Understanding Formal Opinion 477R (Securing Client Information)

Written by PK Tech | October 21, 2025

Securing client information is an unquestionable ethical obligation.

If you work in law, you likely know this without question. Other industries are now being forced to get up to speed and understand the implications of important legislation created to protect the privacy and safety of client data. 

Safeguarding client information is now more than a “best practice”. It’s a necessity for all businesses.

The American Bar Association (ABA) recognized this need and issued Formal Opinion 477R. 

Consider this blog your official breakdown of Formal Opinion 477R: everything you need to know and what it means for you.

What is Formal Opinion 477R? 

Let’s explain in layman’s terms. Formal Opinion 477R provides updated guidance for lawyers on how to secure client communications and protect sensitive data. 

It updates earlier opinions on lawyers’ duty to protect client information in light of evolving technology and cybersecurity risks. The opinion interprets Model Rule 1.6(c) of the ABA Model Rules of Professional Conduct, which requires lawyers to make “reasonable efforts” to prevent unauthorized access to or disclosure of client information.

The opinion does not mandate a single approach to data security but instead promotes a fact-based, flexible standard. Lawyers are encouraged to evaluate each situation individually — for example, deciding when to use encrypted email or when a more secure method of communication is appropriate.

This opinion emphasizes that lawyers must take reasonable steps to ensure client confidentiality in the context of modern technology, especially when using cloud storage, email, and other electronic means of communication.

What Should You Consider When Assessing Security Needs?

Formal Opinion 477R doesn’t prescribe a one-size-fits-all solution. Instead, it directs lawyers to assess the level of security required based on several factors, including:

  1. Sensitivity of the Information: Consider how confidential or critical the data is. Highly sensitive materials, such as trade secrets or personal identifiers, demand stronger protection.
  2. Likelihood of Unauthorized Access: Evaluate the likelihood that the information could be intercepted or accessed by unintended parties.
  3. Potential Harm: Consider what damage could occur if the information were compromised.
  4. Client Instructions and Expectations: Some clients may require specific security protocols or encryption methods.
  5. Nature of the Communication: Routine administrative messages may not need the same level of protection as confidential case strategy discussions.
  6. Available Security Measures: Assess what technological safeguards, such as encryption, secure networks, or password protection, are feasible and practical.
  7. Cost and Difficulty of Implementation: Balance security needs with the practical cost and effort of applying specific protections.

What Steps Can You Take to Protect Client Information?

After assessing security risks, lawyers should take concrete steps to maintain confidentiality and comply with ethical duties under Formal Opinion 477R. Recommended actions include:

1. Use Secure Communication Channels 

Implement encryption for email and file transfers involving sensitive information.

2. Adopt Strong Password Policies

Require complex passwords and enable multi-factor authentication for all systems accessing client data.

3. Keep Software Updated

Regularly update operating systems, antivirus software, and applications to prevent exploitation of vulnerabilities.

4. Train Staff on Data Security

Ensure that everyone in the firm understands proper data handling and security protocols.

5. Limit Access

Grant access to client information only to those who need it to perform their duties.

6. Secure Physical Devices

Protect laptops, smartphones, and external drives with encryption and physical safeguards.

7. Use Trusted Cloud Providers

If using cloud services, select vendors with strong security certifications and compliance practices.

8. Have an Incident Response Plan

Establish a clear process for responding to data breaches or unauthorized access events.

What 477R Means for You  

Formal Opinion 477R reminds legal professionals that ethical competence includes technological competence. Protecting client information goes beyond good intentions; it requires awareness, assessment, and active management of security risks. By understanding the guidance provided by Opinion 477R and implementing reasonable security measures, lawyers can uphold their duty of confidentiality while confidently navigating the digital landscape.

Do you have more questions about 477R as it relates to your firm?

PK Tech has an extensive history working with law firms in the Greater Phoenix Area. Schedule a complimentary consultation with our team.