ABA Opinion 498: Virtual Practice Reality

by | Apr 21, 2021

COVID has redefined the way law is practiced but hasn’t alleviated any ethical responsibilities…only complicated them.

The ABA recently reaffirmed this notion in a Formal Opinion outlining Model Rules for the virtual practice of law (#498) issued March 10, 2021. These guidelines compel all attorneys to secure their tech infrastructure and ensure compliance from all whom they supervise, whether a solo practitioner working from their guest room or a big firm with a remote IT department.

It’s all a bit daunting for those who may be more familiar with contracts than computers, so let’s examine the prescriptions and explore ways to optimize your team and technology so that you are responsibly safeguarding data, serving clients, and protecting your license.

The Opinion 

As one might expect from a bar association’s proclamation about technology, it covers eight footnoted pages written in legalese sprinkled liberally with geekspeak, so I’ll translate it to more practical concepts.

If you’ve participated in one of our webinars or have been following my Stupid Simple Security Tips, many of the provisions will already sound familiar.

I (almost) hate to say “I told you so,”…but I told you so!

While the Opinion sanctions the shifting realities of modern practice that find many attorneys working online, out-of-the-office, or entirely without a brick-and-mortar firm, it also emphasizes the heightened ethical challenges under this new paradigm.

The ABA reinforces that ethics rules apply equally to traditional and virtual law practices, stressing that lawyers working remotely must remain committed to all professional standards, with particular attention paid to confidentiality: 

[e]specially when practicing virtually, lawyers must fully consider and implement reasonable measures to safeguard confidential information and take reasonable precautions when transmitting such information.” (ABA Formal Op. 498, 3/10/2021)

The Opinion then outlines specific use cases and best practices to consider while assessing whether your technology, supervision, and work environment are consistent with meeting all ethical obligations.

IT Recommendations

Focusing upon the protection, retention, and encryption of data, the ABA highlights several tech measures attorneys should implement to comply with clients’ and courts’ expectations. Some sound pretty technical but aren’t so scary once they’re explained.

Password practice: The ABA rightly suggests using complex, unique passwords across your practice’s various platforms – both when remotely accessing internal systems and logging on to external vendors like video conferencing and file transfer services. This is one of the simpler security improvements you can apply, as it requires no additional hardware, just better Internet hygiene. Remember that longer passwords aren’t enough. You need different passwords for each portal – otherwise, the hacking of a single service can exploit credentials across several online accounts. To generate and track this array of longer codes, I recommend using a password manager service like 1Password.

Two-factor Authentication (2FA): Another precaution that requires little effort on your part, 2FA is already an option attached to most of your online accounts and available as an extra layer for your internal network. Once activated, 2FA demands secondary identification (like a security question or SMS verification) whenever a suspicious log-on is detected so that a stolen password alone won’t be enough to compromise your data. It’s minimal effort that gains significant improvement, so follow the ABA’s advice and turn this on for all of your accounts ASAP.

Virtual Private Networks (VPN): Like password strengthening and 2FA activation, using a VPN is a single improvement that instantly makes several aspects of your tech and your practice more secure. A “virtual private network” may sound pretty fancy, but also doesn’t require additional hardware – just an app on your devices that then sends all Internet traffic through an encrypted third-party service, meaning that your online activity, file transfers, and client communications are shielded from prying eyes even while on a public Wi-Fi connection.

Software protocols: The Opinion indicates that all computers used in legal practice should have firewall protection and be running FULLY-UPDATED AND PATCHED software. Simply installing anti-malware/spyware/virus programs isn’t enough, as coding holes can be exploited, new viruses require fresh countermeasures, and dated versions of software can supply backdoor access to your network. It’s critical that ALL devices are updated in a regular and timely fashion, preferably after testing patches for compatibility with your system…rather than clicking through pop-ups individually (and hoping all team members do the same), we recommend enlisting a service that will manage updates on all of your devices.

File backup/transfer: Emphasizing the necessity for reliable access to client files while working remotely, the ABA Opinion explicitly establishes that attorneys should arrange secure methods and reputable services for backing up and transmitting this data. Best-practice redundancy dictates that all client info should be securely stored in more than one digital location, preferably one of which is remote (to guard against catastrophic loss). Several online services are available to automatically update shadow files on cloud servers in the background, preserving copies in case of ransomware, hardware issues, or accidental deletion.

Additionally, when transferring large batches of data, be certain to do so via secure methods – emailing attachments is not ideal. The solution used by the majority of our clientele is Box.com, which makes it very easy to share files via secure links with options like password requirements and date-stamped expirations.

Encryption: Given the sensitive nature of client information, the ABA specifies that encryption of such data is imperative during transit and storage. By using reputable file storage services and securing connections through VPNs, your info will be encrypted during transfer, and enabling the full disk encryption (FDE) option on your computers will keep your files protected during storage, and unreadable should your physical media ever be lost.

That’s quite a technological laundry list necessary for compliance, and by the ABA’s admission isn’t comprehensive…but it’s a good start.


Formal Opinion #498 dedicates a separate section to addressing attorneys’ obligation regarding supervision – driving home the point that you are responsible for the ethical conduct and compliance of all subordinate lawyers, assistants, and vendors.

Even at a small firm or as a solo practitioner, you must take reasonable precautions to confirm the IT integrity of anyone on-staff or granted access to client data. A chain is only as strong as its weakest link!

For your vendors, this means performing due diligence and vetting services for privacy/security standards and executing NDAs as necessary.

For anyone using a firm computer or BYOD hardware, it means constantly ensuring that all of the above tech precautions are enacted on EVERY device…or enlisting a security service that can monitor, patch, and update them all remotely.

For everyone on your team, it means reinforcing safe practices and providing cybersecurity training. Be certain that your team recognizes phishing scams, uses VPNs on public Wi-Fi, and appreciates that failure to follow protocols puts clients’ privacy and your practice at risk.

Work Environment

Finally, the ABA guidelines provide some practical considerations: issuing reminders to be wary wherever your virtual practice may take you. If it’s somewhere among other people, be sure to lock your screen…if it’s comfortably ensconced at home, disable listening-enabled devices (“Alexa – what’s a good job for a disbarred attorney?“), and if it’s anywhere outside the office, assume the trash will be dumped publicly – retain or shred sensitive documents accordingly.  


The American Bar Association’s Formal Opinion #498 delivers news that is supportive and a bit alarming; while definitively accepting virtual legal practices, it also lays out expansive guidelines to ensure remote technology conforms to ethical expectations.

Some of the provisions are common sense, and many you may have already implemented, but taken as a whole, it’s a lot to consider when you’re already preoccupied WITH BEING AN ATTORNEY AND RUNNING A SMALL BUSINESS!

Hopefully, this article has provided some guidance, but the best advice that I can give is: Get. Some. Help. Clients turn to you because you’re an expert in the law, just as you should turn to other experts when you may be out of your depth.

Sure, you could take the time to deal with access issues, security protocols, software status, network integrity, file backups, vendor selection, and data encryption, then synchronize the settings across devices, hope you executed it all correctly, and pray you never need to explain to an ARDC inquiry that you did-it-all-yourself.

Orrrrrr…you could enlist a turnkey service specializing in legal technology that will take care of all issues and stay apprised of tech developments (as well as ABA requirements), offering peace of mind at a flat rate price and letting you get back to what you do best: practicing law and growing your business.

It seems like a tough decision