The information provided in this article is for educational and informational purposes only and does not constitute legal, financial, or tax advice. No attorney-client relationship is formed by reading this content. Laws and regulations vary by jurisdiction and change frequently; always consult with a qualified professional regarding your specific situation. The author and publisher assume no liability for any actions taken based on this information.
- Cybersecurity guidance for lawyers often comes from several layers of rules
- The ABA Cybersecurity Handbook is an ABA-published resource for the legal profession
- The ABA Annual Meeting in 2013 included cybersecurity-related policy work
- Federal and state rules can apply differently during a data incident
- State breach notification laws are a major piece of the picture for many organizations
- Some federal rules apply in specific industries rather than across the board
- Confusion is common because cybersecurity law is not one single statute
- Reviews, complaints, and enforcement can follow separate tracks
Key Facts
- Federal and state: Cybersecurity obligations affecting lawyers often come from a mix of state laws, federal sector-specific rules, and contracts or client requirements.
- Federal and state: The ABA publishes the ABA Cybersecurity Handbook as a resource for attorneys, law firms, and business professionals.
- Federal and state: ABA product descriptions for the handbook state that it covers the threat landscape and discusses legal requirements and ethical issues connected to cybersecurity.
- Federal and state: ABA cybersecurity materials identify the ABA Cybersecurity Legal Task Force as a source of ABA cyber resources, including books and policy materials.
- Federal and state: ABA policy materials state that Report and Resolution 118 was adopted at the 2013 ABA Annual Meeting in San Francisco in August 2013 and addressed intrusions into computer systems and networks used by lawyers and law firms.
- State level: The Federal Trade Commission states that all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted breach notification legislation involving certain security breaches of personal information.
- State level: The Federal Trade Commission describes state breach notification rules as varying across jurisdictions and often affecting the timing and content of required notices.
- Federal level: Federal rules may impose security and reporting duties in certain industries, such as the Federal Trade Commission Safeguards Rule for covered financial institutions under 16 C.F.R. Part 314.
As of February 2026, cybersecurity and data-breach rules continue to change, and the details often depend on the state and the type of information involved.
Cybersecurity guidance for lawyers often comes from several layers of rules
Cybersecurity issues in legal work often involve more than “computer security.” A law office can hold client documents, financial records, and other sensitive information, and a cyber incident can create legal, professional, and business consequences at the same time.
Some sources are law, such as state breach notification statutes and certain federal regulations. Other sources are not law by themselves but can still matter in practice, such as bar-association publications and client-driven security requirements.
The ABA Cybersecurity Handbook is an ABA-published resource for the legal profession
The ABA publishes the ABA Cybersecurity Handbook as a resource for attorneys, law firms, and business professionals. In the ABA’s product description for the third edition, the handbook is described as addressing the cybersecurity threat landscape, explaining how the technology works, and discussing legal requirements and ethical issues.
The ABA Annual Meeting in 2013 included cybersecurity-related policy work
ABA policy materials describe the ABA House of Delegates adopting Report and Resolution 118 at the 2013 ABA Annual Meeting in San Francisco in August 2013. Those same materials describe the resolution as condemning intrusions into computer systems and networks used by lawyers and law firms.
Even though resolutions do not automatically create a new state or federal law, they can help show what a national professional organization is focusing on and why certain topics appear in legal education and professional discussions.
Federal and state rules can apply differently during a data incident
In the United States, data security and breach response are often shaped by state laws and by federal rules that apply only in specific sectors. The result is often a patchwork, where obligations depend on the location of affected people, the type of information involved, and the type of organization that holds it.
State breach notification laws are a major piece of the picture for many organizations
The Federal Trade Commission explains that every state, the District of Columbia, Puerto Rico, and the Virgin Islands has enacted legislation requiring notification of certain security breaches involving personal information. The FTC also describes these laws as varying by jurisdiction and notes that they can affect items like the content and form of a notice.
Some federal rules apply in specific industries rather than across the board
Federal obligations can arise from sector-based laws and regulations. For example, the FTC has issued the Standards for Safeguarding Customer Information, commonly called the Safeguards Rule, in 16 C.F.R. Part 314 for certain financial institutions.
The FTC also notes that a data incident can trigger other legal frameworks depending on the kind of data involved, including rules that address certain health-related information in specific contexts.
Confusion is common because cybersecurity law is not one single statute
One common misunderstanding is the idea that “data breach law” is a single nationwide code. In practice, the rules are often jurisdiction-specific, sector-specific, or both.
Another frequent issue is mixing up (1) a security problem, (2) a legal notification duty, and (3) professional responsibility concerns. These topics can overlap, but they are not identical, and they can be governed by different authorities.
Reviews, complaints, and enforcement can follow separate tracks
After a cybersecurity incident, more than one process may exist at the same time. A state attorney general, a federal regulator, and private parties in civil litigation can each have different legal roles, different standards, and different remedies.
Separately, professional discipline systems are generally controlled by state bar authorities and state courts, and they can focus on professional conduct issues that are not the same as regulatory enforcement standards.