🎙️ Ep. 139, From MyCase to Claude: Building a Secure, AI-Ready Tech Stack for Solo and Small Law Firms.

My next guests are Gabriella "Gabby" Cabero, Senior Vice President of Product at 8am — the powerhouse behind MyCase, LawPay, CASEpeer, and DocketWise — and Majo Castro, founder and managing attorney at CastroMand Legal in Austin, Texas. 🌟 Gabby is a 16-year legal tech veteran who co-founded CASEpeer and now drives product strategy across one of the most widely adopted law practice management platforms in the country. Majo is a Venezuelan-born cybersecurity and AI attorney whose solo firm helps growing companies navigate AI implementation, data management, and cybersecurity — and she writes about all of it on her Substack, The Cyber Law Gal. 🛡️ This is a no-fluff, peer-to-peer conversation about the exact workflows that separate a modern LPM from a liability, why the Data Processing Agreement is the most important acronym in your practice right now, and what your employees are almost certainly already doing with AI — whether you've approved it or not.

Join Gabriella Cabero, Majo Castro, and me as we discuss the following three questions and more!

  1. What are the top three integrations or workflows a solo, small, or midsize firm should expect from a modern cloud-based LPM platform like 8am — and what's missing that signals a real red flag around efficiency, cash flow, or security?

  2. As AI gets baked into cloud LPM tools like 8am, what are the top three day-to-day tasks that will change most for solo and small firm lawyers — and what basic security or ethical guardrails should they put in place to use those AI features without putting client data at risk?

  3. For solo and small firms without a CISO or CTO, what are the top three cybersecurity mistakes you see over and over again?

In our conversation, we cover the following:

  • [00:00:00] 🪝 Show Hook — Gabby's critical warning: if your firm hasn't "adopted" AI, your employees probably already have — on free consumer tools

  • [00:00:00] Title read — Episode 139

  • [00:01:00] Host intro: why this conversation goes tactical on AI, security, and LPM workflows

  • [00:02:00] Guest introductions — Gabriella Cabero (8am/MyCase) and Majo Castro (CastroMand Legal / The Cyber Law Gal)

  • [00:03:00] Majo celebrates 1.5 years as a solo practitioner 🎉

  • [00:03:00] Ad: Five-star review request for The Tech-Savvy Lawyer.Page

  • [00:03:30] Tech setups — Gabby's MacBook Air (M4 chip), iPhone Max, Slack, Zoom, Google Drive, Claude Enterprise

  • [00:06:00] Gabby's portable USB-C external monitor for travel (Amazon, highest-rated)

  • [00:09:00] Majo's MacBook Pro 14" M4 (16GB RAM), performance issues, upgrade path discussion

  • [00:10:00] Michael recommends Onyx (free Mac maintenance utility); Michael's Mac Studio M3 Ultra with 256GB

  • [00:11:00] Mac Mini and Mac Studio as desktop alternatives; MacRumors Buyer's Guide tip

  • [00:13:00] Apple Business Account benefits — small discounts + white-glove service

  • [00:15:00] Majo's full setup: iPhone 16 Pro Max, Google Workspace + Gemini (team account with DPA), DJI Osmo Pocket 3, Hollyland wireless mic

  • [00:16:00] Q1: Top three LPM workflows — intake, secure client communication (client portal), and getting paid (trust accounting + automated invoicing)

  • [00:19:00] Majo on switching from QuickBooks to MyCase after discovering QuickBooks mishandles trust accounting

  • [00:20:00] 🎉 Gabby announces: AI case summary features are now LIVE in 8am/MyCase

  • [00:21:00] Cloud vs. local access debate — SaaS uptime, SLAs, and asking vendors for proof

  • [00:23:00] Michael's redundant backup strategy: Backblaze + Dropbox + local Mac Mini

  • [00:25:00] Cautionary tale: ransomware attack converts a server-based firm to the cloud overnight

  • [00:28:00] Majo's Google Drive third-party backup with 2-hour recovery window

  • [00:29:00] Q2: How AI changes daily workflows — drafting, case summaries, surfacing critical info fast

  • [00:30:00] Why reading vendor Terms of Service and activating Data Processing Agreements (DPAs) is non-negotiable

  • [00:31:00] 8am's SOC 2 Type 2 compliance; updated AI terms and opt-in controls coming

  • [00:32:00] SOC 2, HIPAA, end-to-end encryption as baseline vendor security requirements

  • [00:34:00] AI as the great equalizer — leveling the playing field for solo firms vs. BigLaw

  • [00:35:00] Majo's real data: ~12 hours saved last month across 27 consultations using Gemini for proposals

  • [00:36:00] Plaud and Pocket AI recording devices — data retention, PII, and DPA concerns

  • [00:37:00] Majo's stance on wearable AI recorders; Apple Watch comparison; one-party vs. two-party consent

  • [00:39:00] Plaud's terms say no AI training — but it's not a DPA; terms can change without notice 🚨

  • [00:40:00] Google Workspace DPA must be manually activated — most users don't know; creating user friction around protection

  • [00:41:00] Q3: Top cybersecurity mistakes — shadow AI, no MFA, undertrained employees

  • [00:42:00] Majo's checklist: DPA + no model training on client data + enterprise/team-tier subscriptions + MFA

  • [00:43:00] Gabby: employees are the #1 security risk; fractional IT and CISO options for small firms

  • [00:44:00] AI-powered phishing attacks on law firms will only intensify

  • [00:45:00] Majo's training method: positive AI policies + 45-second staff video explainers 🎬

  • [00:46:00] 🚨 Gabby's shadow AI reminder (Show Hook callback): audit your tech stack — your team already has

  • [00:47:00] Episode originally recorded at ABA Techshow; re-recorded after a technical snafu 😅

  • [00:47:00] Where to find Gabby: LinkedIn, X, 8am.com, Kaleidoscope conference (September — banner at 8am.com)

  • [00:48:00] Where to find Majo: LinkedIn (Majo Castro), CastroMand Legal, Substack: The Cyber Law Gal

  • [00:48:30] Outro — michaeldj@thetechsavvylawyer.page | next episode in ~two weeks

MTC: PornHub Breach: Cybersecurity Wake-Up Call for Lawyers

Lawyers are the first-line defenders for their clients' PII.

It's the start of the New Year, and as good a time as any to remind the legal profession of their cybersecurity obligations! The recent PornHub data exposure reveals critical vulnerabilities every lawyer must address under ABA ethical obligations. Third-party analytics provider Mixpanel suffered a breach compromising user email addresses, triggering targeted sextortion campaigns. This incident illuminates three core security domains for legal professionals while highlighting specific duties under ABA Model Rules 1.1, 1.6, 5.1, 5.3, and Formal Opinion 483.

Understanding the Breach and Its Legal Implications

The PornHub incident demonstrates how failures by third-party vendors can lead to cascading security consequences. When Mixpanel's systems were compromised, attackers gained access to email addresses that now fuel sextortion schemes. Criminals threaten to expose purported adult site usage unless victims pay cryptocurrency ransoms. For law firms, this scenario is not hypothetical—your practice management software, cloud storage providers, and analytics tools present identical vulnerabilities. Each third-party vendor represents a potential entry point for attackers targeting your client data.

ABA Model Rule 1.1: The Foundation of Technology Competence

ABA Model Rule 1.1 requires lawyers to provide competent representation, and Comment 8 explicitly extends this duty to technology: "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology". This is not a suggestion—it is an ethical mandate. Thirty-one states have adopted this technology competence requirement into their professional conduct rules.

What does this mean practically? You must understand the security implications of every technology tool your firm uses. Before onboarding any platform, conduct due diligence on the vendor's security practices. Require SOC 2 compliance, cyber insurance verification, and detailed security questionnaires. The "reasonable efforts" standard does not demand perfection, but it does require informed decision-making. You cannot delegate technology competence entirely to IT consultants. You must understand enough to ask the right questions and evaluate the answers meaningfully.

ABA Model Rule 1.6: Safeguarding Client Information in Digital Systems

Rule 1.6 establishes your duty of confidentiality, and Comment 18 requires "reasonable efforts to prevent [the inadvertent or unauthorized] access or disclosure" to information relating to the representation of a client. This duty extends beyond privileged communications to all client-related information stored digitally.

The PornHub breach illustrates why this matters. Your firm's email system, document management platform, and client portals contain information criminals actively target. The "reasonable efforts" analysis considers the sensitivity of information, likelihood of disclosure without additional safeguards, cost of safeguards, and difficulty of implementation. For most firms, this means mandatory multi-factor authentication (MFA) on all systems, encryption for data at rest and in transit, and secure file-sharing platforms instead of email attachments.

You must also address third-party vendor access under Rule 1.6. When you grant a case management platform access to client data, you remain ethically responsible for protecting that information. Your engagement letters should specify security expectations, and vendor contracts must include confidentiality obligations and breach notification requirements.

ABA Model Rules 5.1 and 5.3: Supervisory Responsibilities Extend to Technology

Lawyers need to stay up to date on the security protocols for their firm's software!

Rule 5.1 imposes duties on partners and supervisory lawyers to ensure the firm has measures giving "reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct". Rule 5.3 extends this duty to nonlawyer assistants, which courts and ethics opinions have interpreted to include technology vendors and cloud service providers.

If you manage a firm or supervise other lawyers, you must implement technology policies and training programs. This includes security awareness training, password management requirements, and incident reporting procedures. You cannot assume your younger associates understand cybersecurity best practices—they need explicit training and clear policies.

For nonlawyer assistance, you must "make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer". This means vetting your IT providers, requiring them to maintain appropriate security certifications, and ensuring they understand their confidentiality obligations. Your vendor management program is an ethical requirement, not just a business best practice.

ABA Formal Opinion 483: Data Breach Response Requirements

ABA Formal Opinion 483 establishes clear obligations when a data breach occurs. Lawyers have a duty to monitor for breaches, stop and mitigate damage promptly, investigate what occurred, and notify affected clients. This duty arises from Rules 1.1 (competence), 1.6 (confidentiality), and 1.4 (communication).

The Opinion requires you to have a written incident response plan before a breach occurs. Your plan must identify who will coordinate the response, how you will communicate with affected clients (including backup communication methods if email is compromised), and what steps you will take to assess and remediate the breach. You must document what data was accessed, whether malware was used, and whether client information was taken, altered, or destroyed.

Notification to clients is mandatory when a breach involves material client confidential information. The notification must be prompt and include what happened, what information was involved, what you are doing in response, and what clients should do to protect themselves. This duty extends to former clients in many circumstances, as their files may still contain sensitive information subject to state data breach laws.

Three Security Domains: Personal, Practice, and Client Protection

Your Law Practice's Security
Under Rules 5.1 and 5.3, you must implement reasonable security measures throughout your firm. Conduct annual cybersecurity risk assessments. Require MFA on all systems. Implement data minimization principles—only share what vendors absolutely need. Establish incident response protocols before breaches occur. Your supervisory duties require you to ensure that all firm personnel, including non-lawyer staff, understand and follow the firm's security policies.

Client Security Obligations
Rule 1.4 requires you to keep clients reasonably informed, which includes advising them on security matters relevant to their representation. Clients experiencing sextortion need immediate, informed guidance. Preserve all threatening emails with headers intact. Document timestamps and demands. Advise clients never to pay or respond—payment confirms active monitoring and often leads to additional demands. Report incidents to the FBI's IC3 unit and local cybercrime divisions. For family law practitioners, understand that sextortion often targets vulnerable individuals during contentious proceedings. Criminal defense attorneys must recognize these threats as extortion, not embarrassment issues. Your competence under Rule 1.1 requires you to understand these threats well enough to provide effective guidance.

Personal Digital Hygiene
Your personal email account is your digital identity's master key. Enable MFA on all professional and personal accounts. Use unique, complex passwords managed through a password manager. Consider pseudonymous email addresses for sensitive subscriptions. Separate your litigation communications from personal browsing activities. The STOP framework applies: Slow down, Test suspicious contacts, Opt out of high-pressure conversations, and Prove identities through independent channels. Your personal security failures can compromise your professional obligations under Rule 1.6.

Practical Implementation Steps

There are five practical implementation steps lawyers can take today to make their practice cyber compliant!

First, conduct a technology audit to map every system that stores or accesses client information. Identify all third-party vendors and assess their security practices against industry standards.

Second, implement MFA across all systems immediately—this is one of the most effective and cost-efficient security controls available.

Third, develop written security policies covering password management, device encryption, remote work procedures, and incident response.

Fourth, train all firm personnel on these policies and conduct simulated phishing exercises to test awareness.

Fifth, review and update your engagement letters to include technology provisions and breach notification procedures.

Conclusion

The PornHub breach is not an isolated incident—it is a template for how modern attacks occur through third-party vendors. Your ethical duties under ABA Model Rules require proactive cybersecurity measures, not reactive responses after a breach. Technology competence under Rule 1.1, confidentiality protection under Rule 1.6, supervisory responsibilities under Rules 5.1 and 5.3, and breach response obligations under Formal Opinion 483 together create a comprehensive framework for protecting your practice and your clients. Cybersecurity is no longer an IT issue delegated to consultants; it is a core professional competency that affects your license to practice law. The time to act is before your firm appears in a breach notification headline.

📖 WORD OF THE WEEK (WoW): Zero Trust Architecture ⚖️🔐

Zero Trust Architecture and ABA Model Rules Compliance 🛡️

Lawyers need to "never trust, always verify" their network activity!

Zero Trust Architecture represents a fundamental shift in how law firms approach cybersecurity and fulfill ethical obligations. Rather than assuming that users and devices within a firm's network are trustworthy by default, this security model operates on the principle of "never trust, always verify." For legal professionals managing sensitive client information, implementing this framework has become essential to protecting confidentiality while maintaining compliance with ABA Model Rules.

The traditional security approach created a protective perimeter around a firm's network, trusting anyone inside that boundary. This model no longer reflects modern legal practice. Remote work, cloud-based case management systems, and mobile device usage mean that your firm's data exists across multiple locations and devices. Zero Trust abandons the perimeter-based approach entirely.

ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Zero Trust Architecture directly fulfills this mandate by requiring continuous verification of every user and device accessing firm resources, regardless of location. This approach ensures compliance with the confidentiality duty that forms the foundation of legal practice.

Core Components Supporting Your Ethical Obligations

Zero Trust Architecture operates through three interconnected principles aligned with ABA requirements.

Legal professionals, do you know the core components of modern cybersecurity?

  • Continuous verification means that authentication does not happen once at login. Instead, systems continuously validate user identity, device health, and access context in real time.

  • Least privilege access restricts each user to only the data and systems necessary for their specific role. An associate working on discovery does not need access to billing systems, and a paralegal in real estate does not need access to litigation files.

  • Micro-segmentation divides your network into smaller, secure zones. This prevents lateral movement, which means that if a bad actor compromises one device or user account, they cannot automatically access all firm systems.
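To make the three principles concrete, here is a small access-policy evaluator added for this post (it is not code from the post, from 8am, or from any vendor product). The roles, users, resources, zones and device-posture fields are assumptions constructed for the example; a real deployment would pull them from your identity provider and device-management agent.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Least privilege: each role sees only what its work requires.
# Roles, users, resources and zones below are constructed for this example.
ROLE_PERMISSIONS = {
    "litigation_associate": {"litigation_files"},
    "real_estate_paralegal": {"real_estate_files"},
    "billing_clerk": {"billing_system"},
    "managing_partner": {"litigation_files", "billing_system"},
}

# Micro-segmentation: a session is scoped to the zone it was verified into,
# so a compromised account cannot move sideways without fresh verification.
RESOURCE_ZONE = {
    "litigation_files": "litigation",
    "real_estate_files": "real_estate",
    "billing_system": "finance",
}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    mfa_verified: bool           # MFA completed for this session
    device_managed: bool         # enrolled in firm device management (assumed)
    disk_encrypted: bool         # posture reported by the device agent (assumed)
    session_zone: Optional[str]  # zone the session was verified into, if any

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Decide one request; the reason string is what goes in the audit log."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if not (req.device_managed and req.disk_encrypted):
        return False, "device_posture_failed"
    zone = RESOURCE_ZONE.get(req.resource)
    if zone is None:
        return False, "unknown_resource"
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "least_privilege_denied"
    if req.session_zone is not None and req.session_zone != zone:
        return False, "cross_zone_blocked"
    return True, "allowed"

def evaluate_session(requests: List[AccessRequest]) -> List[str]:
    """Continuous verification: the policy runs on every request, not once at
    login, so a posture change mid-session revokes access immediately."""
    return [evaluate(r)[1] for r in requests]

if __name__ == "__main__":
    # Constructed session: the associate's laptop reports disk encryption off
    # between the first and second request, then tries the billing system.
    session = [
        AccessRequest("a.smith", "litigation_associate", "litigation_files",
                      True, True, True, "litigation"),
        AccessRequest("a.smith", "litigation_associate", "litigation_files",
                      True, True, False, "litigation"),
        AccessRequest("a.smith", "litigation_associate", "billing_system",
                      True, True, True, "litigation"),
    ]
    for req, reason in zip(session, evaluate_session(session)):
        print(f"{req.user} -> {req.resource}: {reason}")
```

The managing partner case shows segmentation working independently of least privilege: even a role entitled to the billing system is refused when the session was verified into the litigation zone, and the reason strings are what you would keep as the documented "reasonable efforts" under Rule 1.6(c).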

ABA Model Rule 1.1, Comment 8 requires that lawyers maintain competence, including competence in "the benefits and risks associated with relevant technology." Understanding Zero Trust Architecture demonstrates that your firm maintains technological competence in cybersecurity matters. Additional critical components include multi-factor authentication, which requires users to verify their identity through multiple methods before accessing systems. Device authentication ensures that only approved and properly configured devices can connect to firm resources. End-to-end encryption protects data both at rest and in transit.

ABA Model Rule 1.4 requires lawyers to keep clients "reasonably informed about significant developments relating to the representation." Zero Trust Architecture supports this duty by protecting client information and enabling prompt client notification if security incidents occur.

ABA Model Rules 5.1 and 5.3 require supervisory lawyers and managers to ensure that subordinate lawyers and non-lawyer staff comply with professional obligations. Implementing Zero Trust creates the framework for effective supervision of cybersecurity practices across your entire firm.

Addressing Safekeeping Obligations

ABA Model Rule 1.15 requires lawyers to "appropriately safeguard" property of clients, including electronic information. Zero Trust Architecture provides the security infrastructure necessary to meet this safekeeping obligation. This rule mandates maintaining complete records of client property and preserving those records. Zero Trust's encryption and access controls ensure that stored records remain protected from unauthorized access.

Implementation: A Phased Approach 📋

Implementing Zero Trust need not happen all at once. Begin by assessing your current security infrastructure and identifying sensitive data flows. Establish identity and access management systems to control who accesses what. Deploy multi-factor authentication across all applications. Then gradually expand micro-segmentation and monitoring capabilities as your systems mature. Document your efforts to demonstrate compliance with ABA Model Rule 1.6(c)'s requirement for "reasonable efforts."

Final Thoughts

Zero Trust Architecture transforms your firm's security posture from reactive protection to proactive verification while ensuring compliance with essential ABA Model Rules. For legal practices handling confidential client information, this security framework is not optional. It protects your clients, your firm's reputation, and your ability to practice law with integrity.