentiality of electronic files and Opinion 12-3 on cloud computing) layers practical implementation guidance on top of the Rule.
Does cloud storage of client files comply with Rule 4-1.6?
Yes — under Florida Bar Professional Ethics Opinion 12-3 (2013) and subsequent Bar guidance, a lawyer may use cloud-storage services for client files provided the lawyer exercises reasonable care in vetting the provider, understands the provider's data-security practices and data-location, has reviewed and accepted the terms of service, and has in place appropriate technical safeguards (encryption in transit and at rest, MFA on accounts, access controls). The opinion does not require any specific vendor — it requires diligence and informed selection. Microsoft 365 Business Premium, Clio, NetDocuments, and iManage are all defensible choices when configured correctly. Free consumer Dropbox or personal Google Drive accounts generally are not.
Does using ChatGPT for privileged client matter waive privilege?
It can. Submitting privileged client information into a public LLM (ChatGPT free tier, default Claude.ai personal account, free Gemini) typically grants the provider a license to retain and use the input for training and improvement — meaning the firm has voluntarily disclosed privileged information to a third party for the third party's commercial benefit. Most courts and bar authorities are not yet decided on whether this constitutes a privilege waiver, but the conservative reading is that it might, and the malpractice exposure runs ahead of the case law. Governed AI — Microsoft 365 Copilot under the firm's tenant, ChatGPT Enterprise/Team, or Claude for Work with the firm's data-use opt-out — addresses the issue by contractually preventing the provider from training on the firm's prompts.
How can the firm actually defend against real-estate wire fraud?
Defense is layered. (1) A verbal call-back to the title agent / closer at a pre-verified phone number (not the number in the email signature) before transmitting any wire. (2) Conditional Access policies on the firm's Microsoft 365 tenant blocking legacy authentication and enforcing MFA on every mailbox. (3) Email-security gateway with display-name impersonation detection and homoglyph-domain alerts. (4) Banking-change keyword detection in email rules (“wire instructions changed,” “updated routing”). (5) Client-facing closing-fraud advisory at engagement. (6) Cyber insurance with crime-coverage rider explicitly covering social-engineering fraud. No single control is sufficient; layered controls reduce loss probability and severity.
What does Bar-aligned IT cost a Florida law firm?
Most Florida law firms we work with invest $125-$150 per user per month for Bar-aligned managed IT (Simply IT's Simply Secure or Simply Compliant tiers). A typical 10-person firm (4 attorneys + 6 paralegal/support) invests $1,250-$1,500 per month, which covers monitoring, EDR, email security, MFA enforcement, encrypted backup, security awareness training, AI governance, secure document management integration, and the documentation maintenance required to defend “reasonable efforts” to a disciplinary panel or malpractice carrier. There are no long-term contracts.
What documentation should we keep to defend “reasonable efforts”?
If a Florida Bar grievance committee or a malpractice carrier asks you to prove reasonable efforts, you want to produce: (1) a written information-security policy applicable to the firm; (2) MFA enrollment evidence for every user; (3) endpoint encryption attestation for every laptop; (4) the firm's incident-response plan; (5) annual or onboarding cybersecurity training completion records; (6) vendor due-diligence files for each cloud service (SOC 2 reports, BAAs or equivalent contracts); (7) backup test results; and (8) the dated risk assessment that informed your control selections. Most of this is generated as a byproduct of a competently run managed IT relationship — it's the documentation discipline that makes it audit-ready.
What does cyber insurance for law firms typically require in 2026?
Standard underwriter questions for law-firm cyber policies in 2026: MFA on every mailbox and every remote-access entry point; EDR (not just legacy AV); offline or immutable backup with tested restore; documented incident response plan; security awareness training; vendor inventory; network segmentation; and increasingly — specific AI-use disclosures. Some carriers also ask for trust-account / IOLTA controls (separation of trust banking from operating, dual authorization on trust transfers, monthly reconciliation). Crime-coverage riders for social-engineering fraud are now standard and worth adding given the wire-fraud exposure.
How is Simply IT different from a generic IT provider for law firms?
Simply IT is veteran-owned, headquartered in Ocala FL, and treats Bar Rule 4-1.6 alignment as a first-class deliverable. Standard onboarding for every law-firm client includes a written information-security policy template tuned to firm size, MFA enforcement, endpoint encryption verification, document-management security integration (Clio, NetDocuments, iManage, MyCase, or SharePoint with governance), AI governance configuration (Copilot or ChatGPT Enterprise tenant, not personal accounts), and audit-ready evidence for the malpractice carrier or a future grievance committee. Same flat monthly fee, no “compliance add-on” pricing.
Is encrypted email or a portal the right channel for client communication?
It depends on the matter. For routine non-confidential matter (status updates, scheduling), standard email is generally acceptable under Rule 4-1.6. For sensitive matter (estate plans, litigation strategy, settlement numbers, banking instructions), a secure portal or encrypted email is the prudent default. Microsoft 365 with the right configuration supports both message encryption (sender selects per-email) and secure-portal delivery. Most matter-management platforms (Clio, MyCase, NetDocuments) offer a client portal with end-to-end encryption. The right answer is firm-wide policy plus matter-level judgment, documented in the firm's information-security policy.
Are there specific concerns for estate planning practices?
Yes. Estate planning files contain SSNs, account numbers, beneficiary information, and identity documents — high-value identity-theft data with multi-year shelf life. BEC attacks targeting estate distributions (impersonating the lawyer to redirect distributions to beneficiaries, or impersonating beneficiaries to the lawyer's trust account) have grown sharply since 2022. The defense profile is identical to real-estate closing fraud: verbal call-back verification on every distribution change, MFA, conditional access, gateway-level impersonation detection, and a client-facing fraud advisory at engagement.
What about real-estate closing safeguards specifically?
For Florida law firms handling real-estate closings: ALTA Best Practices Pillar 3 (information security) is the practical implementation reference. Pillar 3 calls for written information-security policy, physical security of non-public personal information (NPI), network security with MFA, employee training, vendor management, and incident response. Title underwriters increasingly require ALTA Best Practices certification or attestation. The same controls satisfy Rule 4-1.6 reasonable efforts and substantially reduce wire-fraud probability.
READY FOR BAR-ALIGNED IT AT YOUR FLORIDA LAW FIRM?

Get a free Florida Bar Rule 4-1.6 cybersecurity assessment from a veteran-owned managed IT provider headquartered in Ocala, FL. We'll review your written information-security policy, your wire-fraud controls, your document-management security, your AI governance, and your malpractice-carrier questionnaire — and give you an honest written gap-and-fix report with no obligation.

Or call us directly: 352-723-5003