January 12, 2026

MTC: PornHub Breach: Cybersecurity Wake-Up Call for Lawyers

January 12, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Lawyers are the first line defenders for their clientS’ pii.

It's the start of the New Year, and as good a time as any to remind the legal profession of their cybersecurity obligations! The recent PornHub data exposure reveals critical vulnerabilities every lawyer must address under ABA ethical obligations. Third-party analytics provider Mixpanel suffered a breach compromising user email addresses, triggering targeted sextortion campaigns. This incident illuminates three core security domains for legal professionals while highlighting specific duties under ABA Model Rules 1.1, 1.6, 5.1, 5.3, and Formal Opinion 483.

Understanding the Breach and Its Legal Implications

The PornHub incident demonstrates how failures by third-party vendors can lead to cascading security consequences. When Mixpanel's systems were compromised, attackers gained access to email addresses that now fuel sextortion schemes. Criminals threaten to expose purported adult site usage unless victims pay cryptocurrency ransoms. For law firms, this scenario is not hypothetical—your practice management software, cloud storage providers, and analytics tools present identical vulnerabilities. Each third-party vendor represents a potential entry point for attackers targeting your client data.

ABA Model Rule 1.1: The Foundation of Technology Competence

ABA Model Rule 1.1 requires lawyers to provide competent representation, and Comment 8 explicitly extends this duty to technology: "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology". This is not a suggestion—it is an ethical mandate. Thirty-one states have adopted this technology competence requirement into their professional conduct rules.

What does this mean practically? You must understand the security implications of every technology tool your firm uses. Before onboarding any platform, conduct due diligence on the vendor's security practices. Require SOC 2 compliance, cyber insurance verification, and detailed security questionnaires. The "reasonable efforts" standard does not demand perfection, but it does require informed decision-making. You cannot delegate technology competence entirely to IT consultants. You must understand enough to ask the right questions and evaluate the answers meaningfully.

ABA Model Rule 1.6: Safeguarding Client Information in Digital Systems

Rule 1.6 establishes your duty of confidentiality, and Comment 18 requires "reasonable efforts to prevent [the inadvertent or unauthorized] access or disclosure” to information relating to the representation of a client. This duty extends beyond privileged communications to all client-related information stored digitally.

The PornHub breach illustrates why this matters. Your firm's email system, document management platform, and client portals contain information criminals actively target. The "reasonable efforts" analysis considers the sensitivity of information, likelihood of disclosure without additional safeguards, cost of safeguards, and difficulty of implementation. For most firms, this means mandatory multi-factor authentication (MFA) on all systems, encryption for data at rest and in transit, and secure file-sharing platforms instead of email attachments.

You must also address third-party vendor access under Rule 1.6. When you grant a case management platform access to client data, you remain ethically responsible for protecting that information. Your engagement letters should specify security expectations, and vendor contracts must include confidentiality obligations and breach notification requirements.

ABA Model Rules 5.1 and 5.3: Supervisory Responsibilities Extend to Technology

lawyers need to stay up to date on the security protocOls for their firm’s software!

Rule 5.1 imposes duties on partners and supervisory lawyers to ensure the firm has measures giving "reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct". Rule 5.3 extends this duty to nonlawyer assistants, which courts and ethics opinions have interpreted to include technology vendors and cloud service providers.

If you manage a firm or supervise other lawyers, you must implement technology policies and training programs. This includes security awareness training, password management requirements, and incident reporting procedures. You cannot assume your younger associates understand cybersecurity best practices—they need explicit training and clear policies.

For nonlawyer assistance, you must "make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer". This means vetting your IT providers, requiring them to maintain appropriate security certifications, and ensuring they understand their confidentiality obligations. Your vendor management program is an ethical requirement, not just a business best practice.

ABA Formal Opinion 483: Data Breach Response Requirements

ABA Formal Opinion 483 establishes clear obligations when a data breach occurs. Lawyers have a duty to monitor for breaches, stop and mitigate damage promptly, investigate what occurred, and notify affected clients. This duty arises from Rules 1.1 (competence), 1.6 (confidentiality), and 1.4 (communication).

The Opinion requires you to have a written incident response plan before a breach occurs. Your plan must identify who will coordinate the response, how you will communicate with affected clients (including backup communication methods if email is compromised), and what steps you will take to assess and remediate the breach. You must document what data was accessed, whether malware was used, and whether client information was taken, altered, or destroyed.

Notification to clients is mandatory when a breach involves material client confidential information. The notification must be prompt and include what happened, what information was involved, what you are doing in response, and what clients should do to protect themselves. This duty extends to former clients in many circumstances, as their files may still contain sensitive information subject to state data breach laws.

Three Security Domains: Personal, Practice, and Client Protection

Your Law Practice's Security
Under Rules 5.1 and 5.3, you must implement reasonable security measures throughout your firm. Conduct annual cybersecurity risk assessments. Require MFA on all systems. Implement data minimization principles—only share what vendors absolutely need. Establish incident response protocols before breaches occur. Your supervisory duties require you to ensure that all firm personnel, including non-lawyer staff, understand and follow the firm's security policies.

Client Security Obligations
Rule 1.4 requires you to keep clients reasonably informed, which includes advising them on security matters relevant to their representation. Clients experiencing sextortion need immediate, informed guidance. Preserve all threatening emails with headers intact. Document timestamps and demands. Advise clients never to pay or respond—payment confirms active monitoring and often leads to additional demands. Report incidents to the FBI's IC3 unit and local cybercrime divisions. For family law practitioners, understand that sextortion often targets vulnerable individuals during contentious proceedings. Criminal defense attorneys must recognize these threats as extortion, not embarrassment issues. Your competence under Rule 1.1 requires you to understand these threats well enough to provide effective guidance.

Personal Digital Hygiene
Your personal email account is your digital identity's master key. Enable MFA on all professional and personal accounts. Use unique, complex passwords managed through a password manager. Consider pseudonymous email addresses for sensitive subscriptions. Separate your litigation communications from personal browsing activities. The STOP framework applies: Slow down, Test suspicious contacts, Opt out of high-pressure conversations, and Prove identities through independent channels. Your personal security failures can compromise your professional obligations under Rule 1.6.

Practical Implementation Steps

First, conduct a technology audit to map every system that stores or accesses client information. Identify all third-party vendors and assess their security practices against industry standards.

Second, implement MFA across all systems immediately—this is one of the most effective and cost-efficient security controls available.

Third, develop written security policies covering password management, device encryption, remote work procedures, and incident response.

Fourth, train all firm personnel on these policies and conduct simulated phishing exercises to test awareness.

Fifth, review and update your engagement letters to include technology provisions and breach notification procedures.

Conclusion

The PornHub breach is not an isolated incident—it is a template for how modern attacks occur through third-party vendors. Your ethical duties under ABA Model Rules require proactive cybersecurity measures, not reactive responses after a breach. Technology competence under Rule 1.1, confidentiality protection under Rule 1.6, supervisory responsibilities under Rules 5.1 and 5.3, and breach response obligations under Formal Opinion 483 together create a comprehensive framework for protecting your practice and your clients. Cybersecurity is no longer an IT issue delegated to consultants; it is a core professional competency that affects your license to practice law. The time to act is before your firm appears in a breach notification headline.

January 05, 2026

🎙️📘 Quick reminder: The Lawyer’s Guide to Podcasting releases NEXT WEEK!

January 05, 2026/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Inside title page of The Lawyer’s Guide to Podcasting, releasing January 12, 2026.

If you want a podcast that sounds professional without turning your week into a production project, this book is built for you. It’s practical. It’s workflow-first. It keeps ethics and confidentiality in view. 🔐⚖️

✅ Inside you’ll learn:

How to choose a podcast format that fits your goals 🎯
A simple, reliable setup that sounds credible 🎤
Recording habits that reduce editing time ⏱️
Repurposing steps so one episode powers your content plan ♻️

📩 Want the release link the moment it’s live? Email Admin@TheTechSavvyLawyer.Page with subject “Book Link.” I’ll send it on launch day. 🚀

December 31, 2025

📖 WORD OF THE WEEK YEAR🥳: Verification: The 2025 Word of the Year for Legal Technology ⚖️💻

December 31, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

all lawyers need to remember to check ai-generated legal citations

After reviewing a year's worth of content from The Tech-Savvy Lawyer.Page blog and podcast, one word emerged to me as the defining concept for 2025: Verification. This term captures the essential duty that separates competent legal practice from dangerous shortcuts in the age of artificial intelligence.

Throughout 2025, The Tech-Savvy Lawyer consistently emphasized verification across multiple contexts. The blog covered proper redaction techniques following the Jeffrey Epstein files disaster. The podcast explored hidden AI in everyday legal tools. Every discussion returned to one central theme: lawyers must verify everything. 🔍

Verification means more than just checking your work. The concept encompasses multiple layers of professional responsibility. Attorneys must verify AI-generated legal research to prevent hallucinations. Courts have sanctioned lawyers who submitted fictitious case citations created by generative AI tools. One study found error rates of 33% in Westlaw AI and 17% in Lexis+ AI. Note the study's foundation is from May 2024, but a 2025 update confirms these findings remain current—the risk of not checking has not gone away. "Verification" cannot be ignored.

The duty extends beyond research. Lawyers must verify that redactions actually remove confidential information rather than simply hiding it under black boxes. The DOJ's failed redaction of the Epstein files demonstrated what happens when attorneys skip proper verification steps. Tech-savvy readers simply copied text from beneath the visual overlays. ⚠️

use of ai-generated legal work requires “verification”, “Verification”, “Verification”!

ABA Model Rule 1.1 requires technological competence. Comment 8 specifically mandates that lawyers understand "the benefits and risks associated with relevant technology." Verification sits at the heart of this competence requirement. Attorneys cannot claim ignorance about AI features embedded in Microsoft 365, Zoom, Adobe, or legal research platforms. Each tool processes client data differently. Each requires verification of settings, outputs, and data handling practices. 🛡️

The verification duty also applies to cybersecurity. Zero Trust Architecture operates on the principle "never trust, always verify." This security model requires continuous verification of user identity, device health, and access context. Law firms can no longer trust that users inside their network perimeter are authorized. Remote work and cloud-based systems demand constant verification.

Hidden AI poses another verification challenge. Software updates automatically activate AI features in familiar tools. These invisible assistants process confidential client data by default. Lawyers must verify which AI systems operate in their technology stack. They must verify data retention policies. They must verify that AI processing does not waive attorney-client privilege. 🤖

ABA Formal Opinion 512 eliminates the "I didn't know" defense. Lawyers bear responsibility for understanding how their tools use AI. Rule 5.3 requires attorneys to supervise software with the same care they supervise human staff members. Verification transforms from a good practice into an ethical mandate.

verify your ai-generated work like your bar license depends on it!

The year 2025 taught legal professionals that technology competence means verification competence. Attorneys must verify redactions work properly. They must verify AI outputs for accuracy. They must verify security settings protect confidential information. They must verify that hidden AI complies with ethical obligations. ✅

Verification protects clients, preserves attorney licenses, and maintains the integrity of legal practice. As The Tech-Savvy Lawyer demonstrated throughout 2025, every technological advancement creates new verification responsibilities. Attorneys who master verification will thrive in the AI era. Those who skip verification steps risk sanctions, malpractice claims, and disciplinary action.

The legal profession's 2025 Word of the Year is verification. Master it or risk everything. 💼⚖️

December 29, 2025

ANNOUNCEMENT (BOOK RELEASE): The Lawyer’s Guide to Podcasting: The Simple, Ethics-Aware Playbook to Launch a Professional Podcast (Release mid-January, 2026)

December 29, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Anticipated release is mid-january 2026.

🎙️📘 Podcasting is still one of the fastest ways to build trust. It works for lawyers, legal professionals, and any expert who needs to explain complex topics in plain language.

On January 12, 2026, I’m releasing The Lawyer’s Guide to Podcasting. This book is designed for busy professionals who want a podcast that sounds credible, protects confidentiality, and fits into a real workflow. No studio required. No tech overwhelm.

✅ Inside the book, you’ll learn:

How to pick a podcast format that matches your goals 🎯
The “minimum viable setup” that sounds professional 🎤
Recording workflows that reduce editing time ⏱️
Practical ethics and risk habits for public content 🔐
Repurposing steps so one episode becomes a week of marketing ♻️

📩 Get the release link: Email Admin@TheTechSavvyLawyer.Page with the subject line “Podcasting Book Link” and I’ll send the link as soon as the book is released. 📩🎙️

December 17, 2025

📖 WORD OF THE WEEK (WoW): Zero Trust Architecture ⚖️🔐

December 17, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Zero Trust Architecture and ABA Model Rules Compliance 🛡️

Lawyers need to "never trust, always verify" their network activity!

Zero Trust Architecture represents a fundamental shift in how law firms approach cybersecurity and fulfill ethical obligations. Rather than assuming that users and devices within a firm's network are trustworthy by default, this security model operates on the principle of "never trust, always verify." For legal professionals managing sensitive client information, implementing this framework has become essential to protecting confidentiality while maintaining compliance with ABA Model Rules.

The traditional security approach created a protective perimeter around a firm's network, trusting anyone inside that boundary. This model no longer reflects modern legal practice. Remote work, cloud-based case management systems, and mobile device usage mean that your firm's data exists across multiple locations and devices. Zero Trust abandons the perimeter-based approach entirely.

ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Zero Trust Architecture directly fulfills this mandate by requiring continuous verification of every user and device accessing firm resources, regardless of location. This approach ensures compliance with the confidentiality duty that forms the foundation of legal practice.

Core Components Supporting Your Ethical Obligations

Zero Trust Architecture operates through three interconnected principles aligned with ABA requirements.

legal professionals do you know the core components of modern cyber security?

Continuous verification means that authentication does not happen once at login. Instead, systems continuously validate user identity, device health, and access context in real time.
Least privilege access restricts each user to only the data and systems necessary for their specific role. An associate working on discovery does not need access to billing systems, and a paralegal in real estate does not need access to litigation files.
Micro-segmentation divides your network into smaller, secure zones. This prevents lateral movement, which means that if a bad actor compromises one device or user account, they cannot automatically access all firm systems.

ABA Model Rule 1.1, Comment 8 requires that lawyers maintain competence, including competence in "the benefits and risks associated with relevant technology." Understanding Zero Trust Architecture demonstrates that your firm maintains technological competence in cybersecurity matters. Additional critical components include multi-factor authentication, which requires users to verify their identity through multiple methods before accessing systems. Device authentication ensures that only approved and properly configured devices can connect to firm resources. End-to-end encryption protects data both at rest and in transit.

ABA Model Rule 1.4 requires lawyers to keep clients "reasonably informed about significant developments relating to the representation." Zero Trust Architecture supports this duty by protecting client information and enabling prompt client notification if security incidents occur.

ABA Model Rules 5.1 and 5.3 require supervisory lawyers and managers to ensure that subordinate lawyers and non-lawyer staff comply with professional obligations. Implementing Zero Trust creates the framework for effective supervision of cybersecurity practices across your entire firm.

Addressing Safekeeping Obligations

ABA Model Rule 1.15 requires lawyers to "appropriately safeguard" property of clients, including electronic information. Zero Trust Architecture provides the security infrastructure necessary to meet this safekeeping obligation. This rule mandates maintaining complete records of client property and preserving those records. Zero Trust's encryption and access controls ensure that stored records remain protected from unauthorized access.

Implementation: A Phased Approach 📋

Implementing Zero Trust need not happen all at once. Begin by assessing your current security infrastructure and identifying sensitive data flows. Establish identity and access management systems to control who accesses what. Deploy multi-factor authentication across all applications. Then gradually expand micro-segmentation and monitoring capabilities as your systems mature. Document your efforts to demonstrate compliance with ABA Model Rule 1.6(c)'s requirement for "reasonable efforts."

Final Thoughts

Zero Trust Architecture transforms your firm's security posture from reactive protection to proactive verification while ensuring compliance with essential ABA Model Rules. For legal practices handling confidential client information, this security framework is not optional. It protects your clients, your firm's reputation, and your ability to practice law with integrity.

December 12, 2025

TSL Labs 🧪Bonus: 🎙️ From Cyber Compliance to Cyber Dominance: What VA's AI Revolution Means for Government Cybersecurity, Legal Ethics, and ABA Model Rule Compliance!

December 12, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

In this TSL Labs bonus episode, we examine this week’s editorial on how the Department of Veterans Affairs is leading a historic transformation from traditional compliance frameworks to a dynamic, AI-driven approach called "cyber dominance." This conversation unpacks what this seismic shift means for legal professionals across all practice areas—from procurement and contract law to privacy, FOIA, and litigation. Whether you're advising government agencies, representing contractors, or handling cases where data security matters, this discussion provides essential insights into how continuous monitoring, zero trust architecture, and AI-driven threat detection are redefining professional competence under ABA Model Rule 1.1. 💻⚖️🤖

Join our AI hosts and me as we discuss the following three questions and more!

How has federal cybersecurity evolved from the compliance era to the cyber dominance paradigm? 🔒
What are the three technical pillars—continuous monitoring, zero trust architecture, and AI-driven detection—and how do they interconnect? 🛡️
What professional liability and ethical obligations do lawyers now face under ABA Model Rule 1.1 regarding technology competence? ⚖️

In our conversation, we cover the following:

[00:00:00] - Introduction: TSL Labs Bonus Podcast on VA's AI Revolution 🎯
[00:01:00] - Introduction to Federal Cybersecurity: The End of the Compliance Era 📋
[00:02:00] - Legal Implications and Professional Liability Under ABA Model Rules ⚖️
[00:03:00] - From Compliance to Continuous Monitoring: Understanding the Static Security Model 🔄
[00:04:00] - The False Comfort of Compliance-Only Approaches 🚨
[00:05:00] - The Shift to Cyber Dominance: Three Integrated Technical Pillars 💪
[00:06:00] - Zero Trust Architecture (ZTA) Explained: Verify Everything, Trust Nothing 🔐
[00:07:00] - AI-Driven Detection and Legal Challenges: Professional Competence Under Model Rule 1.1 🤖
[00:08:00] - The New Legal Questions: Real-Time Risk vs. Static Compliance 📊
[00:09:00] - Evolving Compliance: From Paper Checks to Dynamic Evidence 📈
[00:10:00] - Cybersecurity as Operational Discipline: DevSecOps and Security by Design 🔧
[00:11:00] - Litigation Risks: Discovery, Red Teaming, and Continuous Monitoring Data ⚠️
[00:12:00] - Cyber Governance with AI: Algorithmic Bias and Explainability 🧠
[00:13:00] - Synthesis and Future Outlook: Law Must Lead, Not Chase Technology 🚀
[00:14:00] - The Ultimate Question: Is Your Advice Ready for Real-Time Risk Management? 💡
[00:15:00] - Conclusion and Resources 📚

Resources

Mentioned in the Episode

ABA Model Rule 1.1 - Competent Representation (including technology competence requirement) - https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/
Department of Veterans Affairs (VA) Cybersecurity Initiative - https://www.va.gov/oit/cybersecurity/
DevSecOps Pipelines - Security integration in software development - https://www.devsecops.org/
FedRAMP (Federal Risk and Authorization Management Program) - https://www.fedramp.gov/
FISMA (Federal Information Security Management Act) - https://www.cisa.gov/topics/cyber-threats-and-advisories/federal-information-security-modernization-act
Google Notebook AI - AI discussion generation tool - https://notebooklm.google.com/
HIPAA (Health Insurance Portability and Accountability Act) - https://www.hhs.gov/hipaa/index.html
NIST Cybersecurity Framework - https://www.nist.gov/cyberframework
Red Teaming - Ethical hacking and security testing methodology - https://www.cisa.gov/red-team-assessments
Zero Trust Architecture (ZTA) - Federal mandate for security verification - https://www.cisa.gov/zero-trust

Software & Cloud Services Mentioned in the Conversation

AI-Driven Detection Systems - Automated threat detection and response platforms
Automated Compliance Platforms - Dynamic evidence generation systems
Continuous Monitoring Systems - Real-time security assessment platforms
DevSecOps Tools - Automated security testing in software development pipelines
Firewalls - Network security hardware devices
Google Notebook AI - https://notebooklm.google.com/
Penetration Testing Software - Security vulnerability assessment tools
Zero Trust Architecture (ZTA) Solutions - Identity and access verification systems

December 10, 2025

📖 "Word of the Week! 📧 "Inbox Zero" - Reclaim Your Productivity and Mental Clarity!

December 10, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Achieving “inbox zero” can help you have some sence of "Zen” at work!

Inbox Zero represents a systematic approach to email management that transforms overwhelmed inboxes into streamlined productivity systems. Rather than obsessing over an entirely empty inbox, Inbox Zero focuses on processing each message decisively so that emails serve your practice—not the reverse.

The average office worker receives approximately 121 emails daily. For legal professionals managing client communications, case updates, and firm operations, unmanaged email creates more than mere clutter. It generates decision fatigue, interrupts focused work, and creates persistent mental stress. Inbox Zero addresses this challenge through a structured methodology.

The Five Actions Framework forms the core of Inbox Zero practice. When you open an email, you must immediately decide whether to delete it, delegate it to a colleague, respond to it, defer it for later action, or complete the task it describes. This "touch it once" approach prevents emails from cycling through your inbox repeatedly, wasting your mental energy and professional time.

For attorneys, the benefits extend beyond organizational tidiness. Studies indicate that constant email interruptions reduce productivity by up to 40%. By implementing scheduled email times—typically two to four designated periods throughout your workday—you can reclaim significant focus time for substantive legal work. Many successful practitioners process emails after lunch and at the end of the business day, aligning email management with natural energy dips.

Implementation requires intentional strategy, not perfection. Begin by setting up automated filters and labels that sort incoming messages by category or client matter. Disable email notifications outside your designated checking times - we are guilty of FOMO (“Fear of Missing Out”)! Meanwhile, a unified inbox connected to your case management system, when available, consolidates related communications and prevents critical messages from scattering across multiple platforms.

The "two-minute rule" proves particularly valuable in legal practice. If you can respond to an email or complete its associated task within two minutes, address it immediately during your processing window. This approach prevents small matters from accumulating into overwhelming backlogs. Emails requiring substantive legal analysis, research, or client strategy should be tagged, categorized to a specific matter, and scheduled for dedicated work blocks.

The chaos 🤪 of e-mail can reduce your productivity significantly! 🤑

Notification Zero represents an evolution of traditional Inbox Zero methodology. Modern legal professionals manage communications across email, case management platforms, messaging applications, and task management tools. Achieving mental clarity requires managing notifications across all these channels, not just email alone. Implement Do Not Disturb modes during deep work sessions to protect your concentration.

Research demonstrates that attorneys adopting these practices report significant stress reduction and improved time management. Team-wide implementation proves even more effective—establishing no-email hours for collaborative deep work and using shared calendars to reduce scheduling back-and-forth can decrease email volume by 20 to 30%.

Achieving Inbox Zero requires commitment rather than complexity. Start with one or two strategic changes: batch-checking emails, blocking calendar time for email processing, silencing notifications between designated times, or integrating automation tools. The goal transcends a pristine inbox. It centers on regaining control over your time, protecting your mental resources, and building a practice where email management supports rather than sabotages your professional success.

December 09, 2025

🎙️Ep. 126: AI and Access to Justice With Pearl.com Associate General Counsel Nick Tiger

December 09, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Our next guest is Nick Tiger, Associate General Counsel at Pearl.com, Nick shares insights on integrating AI into legal practice. Pearl.com champions AI and human expertise for professional services. He outlines practical uses such as market research, content creation, intake automation, and improved billing efficiency, while stressing the need to avoid liability through robust human oversight.

Nick is a legal leader at Pearl.com, partnering on product design, technology, and consumer-protection compliance strategy. He previously served as Head of Product Legal at EarnIn, an earned-wage access pioneer, building practical guidance for responsible feature launches, and as Senior Counsel at Capital One, supporting consumer products and regulatory matters. Nick holds a J.D. from the University of Missouri–Kansas City, lives in Richmond, Virginia, and is especially interested in using technology to expand rural community access to justice.

During the conversation, Nick highlights emerging tools, such as conversation wizards and expert-matching systems, that enhance communication and case preparation. He also explains Pearl AI's unique model, which blends chatbot capabilities with human expert verification to ensure accuracy in high-stakes or subjective matters.

Nick encourages lawyers to adopt human-in-the-loop protocols and consider joining Pearl's expert network to support accessible, reliable legal services.

Join Nick and me as we discuss the following three questions and more!

What are the top three most impactful ways lawyers can immediately implement AI technology in their practices while avoiding the liability pitfalls that have led to sanctions in recent high-profile cases?
Beyond legal research and document review, what are the top three underutilized or emerging AI applications that could transform how lawyers deliver value to clients, and how should firms evaluate which technologies to adopt?
What are the top three criteria Pearl uses to determine when human expert verification is essential versus when AI alone is sufficient? How can lawyers apply this framework to develop their own human-in-the-loop protocols for AI-assisted legal work, and how is Perl different from its competitors?

In our conversation, we cover the following:

[00:56] Nick's Tech Setup

[07:28] Implementing AI in Legal Practices

[17:07] Emerging AI Applications in Legal Services

[26:06] Pearl AI's Unique Approach to AI and Legal Services

[31:42] Developing Human-in-the-Loop Protocols

[34:34] Pearl AI's Advantages Over Competitors

[36:33] Becoming an Expert on Pearl AI

Resources:

Connect with Nick:

Nick's LinkedIn: linkedin.com/in/nicktigerjd

Pearl.com Website: pearl.com

Pearl.com Expert Application Portal: era.justanswer.com/

Pearl.com LinkedIn: linkedin.com/company/pearl-com

Pearl.com X: x.com/Pearldotcom

ABA Resources:

ABA Formal Opinion 512: https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/ethics-opinions/aba-formal-opinion-512.pdf

Hardware mentioned in the conversation:

Anker Backup Battery / Power Bank: anker.com/collections/power-banks

Software & Cloud Services mentioned in the conversation:

AT&T: att.com/
Pearl.com: pearl.com/
Sprint: thesprintgroup.com/
Timely: timely.com/
Verizon: verizon.com/

December 08, 2025

MTC: From Cyber Compliance to Cyber Dominance: What VA’s AI Revolution Means for Government Cybersecurity, Legal Ethics, and ABA Model Rule Compliance 💻⚖️🤖

December 08, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

In the age of cyber dominance, “I did not understand the technology” is increasingly unlikely to serve as a safe harbor.

🚨 🤖 👩🏻‍💼👨‍💼

In the age of cyber dominance, “I did not understand the technology” is increasingly unlikely to serve as a safe harbor. 🚨 🤖 👩🏻‍💼👨‍💼

Government technology is in the middle of a historic shift. The Department of Veterans Affairs (VA) stands at the center of this transformation, moving from a check‑the‑box cybersecurity culture to a model of “cyber dominance” that fuses artificial intelligence (AI), zero trust architecture (a security model that assumes no user or device is trusted by default, even inside the network), and continuous risk management. 🔐

For lawyers who touch government work in any way—inside agencies, representing contractors, handling whistleblowers, litigating Freedom of Information Act (FOIA) or privacy issues, or advising regulated entities—this is not just an IT story. It is a law license story. Under the American Bar Association (ABA) Model Rules, failing to grasp core cyber and AI governance concepts can now translate into ethical risk and potential disciplinary exposure. ⚠️

Resources such as The Tech-Savvy Lawyer.Page blog and podcast are no longer “nice to have.” They are becoming essential continuing education for lawyers who want to stay competent in practice, protect their clients, and safeguard their own professional standing. 🧠🎧

Where Government Agency Technology Has Been: The Compliance Era 🗂️

For decades, many federal agencies lived in a world dominated by static compliance frameworks. Security often meant passing audits and meeting minimum requirements, including:

Annual or periodic Authority to Operate (ATO, the formal approval for a system to run in a production environment based on security review) exercises
A focus on the Federal Information Security Modernization Act (FISMA) and National Institute of Standards and Technology (NIST) security control checklists
Point‑in‑time penetration tests
Voluminous documentation, thin on real‑time risk

The VA was no exception. Like many agencies, it grappled with large legacy systems, fragmented data, and a culture in which “security” was a paperwork event, not an operational discipline. 🧾

In that world, lawyers often saw cybersecurity as a box to tick in contracts, privacy impact assessments, and procurement documentation. The legal lens focused on:

Whether the required clauses were in place
Whether a particular system had its ATO
Whether mandatory training was completed

The result: the law frequently chased the technology instead of shaping it.

Where Government Technology Is Going: Cyber Dominance at the VA 🚀

The VA is now in the midst of what its leadership calls a “cybersecurity awakening” and a shift toward “cyber dominance”. The message is clear: compliance is not enough, and in many ways, it can be dangerously misleading if it creates a false sense of security.

Key elements of this new direction include:

Continuous monitoring instead of purely static certification
Zero trust architecture (a security model that assumes no user, device, or system is trusted by default, and that every access request must be verified) as a design requirement, not an afterthought
AI‑driven threat detection and anomaly spotting at scale
Integrated cybersecurity into mission operations, not a separate silo
Real‑time incident response and resilience, rather than after‑the‑fact blame

“Cyber dominance” reframes cybersecurity as a dynamic contest with adversaries. Agencies must assume compromise, hunt threats proactively, and adapt in near real time. That shift depends heavily on data engineering, automation, and AI models that can process signals far beyond human capacity. 🤖

For both government and nongovernment lawyers, this means that the facts on the ground—what systems actually do, how they are monitored, and how decisions are made—are changing fast. Advocacy and counseling that rely on outdated assumptions about “IT systems” will be incomplete at best and unethical at worst.

The Future: Cybersecurity Compliance, Cybersecurity, and Cybergovernance with AI 🔐🌐

The future of government technology involves an intricate blend of compliance, operational security, and AI governance. Each element increasingly intersects with legal obligations and the ABA Model Rules.

1. Cybersecurity Compliance: From Static to Dynamic ⚙️

Traditional compliance is not disappearing. The FISMA, NIST standards, the Federal Risk and Authorization Management Program (FedRAMP), the Health Insurance Portability and Accountability Act (HIPAA), and other frameworks still govern federal systems and contractor environments.

But the definition of compliance is evolving:

Continuous compliance: Automated tools generate near real‑time evidence of security posture instead of relying only on annual snapshots.
Risk‑based prioritization: Not every control is equal; agencies must show how they prioritize high‑impact cyber risks.
Outcome‑focused oversight: Auditors and inspectors general care less about checklists and more about measurable risk reduction and resilience.

Lawyers must understand that “we’re compliant” will no longer end the conversation. Decision‑makers will ask:

What does real‑time monitoring show about actual risk?
How quickly can the VA or a contractor detect and contain an intrusion?
How are AI tools verifying, logging, and explaining security‑related decisions?

2. Cybersecurity as an Operational Discipline 🛡️

The VA’s push toward cyber dominance relies on building security into daily operations, not layering it on top. That includes:

Secure‑by‑design procurement and contract terms, which require modern controls and realistic reporting duties
DevSecOps (development, security, and operations) pipelines that embed automated security testing and code scanning into everyday software development
Data segmentation and least‑privilege access across systems, so users and services only see what they truly need
Routine red‑teaming (simulated attacks by ethical hackers to test defenses) and table‑top exercises (structured discussion‑based simulations of incidents to test response plans)

For government and nongovernment lawyers, this raises important questions:

Are contracts, regulations, and interagency agreements aligned with zero trust principles (treating every access request as untrusted until verified)?
Do incident response plans meet regulatory and contractual notification timelines, including state and federal breach laws?
Are representations to courts, oversight bodies, and counterparties accurate in light of actual cyber capabilities and known limitations?

3. Cybergovernance with AI: The New Frontier 🌐🤖

Lawyers can no longer sit idlely by their as cyber-ethic responsibilities are changing!

AI will increasingly shape how agencies, including the VA, manage cyber risk:

Machine learning models will flag suspicious behavior or anomalous network traffic faster than humans alone.
Generative AI tools will help triage incidents, search legal and policy documents, and assist with internal investigations.
Decision‑support systems may influence resource allocation, benefit determinations, or enforcement priorities.

These systems raise clear legal and ethical issues:

Transparency and explainability: Can lawyers understand and, if necessary, challenge the logic behind AI‑assisted or AI‑driven decisions?
Bias and fairness: Do algorithms create discriminatory impacts on veterans, contractors, or employees, even if unintentional?
Data governance: Is sensitive, confidential, or privileged information being exposed to third‑party AI providers or trained into their models?

Blogs and podcasts like Tech-Savvy Lawyer.Page blog and podcast often highlight practical workflows for lawyers using AI tools safely, along with concrete questions to ask vendors and IT teams. Those insights are particularly valuable as agencies and law practices both experiment with AI for document review, legal research, and compliance tracking. 💡📲

What Lawyers in Government and Nongovernment Need to Know 🏛️⚖️

Lawyers inside agencies such as the VA now sit at the intersection of mission, technology, and ethics. Under ABA Model Rule 1.1 (Competence) and its comment on technological competence, agency counsel must acquire and maintain a basic understanding of relevant technology that affects client representation.

For government lawyers and nongovernment lawyers who advise, contract with, or litigate against agencies such as the VA, technological competence now has a common core. It requires enough understanding of system architecture, cybersecurity practices, and AI‑driven tools to ask the right questions, spot red flags, and give legally sound, ethics‑compliant advice on how those systems affect veterans, agencies, contractors, and the public. ⚖️💻

For government lawyers and nongovernment lawyers who interact with agencies such as the VA, this includes:

Understanding the basic architecture and risk profile of key systems (for example, benefits, health data, identity, and claims platforms), so you can evaluate how failures affect legal rights and obligations. 🧠
Being able to ask informed questions about zero trust architecture, encryption, system logging, and AI tools used by the agency or contractor.
Knowing the relevant incident response plans, data breach notification obligations, and coordination pathways with regulators and law enforcement, whether you are inside the agency or across the table. 🚨
Ensuring that policies, regulations, contracts, and public statements about cybersecurity and AI reflect current technical realities, rather than outdated assumptions that could mislead courts, oversight bodies, or the public.

Model Rules 1.6 (Confidentiality of Information) and 1.13 (Organization as Client) are especially important. Government lawyers must:

Guard sensitive data, including classified, personal, and privileged information, against unauthorized disclosure or misuse.
Advise the “client” (the agency) when cyber or AI practices present significant legal risk, even if those practices are popular or politically convenient.

If a lawyer signs off on policies or representations about cybersecurity that they know—or should know—are materially misleading, that can implicate Rule 3.3 (Candor Toward the Tribunal) and Rule 8.4 (Misconduct). The shift to cyber dominance means that “we passed the audit” will no longer excuse ignoring operational defects that put veterans or the public at risk. 🚨

What Lawyers Outside Government Need to Know 🏢⚖️

Lawyers representing contractors, vendors, whistleblowers, advocacy groups, or regulated entities cannot ignore these changes at the VA and other agencies. Their clients operate in the same new environment of continuous oversight and AI‑informed risk management.

Key responsibilities for nongovernmental lawyers include:

Contract counseling: Understanding cybersecurity clauses, incident response requirements, AI‑related representations, and flow‑down obligations in government contracts.
Regulatory compliance: Navigating overlapping regimes (for example, federal supply chain rules, state data breach statutes, HIPAA in health contexts, and sector‑specific regulations).
Litigation strategy: Incorporating real‑time cyber telemetry and AI logs into discovery, privilege analyses, and evidentiary strategies.
Advising on AI tools: Ensuring that client use of generative AI in government‑related work does not compromise confidential information or violate procurement, export control, or data localization rules.

Under Model Rule 1.1 (Competence), outside counsel must be sufficiently tech‑savvy to spot issues and know when to bring in specialized expertise. Ignoring cyber and AI governance concerns can:

Lead to inadequate or misleading advice.
Misstate risk in negotiations, disclosures, or regulatory filings.
Expose clients to enforcement actions, civil liability, or debarment.
Expose lawyers to malpractice claims and disciplinary complaints.

ABA Model Rules: How Cyber and AI Now Touch Your License 🧾⚖️

Several American Bar Association (ABA) Model Rules are directly implicated by the VA’s evolution from compliance to cyber dominance and by the broader adoption of artificial intelligence (AI) in government operations:

Rule 1.1 – Competence

Comment 8 recognizes a duty of technological competence.
Lawyers must understand enough about cyber risk and AI systems to represent clients prudently.

Rule 1.6 – Confidentiality of Information

Lawyers must take reasonable measures to safeguard client information, including in cloud environments and AI‑enabled workflows.
Uploading sensitive or privileged content into consumer‑grade AI tools without safeguards can violate this duty.

Rule 1.4 – Communication

Clients should be informed—in clear, non‑technical terms—about significant cyber and AI risks that may affect their matters.

Rules 5.1 and 5.3 – Responsibilities of Partners, Managers, and Supervisory Lawyers; Responsibilities Regarding Nonlawyer Assistance

Law firm leaders must ensure that policies, training, vendor selection, and supervision support secure, ethical use of technology and AI by lawyers and staff.

Rule 1.13 – Organization as Client

Government and corporate counsel must advise leadership when cyber or AI governance failures pose substantial legal or regulatory risk.

Rules 3.3, 3.4, and 8.4 – Candor, Fairness, and Misconduct

Misrepresenting cyber posture, ignoring known vulnerabilities, or manipulating AI‑generated evidence can rise to ethical violations and professional misconduct.

In the age of cyber dominance, “I did not understand the technology” is increasingly unlikely to serve as a safe harbor. Judges, regulators, and disciplinary authorities expect lawyers to engage these issues competently.

Practical Next Steps for Lawyers: Moving from Passive to Proactive 🧭💼

To meet this moment, lawyers—both in government and outside—should:

Learn the language of modern cybersecurity:

Zero trust (a model that treats every access request as untrusted until verified)
Endpoint detection and response (EDR, tools that continuously monitor and respond to threats on endpoints such as laptops, servers, and mobile devices)
Security Information and Event Management (SIEM, systems that collect and analyze security logs from across the network)
Security Orchestration, Automation, and Response (SOAR, tools that automate and coordinate security workflows and responses)
Encryption at rest and in transit (protecting data when it is stored and when it moves across networks)
Multi‑factor authentication (MFA, requiring more than one factor—such as password plus a code—to log in)

Understand AI’s role in the client’s environment: what tools are used, where data goes, how outputs are checked, and how decisions are logged.
Review incident response plans and breach notification workflows with an eye on legal timelines, cross‑jurisdictional obligations, and contractual requirements.
Update engagement letters, privacy notices, and internal policies to reflect real‑world use of cloud services and AI tools.
Invest in continuous learning through technology‑forward legal resources, including The Tech-Savvy Lawyer.Page blog and podcast, which translate evolving tech into practical law practice strategies. 💡

Final Thoughts: The VA’s journey from compliance to cyber dominance is more than an agency story. It is a case study in how technology, law, and ethics converge. Lawyers who embrace this reality will better protect their clients, their institutions, and their licenses. Those who do not will risk being left behind—by adversaries, by regulators, and by their own professional standards. 🚀🔐⚖️

Editor’s Note: I used the VA as my “example” because Veterans mean a lot to me. I have been a Veterans Disability Benefits Advocate for nearly two decades. Their health and welfare should not be harmed by faulty tech compliance. 🇺🇸⚖️

MTC

December 05, 2025

TSL Labs Bonus Podcast: Google’s Notebook LLM “Deep Dive” on December 1st, 2025, editorial on the the Lawyer’s Defense Against Holiday Scams and ‘Bargain’ Tech Traps!

December 05, 2025/ The Tech-Savvy Lawyer.Page/ Michael D.J. Eisenberg

Listen in as Google's Notebook LLM provides an AI-powered conversation unpacks our December 1st, 2025 editorial examining how the holiday digital marketplace transforms into a lucrative hunting ground for device compromise and credential theft. We explore why attorneys and paralegals—trained to spot hidden clauses and anticipate risk—often abandon professional skepticism when faced with shiny gadgets bearing 70% off stickers. Our discussion arms you with actionable strategies to protect your practice, safeguard client confidentiality, and prevent the kind of security breaches that trigger bar complaints and operational shutdowns. Whether you're a solo practitioner or part of a large firm, this episode delivers the technical insights you need without the jargon.

Join Google's Notebook LLM as we discuss the following three questions and more!

How do bargain tech deals create hidden professional liabilities that extend far beyond wasted money, and what specific technical deficits should lawyers avoid in discount hardware?
What free forensic tools can legal professionals use to distinguish genuine discounts from manipulated pricing schemes, and how do these tools apply procurement-level rigor to personal shopping decisions?
Which three active scam vectors target high-value professionals during the holiday season, and what mandatory four-point protocol ensures comprehensive protection against credential theft and device compromise?