January 28, 2026

MTC: “Legal AI institutional memory” engages core ethics duties under the ABA Model Rules, so it is not optional “nice to know” tech.⚖️🤖

January 28, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Institutional Memory Meets the ABA Model Rules

“Legal AI institutional Memory” is AI that remembers how your firm actually practices law, not just what generic precedent says. It captures negotiation history, clause choices, outcomes, and client preferences across matters so each new assignment starts from experience instead of a blank page.

From an ethics perspective, this capability sits directly in the path of ABA Model Rule 1.1 on competence, Rule 1.6 on confidentiality, and Rule 5.3 on responsibilities regarding nonlawyer assistance (which now includes AI systems). Comment 8 to Rule 1.1 stresses that competent representation requires understanding the “benefits and risks associated with relevant technology,” which squarely includes institutional‑memory AI in 2026. Using or rejecting this technology blindly can itself create risk if your peers are using it to deliver more thorough, consistent, and efficient work.🧩

Rule 1.6 requires “reasonable efforts” to prevent unauthorized disclosure or access to information relating to representation. Because institutional memory centralizes past matters and sensitive patterns, it raises the stakes on vendor security, configuration, and firm governance. Rule 5.3 extends supervision duties to “nonlawyer assistance,” which ethics commentators and bar materials now interpret to include AI tools used in client work. In short, if your AI is doing work that would otherwise be done by a human assistant, you must supervise it as such.🛡️

Why Institutional Memory Matters (Competence and Client Service)

Tools like Luminance and Harvey now market institutional‑memory features that retain negotiation patterns, drafting preferences, and matter‑level context across time. They promise faster contract cycles, fewer errors, and better use of a firm’s accumulated know‑how. Used wisely, that aligns with Rule 1.1’s requirement that you bring “thoroughness and preparation” reasonably necessary for the representation, and Comment 8’s directive to keep abreast of relevant technology.

At the same time, ethical competence does not mean turning judgment over to the model. It means understanding how the system makes recommendations, what data it relies on, and how to validate outputs against your playbooks and client instructions. Ethics guidance on generative AI emphasizes that lawyers must review AI‑generated work product, verify sources, and ensure that technology does not substitute for legal judgment. Legal AI institutional memory can enhance competence only if you treat it as an assistant you supervise, not an oracle you obey.⚙️

Legal AI That Remembers Your Practice—Ethics Required, Not Optional

How Legal AI Institutional Memory Works (and Where the Rules Bite)

Institutional‑memory platforms typically:

Ingest a corpus of contracts or matters.
Track negotiation moves, accepted fall‑backs, and outcomes over time.
Expose that knowledge through natural‑language queries and drafting suggestions.

That design engages several ethics touchpoints🫆:

Rule 1.1 (Competence): You must understand at a basic level how the AI uses and stores client information, what its limitations are, and when it is appropriate to rely on its suggestions. This may require CLE, vendor training, or collaboration with more technical colleagues until you reach a reasonable level of comfort.
Rule 1.6 (Confidentiality): You must ensure that the vendor contract, configuration, and access controls provide “reasonable efforts” to protect confidentiality, including encryption, role‑based access, and breach‑notification obligations. Ethics guidance on cloud and AI use stresses the need to investigate provider security, retention practices, and rights to use or mine your data.
Rule 5.3 (Nonlawyer Assistance): Because AI tools are “non‑human assistance,” you must supervise their work as you would a contract review outsourcer, document vendor, or litigation support team. That includes selecting competent providers, giving appropriate instructions, and monitoring outputs for compliance with your ethical obligations.🤖

Governance Checklist: Turning Ethics into Action

For lawyers with limited to moderate tech skills, it helps to translate the ABA Model Rules into a short adoption checklist.✅

When evaluating or deploying legal AI institutional memory, consider:

Define Scope (Rules 1.1 and 1.6): Start with a narrow use case such as NDAs or standard vendor contracts, and specify which documents the system may use to build its memory.
Vet the Vendor (Rules 1.6 and 5.3): Ask about data segregation, encryption, access logs, regional hosting, subcontractors, and incident‑response processes; confirm clear contractual obligations to preserve confidentiality and notify you of incidents.
Configure Access (Rules 1.6 and 5.3): Use role‑based permissions, client or matter scoping, and retention settings that match your existing information‑governance and legal‑hold policies.
Supervise Outputs (Rules 1.1 and 5.3): Require that lawyers review AI suggestions, verify sources, and override recommendations where they conflict with client instructions or risk tolerance.
Educate Your Team (Rule 1.1): Provide short trainings on how the system works, what it remembers, and how the Model Rules apply; document this as part of your technology‑competence efforts.

Educating Your Team Is Core to AI Competence

This approach respects the increasing bar on technological competence while protecting client information and maintaining human oversight.⚖️

January 26, 2026

ANNOUNCEMENT: The Lawyer’s Guide to Podcasting Is Here: A Practical, Ethical Launch Plan for Busy Lawyers 🎙️⚖️

January 26, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

The Lawyer's Guide to Podcasting by Michael D.J. Eisenberg

I’m excited to share! The wait is over! The Lawyer’s Guide to Podcasting is officially released. 🎉🎙️ This book is built for lawyers, paralegals, and legal professionals who want a clear, practical path to launching a podcast—without needing to be “techy” to get it right.

Podcasting has become one of the most effective ways to build trust at scale. People want more than ads. They want a real voice. They want context. They want clarity. A podcast lets you educate, connect, and show your professional judgment in a way a website cannot. It also gives prospective clients a low-pressure way to get to know you before they ever call. 📈🤝

This guide covers the full podcast lifecycle in plain language. You will learn how to pick a topic that fits your goals and schedule. You will learn the most useful show formats for legal audiences, including solo episodes, interviews, storytelling, and educational series. You will also learn what to buy (and what to skip) when building your gear setup. That includes microphones, headphones, webcams, lighting, and basic acoustic improvements that matter in real offices. 🎧🎥💡

Software matters too. In this book, I explain beginner and pro options for recording and editing. It also covers remote recording tools and simple video workflows for YouTube and modern platforms. You will get a clear explanation of podcast hosting and distribution, including how RSS feeds deliver your episodes to directories like Apple Podcasts and Spotify. 📲🌍

A major focus of this book is professional responsibility. Lawyers must avoid accidental legal advice. Lawyers must avoid creating unintended attorney-client relationships. Lawyers must also watch multi-jurisdictional issues and advertising rules. This guide addresses those risks directly and gives practical guardrails you can use in real episodes. 🛡️📜

You will also learn how to use AI efficiently and ethically. AI can save time on transcripts, show notes, clips, and repurposed content. It can also create risk if you feed it sensitive data or publish unverified output. The book offers a workflow-first approach that protects confidentiality and supports accuracy. ✅🤖

The Lawyer’s Guide to Podcasting is part of the Lawyers Tech Guide (LTG) series from Michael D.J. Eisenberg, creator of The Tech-Savvy Lawyer.Page. The mission is simple: use technology to communicate clearly, serve people better, and reclaim time. ⏳✨

Ready to launch?
You are just one click away!

🔗 Purchase here on Amazon 🔗

January 12, 2026

MTC: PornHub Breach: Cybersecurity Wake-Up Call for Lawyers

January 12, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Lawyers are the first line defenders for their clientS’ pii.

It's the start of the New Year, and as good a time as any to remind the legal profession of their cybersecurity obligations! The recent PornHub data exposure reveals critical vulnerabilities every lawyer must address under ABA ethical obligations. Third-party analytics provider Mixpanel suffered a breach compromising user email addresses, triggering targeted sextortion campaigns. This incident illuminates three core security domains for legal professionals while highlighting specific duties under ABA Model Rules 1.1, 1.6, 5.1, 5.3, and Formal Opinion 483.

Understanding the Breach and Its Legal Implications

The PornHub incident demonstrates how failures by third-party vendors can lead to cascading security consequences. When Mixpanel's systems were compromised, attackers gained access to email addresses that now fuel sextortion schemes. Criminals threaten to expose purported adult site usage unless victims pay cryptocurrency ransoms. For law firms, this scenario is not hypothetical—your practice management software, cloud storage providers, and analytics tools present identical vulnerabilities. Each third-party vendor represents a potential entry point for attackers targeting your client data.

ABA Model Rule 1.1: The Foundation of Technology Competence

ABA Model Rule 1.1 requires lawyers to provide competent representation, and Comment 8 explicitly extends this duty to technology: "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology". This is not a suggestion—it is an ethical mandate. Thirty-one states have adopted this technology competence requirement into their professional conduct rules.

What does this mean practically? You must understand the security implications of every technology tool your firm uses. Before onboarding any platform, conduct due diligence on the vendor's security practices. Require SOC 2 compliance, cyber insurance verification, and detailed security questionnaires. The "reasonable efforts" standard does not demand perfection, but it does require informed decision-making. You cannot delegate technology competence entirely to IT consultants. You must understand enough to ask the right questions and evaluate the answers meaningfully.

ABA Model Rule 1.6: Safeguarding Client Information in Digital Systems

Rule 1.6 establishes your duty of confidentiality, and Comment 18 requires "reasonable efforts to prevent [the inadvertent or unauthorized] access or disclosure” to information relating to the representation of a client. This duty extends beyond privileged communications to all client-related information stored digitally.

The PornHub breach illustrates why this matters. Your firm's email system, document management platform, and client portals contain information criminals actively target. The "reasonable efforts" analysis considers the sensitivity of information, likelihood of disclosure without additional safeguards, cost of safeguards, and difficulty of implementation. For most firms, this means mandatory multi-factor authentication (MFA) on all systems, encryption for data at rest and in transit, and secure file-sharing platforms instead of email attachments.

You must also address third-party vendor access under Rule 1.6. When you grant a case management platform access to client data, you remain ethically responsible for protecting that information. Your engagement letters should specify security expectations, and vendor contracts must include confidentiality obligations and breach notification requirements.

ABA Model Rules 5.1 and 5.3: Supervisory Responsibilities Extend to Technology

lawyers need to stay up to date on the security protocOls for their firm’s software!

Rule 5.1 imposes duties on partners and supervisory lawyers to ensure the firm has measures giving "reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct". Rule 5.3 extends this duty to nonlawyer assistants, which courts and ethics opinions have interpreted to include technology vendors and cloud service providers.

If you manage a firm or supervise other lawyers, you must implement technology policies and training programs. This includes security awareness training, password management requirements, and incident reporting procedures. You cannot assume your younger associates understand cybersecurity best practices—they need explicit training and clear policies.

For nonlawyer assistance, you must "make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer". This means vetting your IT providers, requiring them to maintain appropriate security certifications, and ensuring they understand their confidentiality obligations. Your vendor management program is an ethical requirement, not just a business best practice.

ABA Formal Opinion 483: Data Breach Response Requirements

ABA Formal Opinion 483 establishes clear obligations when a data breach occurs. Lawyers have a duty to monitor for breaches, stop and mitigate damage promptly, investigate what occurred, and notify affected clients. This duty arises from Rules 1.1 (competence), 1.6 (confidentiality), and 1.4 (communication).

The Opinion requires you to have a written incident response plan before a breach occurs. Your plan must identify who will coordinate the response, how you will communicate with affected clients (including backup communication methods if email is compromised), and what steps you will take to assess and remediate the breach. You must document what data was accessed, whether malware was used, and whether client information was taken, altered, or destroyed.

Notification to clients is mandatory when a breach involves material client confidential information. The notification must be prompt and include what happened, what information was involved, what you are doing in response, and what clients should do to protect themselves. This duty extends to former clients in many circumstances, as their files may still contain sensitive information subject to state data breach laws.

Three Security Domains: Personal, Practice, and Client Protection

Your Law Practice's Security
Under Rules 5.1 and 5.3, you must implement reasonable security measures throughout your firm. Conduct annual cybersecurity risk assessments. Require MFA on all systems. Implement data minimization principles—only share what vendors absolutely need. Establish incident response protocols before breaches occur. Your supervisory duties require you to ensure that all firm personnel, including non-lawyer staff, understand and follow the firm's security policies.

Client Security Obligations
Rule 1.4 requires you to keep clients reasonably informed, which includes advising them on security matters relevant to their representation. Clients experiencing sextortion need immediate, informed guidance. Preserve all threatening emails with headers intact. Document timestamps and demands. Advise clients never to pay or respond—payment confirms active monitoring and often leads to additional demands. Report incidents to the FBI's IC3 unit and local cybercrime divisions. For family law practitioners, understand that sextortion often targets vulnerable individuals during contentious proceedings. Criminal defense attorneys must recognize these threats as extortion, not embarrassment issues. Your competence under Rule 1.1 requires you to understand these threats well enough to provide effective guidance.

Personal Digital Hygiene
Your personal email account is your digital identity's master key. Enable MFA on all professional and personal accounts. Use unique, complex passwords managed through a password manager. Consider pseudonymous email addresses for sensitive subscriptions. Separate your litigation communications from personal browsing activities. The STOP framework applies: Slow down, Test suspicious contacts, Opt out of high-pressure conversations, and Prove identities through independent channels. Your personal security failures can compromise your professional obligations under Rule 1.6.

Practical Implementation Steps

First, conduct a technology audit to map every system that stores or accesses client information. Identify all third-party vendors and assess their security practices against industry standards.

Second, implement MFA across all systems immediately—this is one of the most effective and cost-efficient security controls available.

Third, develop written security policies covering password management, device encryption, remote work procedures, and incident response.

Fourth, train all firm personnel on these policies and conduct simulated phishing exercises to test awareness.

Fifth, review and update your engagement letters to include technology provisions and breach notification procedures.

Conclusion

The PornHub breach is not an isolated incident—it is a template for how modern attacks occur through third-party vendors. Your ethical duties under ABA Model Rules require proactive cybersecurity measures, not reactive responses after a breach. Technology competence under Rule 1.1, confidentiality protection under Rule 1.6, supervisory responsibilities under Rules 5.1 and 5.3, and breach response obligations under Formal Opinion 483 together create a comprehensive framework for protecting your practice and your clients. Cybersecurity is no longer an IT issue delegated to consultants; it is a core professional competency that affects your license to practice law. The time to act is before your firm appears in a breach notification headline.

December 05, 2025

TSL Labs Bonus Podcast: Google’s Notebook LLM “Deep Dive” on December 1st, 2025, editorial on the the Lawyer’s Defense Against Holiday Scams and ‘Bargain’ Tech Traps!

December 05, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Listen in as Google's Notebook LLM provides an AI-powered conversation unpacks our December 1st, 2025 editorial examining how the holiday digital marketplace transforms into a lucrative hunting ground for device compromise and credential theft. We explore why attorneys and paralegals—trained to spot hidden clauses and anticipate risk—often abandon professional skepticism when faced with shiny gadgets bearing 70% off stickers. Our discussion arms you with actionable strategies to protect your practice, safeguard client confidentiality, and prevent the kind of security breaches that trigger bar complaints and operational shutdowns. Whether you're a solo practitioner or part of a large firm, this episode delivers the technical insights you need without the jargon.

Join Google's Notebook LLM as we discuss the following three questions and more!

How do bargain tech deals create hidden professional liabilities that extend far beyond wasted money, and what specific technical deficits should lawyers avoid in discount hardware?
What free forensic tools can legal professionals use to distinguish genuine discounts from manipulated pricing schemes, and how do these tools apply procurement-level rigor to personal shopping decisions?
Which three active scam vectors target high-value professionals during the holiday season, and what mandatory four-point protocol ensures comprehensive protection against credential theft and device compromise?

In our conversation, we cover the following:

[00:00:00] Welcome to TSL Labs Bonus Episode: AI-powered deep dive on holiday shopping risks
[00:01:00] Why legal professionals abandon professional skepticism during holiday sales
[00:02:00] The high stakes: credential theft, device compromise, and operational lockdown
[00:03:00] The bargain trap: understanding technical debt in cheap vs. inexpensive hardware
[00:04:00] Processor bottleneck red flags: older generation chips that consume billable time
[00:05:00] Screen resolution hazards: how 1366x768 displays create genuine error risks
[00:06:00] RAM deficits and security longevity: when devices become e-waste and compliance gaps
[00:07:00] Introduction to forensic price tracking tools for procurement-level shopping
[00:08:00] CamelCamelCamel, Keepa, and Honey: free tools that reveal true pricing history
[00:09:00] Malwarebytes 2025 holiday scam report: three attack vectors targeting professionals
[00:10:00] Scam #1: urgent delivery smishing attacks exploiting package expectations
[00:11:00] Scam #2: malvertising minefield—when legitimate ads redirect to cloned fraud sites
[00:12:00] Scam #3: gift card emergency scams posing as court clerks and government officials
[00:13:00] Bonus threat: social media marketplace fraud and payment protection gaps
[00:14:00] The mandatory four-point protocol for holiday shopping protection
[00:15:00] Final thoughts: applying contract-reading diligence to every link you click

Resources

Hardware Mentioned in the Conversation

Business-class Lenovo laptops: https://www.lenovo.com/business
HP commercial-grade hardware: https://www.hp.com/business
Dell professional series: https://www.dell.com/business
Apple MacBook Pro: https://www.apple.com/macbook-pro/

Software & Cloud Services Mentioned in the Conversation

CamelCamelCamel (Amazon price tracker): https://camelcamelcamel.com
Keepa (Amazon price history browser extension): https://keepa.com
Honey (price tracking & coupon tool): https://www.joinhoney.com
Prisync (enterprise pricing solution): https://www.prisync.com
Price2Spy (enterprise pricing intelligence): https://www.price2spy.com
Malwarebytes (security software): https://www.malwarebytes.com

November 26, 2025

🚨 BOLO: Samsung Budget Phones Contain Pre-Installed Data-Harvesting Software: Critical Action Steps for Legal Professionals

November 26, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

‼️ ALERT: Hidden Spyware in Samsung Phones!

Samsung Galaxy A, M, and F series smartphones contain pre-installed software called AppCloud, developed by ironSource (now owned by Unity Technologies), that harvests user data, including location information, app usage patterns, IP addresses, and potentially biometric data. This software cannot be fully uninstalled without voiding your device warranty, and it operates without accessible privacy policies or explicit consent mechanisms. Legal professionals using these devices face significant risks to attorney-client privilege and confidential client information.

The Threat Landscape

AppCloud runs quietly in the background with permissions to access network connections, download files without notification, and prevent phones from sleeping. The application is deeply integrated into Samsung's One UI operating system, making it impossible to fully remove through standard methods. Users across West Asia, North Africa, Europe, and South Asia report that even after disabling the application, it reappears following system updates.

The digital rights organization SMEX documented that AppCloud's privacy policy is not accessible online, and the application does not present users with consent screens or terms of service disclosures. This lack of transparency raises serious ethical and legal compliance concerns, particularly for attorneys bound by professional responsibility rules regarding client confidentiality.

Legal and Ethical Implications for Attorneys

Under ABA Model Rule 1.6, attorneys must make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client". The duty of technological competence under Rule 1.1, Comment 8, requires attorneys to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology".

The New York Bar's 2022 ethics opinion specifically addresses smartphone security, prohibiting attorneys from sharing contact information with smartphone applications unless they can confirm that no person will view confidential client information and that data will not be transferred to third parties without client consent. AppCloud's data harvesting practices appear to violate both conditions.

Immediate Action Steps

‼️ Act now if you’ve purchased certain samsung phones - your bar license could be in jeopardy!

Step 1: Identify Affected Devices
Check whether you use a Samsung Galaxy A series (A05 through A56), M series (M01 through M56), or F series device. These budget and mid-range models are primary targets for AppCloud installation.

Step 2: Disable AppCloud
Navigate to Settings > Apps > Show System Apps > AppCloud > Disable. Additionally, revoke notification permissions, restrict background data usage, and disable the "Install unknown apps" permission.

Step 3: Monitor for Reactivation
After system updates, return to AppCloud settings and re-disable the application.

Step 4: Consider Device Migration
For attorneys handling highly sensitive matters, consider transitioning to devices without pre-installed data collection software. Document your decision-making process as evidence of reasonable security measures.

Step 5: Client Notification Assessment
Evaluate whether client notification is required under your jurisdiction's professional responsibility rules. California's Formal Opinion 2020-203 addresses obligations following an electronic data compromise.

The Bottom Line

Budget smartphone economics should not compromise attorney-client privilege. Samsung's partnership with ironSource places aggressive advertising technology on devices used by legal professionals worldwide. Until Samsung provides transparent opt-out mechanisms or removes AppCloud entirely, attorneys using affected devices should implement immediate mitigation measures and document their security protocols.

November 03, 2025

MTC: London's iPhone Theft Crisis: Critical Mobile Device Security Lessons for Traveling Lawyers 📱⚖️

November 03, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

lawyers can learn about cyber mobile security from the recent iphone thefts in london

Recent events in London should serve as a wake-up call for every legal professional who carries client data beyond the office walls. London police recently dismantled a sophisticated international theft ring responsible for smuggling approximately 40,000 stolen iPhones to China in just twelve months. This operation revealed thieves earning up to £300 per stolen device, with phones reselling overseas for as much as $5,000. With over 80,000 phones stolen in London last year alone, this crisis underscores critical vulnerabilities that lawyers must address when working remotely.

The sophistication of these operations is alarming. Criminals on electric bikes snatch phones from unsuspecting victims and immediately wrap devices in aluminum foil to block tracking signals. This industrial-scale crime demonstrates that our mobile devices—which contain privileged communications, case strategies, and confidential client data—are valuable targets for organized criminal networks operating globally.

Your Ethical Obligations Are Clear

ABA Model Rule 1.1 requires lawyers to maintain competence, including understanding "the benefits and risks associated with relevant technology". This duty of technological competence has been adopted by over 40 states and isn't optional—it's fundamental to ethical practice. Model Rule 1.6(c) mandates that lawyers "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client".

When your phone disappears—whether through theft, loss, or border seizure—you face potential violations of these ethical duties. Recent data shows U.S. Customs and Border Protection searched 14,899 devices between April and June 2025, a 16.7% increase from previous surges. Lawyers traveling internationally face heightened risks, and a stolen or searched device can compromise attorney-client privilege instantly.

Essential Security Measures for Mobile Lawyers

Before leaving your office, implement these non-negotiable protections. Enable full-device encryption on all smartphones, tablets, and laptops. For iPhones, setting a passcode automatically enables encryption; Android users must manually activate this feature in security settings. Strong passwords matter—use alphanumeric combinations of at least 12 characters, avoiding easily guessed patterns.

lawyer need to know how to protect their client’s pii when crossing the boarder!

Two-factor authentication (2FA) adds critical protection layers. Even if someone obtains your password, 2FA requires secondary verification through your phone or authentication app. This simple step dramatically reduces unauthorized access risks. Configure remote wipe capabilities before traveling. If your device is stolen, you can erase all data remotely, protecting client information even when physical recovery is impossible.

Disable biometric authentication when traveling internationally. Face ID and fingerprint scanners can be used against you at borders where Fourth Amendment protections are diminished. Restart your device before crossing borders to force password-only access. Consider carrying a "clean" device for international travel, accessing files only through encrypted cloud storage rather than storing sensitive data locally.

Coffee Shops, Airports, and Public Spaces

Public Wi-Fi networks pose serious interception risks. Hackers create fake hotspots with legitimate-sounding names, capturing everything you transmit. As lawyers increasingly embrace cloud-based computing for their work, encryption when using public Wi-Fi becomes non-negotiable

Always use a trusted VPN (Virtual Private Network) when connecting to public networks. VPNs encrypt your internet traffic, preventing interception even on compromised networks. Alternatively, use your smartphone's personal hotspot rather than connecting to public Wi-Fi. Turn off file sharing on all mobile devices. Avoid accessing highly sensitive client files in public spaces altogether—save detailed case work for secure, private connections.

Physical security deserves equal attention. Visual privacy screens prevent shoulder surfing. Position yourself with your back to walls in coffee shops so others cannot observe your screen. Be alert to your surroundings and maintain physical control of devices at all times. Never leave laptops, tablets, or phones unattended, even briefly.

Border Crossings and International Travel

Lawyers crossing international borders face unique challenges. CBP policies permit extensive device searches within 100 miles of borders under the border search exception, significantly reducing Fourth Amendment protections. New York State Bar Association Ethics Opinion 2017-5 addresses lawyers' duties when traveling with client data across borders.

The reasonableness standard governs your obligations. Evaluate whether you truly need to bring confidential information across borders. If travel requires client data, bring only materials professionally necessary for your specific purpose. Consider these strategies: store files in encrypted cloud services rather than locally; use strong passwords and disable biometric authentication; carry your bar card to identify yourself as an attorney if questioned; identify which files contain privileged information before reaching the border.

If border agents demand device access, clearly state that you are an attorney and the device contains privileged client communications. Ask whether the request is optional or mandatory. If agents conduct a search, document what occurred and consider whether client notification is required under Rule 1.4. New York Rule 1.6 requires taking reasonable steps to prevent unauthorized disclosure, with heightened precautions necessary when government agencies are opposing parties.

Practical Implementation Today

Create firm policies addressing mobile device security. Require immediate reporting of lost or stolen devices. Implement Mobile Device Management (MDM) software to monitor, secure, and remotely wipe all connected devices. Conduct regular security awareness training covering email practices, phishing recognition, and social engineering tactics.

Develop an Incident Response Plan before breaches occur. Know which experts to contact, document cybersecurity policies, and establish notification protocols. Under various state laws and regulations like California Civil Code § 1.798.82 and HIPAA's Breach Notification Rule, lawyers may be legally required to notify clients of data breaches.

Lawyers are on the front line of cybersecurity when on the go!

Communicate with clients about security measures. Obtain informed consent regarding electronic communications and any security limitations. Some firms include these discussions in engagement letters, setting clear expectations about communication methods and encryption use.

Stay current with evolving threats. Subscribe to legal technology security bulletins. The Tech-Savvy Lawyer blog regularly covers mobile security issues, including recent coverage of the SlopAds malware campaign that compromised 224 Android applications on Google Play Store. Technology competence requires ongoing learning as threats and safeguards evolve.

The Bottom Line

The London iPhone theft crisis demonstrates that our devices are valuable targets for sophisticated criminal networks operating internationally. Every lawyer who works outside the office—whether at coffee shops, client meetings, or international destinations—must take mobile security seriously. Your ethical obligations under Model Rules 1.1 and 1.6 demand it. Your clients' confidential information depends on it. Your professional reputation requires it.

Implementing these security measures isn't complicated or expensive. Enable encryption. Use strong passwords and 2FA. Avoid public Wi-Fi or use VPNs. Disable biometrics when traveling. Maintain physical control of devices. These straightforward steps significantly reduce risks while allowing you to work effectively from anywhere.

The legal profession has embraced mobile technology's benefits—now we must address its risks with equal commitment. Don't wait for a theft, loss, or border seizure to prompt action. Protect your clients' confidential information today.

MTC

October 29, 2025

📖 Word of the Week: The Meaning of “Data Governance” and the Modern Law Practice - Your Essential Guide for 2025

October 29, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Understanding Data Governance: A Lawyer's Blueprint for Protecting Client Information and Meeting Ethical Obligations

Lawyers need to know about “DAta governance” and how it affects their practice of law.

Data governance has emerged as one of the most critical responsibilities facing legal professionals today. The digital transformation of legal practice brings tremendous efficiency gains but also creates significant risks to client confidentiality and attorney ethical obligations. Every email sent, document stored, and case file managed represents a potential vulnerability that requires careful oversight.

What Data Governance Means for Lawyers

Data governance encompasses the policies, procedures, and practices that ensure information is managed consistently and reliably throughout its lifecycle. For legal professionals, this means establishing clear frameworks for how client information is collected, stored, accessed, shared, retained, and ultimately deleted. The goal is straightforward: protect sensitive client data while maintaining the accessibility needed for effective representation.

The framework defines who can take which actions with specific data assets. It establishes ownership and stewardship responsibilities. It classifies information by sensitivity and criticality. Most importantly for attorneys, it ensures compliance with ethical rules while supporting operational efficiency.

The Ethical Imperative Under ABA Model Rules

The American Bar Association Model Rules of Professional Conduct create clear mandates for lawyers regarding technology and data management. These obligations serve as an excellent source of guidance regardless of whether your state has formally adopted specific technology competence requirements. BUT REMEMBER ALWAYS FOLLOW YOUR STATE’S ETHIC’S RULES FIRST!

Model Rule 1.1 addresses competence and was amended in 2012 to explicitly include technological competence. Comment 8 now requires lawyers to "keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology". This means attorneys must understand the data systems they use for client representation. Ignorance of technology is no longer acceptable.

Model Rule 1.6 governs confidentiality of information. The rule requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client". Comment 18 specifically addresses the need to safeguard information against unauthorized access by third parties. This creates a direct ethical obligation to implement appropriate data security measures.

Model Rule 5.3 addresses responsibilities regarding nonlawyer assistants. This rule extends to technology vendors and service providers who handle client data. Lawyers must ensure that third-party vendors comply with the same ethical obligations that bind attorneys. This requires due diligence when selecting cloud storage providers, practice management software, and artificial intelligence tools.

The High Cost of Data Governance Failures

lawyers need to know the multiple facets of data Governance

Law firms face average data breach costs of $5.08 million. These financial losses pale in comparison to the reputational damage and loss of client trust that follows a security incident. A single breach can expose trade secrets, privileged communications, and personally identifiable information.

The consequences extend beyond monetary damages. Ethical violations can result in disciplinary action. Inadequate data security arguably constitutes a failure to fulfill the duty of confidentiality under Rule 1.6. Some jurisdictions have issued ethics opinions requiring attorneys to notify clients of breaches resulting from lawyer negligence.

Recent guidance from state bars emphasizes that lawyers must self-report breaches involving client data exposure. The ABA's Formal Opinion 483 addresses data breach obligations directly. The opinion confirms that lawyers have duties under Rules 1.1, 1.4, 1.6, 5.1, and 5.3 related to cybersecurity.

Building Your Data Governance Framework

Implementing effective data governance requires systematic planning and execution. The process begins with understanding your current data landscape.

Step One: Conduct a Data Inventory

Identify all data assets within your practice. Catalog their sources, types, formats, and locations. Map how data flows through your firm from creation to disposal. This inventory reveals where client information resides and who has access to it.

Step Two: Classify Your Data

Not all information requires the same level of protection. Establish a classification system based on sensitivity and confidentiality. Many firms use four levels: public, internal, confidential, and restricted.

Privileged attorney-client communications require the highest protection level. Publicly filed documents may still be confidential under Rule 1.6, contrary to common misconception. Client identity itself often qualifies as protected information.

Step Three: Define Access Controls

Implement role-based access controls that limit data exposure. Apply the principle of least privilege—users should access only information necessary for their specific responsibilities. Multi-factor authentication adds essential security for sensitive systems.

Step Four: Establish Policies and Procedures

Document clear policies governing data handling. Address encryption requirements for data at rest and in transit. Set retention schedules that balance legal obligations with security concerns. Create incident response plans for potential breaches.

Step Five: Train Your Team

The human element represents the greatest security vulnerability. Sixty-eight percent of data breaches involve human error. Regular training ensures staff understand their responsibilities and can recognize threats. Training should cover phishing awareness, password security, and proper data handling procedures.

Step Six: Monitor and Audit

Continuous oversight maintains governance effectiveness. Regular audits identify vulnerabilities before they become breaches. Review access logs for unusual activity. Update policies as technology and regulations evolve.

Special Considerations for Artificial Intelligence

The rise of generative AI tools creates new data governance challenges. ABA Formal Opinion 512 specifically addresses AI use in legal practice. Lawyers must understand whether AI systems are "self-learning" and use client data for training.

Many consumer AI platforms retain and learn from user inputs. Uploading confidential client information to ChatGPT or similar tools may constitute an ethical violation. Even AI tools marketed to law firms require careful vetting.

Before using any AI system with client data, obtain informed consent. Boilerplate language in engagement letters is insufficient. Clients need clear explanations of how their information will be used and what risks exist.

Vendor Management and Third-Party Risk

Lawyers cannot delegate their ethical obligations to technology vendors. Rule 5.3 requires reasonable efforts to ensure nonlawyer assistants comply with professional obligations. This extends to cloud storage providers, case management platforms, and cybersecurity consultants.

Before engaging any vendor handling client data, conduct thorough due diligence. Verify the vendor maintains appropriate security certifications like SOC 2, ISO 27001, or HIPAA compliance. Review vendor contracts to ensure adequate data protection provisions. Understand where data will be stored and who will have access.

The Path Forward

lawyers need to advocate data governance for their clients!

Data governance is not optional for modern legal practice. It represents a fundamental ethical obligation under multiple Model Rules. Client trust depends on proper data stewardship.

Begin with a realistic assessment of your current practices. Identify gaps between your current state and ethical requirements. Develop policies that address your specific risks and practice areas. Implement controls systematically rather than attempting wholesale transformation overnight.

Remember that data governance is an ongoing process requiring continuous attention. Technology evolves. Threats change. Regulations expand. Your governance framework must adapt accordingly.

The investment in proper data governance protects your clients, your practice, and your professional reputation. More importantly, it fulfills your fundamental ethical duty to safeguard client confidences in an increasingly digital world.

October 14, 2025

🎙️ Ep. 122: Cybersecurity Essentials for Law Firms: Proven Strategies from Navy Veteran & Attorney Cordell Robinson

October 14, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

My next guest is Cordell Brion Robinson, CEO of Brownstone Consulting Firm and a decorated US Navy veteran who brings an extraordinary combination of expertise to cybersecurity. With a background in Computer Science, Electrical Engineering, and law, plus experience as a Senior Intelligence Analyst, Cordell has created cybersecurity programs that comply with the National Institute of Standards and Technology, the Federal Information Security Management Act, and the Office of Management and Budget standards for both government and commercial organizations. His firm specializes in compliance services, performing security framework assessments globally for commercial and government entities. Currently, he's innovating the cybersecurity space through automation for security assessments. Beyond his professional accomplishments, Cordell runs the Shaping Futures Foundation, a nonprofit dedicated to empowering youth through education, demonstrating his commitment to giving back to the community.

Join Cordell Robinson and me as we discuss the following three questions and more! 🎙️

1. What are the top three cybersecurity practices that lawyers should immediately adopt to secure both client data and sensitive case material in their practice?

2. From your perspective as both a legal and cybersecurity expert, what are the top three technology tools or platforms that can help lawyers streamline compliance and governance requirements in a rapidly evolving regulatory environment?

3. What are the top three steps lawyers can take to overcome resistance to technology adoption in law firms, ensuring these tools actually improve outcomes and efficiency rather than just adding complexity

In our conversation, we cover the following: ⏱️

- 00:00:00 - Introduction and welcome to the podcast

- 00:00:30 - Cordell's current tech setup - Windows laptop, MacBook, and iPhone

- 00:01:00 - iPhone 17 Pro Max features including 48MP camera, 2TB storage, and advanced video capture

- 00:01:30 - iPhone 17 Air comparison and laptop webcam discussion

- 00:02:00 - VPN usage strategies - Government VPN for secure client communications

- 00:02:30 - Commercial client communications and secure file sharing practices

- 00:03:00 - Why email encryption matters and Mac Mail setup tutorial

- 00:04:00 - Bonus question: Key differences between commercial and government security work

- 00:05:00 - Security protocols comparison and navigating government red tape

- 00:06:00 - Question 1: Top three cybersecurity practices lawyers must implement immediately

- 00:06:30 - Understanding where client data comes from and having proper IT security professionals

- 00:07:00 - Implementing cybersecurity awareness training for all staff members

- 00:07:30 - Practical advice for solo and small practitioners without dedicated IT staff

- 00:08:00 - Proper email practices and essential security awareness training skills

- 00:08:30 - Handling data from average clients in sensitive cases like family law

- 00:09:00 - Social engineering considerations in contentious legal matters such as divorces

- 00:10:00 - Screening threats from seemingly reliable platforms - Google Play slop ads as recent example

- 00:10:30 - Tenable vulnerability scanning tool recommendation (approximately $1,500/year)

- 00:11:00 - Question 2: Technology tools for streamlining compliance and governance

- 00:11:30 - GRC tools for organizing compliance documentation across various price points

- 00:12:00 - SharePoint security lockdown and importance of proper system configuration

- 00:12:30 - Monitoring tools discussion - why no perfect solution exists and what to consider

- 00:13:00 - Being amenable to change and avoiding long-term contracts with security tools

- 00:14:00 - Question 3: Strategies for overcoming resistance to technology adoption

- 00:14:30 - Demonstrating efficiency and explaining the full implementation process

- 00:15:00 - Converting time savings to dollars and cents for senior attorney buy-in

- 00:15:30 - Mindset shift for billable hour attorneys and staying competitive in the market

- 00:16:00 - Being a technology Guinea pig and testing tools yourself first

- 00:16:30 - Showing real results to encourage buy-in from colleagues

- 00:17:00 - Real-world Microsoft Word example - styles, cross-references, and table of contents time savings

- 00:17:30 - Showing value add and how technology can bring in more revenue

- 00:18:00 - Where to find Cordell Robinson - LinkedIn, www.bcf-us.com, Brownstone Consulting Firm

- 00:18:30 - Company description and closing remarks

Resources 📚

Connect with Cordell Robinson:

LinkedIn: https://www.linkedin.com/in/cordell-robinson-a2213a4

Company Website: https://www.bcf-us.com
Instagram: https://www.instagram.com/brownstone_consulting_firm
Shaping Futures Foundation: https://shapingfutures.org

Government & Compliance Frameworks:

NIST: https://www.nist.gov
NIST Time Services: https://nist.time.gov

Software & Tools:

Apple Mail Encryption Guide: https://support.apple.com/guide/mail/sign-or-encrypt-emails-mlhlp1180/mac

Apple Products: https://www.apple.com
Microsoft SharePoint: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
Microsoft Word: https://www.microsoft.com/en-us/microsoft-365/word
Tenable Vulnerability Management: https://www.tenable.com

August 18, 2025

🚨 BOLO CYBERSECURITY ALERT: LunaSpy Android Spyware Threatens All Users—Protect Your Law Practice Now!

August 18, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Android users must be aware of potential threats to their data!

CRITICAL THREAT ALERT 🚨 A sophisticated new Android spyware campaign dubbed LunaSpy has been active since February 2025, broadly targeting Android users via messaging apps—anyone installing its fake “antivirus” could be compromised, including legal professionals. LunaSpy spreads through Telegram, WhatsApp, Signal, and other platforms by sending messages like “Hi, install this program here,” tricking victims into granting extensive device permissions after fake security scans report fabricated threats.

Once installed, LunaSpy’s capabilities pose severe risks: it steals passwords from browsers and messaging apps, intercepts text messages (including two-factor codes), records audio and video via microphones and cameras, captures screen contents (e.g., client documents, case notes), and tracks real-time location (e.g., revealing meetings and court visits). Kaspersky researchers have linked over 150 command-and-control servers to LunaSpy’s global network, enabling continuous data exfiltration and remote command execution.

While any Android user is at risk, lawyers face heightened consequences if infected. A breach of attorney-client communications or privileged documents can trigger:

Malpractice liability for failing to safeguard confidential client information
ABA ethics violations under Model Rules 1.1 (Competence), 1.1(8) (Maintaining Competence) and 1.6 (Confidentiality)
State bar disciplinary action for professional misconduct
Regulatory compliance fines under privacy laws like California Consumer Privacy Act (CCPA)/General Data Protection Regulation (GDPR) – Legal Text
Reputational damage that can permanently erode client trust

Immediate Action Steps for all Android-using legal professionals and their staff:

users are the first line of defense when it comes to preventing computer viruses on their tech!

Audit and remove any unverified security or banking apps; restrict installations to Google Play only.
Deploy Mobile Device Management (MDM): enforce app blacklists, remote wipe, and automated patching.
Enable full-disk encryption and secure lock screens with complex passcodes or biometrics.
Train staff on social engineering tactics—recognize unsolicited install prompts or links in messages.
Use end-to-end encrypted desktop-based messaging for privileged communications, limiting mobile use.
Establish an incident response plan: include immediate device quarantine, forensic analysis, and regulatory notification procedures.

LunaSpy is not a hypothetical risk—it’s actively compromising Android devices around the globe. Although the campaign targets the general public, legal professionals handling sensitive client data are particularly vulnerable to cascading professional, legal, and ethical consequences if infected. With over 150 active command servers and ongoing code enhancements, the threat will only escalate. Every day without these safeguards increases your exposure—act now to secure mobile devices, train teams, and reinforce your firm’s cybersecurity posture.

June 26, 2025

BOLO: Lawyers Face Critical Risk from 2025's 16 Billion Password Data Leak 🔒⚖️

June 26, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

lawyers were your client’s pii hacked from your computers and software?

Lawyers across the nation need to take immediate action following the exposure of 16 billion login credentials—covering platforms from Apple and Google to Facebook and countless others—in what researchers describe as one of the largest exposures of sensitive data in history. While headlines have suggested a catastrophic, single-source breach, the reality is more nuanced but equally concerning for legal professionals. This leak is not a new, isolated hack of a major provider. Instead, it's a massive aggregation of credentials collected over years from various infostealer malware campaigns and previous breaches, now compiled and exposed in over 30 datasets.

What Is the Nature of This Breach? Is It "New"? 🕵️‍♂️

The so-called "16 billion password breach" is not the result of a single event. Instead, it's a compilation of old and some recent credentials, gathered from infostealer malware, credential stuffing lists, and previously leaked databases. Some datasets are fresh and weaponizable, including session tokens and cookies that can bypass multi-factor authentication, but much of the data is recycled or duplicated. The scale, however, means nearly every major online service is potentially implicated, and the risk of credential stuffing and account takeover is real—especially for those who reuse passwords or have not updated them in years.

Why Should Lawyers Care? ⚠️

Lawyers are high-value targets for cybercriminals due to the sensitive nature of client data and privileged communications. The legal profession has already seen significant cybersecurity challenges, with 29% of law firms encountering cybersecurity breaches in 2023, and the average cost of a data breach for law firms reaching $5.08 million. A compromised password can lead to unauthorized access to confidential files, emails, and client records, exposing firms to malpractice claims, regulatory penalties, and reputational harm. The legal sector's increasing reliance on cloud platforms and digital workflows makes robust credential management non-negotiable for lawyers.

🚨

Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it!

🚨 Lawyers must take action today. 📣 Your clients' trust—and your practice's future—depend on it!

What Should Lawyers Do Now? 🛡️

Immediate Steps:

Reset passwords for any account that may be affected, especially if you reuse passwords across sites.
Check your exposure using tools like "Have I Been Pwned" to see if your email or credentials are part of known breaches.
Enable Multi-Factor Authentication (MFA) on all accounts—this is the single most effective way to prevent unauthorized access, even if a password is leaked.

Long-Term Best Practices:

Adopt a password manager (such as 1Password* or similar) to generate and store unique, complex passwords for every account.
Educate your staff on phishing, social engineering, and the dangers of password reuse.
Implement passkeys and biometrics where possible, reducing reliance on passwords alone.
Regularly monitor for compromised credentials using security tools and services that alert you to new breaches.
Never store passwords in plaintext or unsecured documents; use encrypted vaults and secure delivery for sensitive credentials.

What Should Law Firms and Lawyers Be Doing to Stay Secure? 🏛️

Lawyers need to be active in protecting their client’s pii!

Review and update firm-wide password policies to mandate unique, strong passwords and regular changes.
Ensure all devices and cloud services used for legal work are protected with MFA and monitored for suspicious activity.
Consult with cybersecurity counsel or specialists to assess your firm's exposure and compliance with data protection regulations.
Stay informed about new threats and regularly audit your digital security posture.

Essential Resources from The Tech-Savvy Lawyer 📚🎧

For deeper insights into cybersecurity best practices for legal professionals, explore these valuable resources from The Tech-Savvy Lawyer.Page:

Blog Posts:

"🚨 BOLO: Zoom Remote Access Attacks – Critical Security Alert for Legal Professionals 🚨" - Learn about sophisticated cyberattacks targeting legal professionals through video conferencing platforms and how to protect your practice.
"BOLO: Is LastPass on its Last Leg?! 🧐 Is it time to get a new password manager? 😳" - Essential guidance on password manager security following the LastPass breach, with recommendations for alternative solutions like 1Password.
"🚨 BOLO: Apple's Latest Update Activates AI - Lawyers, Protect Your Clients' Data! 🚨" - Critical analysis of how automatic AI features can impact attorney-client privilege and data security.

Podcast Episodes:

🎙️ Ep. 104: The Importance of Data Backup & Cybersecurity w "Mr. Backup", Curtis Preston! - Expert insights on what lawyers are doing wrong with cybersecurity, e-discovery best practices, and ransomware response strategies.
🎙️ Ep. 106: "How Lawyers Can Protect Client Data in the Age of AI - A conversation with Erich Dylus!" - Essential guidance on maintaining client confidentiality while leveraging AI tools.
🎙️Episode 99: "Navigating the Intersection of Law Ethics and Technology with Jayne Reardon" - Practical insights for lawyers with limited to moderate tech skills on strategic legal tech adoption.

These resources provide actionable guidance specifically tailored for legal professionals navigating cybersecurity challenges while maintaining ethical obligations under the ABA Model Rules.

Lawyers Must Act Now - Your Practice's Security Is Your Clients' Trust 🔐

Follow The Tech-Savvy Lawyer.Page for breaking news and bolos that lawyers need to know!

The 16 billion password leak serves as a stark reminder that cybersecurity is not optional for today's legal professionals—it's an ethical imperative that lawyers cannot ignore. While this massive data aggregation may seem overwhelming, it presents an opportunity for lawyers to strengthen their firm's digital defenses and demonstrate their commitment to protecting client confidentiality.

Remember, as outlined in ABA Model Rule 1.1, Comment 8, lawyers must maintain reasonable competency in technology, including understanding "the benefits and risks associated with relevant technology". The steps outlined above are not just technical recommendations for lawyers—they're essential components of competent legal representation in the digital age.

By implementing robust password policies, enabling multi-factor authentication, and staying informed through resources like The Tech-Savvy Lawyer.Page, lawyers are not just protecting data—they're preserving the foundational trust that defines the attorney-client relationship. In an era where cyber threats evolve daily and law firms face increasing risks, lawyers' proactive approach to cybersecurity becomes a competitive advantage and a mark of professional excellence.

Lawyers must take action today. Your clients' trust—and your practice's future—depend on it.

Blog