A Comprehensive 2026 Guide to ABA Rule 1.6 for Law Firms in Chicago & Throughout Illinois
Most Illinois attorneys know that ABA Rule 1.6 requires them to protect client confidentiality. What most don’t know is exactly what that means for the technology running their practice – and how far ‘reasonable efforts’ now extends. The answer has changed significantly in the last five years. As a listed provider in the Illinois State Bar Association Expert Directory, CTI Technology stays ahead of what law firms in Chicago and throughout Illinois need to know about data security and compliance.
Guidance from the American Bar Association, the Illinois State Bar Association, and ISBA Mutual has been explicit: the cybersecurity standard for Illinois law firms has risen, and what was acceptable in 2020 may not satisfy the ‘reasonable efforts’ requirement in 2026. For many firms, that gap exists right now in their IT environment; they just haven’t mapped it yet.
This post breaks down what Rule 1.6 and Rule 1.1 actually require from a technology standpoint, what Illinois-specific guidance says, and what a compliant IT environment looks like in practical terms – so you can assess where your firm stands. If you have questions, give us a call at (847) 888-1900 or schedule an introductory call with us.
Note: This post is written from an IT provider’s perspective, not a legal one. Nothing here constitutes legal advice. For guidance on your specific ethical obligations, consult the Illinois Rules of Professional Conduct, ISBA resources, or an attorney who specializes in professional responsibility.
What Rule 1.6(c) Actually Says
Rule 1.6(c) of the Illinois Rules of Professional Conduct states that a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
The operative phrase is ‘reasonable efforts.’ It’s deliberately not a checklist. The rule doesn’t say ‘install antivirus’ or ‘use a VPN.’ It sets a standard that is evaluated against the threat environment at the time, which means what counts as ‘reasonable’ evolves as threats evolve and as better safeguards become accessible and affordable.
ISBA Mutual – the Illinois State Bar Association’s malpractice insurer – has stated directly in its 2025 cybersecurity guidance that ‘reasonable’ has evolved, and what was acceptable five years ago may no longer meet today’s expectations. That’s not a vague warning. It’s a signal that the standard has moved and firms need to move with it.
The Rule 1.1 Problem: Technology Competence Is Now an Ethical Obligation
Rule 1.6 is the confidentiality obligation. But there’s a second rule that Illinois attorneys need to understand alongside it: Rule 1.1, which governs competence.
In 2012, Comment 8 to ABA Model Rule 1.1 was amended to explicitly state that a competent lawyer must keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. Illinois adopted equivalent language. As of 2026, 42 states have adopted Comment 8 or an equivalent provision – making technology competence an enforceable ethical standard, not just a best practice.
What this means in practice: an attorney who doesn’t understand the security posture of the platforms their firm uses – how client files are stored, who can access them, how they’re transmitted, and what happens if the system is compromised – is arguably not meeting their competence obligation. Comment 8 doesn’t require attorneys to become IT experts. It requires them to understand enough to make informed decisions, or to work with professional, legal-specific IT firms who can advise them.
The Illinois Supreme Court Commission on Professionalism has been consistent on this point: technology competence, including cybersecurity awareness, is part of what it means to practice law competently in 2026.
What ‘Reasonable Efforts’ Looks Like in 2026 – Illinois Standard
The ABA and ISBA don’t publish a specific technical checklist for Rule 1.6 compliance. But the guidance they’ve issued, combined with the controls now required by cyber insurers and the expectations documented in disciplinary proceedings, gives a clear picture of what ‘reasonable efforts’ means in 2026 for an Illinois law firm.
Multi-Factor Authentication on All Accounts
MFA is no longer optional. ISBA Mutual’s 2025 guidance explicitly identifies MFA as a baseline requirement, and cyber insurers universally require it as a condition of coverage. This means MFA is necessary on email, document management systems, practice management software, billing platforms, and any remote access – not just the firm’s primary login. A partner who accesses iManage or NetDocuments without MFA is creating exactly the kind of unauthorized access risk that Rule 1.6 is designed to prevent.
Least-Privilege Access Controls
ISBA Mutual is direct: sensitive client data should never be accessible to every employee by default. Each staff member should have access only to the data their role requires. A paralegal working on family law matters doesn’t need access to corporate files. A billing coordinator doesn’t need access to case strategy documents. This ‘least privilege’ model needs to be enforced by the system – not just by policy – because policy-only controls don’t create an audit trail and don’t prevent access; they merely prohibit it.
Audit Trails and Activity Monitoring
Rule 1.6 compliance isn’t just about preventing unauthorized access. It’s about being able to demonstrate that you took reasonable steps if a breach occurs. Audit logs that record who accessed what files, when, and from where serve two purposes: they’re a detection mechanism (if an associate downloads an unusual volume of files, the log flags it) and a compliance record (if a disciplinary inquiry follows a breach, documented controls are a material defense). ISBA Mutual specifically identifies audit trail review as part of a compliant access management system.
Annual Cybersecurity Awareness Training – Documented
ISBA Mutual recommends cybersecurity awareness training for all Illinois lawyers and staff at least annually, with emphasis on phishing detection, proper data handling, and reporting suspicious activity. The documentation matters as much as the training itself – participation records, training dates, and topics covered create the paper trail that demonstrates the firm’s reasonable efforts. A firm that trained staff but can’t prove it trained staff has a much harder position in a disciplinary or malpractice proceeding.
Encrypted Communications and Secure Remote Access
ISBA Mutual’s guidance is explicit: all client communications, including email, file sharing, and messaging, should be encrypted end-to-end. Attorneys working remotely should access firm systems through a VPN. Personal devices used to access firm files need antivirus software, screen locks, and remote-wipe capability. The expansion of hybrid and remote work in legal practice has extended the attack surface of every firm that hasn’t updated its remote access policies since 2020.
A Written Incident Response Plan
Only 34% of law firms have a documented incident response plan in place, yet this is now a baseline requirement for cyber insurance and a key factor in how disciplinary bodies evaluate a firm’s response to a breach. The plan needs to be specific: who is notified in the first 24 hours, who manages client communication, what the firm’s reporting obligations are under Illinois law and ABA Model Rule 1.4, and how evidence of the incident is preserved. A generic template downloaded from the internet is not the same as a plan tailored to the firm’s actual environment and obligations. Read our full guide: What a Proper Incident Response Plan Looks Like for Chicago Law Firms.
The Illinois-Specific Layer: ISBA Mutual and ISBA Guidance
Illinois attorneys have access to specific guidance that attorneys in many other states don’t: the ISBA Mutual Liability Minute blog, ISBA Mutual’s risk management resources, and the ISBA’s own privacy and information security law publications.
ISBA Mutual, which provides malpractice coverage to a significant portion of Illinois attorneys, has a direct financial interest in helping Illinois law firms reduce their cyber exposure. Their guidance is practical and current, updated to reflect the 2025-2026 threat environment. The ISBA’s Privacy and Information Security Law section newsletter publishes regular updates on cybersecurity framework compliance, AI governance, and vendor risk management.
For Illinois firms handling health-related matters – personal injury with medical records, medical malpractice, any work as a HIPAA business associate – there is an additional technical compliance layer. HIPAA mandates specific safeguards for protected health information that go beyond the bar association rules. Illinois firms at this intersection are operating under both ABA Rule 1.6 and HIPAA simultaneously, and the technical requirements of both need to be addressed in the firm’s IT environment.
The AI Adoption Problem: A New Rule 1.6 Exposure Most Firms Haven’t Mapped
79% of legal professionals now use AI tools in their practice. Most of those tools were adopted without a formal security review of how they handle client data. The ABA’s formal ethics opinions on cloud computing establish that competence requires understanding the security posture of every platform handling client data. That obligation extends to AI drafting tools, AI research assistants, and any other AI platform that processes matter-related information.
If a tool ingests client documents to generate output, the firm needs to understand where that data goes, how it’s stored, whether it’s used for model training, and whether the vendor’s data handling terms are consistent with Rule 1.6 confidentiality obligations. This is a growing area of disciplinary attention. A written prohibition on AI tool use is not sufficient. Technical controls, training, and documented vendor review are what satisfy the ‘reasonable efforts’ standard.
What Happens When an Illinois Law Firm Falls Short
The consequences of failing to meet the Rule 1.6 reasonable efforts standard aren’t abstract. They include:
- Disciplinary proceedings: the Attorney Registration and Disciplinary Commission (ARDC) has the authority to investigate and discipline Illinois attorneys for ethical violations, including failure to protect client information. A data breach that results from inadequate safeguards is exactly the kind of event that triggers an ARDC inquiry.
- Malpractice exposure: a client whose confidential information is disclosed as a result of a preventable breach has a colorable malpractice claim. The ‘reasonable efforts’ standard is the benchmark – if a firm couldn’t demonstrate it took reasonable steps, the claim becomes harder to defend.
- Notification obligations: Illinois law requires notification to affected individuals following a breach of personal information. For firms handling client financial data, health information, or personally identifiable information, this can mean notifying clients, regulators, and potentially the Illinois Attorney General – within a defined timeframe and with documented disclosure.
- Insurance consequences: a firm that experiences a breach and can’t demonstrate it had reasonable controls in place may face coverage disputes. Cyber insurers are increasingly scrutinizing claims for evidence that the firm represented its security posture accurately on the application.
- Client loss: 37% of legal clients in 2025 reported willingness to pay a premium for law firms with stronger cybersecurity measures. The reverse is also true: a publicized breach, or even a client’s discovery that a firm lacks basic controls, can end the relationship.
A Practical IT Checklist for Illinois Law Firm Rule 1.6 Compliance
This isn’t a legal compliance checklist, but rather an IT checklist from a leading legal IT consulting firm’s perspective. Use it to assess whether your firm’s technical environment supports your Rule 1.6 obligations. If you’re unsure about any of these, it’s worth getting an outside assessment.
- MFA enabled on all accounts including email, DMS, practice management, billing, remote access, and admin accounts
- Least-privilege access controls configured in your DMS and practice management software – not just policy, system-enforced
- Audit logs active and reviewed regularly to check file access, downloads, external sharing, and login anomalies
- Annual cybersecurity awareness training completed, documented, with participation records retained
- Email and file transfer encrypted to ensure client communications aren’t sent via unprotected platforms or personal email
- VPN required for remote access to firm systems, and any personal devices used for that access managed with MDM or equivalent
- 24/7 monitored endpoint detection and response (EDR) – not just antivirus and a firewall
- Immutable backups stored separately from the primary network and tested for restoration
- Written incident response plan that is firm-specific, current, tested, and identifies notification obligations & responsible parties
- Microsoft 365 security settings reviewed with external sharing, conditional access, and retention policies configured deliberately
- AI tools reviewed for data handling with vendor terms assessed for consistency with Rule 1.6 confidentiality obligations
- Attorney offboarding process documented with access revoked, file access reviewed, and forwarding rules checked
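The audit trail review described above (an associate downloading an unusual volume of files, and the checklist item on reviewing logs for downloads and anomalies) can be automated. The following is an added example, not CTI Technology’s tooling or any DMS vendor’s export format: it parses constructed `timestamp,user,action,file` audit rows, counts downloads per user per day, and flags a day that exceeds both an absolute floor and a multiple of that user’s own median on other days. The user names, matter paths and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def build_sample_log():
    """Constructed DMS audit export (timestamp,user,action,file); not a real iManage/NetDocuments format."""
    lines = []
    for day in range(5, 9):                     # jdoe: 3 downloads/day, Jan 5-8 (normal workload)
        lines += [f"2026-01-0{day}T09:{i:02d}:00,jdoe,DOWNLOAD,Smith_v_Jones/doc{i}.docx" for i in range(3)]
    lines += [f"2026-01-09T18:{i:02d}:00,jdoe,DOWNLOAD,Smith_v_Jones/doc{i}.docx" for i in range(30)]  # Jan 9: bulk pull
    for day in range(5, 10):                    # asmith: steady 4 downloads/day plus VIEW events
        lines += [f"2026-01-0{day}T10:{i:02d}:00,asmith,DOWNLOAD,Acme_Merger/ex{i}.pdf" for i in range(4)]
        lines.append(f"2026-01-0{day}T11:00:00,asmith,VIEW,Acme_Merger/summary.pdf")
    lines.append("garbage line with no commas")  # malformed row the parser must skip, not crash on
    return "\n".join(lines)

def parse_log(text):
    """Parse 'timestamp,user,action,file' rows; skip malformed ones so one bad row does not stop the review."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue
        ts, user, action, path = parts
        events.append((datetime.fromisoformat(ts), user, action.upper(), path))
    return events

def daily_download_counts(events):
    """{user: {date: downloads}}; VIEW/EDIT events are deliberately not counted."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, action, _ in events:
        if action == "DOWNLOAD":
            counts[user][ts.date()] += 1
    return counts

def flag_bulk_downloads(events, min_count=20, ratio=5.0):
    """Flag (user, date, count, baseline) where one day's downloads exceed both an absolute
    floor and `ratio` times that user's median on other days. Baseline is 0 when there are
    no other days, so a new or dormant account dumping files is still flagged."""
    flags = []
    for user, by_day in daily_download_counts(events).items():
        for day, n in sorted(by_day.items()):
            others = [c for d, c in by_day.items() if d != day]
            baseline = median(others) if others else 0
            if n >= min_count and n > ratio * baseline:
                flags.append((user, day.isoformat(), n, baseline))
    return flags

if __name__ == "__main__":
    for user, day, n, base in flag_bulk_downloads(parse_log(build_sample_log())):
        print(f"REVIEW: {user} downloaded {n} files on {day} (typical day: {base})")
```

The flagged rows are the ones a reviewer should look at; in a real environment the thresholds should be tuned per role, and the review itself logged so it forms part of the documented compliance record.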
How CTI Technology Helps Illinois Law Firms Meet the Standard
CTI Technology has been working with Chicago-area law firms for over 20 years. We’re listed in the Illinois State Bar Association (ISBA) Expert Directory under Information Technology, and our technicians are HIPAA-certified and trained in the specific compliance requirements Illinois law firms operate under.
When we assess a law firm’s IT environment, we’re not just looking at whether the network is secure in general terms. We’re mapping the firm’s technical controls against the Rule 1.6 reasonable efforts standard – identifying what’s in place, what’s missing, and what needs to change before a breach or a disciplinary inquiry makes that conversation urgent.
We work with firms running iManage, NetDocuments, Clio, ProLaw, and the full range of Microsoft 365 environments. We understand how those platforms need to be configured to support confidentiality obligations, not just to function. We support a range of legal software to ensure everything works together properly and securely.
If you’d like a free assessment of where your firm’s IT environment stands relative to the current Rule 1.6 standard, we’re happy to take a look. No pressure, no commitment – just an honest picture of where things stand.
Call (847) 888-1900 or schedule a free assessment online. CTI Technology serves law firms throughout Chicago, Schaumburg, Naperville, and the surrounding Chicagoland area from our office in Elgin, IL.