March 03, 2026

TSL.P EP# 132 (Special Episode): AI, Deepfakes, and Metadata: Guest-Hosting Capital University Law School’s First Law Library Podcast Club with Professor Jennifer Wondracek 🎙️⚖️

March 03, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

🎙️ This week, we have something special for you. Your The Tech-Savvy Lawyer.Page blogger and podcaster, Michael D.J. Eisenberg, was invited back to his alma mater, Capital University Law School, to guest host their very first Podcast Club — a live, recorded podcast conversation featuring real law students, real questions, and real talk. Moderated alongside Professor Wondracek, this is an unscripted, in-the-moment discussion — not a produced studio episode, not a rehearsed explainer — just an honest, practitioner-led conversation about the issues shaping the legal profession today. 🎓 We think that's exactly what makes it worth your time. 🛡️⚖️

In our conversation, we cover the following:

[00:00] 🎬 Welcome & Introductions — Professor Raik introduces Michael D.J. Eisenberg; Michael shares his background representing veterans before the VA and his work at The Tech-Savvy Lawyer.Page, including his Amazon #1 bestselling book The Lawyer's Guide to Podcasting
[01:00] 🕵️ What Is a Deepfake? — Defining deepfakes and the real-world Bethesda incident where a fabricated video triggered a police raid and wasted critical law enforcement resources
[02:30] ⚖️ Deepfakes in Legal Practice — The serious professional responsibility consequences when attorneys introduce fake or AI-generated evidence into a trial or negotiation — and why "I didn't know" won't always protect you
[03:00] 📋 ABA Model Rule 1.1 — Competence & Comment 8 — Why technology competence is an ethical obligation, not optional — and what "competent use of technology" actually means for your daily practice
[05:00] 📶 Public Wi-Fi & VPN Security — The real dangers of using public Wi-Fi at airports, coffee shops, and on planes without a VPN, especially when accessing client portals, trust accounts, or confidential client communications
[05:45] 🔐 VPN Recommendations — NordVPN vs. ExpressVPN; why the right VPN matters for protecting your clients and your license
[07:00] 🔍 How to Detect Deepfakes in Evidence — Reviewing file metadata, spotting visual anomalies, and the Mendones v. Cushman & Wakefield case (Cal. Super. Ct. 2025) where Judge Victoria Kolakowski spotted deepfake videos — and imposed terminating sanctions
[08:30] 📜 ABA Model Rule 3.3 — Candor to the Tribunal — Your duty of honesty to the court and the compounding risks of unknowingly submitting falsified AI-generated evidence
[09:30] 🧑‍⚖️ ABA Model Rule 8.4 — Dishonesty, Fraud, Deceit & Misrepresentation — How these rules can stack with Rule 3.3 to multiply your ethical exposure
[10:30] 🖼️ Live Demo: Accessing File Metadata — A real-time screen share showing how to right-click and access image properties, including GPS coordinates, camera settings, file timestamps, and modification history — using a photo taken right at Capital University Law School
[14:00] 🗂️ Metadata Scrubbing — Why some law firms strip metadata from outgoing emails and documents, and why "scrubbed" evidence should raise red flags during discovery
[17:30] 🛡️ Five Basic Safeguards for Legal Professionals in the AI Era:

Invest in ongoing education — CLEs, podcasts, blogs
Know and follow your office's technology protocols
Be transparent with clients about your use of AI — in your engagement letters and contracts
Update your engagement letters and retainer agreements now
Stay alert to the rapidly changing AI landscape — ignoring it is not an option

[20:00] 💬 Student Q&A — George's question: Does the ethical obligation to review metadata create a resource gap between large firms and solo practitioners? What AI tools can help level the playing field?
[22:00] ⚠️ United States v. Heppner (S.D.N.Y. 2026) — The landmark federal ruling that AI-generated documents used with consumer AI tools are NOT protected by attorney-client privilege or work product doctrine — and why your choice of AI platform is now an ethics decision
[23:30] 🔒 Consumer AI vs. Secure Legal AI Platforms — The critical difference between free and low-cost consumer AI accounts and enterprise-grade legal AI tools with zero-data-retention contracts
[25:30] 📚 LexisNexis Protégé & Secure AI — How LexisNexis's zero-retention, end-to-end encrypted AI platform — including access to ChatGPT and Claude — lets attorneys use AI ethically without jeopardizing client data
[27:00] 💾 Prompt Discoverability — Why your AI prompts may be subpoenaed in malpractice claims or bar investigations, and why documenting and downloading your AI usage history matters
[28:30] 📁 Cassia's Question — Documenting AI research and adopting a random sampling strategy for metadata review: practical approaches to demonstrating "reasonable" due diligence
[30:00] 🗃️ eDiscovery Tools for Metadata at Scale — Relativity, Disco, and how these platforms help even resource-limited firms surface metadata anomalies across large document sets
[33:00] 📰 Current Awareness Resources — Where to stay current on legal tech: law.com, bar association newsletters, The Tech-Savvy Lawyer.Page blog and podcast, CLEs, and legal listservs
[33:30] 🚨 Hallucinated AI Citations & Real Consequences — Mata v. Avianca, Wadsworth v. Walmart (Morgan & Morgan pro hac vice revoked), the Chicago firm dissolution case — and why citation-checking is now a non-negotiable litigation skill
[37:00] 🎲 Book Giveaway — Rolling the virtual dice; congratulations to the winner of Michael's book, The Lawyer's Guide to Podcasting!
[38:00] 🗓️ Upcoming Events — Michael joins the Capital Law Spring Summit/Bootcamp in April; dinner with students at The Red Door Tavern

Resources

Connect with Professor Jennifer Wondracek:

E-Mail: jwondracek@law.capital.edu
LinkedIn: https://www.linkedin.com/in/jennifer-wondracek

📌 Mentioned in the Episode

🏛️ ABA Model Rules

ABA Model Rule 1.1 (Competence), Comment 8 (Technology Competence): https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/
ABA Model Rule 3.3 — Candor to the Tribunal: https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_3_3_candor_toward_the_tribunal/
ABA Model Rule 8.4 — Misconduct (Dishonesty, Fraud, Deceit, Misrepresentation): https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_8_4_misconduct/

⚖️ Case Law

Mata v. Avianca, Inc. — The landmark hallucinated AI citation case (S.D.N.Y. 2023): https://www.courtlistener.com/docket/17271435/mata-v-avianca-inc/
Mendones v. Cushman & Wakefield, Inc., No. 23CV028772 (Cal. Super. Ct. Alameda Cnty., Sept. 9, 2025) — Deepfake terminating sanctions: https://ediscoverytoday.com/2025/09/25/deepfake-videos-and-images-lead-to-terminating-sanctions-ediscovery-case-law/
United States v. Heppner, 25-cr-00503-JSR (S.D.N.Y. Feb. 10, 2026) — AI documents not protected by privilege: https://www.insideprivacy.com/artificial-intelligence/ai-and-legal-privilege-key-takeaways-from-us-v-heppner/
Wadsworth v. Walmart — Morgan & Morgan pro hac vice revocation over AI citations: (search Westlaw/Lexis for current citation)

🤔 Other

🎓 Capital University Law School — Law Library Podcast Club: https://law-capital.libguides.com/c.php?g=1168974&p=11364939
📰 Law.com — Legal news and current awareness: https://www.law.com
🏛️ Ohio State Bar Association — Ethics Hotline: https://www.ohiobar.org

💻 Hardware Mentioned in the Conversation

📱 Google Pixel 3 (used to demonstrate photo metadata and GPS geotagging in the live demo): https://store.google.com/us/category/phones

☁️ Software & Cloud Services Mentioned in the Conversation

🤖 ChatGPT (OpenAI) — Consumer & Teams AI platforms: https://openai.com/chatgpt
🤖 ChatGPT Teams — Enhanced security tier: https://openai.com/chatgpt/team
🤖 Claude (Anthropic) — AI assistant: https://claude.ai
📊 CNET — VPN rankings: https://www.cnet.com/tech/services-and-software/best-vpn/
🗃️ CS Disco — AI-powered eDiscovery platform: https://www.csdisco.com
🔐 ExpressVPN — VPN service (#1 on CNET): https://www.expressvpn.com
⚖️ LexisNexis Protégé — Legal AI platform with zero-retention, encrypted access to ChatGPT and Claude: https://www.lexisnexis.com/en-us/products/lexis-plus-ai.page
🖥️ macOS Get Info & File Tags — Native macOS metadata tool: https://support.apple.com/guide/mac-help
🖥️ Microsoft Windows File Properties (right-click → Properties → Details) — Native OS metadata viewer: https://support.microsoft.com/en-us/windows
🔐 NordVPN — VPN service (#1 on Tom's Guide): https://nordvpn.com
🤖 Perplexity AI — AI research assistant: https://www.perplexity.ai
🗃️ Relativity — eDiscovery platform with metadata analysis: https://www.relativity.com
📊 Tom's Guide — VPN rankings: https://www.tomsguide.com/best-picks/best-vpn
⚖️ Westlaw — Legal AI research vault: https://legal.thomsonreuters.com/en/products/westlaw

February 25, 2026

Word 📖 of the Week: Why Lawyers Need to Know the Term “Constitutional AI”

February 25, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

“Constitutional AI” is a design framework for artificial intelligence that aims to make AI systems helpful, harmless, and honest by training them to follow a defined set of higher‑level rules, much like a constitution. 🤖📜 For lawyers, this is not abstract theory; it connects directly to duties of technological competence, confidentiality, and supervision under the ABA Model Rules.

Most legal professionals now rely on AI‑enabled tools in research, drafting, e‑discovery, document automation, and client communication. These tools may use generative AI in the background even when the marketing materials do not emphasize “AI.” Constitutional AI gives you a practical way to evaluate those tools: are they structured to avoid hallucinations, protect confidential data, and resist being prompted into unethical behavior.

At a high level, a Constitutional AI system is trained to follow explicit principles, such as “do not fabricate legal citations,” “do not disclose confidential information,” and “do not assist in unlawful conduct.” The model learns to critique and revise its own outputs against those principles. For law firms, that aligns with the core expectations in ABA Model Rule 1.1 (competence) and its Comment 8, which require lawyers to understand the benefits and risks of relevant technology and stay current with changes in how these systems work. ⚖️

Constitutional AI also intersects with ABA Model Rule 1.6 on confidentiality. If an AI tool is not designed with strong guardrails, prompts, and outputs can expose sensitive client information to external systems or vendors. When you evaluate an AI platform, you should ask where data is stored, how prompts are logged, whether training data will include your matters, and whether the provider has implemented “constitutional” safeguards against data leakage and unsafe uses.

Supervision is another critical angle. ABA Formal Opinion 512 and Model Rules 5.1 and 5.3 stress that supervising lawyers must set policies and training for how attorneys and staff use generative AI. Constitutional AI can reduce risk, yet it does not replace supervisory duties. You still must review AI‑generated work product, confirm citations, validate factual assertions, and ensure the output is consistent with Rules 3.1, 3.3, and 8.4(c) on meritorious claims, candor to the tribunal, and avoiding dishonesty or misrepresentation.

For practitioners with limited to moderate tech skills, the key is to treat Constitutional AI as a practical checklist rather than a buzzword. ✅ Ask three questions about any AI tool you use:

Is this AI actually helpful to the client’s matter, or is it just saving time while adding risk.
Could this output harm the client through inaccuracy, bias, or disclosure of confidential data.
Is the AI acting honestly, meaning it is not hallucinating cases or claiming certainty where none exists.

If any answer is “no,” you must pause, verify, and revise before relying on the AI output.

In the AI era, your ethical risk often turns on how you select, supervise, and document the use of AI in your practice. Constitutional AI will not make you bulletproof, but it gives you a structured way to align your technology choices with ABA Model Rules while protecting your clients, your license, and your reputation.

February 10, 2026

ANNOUNCEMENT: My Book, “The Lawyer’s Guide to Podcasting,” is Amazon #1 New Release (Law Office Technology)

February 10, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

I’m excited to report that The Lawyer’s Guide to Podcasting ranked #1 as a New Release in Amazon’s Law Office Technology category for the week of February 07, 2026, and sales have already doubled since last month. 🎙️📈

For lawyers with limited-to-moderate tech skills, the book focuses on practical, repeatable workflows for launching and sustaining a compliant podcast presence. ⚖️💡

As you plan content, remember ABA Model Rule 1.1 (technology competence) and the related duties of confidentiality (Rule 1.6) and communications about services (Rule 7.1): use secure tools, avoid accidental client disclosures, and ensure marketing statements are accurate. 🔐✅

Get your copy today! 📘🚀

amazon link

February 09, 2026

MTC: Everyday Tech, Extraordinary Evidence—Again: How Courts Are Punishing Fake Digital and AI Data ⚖️📱

February 09, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Check your Ai work - AI fraud can meet courtroom consequences.

In last month’s editorial, “Everyday Tech, Extraordinary Evidence,” we walked through how smartphones, dash cams, and wearables turned the Minnesota ICE shooting into a case study in modern evidence practice, from rapid preservation orders to multi‑angle video timelines.📱⚖️ We focused on the positive side: how deliberate intake, early preservation, and basic synchronization tools can turn ordinary devices into case‑winning proof.📹 This follow‑up tackles the other half of the equation—what happens when “evidence” itself is fake, AI‑generated, or simply unverified slop, and how courts are starting to respond with serious sanctions.⚠️

From Everyday Tech to Everyday Scrutiny

The original article urged you to treat phones and wearables as critical evidentiary tools, not afterthoughts: ask about devices at intake, cross‑reference GPS trails, and treat cars as rolling 360‑degree cameras.🚗⌚ We also highlighted the Minnesota Pretti shooting as an example of how rapid, court‑ordered preservation of video and other digital artifacts can stop crucial evidence from “disappearing” before the facts are fully understood.📹 Those core recommendations still stand—if anything, they are more urgent now that generative AI makes it easier to fabricate convincing “evidence” that never happened.🤖

The same tools that helped you build robust, data‑driven reconstructions—synchronized bystander clips, GPS logs, wearables showing movement or inactivity—are now under heightened scrutiny for authenticity.📊 Judges and opposing counsel are no longer satisfied with “the video speaks for itself”; they want to know who created it, how it was stored, whether metadata shows AI editing, and what steps counsel took to verify that the file is what it purports to be.📁

When “Evidence” Is Fake: Sanctions Arrive

We have moved past the hypothetical stage. Courts are now issuing sanctions—sometimes terminating sanctions—when parties present fake or AI‑generated “evidence” or unverified AI research.💥

In Mendones v. Cushman & Wakefield, Inc. (Cal. Super. Ct. Alameda County, 2025), plaintiffs submitted multiple videos, photos, and screenshots that the court determined were deepfakes or altered with generative AI.📹 Judge Victoria Kolakowski found intentional submission of false testimony and imposed terminating sanctions, dismissing the case outright and emphasizing that deepfake evidence “fundamentally undermines the integrity of judicial proceedings.”⚖️
In New York, two lawyers became infamous in 2023 after filing a brief containing six imaginary cases generated by ChatGPT; Judge P. Kevin Castel sanctioned them under Rule 11 for abandoning their responsibilities and failing to verify the authorities they cited.📑 They were ordered to pay a monetary penalty and to notify the real judges whose names had been falsely invoked, a reputational hit that far exceeded the dollar amount.💸
A California appellate lawyer, Amir Mostafavi, was later fined $10,000 for filing an appeal with twenty‑one fake case citations generated by ChatGPT.💻 The court stressed that he had not read or verified the AI‑generated text, and treated that omission as a violation of court rules and a waste of judicial resources and taxpayer money.⚠️

These are not “techie” footnotes; they are vivid warnings that falsified or unverified digital and AI data can end careers and destroy cases.🚨

ABA Model Rules: The Safety Rails You Ignore at Your Peril

Train to verify—defend truth in the age of AI.

Your original everyday‑tech playbook already fits neatly within ABA Model Rule 1.1 and Comment 8’s duty of technological competence; the new sanctions landscape simply clarifies the stakes.📚

Rule 1.1 (Competence): You must understand the benefits and risks of relevant technology, which now clearly includes generative AI and deepfake tools.⚖️ Using AI to draft or “enhance” without checking the output is not a harmless shortcut—it is a competence problem.
Rule 1.6 (Confidentiality): Uploading client videos, wearable logs, or sensitive communications to consumer‑grade AI sites can expose them to unknown retention and training practices, risking confidentiality violations.🔐
Rule 3.3 (Candor to the Tribunal) and Rule 4.1 (Truthfulness): Presenting AI‑altered video or fake citations as if they were genuine is the very definition of misrepresentation, as the New York and California sanction orders make clear.⚠️ Even negligent failure to verify can be treated harshly once the court’s patience for AI excuses runs out.
Rules 5.1–5.3 (Supervision): Supervising lawyers must ensure that associates, law clerks, and vendors understand that AI outputs are starting points, not trustworthy final products, and that fake or manipulated digital evidence will not be tolerated.👥

Bridging Last Month’s Playbook With Today’s AI‑Risk Reality

In Last month’s editorial, we urged three practical habits: ask about devices, move fast on preservation, and build a vendor bench for extraction and authentication.📱⌚🚗 This month, the job is to wrap those habits in explicit AI‑risk controls that lawyers with modest tech skills can realistically follow.🧠

Never treat AI as a silent co‑counsel. If you use AI to draft research, generate timelines, or “enhance” video, you must independently verify every factual assertion and citation, just as you would double‑check a new associate’s memo.📑 “The AI did it” is not a defense; courts have already said so.
Preserve the original, disclose the enhancement. Our earlier advice to keep raw smartphone files and dash‑cam footage now needs one more step: if you use any enhancement (AI or otherwise), label it clearly and be prepared to explain what was done, why, and how you ensured that the content did not change.📹
Use vendors and examiners as authenticity firewalls. Just as we suggested, bringing in digital forensics vendors to extract phone and wearable data, you should now consider them for authenticity challenges as well—especially where the opposing side may have incentives or tools to create deepfakes.🔍 A simple expert declaration that a file shows signs of AI manipulation can be the difference between a credibility battle and a terminating sanction.
Train your team using real sanction orders. Nothing clarifies the risk like reading Judge Castel’s order in the ChatGPT‑citation case or Judge Kolakowski’s deepfake ruling in Mendones.⚖️ Incorporate those cases into short internal trainings and CLEs; they translate abstract “AI ethics” into concrete, courtroom‑tested consequences.
Document your verification steps. For everyday tech evidence, a simple log—what files you received, how you checked metadata, whether you compared against other sources, which AI tools (if any) you used, and what you did to confirm their outputs—can demonstrate good faith if a judge later questions your process.📋

Final Thoughts: Authenticity as a First‑Class Question

be the rock star! know how to use ai responsibly in your work!

In the first editorial, the core message was that everyday devices are quietly turning into your best witnesses.📱⌚ The new baseline is that every such “witness” will be examined for signs of AI contamination, and you will be expected to have an answer when the court asks, “What did you do to make sure this is real?”🔎

Lawyers with limited to moderate tech skills do not need to reverse‑engineer neural networks or master forensic software. Instead, they must combine the practical habits from January’s piece—asking, preserving, synchronizing—with a disciplined refusal to outsource judgment to AI.⚖️ In an era of deepfakes and hallucinated case law, authenticity is no longer a niche evidentiary issue; it is the moral center of digital advocacy.✨

Handled wisely, your everyday tech strategy can still deliver “extraordinary evidence.” Handled carelessly, it can just as quickly produce extraordinary sanctions.🚨

MTC

January 28, 2026

Word of the week: “Legal AI institutional memory” engages core ethics duties under the ABA Model Rules, so it is not optional “nice to know” tech.⚖️🤖

January 28, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Institutional Memory Meets the ABA Model Rules

“Legal AI institutional Memory” is AI that remembers how your firm actually practices law, not just what generic precedent says. It captures negotiation history, clause choices, outcomes, and client preferences across matters so each new assignment starts from experience instead of a blank page.

From an ethics perspective, this capability sits directly in the path of ABA Model Rule 1.1 on competence, Rule 1.6 on confidentiality, and Rule 5.3 on responsibilities regarding nonlawyer assistance (which now includes AI systems). Comment 8 to Rule 1.1 stresses that competent representation requires understanding the “benefits and risks associated with relevant technology,” which squarely includes institutional‑memory AI in 2026. Using or rejecting this technology blindly can itself create risk if your peers are using it to deliver more thorough, consistent, and efficient work.🧩

Rule 1.6 requires “reasonable efforts” to prevent unauthorized disclosure or access to information relating to representation. Because institutional memory centralizes past matters and sensitive patterns, it raises the stakes on vendor security, configuration, and firm governance. Rule 5.3 extends supervision duties to “nonlawyer assistance,” which ethics commentators and bar materials now interpret to include AI tools used in client work. In short, if your AI is doing work that would otherwise be done by a human assistant, you must supervise it as such.🛡️

Why Institutional Memory Matters (Competence and Client Service)

Tools like Luminance and Harvey now market institutional‑memory features that retain negotiation patterns, drafting preferences, and matter‑level context across time. They promise faster contract cycles, fewer errors, and better use of a firm’s accumulated know‑how. Used wisely, that aligns with Rule 1.1’s requirement that you bring “thoroughness and preparation” reasonably necessary for the representation, and Comment 8’s directive to keep abreast of relevant technology.

At the same time, ethical competence does not mean turning judgment over to the model. It means understanding how the system makes recommendations, what data it relies on, and how to validate outputs against your playbooks and client instructions. Ethics guidance on generative AI emphasizes that lawyers must review AI‑generated work product, verify sources, and ensure that technology does not substitute for legal judgment. Legal AI institutional memory can enhance competence only if you treat it as an assistant you supervise, not an oracle you obey.⚙️

Legal AI That Remembers Your Practice—Ethics Required, Not Optional

How Legal AI Institutional Memory Works (and Where the Rules Bite)

Institutional‑memory platforms typically:

Ingest a corpus of contracts or matters.
Track negotiation moves, accepted fall‑backs, and outcomes over time.
Expose that knowledge through natural‑language queries and drafting suggestions.

That design engages several ethics touchpoints🫆:

Rule 1.1 (Competence): You must understand at a basic level how the AI uses and stores client information, what its limitations are, and when it is appropriate to rely on its suggestions. This may require CLE, vendor training, or collaboration with more technical colleagues until you reach a reasonable level of comfort.
Rule 1.6 (Confidentiality): You must ensure that the vendor contract, configuration, and access controls provide “reasonable efforts” to protect confidentiality, including encryption, role‑based access, and breach‑notification obligations. Ethics guidance on cloud and AI use stresses the need to investigate provider security, retention practices, and rights to use or mine your data.
Rule 5.3 (Nonlawyer Assistance): Because AI tools are “non‑human assistance,” you must supervise their work as you would a contract review outsourcer, document vendor, or litigation support team. That includes selecting competent providers, giving appropriate instructions, and monitoring outputs for compliance with your ethical obligations.🤖

Governance Checklist: Turning Ethics into Action

For lawyers with limited to moderate tech skills, it helps to translate the ABA Model Rules into a short adoption checklist.✅

When evaluating or deploying legal AI institutional memory, consider:

Define Scope (Rules 1.1 and 1.6): Start with a narrow use case such as NDAs or standard vendor contracts, and specify which documents the system may use to build its memory.
Vet the Vendor (Rules 1.6 and 5.3): Ask about data segregation, encryption, access logs, regional hosting, subcontractors, and incident‑response processes; confirm clear contractual obligations to preserve confidentiality and notify you of incidents.
Configure Access (Rules 1.6 and 5.3): Use role‑based permissions, client or matter scoping, and retention settings that match your existing information‑governance and legal‑hold policies.
Supervise Outputs (Rules 1.1 and 5.3): Require that lawyers review AI suggestions, verify sources, and override recommendations where they conflict with client instructions or risk tolerance.
Educate Your Team (Rule 1.1): Provide short trainings on how the system works, what it remembers, and how the Model Rules apply; document this as part of your technology‑competence efforts.

Educating Your Team Is Core to AI Competence

This approach respects the increasing bar on technological competence while protecting client information and maintaining human oversight.⚖️

December 17, 2025

📖 WORD OF THE WEEK (WoW): Zero Trust Architecture ⚖️🔐

December 17, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Zero Trust Architecture and ABA Model Rules Compliance 🛡️

Lawyers need to "never trust, always verify" their network activity!

Zero Trust Architecture represents a fundamental shift in how law firms approach cybersecurity and fulfill ethical obligations. Rather than assuming that users and devices within a firm's network are trustworthy by default, this security model operates on the principle of "never trust, always verify." For legal professionals managing sensitive client information, implementing this framework has become essential to protecting confidentiality while maintaining compliance with ABA Model Rules.

The traditional security approach created a protective perimeter around a firm's network, trusting anyone inside that boundary. This model no longer reflects modern legal practice. Remote work, cloud-based case management systems, and mobile device usage mean that your firm's data exists across multiple locations and devices. Zero Trust abandons the perimeter-based approach entirely.

ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Zero Trust Architecture directly fulfills this mandate by requiring continuous verification of every user and device accessing firm resources, regardless of location. This approach ensures compliance with the confidentiality duty that forms the foundation of legal practice.

Core Components Supporting Your Ethical Obligations

Zero Trust Architecture operates through three interconnected principles aligned with ABA requirements.

legal professionals do you know the core components of modern cyber security?

Continuous verification means that authentication does not happen once at login. Instead, systems continuously validate user identity, device health, and access context in real time.
Least privilege access restricts each user to only the data and systems necessary for their specific role. An associate working on discovery does not need access to billing systems, and a paralegal in real estate does not need access to litigation files.
Micro-segmentation divides your network into smaller, secure zones. This prevents lateral movement, which means that if a bad actor compromises one device or user account, they cannot automatically access all firm systems.

ABA Model Rule 1.1, Comment 8 requires that lawyers maintain competence, including competence in "the benefits and risks associated with relevant technology." Understanding Zero Trust Architecture demonstrates that your firm maintains technological competence in cybersecurity matters. Additional critical components include multi-factor authentication, which requires users to verify their identity through multiple methods before accessing systems. Device authentication ensures that only approved and properly configured devices can connect to firm resources. End-to-end encryption protects data both at rest and in transit.

ABA Model Rule 1.4 requires lawyers to keep clients "reasonably informed about significant developments relating to the representation." Zero Trust Architecture supports this duty by protecting client information and enabling prompt client notification if security incidents occur.

ABA Model Rules 5.1 and 5.3 require supervisory lawyers and managers to ensure that subordinate lawyers and non-lawyer staff comply with professional obligations. Implementing Zero Trust creates the framework for effective supervision of cybersecurity practices across your entire firm.

Addressing Safekeeping Obligations

ABA Model Rule 1.15 requires lawyers to "appropriately safeguard" property of clients, including electronic information. Zero Trust Architecture provides the security infrastructure necessary to meet this safekeeping obligation. This rule mandates maintaining complete records of client property and preserving those records. Zero Trust's encryption and access controls ensure that stored records remain protected from unauthorized access.

Implementation: A Phased Approach 📋

Implementing Zero Trust need not happen all at once. Begin by assessing your current security infrastructure and identifying sensitive data flows. Establish identity and access management systems to control who accesses what. Deploy multi-factor authentication across all applications. Then gradually expand micro-segmentation and monitoring capabilities as your systems mature. Document your efforts to demonstrate compliance with ABA Model Rule 1.6(c)'s requirement for "reasonable efforts."

Final Thoughts

Zero Trust Architecture transforms your firm's security posture from reactive protection to proactive verification while ensuring compliance with essential ABA Model Rules. For legal practices handling confidential client information, this security framework is not optional. It protects your clients, your firm's reputation, and your ability to practice law with integrity.

Blog