Most Oklahoma attorneys know they have a duty of competence. What fewer realize is that since 2012, the ABA has explicitly extended that duty to technology. The question isn't whether cybersecurity is an ethical obligation for your firm. It is. The question is what that actually requires of you — in practical, day-to-day terms.
If your firm experiences a breach and a client files a bar complaint, the inquiry won't center on whether you tried your best. It will center on whether you had reasonable safeguards in place — and whether those safeguards matched what the legal profession expects in 2025.
The ABA Rule and What It Actually Says
ABA Model Rule 1.1 requires attorneys to provide competent representation — and Comment 8 states that competence includes keeping abreast of changes in the law and its practice, "including the benefits and risks associated with relevant technology."
This is not aspirational guidance. It's a competence requirement. The Oklahoma Bar Association aligns with ABA guidance on this point. The standard is "reasonable safeguards," but the bar for what counts as reasonable has risen significantly as cyber threats have grown and as basic protections like multi-factor authentication have become industry standard.
What "Reasonable Safeguards" Looks Like in 2025
Confidentiality (Rule 1.6)
Rule 1.6 requires reasonable efforts to prevent unauthorized disclosure of client information. Encryption, access controls, and secure file sharing all fall under this obligation. Sending sensitive client documents as unencrypted email attachments — or storing them on personal cloud accounts — may not meet the standard if those channels are compromised.
Communication (Rule 1.4)
Clients have a right to know if their data was exposed. Breach notification isn't just a statutory requirement under Oklahoma's data breach notification law — it's an ethical obligation to communicate honestly with clients about matters that affect their interests.
Supervision (Rules 5.1 and 5.3)
Partners and supervising attorneys are responsible for the security practices of associates and non-attorney staff. If a paralegal falls for a phishing email that exposes client data, the supervising attorney's failure to implement reasonable training and controls, including training on the phishing attack types most likely to target your team, becomes part of the ethical inquiry.
Third-Party Vendors
Sending client files to unsecured cloud services or unvetted vendors may itself violate confidentiality rules. Your responsibility does not end with your own systems: you are also responsible for ensuring that third parties who handle client data maintain reasonable security.
"We didn't know" is not a defense when MFA has been a standard recommendation for years.
The FTC Safeguards Rule: A Separate (Often Overlooked) Obligation
If your firm handles consumer financial data — estate planning with financial account details, family law matters involving asset documentation, real estate closings with mortgage and banking information — the FTC Safeguards Rule requires a written information security program. This is a federal regulatory requirement, independent of bar rules.
The rule requires designating a qualified individual to oversee your security program, conducting a risk assessment, implementing specific safeguards, monitoring vendors, and maintaining written documentation. Penalties for non-compliance can be significant, and the rule applies regardless of your firm's size.
What a Bar Complaint or Malpractice Claim Looks Like After a Breach
The sequence is predictable. A breach is discovered — often weeks after it occurred. Client notification becomes required. A client files a bar complaint alleging failure to use reasonable safeguards to protect confidential information. Separately or simultaneously, a malpractice claim alleges negligence in failing to protect client data.
Courts and bar authorities increasingly look at whether the firm had basic, industry-standard controls in place at the time of the breach. Did you have MFA? Encrypted backups? A written security policy? Staff training records? The absence of these controls — when they've been standard recommendations for years — weakens your position significantly.
A Practical Compliance Checklist for Oklahoma Attorneys
This checklist isn't exhaustive, but if you can't check most of these boxes today, your firm has work to do — and that gap is visible to anyone reviewing your practices after an incident.
How ABT Cyber Helps
We understand both the technical and legal dimensions of this obligation. Our team works with Oklahoma law firms to assess gaps, implement reasonable safeguards, and produce the documentation that demonstrates compliance — for bar inquiries, malpractice defense, and cyber insurance applications. Explore our cybersecurity risk assessments and compliance support services.