Client Confidentiality & IT

by Jon Lober | NOC Technology

What Missouri Attorneys Must Know About Ethics Rule 4-1.6

Your client emails you sensitive case details. You save them to Dropbox. A paralegal forwards a document to the wrong email address. Your laptop gets stolen from your car. None of these scenarios are hypothetical; they're real situations Missouri attorneys have faced, and each one triggers specific ethical obligations under the Rules of Professional Conduct.


Missouri Rule 4-1.6 requires attorneys to protect client information. In 2026, that means understanding how your technology choices create or reduce risk. The Missouri Bar has issued multiple advisory opinions on cloud computing, email mishaps, AI tools, and data breaches, all tying back to one fundamental question: Are you making "reasonable efforts" to safeguard electronic client data?


Here's what Missouri attorneys need to know about client confidentiality in the digital age, and what your IT setup should include to meet your ethical obligations.


Missouri Rule 4-1.6: The Core Requirement


Missouri Rule 4-1.6(c) states that a lawyer must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client." This isn't a suggestion. It's an enforceable ethical obligation that extends to every piece of technology you use in your practice.


The key phrase here is "reasonable efforts." The rule doesn't require perfection. It doesn't demand that you become a cybersecurity expert overnight. But it does require you to understand the risks associated with your technology choices and take appropriate steps to mitigate them.


What counts as reasonable depends on the circumstances. Comment 15 to Rule 4-1.6 lists factors including the sensitivity of the information, the likelihood of disclosure if additional safeguards aren't used, the cost of additional safeguards, the difficulty of implementing them, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients. A family law attorney handling a high-profile divorce with significant assets has different obligations than a small practice handling routine real estate closings, but both must demonstrate thoughtful consideration of the risks.


The Missouri Advisory Committee has been notably active in applying these principles to modern technology. Their informal opinions create a roadmap for compliance that every attorney practicing in the St. Louis area and throughout Missouri should understand.


Cloud Computing: What Missouri's Advisory Opinion 2018-09 Requires


Missouri Informal Opinion 2018-09 directly addresses cloud computing: everything from cloud-based practice management software to simple file storage services like Dropbox or Google Drive. The opinion confirms that attorneys may use cloud computing services, but only if they maintain competence in the technology and make reasonable efforts to safeguard client information.


The opinion lists specific areas where attorneys should ensure adequate provider policies and practices. These include security measures protecting confidentiality during transmission and storage, prompt notification if the provider experiences a security breach or receives a subpoena for client information, clear ownership of data by the attorney or firm (not the provider), no access rights by the provider to client information except as required by law, regular data backups, clear handling of data if the relationship terminates, compliance with applicable data laws, reliable attorney access to data, no third-party access including advertisers, and domestic data storage or storage in a jurisdiction with equivalent protections.


That's a substantial checklist, and it means attorneys can't simply sign up for the cheapest cloud service without reading the terms. You need to understand where your data lives, who can access it, what happens if the provider is breached, and what happens to your data if you cancel the service.


The practical implication for Missouri law firms is clear: your IT provider (whether internal or external) should be able to document how your cloud services meet these requirements. If they can't answer these questions, that's a problem that needs addressing before it becomes a disciplinary issue.


When Things Go Wrong: Data Breach Response Under Rule 4-1.6


Missouri Informal Opinion 2020-26 addresses what happens when technology fails, specifically when an attorney's laptop, phone, or other device containing client information is stolen. The opinion outlines concrete steps attorneys must take immediately.


First, you must take all steps reasonably necessary to prevent unauthorized access. This includes deactivating phones, securing your network and any offsite data, and changing all passwords that may have been stored on the stolen device. The opinion specifically recommends consulting with a qualified IT professional if appropriate, which, for most attorneys, means having a relationship with an IT provider who can respond quickly to incidents.


Second, you must communicate with affected clients to the extent reasonably necessary for them to make informed decisions about their representation. This isn't optional. If client confidential information may have been compromised, clients have a right to know.


Third, you must comply with applicable data breach notification laws. Missouri has its own breach notification statute, and depending on what information was exposed, federal regulations may apply as well.


The lesson here for St. Louis law firms and practices throughout Missouri is that incident response planning isn't just good business practice; it's an ethical requirement. You need to know, before an incident occurs, who to call, what steps to take, and how to fulfill your notification obligations. An IT provider who understands the legal industry should be able to help you develop and test an incident response plan.


Email Errors and Staff Supervision: Opinion 2022-07


Missouri Informal Opinion 2022-07 tackles a scenario every attorney dreads: your assistant sends confidential information to the wrong email address. This opinion connects Rule 4-1.6 to Rule 4-5.3, which addresses the lawyer's responsibility for nonlawyer assistants.


The opinion makes clear that attorneys are responsible for their staff's conduct when the staff acts at the attorney's direction. When an email goes to the wrong recipient, the attorney must take "reasonable remedial action to mitigate the consequences." That means attempting to retrieve or delete the message, assessing what confidential information was disclosed, and, importantly, disclosing the breach to the client so they can make informed decisions about their representation.


This has practical implications for IT setup. Technical controls can reduce the likelihood of this happening in the first place. Email systems can be configured to warn users before sending to external addresses, to require confirmation before sending to new recipients, or to delay outgoing messages by a few minutes to allow for recall. Data loss prevention tools can scan outgoing emails for sensitive patterns like Social Security numbers or case numbers and flag them for review.
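A pre-send check combining the external-recipient warning, the new-recipient confirmation, and the pattern scan described above can be sketched as follows. This is an added example, not code from the article or any email product; the firm domain, the known-recipient list, and the case-number format are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

FIRM_DOMAIN = "examplefirm.test"             # assumption: the firm's own mail domain
KNOWN_RECIPIENTS = {"client@clientco.test"}  # assumption: external addresses mailed before

# SSN as 123-45-6789 or 123 45 6789; area 000/666/9xx, group 00, serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}([- ])(?!00)\d{2}\1(?!0000)\d{4}\b")
# Assumption: case numbers look like 22SL-CC01234; adjust to the courts the firm files in.
CASE_RE = re.compile(r"\b\d{2}[A-Z]{2}-[A-Z]{2}\d{5}\b")

# Constructed sample: one known client, one look-alike address, one internal copy.
SAMPLE = """\
From: paralegal@examplefirm.test
To: client@clientco.test, jsmith@clientc0.test
Cc: partner@examplefirm.test
Subject: Draft petition 22SL-CC01234

Petitioner SSN is 123-45-6789. Please confirm.
"""

def review_outgoing(raw_message):
    """Return (control, detail) findings; an empty list means send without prompting."""
    msg = message_from_string(raw_message)
    findings = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    for _name, addr in getaddresses(headers):
        addr = addr.lower()
        if addr.rpartition("@")[2] != FIRM_DOMAIN:
            findings.append(("external-recipient", addr))
            if addr not in KNOWN_RECIPIENTS:
                findings.append(("new-recipient", addr))
    # Scan the subject and every plain-text part; attachments would need their own extractors.
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            texts.append(body.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(texts)
    for m in SSN_RE.finditer(text):
        # Mask the match so the review queue does not become a second copy of the data.
        findings.append(("ssn-pattern", "***-**-" + m.group(0)[-4:]))
    for m in CASE_RE.finditer(text):
        findings.append(("case-number", m.group(0)))
    return findings

if __name__ == "__main__":
    for control, detail in review_outgoing(SAMPLE):
        print(f"{control}: {detail}")
```

A mail gateway or client add-in would hold the message for confirmation whenever the returned list is non-empty.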


None of these controls are perfect, and none are explicitly required by the rules. But they're examples of "reasonable efforts" that demonstrate an attorney is taking confidentiality seriously. For firms in the Greater St. Louis area competing for clients who increasingly ask about data security, these controls can also be a business differentiator.


AI and Generative Technology: The 2024 Guidance


Missouri Informal Opinion 2024-11 addresses the newest challenge: generative AI tools like ChatGPT. The opinion applies the same Rule 4-1.6(c) framework to AI platforms, requiring attorneys to make reasonable efforts to safeguard client confidential information when using these services.


The key concern is straightforward: if you paste client information into a generative AI tool, where does that data go? Is it used to train future versions of the model? Can other users access it? Is it stored on servers in jurisdictions with different privacy laws? These are the same questions Missouri attorneys should ask about any cloud service, but the rapid adoption of AI tools has caught many firms off guard.


The opinion also connects AI use to Rule 4-1.1's competence requirement, requiring lawyers to consider the guidance in Comment 15 about maintaining competence in relevant technology. This doesn't mean every attorney needs to become an AI expert. It means you need to understand enough about the tools you're using to evaluate whether they're appropriate for handling client information.


For Missouri law firms, this creates a practical question: has your firm developed a policy on AI use? Does your IT provider understand which AI tools are appropriate for legal work and which create unacceptable risk? These conversations need to happen before someone uploads a confidential brief to a consumer AI tool.


What "Reasonable Efforts" Actually Looks Like in Practice


Across all these Missouri opinions, a pattern emerges. The rules don't prescribe specific technologies or configurations. Instead, they require attorneys to think carefully about risks and take appropriate steps. For most firms, reasonable efforts include several key elements.


Encryption matters, both for data at rest and data in transit. Client files stored on laptops or cloud services should be encrypted. Email containing sensitive information should use encryption where practical. Missouri hasn't mandated specific encryption standards, but this is a baseline expectation in 2026.


Access controls are essential. Not everyone in your firm needs access to every client file. Role-based access, strong passwords, and multi-factor authentication reduce the risk of unauthorized access. If your current systems don't support these controls, that's worth discussing with an IT provider.


Vendor due diligence is non-negotiable after Opinion 2018-09. Before signing up for any cloud service, you should understand their security practices, data handling policies, and what happens to your data if the relationship ends. This applies to practice management software, document storage, email providers, and any other service that touches client information.


Staff training reduces human error, which remains the largest source of data breaches. Your team should understand confidentiality obligations, recognize phishing attempts, and know what to do if they make a mistake.


Incident response planning ensures you can respond appropriately when (not if) something goes wrong. You should know who to contact, what steps to take, and how to fulfill your notification obligations.


Choosing an IT Provider Who Understands Legal Ethics


For solo practitioners and small firms in Missouri, handling all of this internally isn't realistic. Most attorneys need external IT support, but not all IT providers understand the specific requirements facing law firms.


When evaluating IT support, look for providers who can speak specifically to legal industry requirements. They should understand concepts like attorney-client privilege, the duty of confidentiality, and the ethical rules around cloud computing. They should be willing to sign agreements acknowledging their role in helping you maintain confidentiality. They should be able to help you document your compliance efforts in case questions arise.


This doesn't mean your IT provider needs to be an ethics expert. But they should understand that your obligations differ from a typical small business. A retail store can tolerate some downtime or data exposure that would be professionally catastrophic for a law firm. Your IT partner should get that.


The Cost of Getting This Wrong


The consequences of failing to protect client confidentiality extend beyond disciplinary action. Missouri clients increasingly expect their attorneys to take data security seriously, and sophisticated clients (particularly corporate clients) may conduct security due diligence before hiring outside counsel.


Beyond reputation, there's malpractice exposure. If a confidentiality breach harms a client, the failure to take reasonable security precautions could support a malpractice claim. Cyber liability insurance can help, but insurers increasingly require evidence of baseline security practices before issuing policies.


And then there's the practical impact on your practice. A data breach can disrupt operations for weeks. Client notifications consume time and damage relationships. Regulatory investigations demand attention when you should be serving clients. The cost of prevention is almost always less than the cost of recovery.


Moving Forward: A Practical Checklist


For Missouri attorneys evaluating their technology compliance, start with these questions:


  • Do you know where all your client data is stored, including cloud services, local devices, and backup systems?
  • Have you reviewed the terms of service for your cloud providers against the requirements in Opinion 2018-09?
  • Do you have an incident response plan that addresses your notification obligations under Rule 4-1.6 and Missouri's breach notification law?
  • Have you trained your staff on confidentiality requirements and common risks like phishing?
  • Do you have documented policies on emerging technology like generative AI?


If you can't answer yes to all of these, you have work to do. The good news is that compliance doesn't require a massive budget or enterprise-grade technology. It requires thoughtful consideration of risks and reasonable steps to address them.


The Missouri Rules of Professional Conduct don't expect perfection. They expect reasonable efforts, documented decision-making, and a genuine commitment to protecting client information. For attorneys in St. Louis and throughout Missouri, meeting that standard starts with understanding what the rules actually require and finding technology partners who can help you get there.



Frequently Asked Questions

Does Missouri require attorneys to encrypt client emails?
Missouri Rule 4-1.6 requires "reasonable efforts" to prevent unauthorized access, but doesn't mandate specific technologies like encryption. However, the sensitivity of the information matters. For highly confidential communications, encryption is increasingly considered part of reasonable efforts. The ABA's Formal Opinion 477R recommends special security measures for particularly sensitive matters.
Can Missouri lawyers use Dropbox or Google Drive for client files?
Yes, but with due diligence. Missouri Informal Opinion 2018-09 permits cloud storage if you verify the provider's security practices, data ownership terms, breach notification procedures, and data handling upon termination. Consumer-grade free accounts may not meet all requirements. Business or enterprise tiers typically offer better compliance features.
What should a Missouri attorney do if client data is breached?
Missouri Informal Opinion 2020-26 outlines the steps: immediately take action to prevent further access (deactivate devices, change passwords, secure networks), communicate with affected clients so they can make informed decisions, and comply with Missouri's breach notification law. Consulting a qualified IT professional is specifically recommended.
Is it ethical for Missouri lawyers to use ChatGPT or other AI tools?
Missouri Informal Opinion 2024-11 addresses this directly. Attorneys may use generative AI, but must make reasonable efforts to safeguard any client information entered into these systems. This means understanding the AI provider's data practices: whether inputs are stored, used for training, or accessible to others. Many consumer AI tools don't meet confidentiality requirements without enterprise agreements.
Am I responsible if my paralegal sends confidential information to the wrong email?
Yes. Missouri Informal Opinion 2022-07 confirms that attorneys are responsible for their staff's conduct when acting at the attorney's direction. You must take reasonable remedial action and notify the affected client. Technical controls like email delay rules, external recipient warnings, and data loss prevention can help prevent these incidents.
Do I need to hire a specialized legal IT provider to comply with Rule 4-1.6?
Not necessarily, but your IT provider should understand the legal industry's unique requirements. They should be able to help you evaluate cloud services against Missouri's guidelines, implement appropriate access controls, develop incident response plans, and document your compliance efforts. IT providers serving St. Louis and Missouri law firms should be familiar with these ethical obligations.
How often should law firms review their technology practices for compliance?
The Missouri Advisory Committee encourages ongoing competence in relevant technology, which suggests regular review. At minimum, review your technology practices when you adopt new tools, when your IT environment changes, when the Advisory Committee issues new opinions, or annually as part of your practice management. The emergence of AI tools in 2024-2025 is a good example of why ongoing attention matters.