Cybersecurity is no longer just an IT issue. For North Carolina lawyers, it is part of professional responsibility.

Law firms in Raleigh are under constant pressure to balance responsiveness, convenience, and confidentiality. Clients expect fast communication. Lawyers need to work from court, home, mobile devices, and shared cloud platforms. But ABA Formal Opinion 477R makes one point clear: when lawyers communicate electronically about client matters, convenience alone is not the standard. The ethical standard is whether the lawyer has made reasonable efforts to prevent unauthorized access to protected client information.

That is why Opinion 477R still matters. It did not ban email. It did not require encryption for every communication. What it did do was move the conversation away from the old assumption that ordinary email is always good enough. The ABA explained that a lawyer may generally transmit client information over the internet if the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. But the opinion also says lawyers may need to take special security precautions when required by client agreement, by law, or by the nature of the information itself.

For Raleigh law firms, that risk-based approach is especially important. A scheduling email is one thing. A message containing trust account details, merger documents, health records, trade secrets, privileged litigation strategy, or personally identifiable information is something else entirely. Opinion 477R asks lawyers to evaluate the sensitivity of the information and choose safeguards that match the risk. That makes cybersecurity ethics a matter of judgment, not just software.

North Carolina lawyers should read that principle alongside Rule 1.6 of the North Carolina Rules of Professional Conduct. The State Bar explains that the duty of confidentiality applies not just to communications made in confidence, but to all information acquired during the representation, whatever its source. It also warns that even disclosures that do not directly reveal protected information can still violate the rule if they could reasonably lead to discovery by a third party. In practice, that means a careless workflow, weak access controls, or an insecure communication channel can create an ethics problem even when no one intended to reveal anything.

The local context makes this even more concrete. The North Carolina State Bar has recently warned lawyers about TOAD attacks targeting trust accounts. In those attacks, criminals use phishing and social engineering to trick lawyers or law firm staff into disclosing confidential information, and then gain online access to firm financial systems. That is exactly the kind of real-world threat environment that makes Opinion 477R more than theoretical. It is not about abstract “best practices.” It is about whether a firm’s day-to-day habits are ethically defensible in a world where attackers are specifically targeting lawyers.

One of the most important lessons in 477R is that lawyers cannot outsource ethical responsibility just because they outsource technology functions. The opinion emphasizes understanding the nature of the threat, understanding how client information is transmitted and stored, using reasonable security measures, training lawyers and staff, and conducting due diligence on vendors. In other words, ethics compliance is operational. A law firm cannot simply say, “our IT provider handles that.” The lawyer still has to exercise professional judgment about whether the firm’s systems and practices are reasonable for the matters it handles.

That has several practical implications for Raleigh firms. First, communication policies should be matter-sensitive. Not every type of client information should be sent the same way. Second, firms should know where their data lives: in email, document systems, mobile devices, cloud storage, and third-party legal applications. Third, lawyers should know when ordinary email is acceptable and when a more secure method such as encryption, a secure portal, or restricted document sharing is the better ethical choice. Fourth, training matters. Many confidentiality failures begin with human error, not a sophisticated hack.

Opinion 477R is also a reminder that cybersecurity should be discussed with clients, not hidden from them. Some clients will insist on specific safeguards. Others may assume the firm is already using them. Either way, a thoughtful discussion at the start of the representation can reduce risk and strengthen trust. For example, a firm may want to define when email is appropriate, when sensitive attachments should be shared through a secure platform, how remote access is handled, and what happens if a lawyer is traveling or using personal devices. Those conversations are part of competent representation.

It is also helpful to understand what 477R does not require. It does not promise perfect security. It does not mandate the most expensive tool on the market. And it does not require the same safeguards for every message in every matter. The standard is reasonableness. But “reasonable” is not static. As threats evolve and baseline safeguards become more common, the ethical expectation evolves too. A law firm that ignores multi-factor authentication, weakens remote access controls, or fails to vet vendors may have a harder time arguing that its efforts were reasonable if something goes wrong. The ABA’s ethics archive also places Opinion 477R alongside Formal Opinion 483, which addresses a lawyer’s duties after an electronic data breach or cyberattack. Together, they reinforce that lawyers have obligations both to prevent incidents and to respond appropriately when prevention fails.

For Raleigh law firms, the bottom line is simple: cybersecurity is now part of legal ethics. It sits inside competence, confidentiality, supervision, and client communication. Firms do not need to become cybersecurity companies. But they do need to be able to explain, in practical terms, why their safeguards are reasonable for the information they handle. That is the real lesson of ABA Formal Opinion 477R — and it is one North Carolina lawyers cannot afford to treat as someone else’s problem.


If your Raleigh firm has not recently reviewed how it handles client email, remote access, mobile devices, vendor risk, and trust-account-related security, now is the time to do it. Ethical compliance and cybersecurity readiness are no longer separate conversations. We specialize in supporting law firms right here in the Triangle.

Book a 15-minute discovery call today if you want to know where your firm stands in light of these requirements.