MTC: From Cyber Compliance to Cyber Dominance: What VA’s AI Revolution Means for Government Cybersecurity, Legal Ethics, and ABA Model Rule Compliance 💻⚖️🤖

In the age of cyber dominance, “I did not understand the technology” is increasingly unlikely to serve as a safe harbor.


Government technology is in the middle of a historic shift. The Department of Veterans Affairs (VA) stands at the center of this transformation, moving from a check‑the‑box cybersecurity culture to a model of “cyber dominance” that fuses artificial intelligence (AI), zero trust architecture (a security model that assumes no user or device is trusted by default, even inside the network), and continuous risk management. 🔐

For lawyers who touch government work in any way—inside agencies, representing contractors, handling whistleblowers, litigating Freedom of Information Act (FOIA) or privacy issues, or advising regulated entities—this is not just an IT story. It is a law license story. Under the American Bar Association (ABA) Model Rules, failing to grasp core cyber and AI governance concepts can now translate into ethical risk and potential disciplinary exposure. ⚠️

Resources such as The Tech-Savvy Lawyer.Page blog and podcast are no longer “nice to have.” They are becoming essential continuing education for lawyers who want to stay competent in practice, protect their clients, and safeguard their own professional standing. 🧠🎧

Where Government Agency Technology Has Been: The Compliance Era 🗂️

For decades, many federal agencies lived in a world dominated by static compliance frameworks. Security often meant passing audits and meeting minimum requirements, including:

  • Annual or periodic Authority to Operate (ATO, the formal approval for a system to run in a production environment based on security review) exercises

  • A focus on the Federal Information Security Modernization Act (FISMA) and National Institute of Standards and Technology (NIST) security control checklists

  • Point‑in‑time penetration tests

  • Voluminous documentation, thin on real‑time risk

The VA was no exception. Like many agencies, it grappled with large legacy systems, fragmented data, and a culture in which “security” was a paperwork event, not an operational discipline. 🧾

In that world, lawyers often saw cybersecurity as a box to tick in contracts, privacy impact assessments, and procurement documentation. The legal lens focused on:

  • Whether the required clauses were in place

  • Whether a particular system had its ATO

  • Whether mandatory training was completed

The result: the law frequently chased the technology instead of shaping it.

Where Government Technology Is Going: Cyber Dominance at the VA 🚀

The VA is now in the midst of what its leadership calls a “cybersecurity awakening” and a shift toward “cyber dominance.” The message is clear: compliance is not enough, and in many ways, it can be dangerously misleading if it creates a false sense of security.

Key elements of this new direction include:

  • Continuous monitoring instead of purely static certification

  • Zero trust architecture (a security model that assumes no user, device, or system is trusted by default, and that every access request must be verified) as a design requirement, not an afterthought

  • AI‑driven threat detection and anomaly spotting at scale

  • Integrated cybersecurity into mission operations, not a separate silo

  • Real‑time incident response and resilience, rather than after‑the‑fact blame

“Cyber dominance” reframes cybersecurity as a dynamic contest with adversaries. Agencies must assume compromise, hunt threats proactively, and adapt in near real time. That shift depends heavily on data engineering, automation, and AI models that can process signals far beyond human capacity. 🤖

For both government and nongovernment lawyers, this means that the facts on the ground—what systems actually do, how they are monitored, and how decisions are made—are changing fast. Advocacy and counseling that rely on outdated assumptions about “IT systems” will be incomplete at best and unethical at worst.

The Future: Cybersecurity Compliance, Cybersecurity, and Cybergovernance with AI 🔐🌐

The future of government technology involves an intricate blend of compliance, operational security, and AI governance. Each element increasingly intersects with legal obligations and the ABA Model Rules.

1. Cybersecurity Compliance: From Static to Dynamic ⚙️

Traditional compliance is not disappearing. FISMA, NIST standards, the Federal Risk and Authorization Management Program (FedRAMP), the Health Insurance Portability and Accountability Act (HIPAA), and other frameworks still govern federal systems and contractor environments.

But the definition of compliance is evolving:

  • Continuous compliance: Automated tools generate near real‑time evidence of security posture instead of relying only on annual snapshots.

  • Risk‑based prioritization: Not every control is equal; agencies must show how they prioritize high‑impact cyber risks.

  • Outcome‑focused oversight: Auditors and inspectors general care less about checklists and more about measurable risk reduction and resilience.

Lawyers must understand that “we’re compliant” will no longer end the conversation. Decision‑makers will ask:

  • What does real‑time monitoring show about actual risk?

  • How quickly can the VA or a contractor detect and contain an intrusion?

  • How are AI tools verifying, logging, and explaining security‑related decisions?

2. Cybersecurity as an Operational Discipline 🛡️

The VA’s push toward cyber dominance relies on building security into daily operations, not layering it on top. That includes:

  • Secure‑by‑design procurement and contract terms, which require modern controls and realistic reporting duties

  • DevSecOps (development, security, and operations) pipelines that embed automated security testing and code scanning into everyday software development

  • Data segmentation and least‑privilege access across systems, so users and services only see what they truly need

  • Routine red‑teaming (simulated attacks by ethical hackers to test defenses) and table‑top exercises (structured discussion‑based simulations of incidents to test response plans)

For government and nongovernment lawyers, this raises important questions:

  • Are contracts, regulations, and interagency agreements aligned with zero trust principles (treating every access request as untrusted until verified)?

  • Do incident response plans meet regulatory and contractual notification timelines, including state and federal breach laws?

  • Are representations to courts, oversight bodies, and counterparties accurate in light of actual cyber capabilities and known limitations?

3. Cybergovernance with AI: The New Frontier 🌐🤖

Lawyers can no longer sit idly by as their cyber-ethics responsibilities are changing!

AI will increasingly shape how agencies, including the VA, manage cyber risk:

  • Machine learning models will flag suspicious behavior or anomalous network traffic faster than humans alone.

  • Generative AI tools will help triage incidents, search legal and policy documents, and assist with internal investigations.

  • Decision‑support systems may influence resource allocation, benefit determinations, or enforcement priorities.

These systems raise clear legal and ethical issues:

  • Transparency and explainability: Can lawyers understand and, if necessary, challenge the logic behind AI‑assisted or AI‑driven decisions?

  • Bias and fairness: Do algorithms create discriminatory impacts on veterans, contractors, or employees, even if unintentional?

  • Data governance: Is sensitive, confidential, or privileged information being exposed to third‑party AI providers or trained into their models?

Resources like The Tech-Savvy Lawyer.Page blog and podcast often highlight practical workflows for lawyers using AI tools safely, along with concrete questions to ask vendors and IT teams. Those insights are particularly valuable as agencies and law practices both experiment with AI for document review, legal research, and compliance tracking. 💡📲

What Lawyers in Government and Nongovernment Need to Know 🏛️⚖️

Lawyers inside agencies such as the VA now sit at the intersection of mission, technology, and ethics. Under ABA Model Rule 1.1 (Competence) and its comment on technological competence, agency counsel must acquire and maintain a basic understanding of relevant technology that affects client representation.

For government lawyers and nongovernment lawyers who advise, contract with, or litigate against agencies such as the VA, technological competence now has a common core. It requires enough understanding of system architecture, cybersecurity practices, and AI‑driven tools to ask the right questions, spot red flags, and give legally sound, ethics‑compliant advice on how those systems affect veterans, agencies, contractors, and the public. ⚖️💻

For government lawyers and nongovernment lawyers who interact with agencies such as the VA, this includes:

  • Understanding the basic architecture and risk profile of key systems (for example, benefits, health data, identity, and claims platforms), so you can evaluate how failures affect legal rights and obligations. 🧠

  • Being able to ask informed questions about zero trust architecture, encryption, system logging, and AI tools used by the agency or contractor.

  • Knowing the relevant incident response plans, data breach notification obligations, and coordination pathways with regulators and law enforcement, whether you are inside the agency or across the table. 🚨

  • Ensuring that policies, regulations, contracts, and public statements about cybersecurity and AI reflect current technical realities, rather than outdated assumptions that could mislead courts, oversight bodies, or the public.

Model Rules 1.6 (Confidentiality of Information) and 1.13 (Organization as Client) are especially important. Government lawyers must:

  • Guard sensitive data, including classified, personal, and privileged information, against unauthorized disclosure or misuse.

  • Advise the “client” (the agency) when cyber or AI practices present significant legal risk, even if those practices are popular or politically convenient.

If a lawyer signs off on policies or representations about cybersecurity that they know—or should know—are materially misleading, that can implicate Rule 3.3 (Candor Toward the Tribunal) and Rule 8.4 (Misconduct). The shift to cyber dominance means that “we passed the audit” will no longer excuse ignoring operational defects that put veterans or the public at risk. 🚨

What Lawyers Outside Government Need to Know 🏢⚖️

Lawyers representing contractors, vendors, whistleblowers, advocacy groups, or regulated entities cannot ignore these changes at the VA and other agencies. Their clients operate in the same new environment of continuous oversight and AI‑informed risk management.

Key responsibilities for nongovernmental lawyers include:

  • Contract counseling: Understanding cybersecurity clauses, incident response requirements, AI‑related representations, and flow‑down obligations in government contracts.

  • Regulatory compliance: Navigating overlapping regimes (for example, federal supply chain rules, state data breach statutes, HIPAA in health contexts, and sector‑specific regulations).

  • Litigation strategy: Incorporating real‑time cyber telemetry and AI logs into discovery, privilege analyses, and evidentiary strategies.

  • Advising on AI tools: Ensuring that client use of generative AI in government‑related work does not compromise confidential information or violate procurement, export control, or data localization rules.

Under Model Rule 1.1 (Competence), outside counsel must be sufficiently tech‑savvy to spot issues and know when to bring in specialized expertise. Ignoring cyber and AI governance concerns can:

  • Lead to inadequate or misleading advice.

  • Misstate risk in negotiations, disclosures, or regulatory filings.

  • Expose clients to enforcement actions, civil liability, or debarment.

  • Expose lawyers to malpractice claims and disciplinary complaints.

ABA Model Rules: How Cyber and AI Now Touch Your License 🧾⚖️

Several American Bar Association (ABA) Model Rules are directly implicated by the VA’s evolution from compliance to cyber dominance and by the broader adoption of artificial intelligence (AI) in government operations:

  • Rule 1.1 – Competence

    • Comment 8 recognizes a duty of technological competence.

    • Lawyers must understand enough about cyber risk and AI systems to represent clients prudently.

  • Rule 1.6 – Confidentiality of Information

    • Lawyers must take reasonable measures to safeguard client information, including in cloud environments and AI‑enabled workflows.

    • Uploading sensitive or privileged content into consumer‑grade AI tools without safeguards can violate this duty.

  • Rule 1.4 – Communication

    • Clients should be informed—in clear, non‑technical terms—about significant cyber and AI risks that may affect their matters.

  • Rules 5.1 and 5.3 – Responsibilities of Partners, Managers, and Supervisory Lawyers; Responsibilities Regarding Nonlawyer Assistance

    • Law firm leaders must ensure that policies, training, vendor selection, and supervision support secure, ethical use of technology and AI by lawyers and staff.

  • Rule 1.13 – Organization as Client

    • Government and corporate counsel must advise leadership when cyber or AI governance failures pose substantial legal or regulatory risk.

  • Rules 3.3, 3.4, and 8.4 – Candor, Fairness, and Misconduct

    • Misrepresenting cyber posture, ignoring known vulnerabilities, or manipulating AI‑generated evidence can rise to ethical violations and professional misconduct.

In the age of cyber dominance, “I did not understand the technology” is increasingly unlikely to serve as a safe harbor. Judges, regulators, and disciplinary authorities expect lawyers to engage these issues competently.

Practical Next Steps for Lawyers: Moving from Passive to Proactive 🧭💼

To meet this moment, lawyers—both in government and outside—should:

  • Learn the language of modern cybersecurity:

    • Zero trust (a model that treats every access request as untrusted until verified)

    • Endpoint detection and response (EDR, tools that continuously monitor and respond to threats on endpoints such as laptops, servers, and mobile devices)

    • Security Information and Event Management (SIEM, systems that collect and analyze security logs from across the network)

    • Security Orchestration, Automation, and Response (SOAR, tools that automate and coordinate security workflows and responses)

    • Encryption at rest and in transit (protecting data when it is stored and when it moves across networks)

    • Multi‑factor authentication (MFA, requiring more than one factor—such as password plus a code—to log in)

  • Understand AI’s role in the client’s environment: what tools are used, where data goes, how outputs are checked, and how decisions are logged.

  • Review incident response plans and breach notification workflows with an eye on legal timelines, cross‑jurisdictional obligations, and contractual requirements.

  • Update engagement letters, privacy notices, and internal policies to reflect real‑world use of cloud services and AI tools.

  • Invest in continuous learning through technology‑forward legal resources, including The Tech-Savvy Lawyer.Page blog and podcast, which translate evolving tech into practical law practice strategies. 💡

Final Thoughts: The VA’s journey from compliance to cyber dominance is more than an agency story. It is a case study in how technology, law, and ethics converge. Lawyers who embrace this reality will better protect their clients, their institutions, and their licenses. Those who do not will risk being left behind—by adversaries, by regulators, and by their own professional standards. 🚀🔐⚖️

Editor’s Note: I used the VA as my “example” because Veterans mean a lot to me. I have been a Veterans Disability Benefits Advocate for nearly two decades. Their health and welfare should not be harmed by faulty tech compliance. 🇺🇸⚖️

MTC

📻 BONUS: Tech-Savvy Lawyer on Law Practice Today Podcast — Essential Trust Account Tips for Solo & Small Law Firms w/ Terrell Turner

🙏 Special Thanks to Terrell Turner and the ABA for having me on the Law Practice Today Podcast, produced by the Law Practice Division of the American Bar Association. We have an important discussion on trust account management. We cover essential insights on managing trust accounts using online services. This episode has been edited for time, but no information was altered. We are grateful to the ABA and the Law Practice Today Podcast for allowing us to share this valuable conversation with our audience.

🎯 Join Terrell and me as we discuss the following three questions and more!

  1. What precautions should lawyers using online services to manage trust accounts be aware of?

  2. How can solo and small firm attorneys find competent bookkeepers who understand legal trust accounting?

  3. What security measures should attorneys implement when using online payment processors for client funds?

⏱️ In our conversation, we cover the following:

00:00 – Introduction & Preview: Trust Accounts in the Digital Age

01:00 – Welcome to the Law Practice Today Podcast

01:30 – Today's Topic: Online Services for Payments

02:00 – Guest Introduction: Michael D.J. Eisenberg's Background

03:00 – Michael's Experience with Trust Accounts

04:00 – Challenges for Solo and Small Practitioners

05:00 – Ensuring Security in Online Services

06:00 – Questions to Ask Online Payment Providers

07:00 – Password Security & Two-Factor Authentication

08:00 – Finding a Competent Legal Bookkeeper

09:00 – Why 8AM Law Pay Works for Attorneys

10:00 – Daily Monitoring of Trust Accounts

11:00 – FDIC Insurance & Silicon Valley Bank Lessons

13:00 – Researching Trust Account Best Practices

15:00 – Closing Remarks & Podcast Information

📚 Resources

🔗 Connect with Terrell

💼 LinkedIn: https://www.linkedin.com/in/terrellturner/

🌐 Website: https://www.tlturnergroup.com/

🎙️ Law Practice Today Podcast – https://lawpracticetoday.buzzsprout.com

📰 Mentioned in the Episode

💻 Software & Cloud Services Mentioned in the Conversation

  • 8AM Law Pay – Legal payment processing designed for trust account compliance – https://www.8am.com/lawpay/

  • 1Password – Password manager for generating and syncing complex passwords – https://1password.com/

  • LastPass – Mentioned as a password manager with noted security concerns – https://www.lastpass.com/

🎙️ Ep. 122: Cybersecurity Essentials for Law Firms: Proven Strategies from Navy Veteran & Attorney Cordell Robinson

My next guest is Cordell Brion Robinson, CEO of Brownstone Consulting Firm and a decorated US Navy veteran who brings an extraordinary combination of expertise to cybersecurity. With a background in Computer Science, Electrical Engineering, and law, plus experience as a Senior Intelligence Analyst, Cordell has created cybersecurity programs that comply with the National Institute of Standards and Technology, the Federal Information Security Management Act, and the Office of Management and Budget standards for both government and commercial organizations. His firm specializes in compliance services, performing security framework assessments globally for commercial and government entities. Currently, he's innovating the cybersecurity space through automation for security assessments. Beyond his professional accomplishments, Cordell runs the Shaping Futures Foundation, a nonprofit dedicated to empowering youth through education, demonstrating his commitment to giving back to the community.

Join Cordell Robinson and me as we discuss the following three questions and more! 🎙️

1. What are the top three cybersecurity practices that lawyers should immediately adopt to secure both client data and sensitive case material in their practice?

2. From your perspective as both a legal and cybersecurity expert, what are the top three technology tools or platforms that can help lawyers streamline compliance and governance requirements in a rapidly evolving regulatory environment?

3. What are the top three steps lawyers can take to overcome resistance to technology adoption in law firms, ensuring these tools actually improve outcomes and efficiency rather than just adding complexity?

In our conversation, we cover the following: ⏱️

- 00:00:00 - Introduction and welcome to the podcast

- 00:00:30 - Cordell's current tech setup - Windows laptop, MacBook, and iPhone

- 00:01:00 - iPhone 17 Pro Max features including 48MP camera, 2TB storage, and advanced video capture

- 00:01:30 - iPhone 17 Air comparison and laptop webcam discussion

- 00:02:00 - VPN usage strategies - Government VPN for secure client communications

- 00:02:30 - Commercial client communications and secure file sharing practices

- 00:03:00 - Why email encryption matters and Mac Mail setup tutorial

- 00:04:00 - Bonus question: Key differences between commercial and government security work

- 00:05:00 - Security protocols comparison and navigating government red tape

- 00:06:00 - Question 1: Top three cybersecurity practices lawyers must implement immediately

- 00:06:30 - Understanding where client data comes from and having proper IT security professionals

- 00:07:00 - Implementing cybersecurity awareness training for all staff members

- 00:07:30 - Practical advice for solo and small practitioners without dedicated IT staff

- 00:08:00 - Proper email practices and essential security awareness training skills

- 00:08:30 - Handling data from average clients in sensitive cases like family law

- 00:09:00 - Social engineering considerations in contentious legal matters such as divorces

- 00:10:00 - Screening threats from seemingly reliable platforms - Google Play slop ads as recent example

- 00:10:30 - Tenable vulnerability scanning tool recommendation (approximately $1,500/year)

- 00:11:00 - Question 2: Technology tools for streamlining compliance and governance

- 00:11:30 - GRC tools for organizing compliance documentation across various price points

- 00:12:00 - SharePoint security lockdown and importance of proper system configuration

- 00:12:30 - Monitoring tools discussion - why no perfect solution exists and what to consider

- 00:13:00 - Being amenable to change and avoiding long-term contracts with security tools

- 00:14:00 - Question 3: Strategies for overcoming resistance to technology adoption

- 00:14:30 - Demonstrating efficiency and explaining the full implementation process

- 00:15:00 - Converting time savings to dollars and cents for senior attorney buy-in

- 00:15:30 - Mindset shift for billable hour attorneys and staying competitive in the market

- 00:16:00 - Being a technology guinea pig and testing tools yourself first

- 00:16:30 - Showing real results to encourage buy-in from colleagues

- 00:17:00 - Real-world Microsoft Word example - styles, cross-references, and table of contents time savings

- 00:17:30 - Showing value add and how technology can bring in more revenue

- 00:18:00 - Where to find Cordell Robinson - LinkedIn, www.bcf-us.com, Brownstone Consulting Firm

- 00:18:30 - Company description and closing remarks


MTC: 📱 Protecting Client Confidentiality NOW in Anticipation of Holiday Travel - Essential Digital Security Guide for Lawyers!

Lawyers, know your rights and responsibilities when crossing an international border.

As legal professionals prepare for the busy holiday travel season from November through early January, an alarming trend demands immediate attention. U.S. Customs and Border Protection (CBP) conducted a record-breaking 14,899 electronic device searches between April and June 2025—a 16.7% increase over the previous quarterly high. With nearly 15,000 devices examined in just three months, lawyers carrying client data face unprecedented risks to attorney-client privilege.

The timing coincides with significant TSA rule changes that fundamentally alter airport security protocols. Secretary Kristi Noem announced the elimination of shoe removal requirements at checkpoints, while implementing advanced facial recognition technology through TSA PreCheck Touchless ID at select airports. These changes represent the most substantial security overhaul since 9/11, creating new vulnerabilities for legal professionals.

Understanding the Current Threat Landscape

Border searches have escalated dramatically over the past decade. From 8,503 searches in 2015, the numbers jumped to 46,362 in fiscal year 2024. The latest data shows CBP conducting 13,824 basic searches and 1,075 advanced searches during the recent quarter. Basic searches involve manual inspection of device contents, while advanced searches employ forensic tools to extract comprehensive data repositories.

Legal professionals face particular vulnerability because electronic devices commonly contain materials protected by attorney-client privilege. The New York City Bar Association addressed this concern directly in its Formal Opinion 2017-5, noting that attorneys carry confidential client communications, work product, and sensitive case materials on personal devices. When border agents request device access, lawyers must balance professional obligations with potential entry denial or device confiscation.

Professional Ethical Obligations

The American Bar Association has urged the Department of Homeland Security to establish policies protecting attorney-client privilege during border searches. However, current CBP policies permit extensive searching authority under the border search exception, which allows warrantless inspections within 100 miles of international borders. This doctrine significantly reduces Fourth Amendment protections for travelers, including U.S. citizens.

New York lawyers operating under Rule 1.6 must take reasonable steps to prevent unauthorized disclosure of confidential information. The reasonableness standard requires evaluating potential harm against disclosure likelihood. For attorneys whose practice involves government agencies as opposing parties, heightened precautions become necessary.

Practical Protection Strategies

Modern legal practice demands strategic preparation for international travel. Attorneys should evaluate necessity before carrying confidential information across borders. Essential data should remain minimal—only materials professionally required for specific travel purposes. Cloud-based storage offers significant protection since CBP cannot access remotely stored information during searches.

Encryption provides another critical layer of defense. Strong passwords and disabled biometric authentication prevent immediate access. Restarting your device before reaching the border forces manual password entry rather than biometric unlocking, effectively blocking access for those without proper credentials. For maximum protection, consider using alphanumeric passwords of at least 12 characters combining uppercase letters, numbers, and special symbols. Some firms implement clean device policies, providing employees with minimal-data devices for international travel. Virtual private networks (VPN) and secure remote access solutions allow attorneys to retrieve necessary information without local storage. Additional protective measures include enabling two-factor authentication on cloud accounts, using encrypted messaging applications like Signal for client communications, and implementing remote wipe capabilities for lost or confiscated devices.

Don’t get caught not protecting your client’s PII when traveling!

Technology considerations extend beyond individual devices. The implementation of CT scanners at major airports enables enhanced screening capabilities, while new facial recognition systems create biometric templates for identity verification. These advances improve security efficiency but raise additional privacy concerns for legal professionals handling sensitive cases involving government oversight, immigration matters, or politically sensitive litigation where client anonymity becomes paramount.

Legal authorities have issued specific guidance regarding these new biometric screening protocols. The Privacy and Civil Liberties Oversight Board recommends that TSA's facial recognition program remain voluntary for all passengers, while twelve bipartisan U.S. Senators have called for comprehensive oversight of the technology's expansion. Privacy and digital rights experts advise attorneys to exercise their right to opt out of facial recognition screening by politely requesting alternative identity verification procedures, especially when handling sensitive or high-risk matters. According to the TSA's own policies, travelers can decline biometric scanning without penalty or additional scrutiny. However, studies show that 99% of travelers are not verbally informed of this option by TSA agents, making proactive assertion of opt-out rights essential. The American Bar Association and bar associations recommend attorneys stay informed about biometric screening procedures and safeguard client confidentiality during travel. For attorneys handling cases where government surveillance poses particular risks, consistently opting out of facial recognition becomes a professional obligation to protect client interests and maintain confidentiality.

Preparing for Holiday Travel Season

The holiday travel period presents unique challenges. TSA expects record-breaking passenger volumes during Thanksgiving week, with peak travel days including November 26-27 and December 1. Christmas travel intensifies December 20-22 and December 26. New Year's travel typically peaks December 29 and January 2-3. These high-volume periods increase security scrutiny and delay risks.

Attorneys should develop comprehensive travel protocols before departure. Essential preparations include identifying devices containing client data, securing informed consent for potential disclosure, and establishing communication protocols with firm leadership. Bar identification cards help verify professional status during searches. Legal counsel should remain accessible for consultation during border encounters.

Response Protocols During Searches

When facing device searches, attorneys should immediately identify themselves as legal professionals and notify agents about privileged content. CBP policies require consultation with agency counsel before searching devices containing claimed privileged materials. (See 5.2.1.2) However, this protection offers limited practical value since determination processes remain unclear.

Professional obligations continue during border encounters. Attorneys must object to searches on privilege grounds while understanding that resistance may result in device confiscation or entry complications. U.S. citizens cannot be denied entry, but devices may face extended detention for forensic examination. Non-citizens risk entry denial entirely.

Post-Search Obligations

Following any disclosure of confidential information, attorneys must promptly notify affected clients pursuant to professional responsibility rules. Documentation requirements include recording disclosed materials, identifying involved personnel, and implementing remedial measures. Firms should establish incident response protocols addressing client notification, privilege assertions, and regulatory compliance.

Final Thoughts: Looking Forward

You have certain rights when dealing with border patrol.

The legal profession must adapt to evolving security landscapes while maintaining ethical obligations. Holiday travel season presents heightened risks due to increased passenger volumes and enhanced scrutiny. Legal professionals should prioritize preparation, implement robust data protection protocols, and maintain clear communication with clients about potential disclosure risks.

As border search authority continues expanding and technology enables more intrusive examinations, the legal profession must advocate for meaningful protections while developing practical compliance strategies. The intersection of national security concerns and professional obligations requires ongoing attention from bar associations, legal practitioners, and policymakers.

The stakes are clear: protecting client confidentiality while navigating modern travel security demands requires preparation, awareness, and strategic planning. As lawyers prepare for holiday travel, implementing comprehensive digital security protocols becomes not just prudent practice, but professional obligation.

MTC

MTC: AI Governance Crisis - What Every Law Firm Must Learn from 1Password's Eye-Opening Security Research

The legal profession stands at a crossroads. Recent research commissioned by 1Password reveals four critical security challenges that should serve as a wake-up call for every law firm embracing artificial intelligence. With 79% of legal professionals now using AI tools in some capacity while only 10% of law firms have formal AI governance policies, the disconnect between adoption and oversight has created unprecedented vulnerabilities that could compromise client confidentiality and professional liability.

The Invisible AI Problem in Law Firms

The 1Password study's most alarming finding mirrors what law firms are experiencing daily: only 21% of security leaders have full visibility into AI tools used in their organizations. This visibility gap is particularly dangerous for law firms, where attorneys and staff may be uploading sensitive client information to unauthorized AI platforms without proper oversight.

Dave Lewis, Global Advisory CISO at 1Password, captured the essence of this challenge perfectly: "We have closed the door to AI tools and projects, but they keep coming through the window!" This sentiment resonates strongly with legal technology experts who observe attorneys gravitating toward consumer AI tools like ChatGPT for legal research and document drafting, often without understanding the data security implications.

The parallel to law firm experiences is striking. Recent Stanford HAI research revealed that even professional legal AI tools produce concerning hallucination rates—Westlaw AI-Assisted Research showed a 34% error rate, while Lexis+ AI exceeded 17%. (Remember my editorial/bolo MTC/🚨BOLO🚨: Lexis+ AI™️ Falls Short for Legal Research!) These aren't consumer chatbots but professional tools marketed to law firms as reliable research platforms.

Four Critical Lessons for Legal Professionals

First, establish comprehensive visibility protocols. The 1Password research shows that 54% of security leaders admit their AI governance enforcement is weak, with 32% believing up to half of employees continue using unauthorized AI applications. Law firms must implement SaaS governance tools to identify AI usage across their organization and document how employees are actually using AI in their workflows.

Second, recognize that good intentions create dangerous exposures. The study found that 63% of security leaders believe the biggest internal threat is employees unknowingly giving AI access to sensitive data. For law firms handling privileged attorney-client communications, this risk is exponentially greater. Staff may innocently paste confidential case details into AI tools, potentially violating client confidentiality rules and creating malpractice liability.

Third, address the unmanaged AI crisis immediately. More than half of security leaders estimate that 26-50% of their AI tools and agents are unmanaged. In legal practice, this could mean AI agents are interacting with case management systems, client databases, or billing platforms without proper access controls or audit trails—a compliance nightmare waiting to happen.

Fourth, understand that traditional security models are inadequate. The research emphasizes that conventional identity and access management systems weren't designed for AI agents. Law firms must evolve their access governance strategies to include AI tools and create clear guidelines for how these systems should be provisioned, tracked, and audited.

Beyond Compliance: Strategic Imperatives

The American Bar Association's Formal Opinion 512 established clear ethical frameworks for AI use, but compliance requires more than policy documents. Law firms need proactive strategies that enable AI benefits while protecting client interests.

Effective AI governance starts with education. Most legal professionals aren't thinking about AI security risks in these terms. Firms should conduct workshops and tabletop exercises to walk through potential scenarios and develop incident response protocols before problems arise.

The path forward doesn't require abandoning AI innovation. Instead, it demands extending trust-based security frameworks to cover both human and machine identities. Law firms must implement guardrails that protect confidential information without slowing productivity—user-friendly systems that attorneys will actually follow.

Final Thoughts: The Competitive Advantage of Responsible AI Adoption

Firms that proactively address these challenges will gain significant competitive advantages. Clients increasingly expect their legal counsel to use technology responsibly while maintaining the highest security standards. Demonstrating comprehensive AI governance builds trust and differentiates firms in a crowded marketplace.

The research makes clear that security leaders are aware of AI risks but under-equipped to address them. For law firms, this awareness gap represents both a challenge and an opportunity. Practices that invest in proper AI governance now will be positioned to leverage these powerful tools confidently while their competitors struggle with ad hoc approaches.

The legal profession's relationship with AI has fundamentally shifted from experimental adoption to enterprise-wide transformation. The 1Password research provides a roadmap for navigating this transition securely. Law firms that heed these lessons will thrive in the AI-augmented future of legal practice.

MTC

🚨 BOLO: Zoom Remote Access Attacks – Critical Security Alert for Legal Professionals 🚨

Zoom Attack Exposes Lawyers to Major Cyber Risk: Why Vigilance Is Now an Ethical Imperative!

Lawyers need to be able to spot fake Zoom invites—protect your client data now!

A sophisticated cyberattack targeting Zoom users has recently emerged, with direct implications for lawyers and legal professionals. The attack, detailed by Malwarebytes, involves a crime group dubbed ELUSIVE COMET that lures victims into Zoom meetings and tricks them into granting remote access. This enables the installation of malware and theft of sensitive data, including financial assets and confidential client information, e.g., PII.

How the Attack Works

  • Attackers pose as reputable contacts (e.g., media invitations) and set up Zoom calls.

  • During the meeting, the attacker often sends a remote control request with their camera off, disguising their screen name as “Zoom” to appear legitimate.

  • If the victim approves, the attacker gains full control of the victim’s system, installs malware, and can access files, emails, and even financial accounts.

Why Lawyers Must Be Extra Cautious

Ethical Duties Under ABA Model Rules

You need to be careful who you let into your Zoom conferences!

  • Competence (Rule 1.1): Lawyers must provide competent representation, which now explicitly includes technological competence. Comment 8 to Rule 1.1 states:
    To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

  • Confidentiality (Rule 1.6): Attorneys are ethically obligated to protect client information from unauthorized disclosure. Allowing remote access to your device can expose privileged communications, work product, and sensitive client data to malicious actors.

  • Failing to maintain technological competence or safeguard client data can result in ethical violations, malpractice claims, and reputational harm.

Best Practices to Prevent Zoom-Based Attacks

  • Never accept remote control requests from unknown or unverified participants.

  • Use Zoom via your web browser when possible, as the browser version does not support remote control, reducing risk.

  • Enable meeting passwords and waiting rooms to control access.

  • Restrict screen sharing and disable remote control features unless absolutely necessary.

  • Verify all meeting invitations: scrutinize the sender’s identity, and be wary of unsolicited requests, especially those involving media opportunities or unfamiliar contacts.

  • Keep Zoom and all security software updated to address known vulnerabilities.

  • Educate staff and colleagues about the risks and proper protocols for virtual meetings.

What to Do If You Suspect a Breach

You control access—deny hackers, defend your practice.

  • Disconnect from the internet immediately to limit further access.

  • Contact your IT or cybersecurity team and initiate your incident response plan.

  • Notify affected clients and relevant authorities as required by law and ethical rules.

  • Document the incident and steps taken for compliance and potential reporting obligations.

  • Review and update your security protocols to prevent future incidents.

Let’s be careful out there - it could cost you your job or, worse yet, your bar license if you don’t!

Happy Lawyering!!!

MTC: Legal Cybersecurity Crisis - How the CVE System's Defunding Compromises Digital Safety for Law Firms 🚨

In the chaos, lawyers need to defend client data as CVE shield may be in jeopardy!

CVE Program’s Last-Minute Rescue: What Lawyers Must Learn from the Cybersecurity Near-Crisis 🚨

The legal world narrowly avoided a digital disaster last week. The Common Vulnerabilities and Exposures (CVE) program—the backbone of global cybersecurity—came within hours of losing its federal funding, sending shockwaves through the legal and cybersecurity communities. In an eleventh-hour move, the Cybersecurity and Infrastructure Security Agency (CISA) extended funding for MITRE to continue operating the CVE program, averting a shutdown that could have left law firms and their clients exposed to unprecedented cyber risk. The episode is a wake-up call for every legal professional: Our reliance on a single, government-funded system for vulnerability intelligence is a vulnerability in itself.

The Alarm: How Close We Came to Losing the CVE Program ⚠️

On April 16, 2025, MITRE, the non-profit that manages the CVE database, announced its contract with the Department of Homeland Security would expire at midnight. The news triggered widespread alarm across the cybersecurity sector, as the CVE program is essential for tracking, cataloging, and sharing information about software vulnerabilities. Legal technology vendors, law firm IT teams, and risk managers all depend on CVE data to prioritize security updates and defend against cyber threats.

The potential consequences were immediate and severe. Experts warned that a lapse in CVE services would delay vulnerability disclosures, disrupt incident response, and create a dangerous window for attackers to exploit unpatched systems. Law firms, which handle highly sensitive client information, would have faced heightened risks of data breaches, malpractice claims, and regulatory penalties.

The Save: CISA Steps In—But Only for Now

CISA’s rescue: Legal cybersecurity lifeline survives—uncertainty remains.

In response to the outcry, CISA executed a last-minute contract extension, ensuring there would be no interruption in CVE services for at least the next 11 months. MITRE confirmed that the funding would keep the program running, and the global cybersecurity community breathed a collective sigh of relief.

Yet, this solution is temporary. The extension lasts less than a year, and the long-term sustainability of the CVE program remains uncertain. The episode has already spurred the formation of a new nonprofit, the CVE Foundation, aimed at ensuring the program’s independence and stability beyond government sponsorship.

Why This Matters for Lawyers and Law Firms ⚖️

The CVE program is more than a technical tool—it is a legal lifeline. The American Bar Association’s Model Rules require lawyers to safeguard client confidentiality, maintain technological competence, and supervise staff and vendors on cybersecurity practices. See MRPC 1.1[8] & 1.6. Without reliable, up-to-date vulnerability intelligence, law firms cannot meet these obligations.

If the CVE program had gone dark, lawyers would have faced:

  • Increased risk of data breaches: Without a unified system for tracking vulnerabilities, attackers would have more time and opportunity to exploit unpatched systems, putting client data at risk.

  • Malpractice exposure: Failing to implement timely security updates could be seen as a breach of the duty of competence and confidentiality, opening the door to claims of negligence or breach of fiduciary duty.

  • Compliance headaches: With regulatory requirements around breach notification and data protection tightening, law firms would struggle to demonstrate they had taken “reasonable efforts” to protect client information.

  • Vendor management chaos: Many legal technology providers rely on CVE identifiers to communicate security patches. Without them, law firms would face confusion and delays in applying critical updates.

Lessons Learned: What Lawyers Should Do Next 🛡️

The CVE funding scare revealed that even the most established cybersecurity programs can be vulnerable. For the legal profession, this is a clear signal to take proactive steps:

Lawyers have a duty to protect their clients’ PII from cyberattacks!

  • Diversify threat intelligence sources: Don’t rely solely on the CVE program. Lawyers and IT teams should monitor additional resources such as the National Vulnerability Database (NVD), CISA Alerts & Advisories, and vendor-specific feeds.

  • Review and update incident response plans: Ensure your breach response protocols account for the possibility of disruptions in vulnerability intelligence. Document your reliance on CVE and alternative sources for compliance purposes.

  • Strengthen vendor contracts: Require legal technology providers to maintain robust vulnerability management practices, even if the CVE system is disrupted.

  • Stay engaged and advocate: Support efforts to make the CVE program sustainable and independent. The legal community should join calls for diverse funding and governance to avoid future crises.

  • Educate staff and clients: Communicate the importance of cybersecurity vigilance and the evolving landscape. Make sure everyone understands their role in protecting client data.

Final Thoughts: A Fragile Peace and a Call for Vigilance 🔍

The CVE program’s last-minute rescue is a relief, but not a resolution. The legal sector must recognize that the stability of our cybersecurity infrastructure is not guaranteed. With only 11 months of assured funding, the risk of another crisis looms. The new CVE Foundation may provide a path forward, but it will require broad support from both public and private sectors.

Lawyers must remain vigilant, proactive, and informed. The next funding scare could come with less warning—and with even higher stakes for client confidentiality, professional responsibility, and the very trust that underpins the legal profession.

MTC

🚨 BOLO: Apple's Latest Update Activates AI - Lawyers, Protect Your Clients' Data! 🚨

Attention tech-savvy lawyers! 📱💼 Apple's recent iOS and macOS updates have automatically enabled Apple Intelligence, raising significant concerns about client confidentiality and data privacy. As legal professionals, we must remain vigilant in protecting our clients' sensitive information. Here's what you need to know:

The Stealth Activation 🕵️‍♂️

In the last 24 hours, Apple released iOS 18.3, iPadOS 18.3, and macOS Sequoia 15.3, which automatically activate Apple Intelligence on compatible devices. This AI-powered suite offers various features, including rewriting text, generating images, and summarizing emails. While these capabilities may seem enticing, they pose potential risks to client confidentiality. 🚨

Privacy Concerns 🔒

Apple claims that Apple Intelligence uses on-device processing to enhance privacy. However, the system still requires 7GB of local storage and may analyze user interactions to refine its functionality. This level of data access and analysis raises red flags for lawyers bound by ethical obligations to protect client information.

Ethical Obligations ⚖️

Check your Apple settings if you want to turn off “Apple Intelligence”!

The ABA Model Rules of Professional Conduct, particularly Rule 1.6, emphasize the duty of confidentiality. This rule extends to all forms of client data, including information stored on devices or accessed remotely. As tech-savvy lawyers, we must exercise reasonable care to prevent unauthorized disclosure of client information.

Potential Risks 🚫

Using AI-powered features without fully understanding their implications could lead to inadvertent breaches of client confidentiality. As we've discussed in our previous blog post, "My Two Cents: With AI Creeping Into Our Computers, Tablets, and Smartphones, Lawyers Need to Be Diligent About The Software They Use," lawyers must be cautious about adopting new technologies without proper vetting.

Lawyers MUST maintain reasonable competency in the use of technology! 🚨 ABA MRPC 1.1 [8] 🚨


Steps to Take 🛡️

  1. Disable Apple Intelligence: Navigate to Settings > Apple Intelligence & Siri to turn off specific features or disable the entire suite.

  2. Educate Your Team: Ensure all staff members are aware of the potential risks associated with AI-powered features.

  3. Review Privacy Policies: Carefully examine Apple's privacy policies and terms of service related to Apple Intelligence.

  4. Implement Additional Safeguards: Consider using encrypted communication tools and secure cloud storage solutions for client data.

Final Thoughts 🧐

As we navigate this rapidly evolving technological landscape, it's essential to balance innovation with ethical obligations. Lawyers can thrive as tech-savvy professionals by embracing technology to enhance their practice while safeguarding client trust. Remember, maintaining reasonable competency in the use of technology is not just advisable—it’s an ethical duty. See Comment 8 to ABA Model Rule 1.1.

Subscribe to The Tech-Savvy Lawyer.Page for updates on this developing situation and news on the evolving impact of AI on the practice of law. Together, we can navigate the complexities of legal technology while upholding our professional responsibilities.

Stay safe, stay informed, and stay tech-savvy! 🚀📚💻

Happy Lawyering!