HackFirstAid for Law Firms

Regulations & standards

The rules a firm meets on a Tuesday.

Legal practice sits at the intersection of ethics rules (enforced by bars), data-protection law (enforced by states and regulators), and client-imposed standards (enforced by losing the client). Here is the grid, in the order you'll meet them on a malpractice application, a client's OCG questionnaire, or a bar-counsel inquiry.

United States: Legal-ethics core (enforced by state bars)

  • ABA Model Rule 1.1, Comment 8 — Technology competence
    Adopted in some form by ~40 states + D.C. + Puerto Rico. Keep abreast of the benefits and risks of relevant technology.
  • ABA Model Rule 1.6(c) — Safeguarding client information
    Reasonable efforts to prevent unauthorized access or disclosure — current, former, and prospective clients (incl. 1.9(c) and 1.18(b)).
  • ABA Model Rule 1.4 — Communication
    The duty that drives client breach notification: keep the client reasonably informed.
  • ABA Formal Opinion 483 (2018) — Post-breach obligations
    Monitor, stop, mitigate, and notify affected current and former clients. No safe harbor.
  • ABA Formal Opinion 477R (2017) — Securing client communications
    When ordinary email is and isn't enough; encryption expectations.
  • ABA Formal Opinion 498 (2021) — Virtual practice
    Security duties for remote / cloud practice.
  • State bar rules and ethics opinions
    Most states track Comment 8; CA, NY, TX, FL, and others have their own breach / cloud / tech-competence opinions. Trust-accounting rules vary.

United States: Data-protection & sector law (enforced by states / agencies)

  • State data-breach notification laws
    All 50 states + D.C. The firm holds third parties' PII and must notify residents and (often) the state AG. Timelines vary — some 30 or 45 days.
  • HIPAA — when the firm is a Business Associate
    A firm handling PHI for healthcare clients is a Business Associate, must sign BAAs, and inherits Security Rule duties. Widely underappreciated.
  • GLBA / FTC Safeguards Rule
    Where the firm handles consumer financial information for financial-institution clients.
  • PCI-DSS (SAQ-A)
    Any firm accepting card payments for fees (LawPay-class) is in scope, typically at the SAQ-A level when card handling is fully outsourced to the payment provider and no card data is stored, processed, or transmitted on the firm's own systems.
  • CJIS, ITAR / EAR
    Criminal-defense firms touching CJIS data; firms handling export-controlled client data.

United States: Client-imposed & insurer standards (enforced commercially)

  • Outside Counsel Guidelines (OCG) security addenda
    Corporate clients' questionnaires, encryption / MFA / breach clauses, sometimes SOC 2. The revenue hook.
  • Cyber-insurance and Legal Professional Liability (LPL) applications
    Carriers (Coalition, At-Bay, Beazley, Travelers, Chubb, and the LPL mutuals) ask MFA, EDR, backups, wire-verification, and training questions.

Cross-cutting: Frameworks the market actually references

  • CIS Controls v8.1
    The de facto reasonable-security baseline a firm uses to demonstrate posture to a regulator, a bar, or an insurer. Lead with this.
  • NIST Cybersecurity Framework 2.0
    The language OCG questionnaires increasingly use.
  • SOC 2 / ISO 27001
    What larger clients demand; usually aspirational for a small firm but worth naming the path.
  • FBI IC3 / Financial Fraud Kill Chain
    The wire-recall mechanism behind the trust-account wire-fraud playbook.
  • FinCEN advisory FIN-2016-A003
    BEC / email-compromise fraud schemes — the federal framing for wire-fraud reporting.

Canada

  • Law Society rules — technological competence & confidentiality
    E.g., Law Society of Ontario Rule 3.1-2 commentary; equivalent provisions in other provinces.
  • LawPRO / practicePRO guidance
    Ontario's mandatory LPL insurer — repeated warnings on trust-account wire fraud and back-to-back unauthorized transfers.
  • PIPEDA
    Federal private-sector privacy; provincial equivalents in AB / BC / QC — Quebec Law 25 overlay.
  • Canadian Centre for Cyber Security
    Baseline controls for small organizations.

United Kingdom

  • SRA Standards & Regulations
    Solicitors Regulation Authority — competence and confidentiality; SRA has issued cyber / fraud warnings, especially on conveyancing / Friday-afternoon fraud.
  • UK GDPR + Data Protection Act 2018

European Union

  • GDPR
    Client personal data; breach notification to the supervisory authority within 72 hours.
  • CCBE guidance
    Council of Bars and Law Societies of Europe — professional-secrecy and security guidance.

Cited for orientation, not as legal advice. Bar rules and breach-notification statutes change; your firm's ethics counsel and LPL carrier are the authoritative source for any specific question.

© 2026 HackFirstAid. All rights reserved.