by Nicole Nuzzo

In the post-COVID era, remote work has become an expectation for most employees and a necessary evil for employers, applying equally to staff and attorney positions. All attorneys know of their obligation to practice law competently and to maintain confidentiality; they are perhaps the two most universally recognized rules of professional conduct.

That said, many attorneys view “competence” and “confidentiality” solely in terms of having the knowledge, skill, and experience to take on matters and keeping quiet at cocktail parties about client information. In doing so, they often overlook the equally important need to maintain competency and confidentiality in the day-to-day realities of practicing law remotely as the profession and technology continue to evolve.

This article addresses the ethical requirements and best practices of an attorney who chooses to work remotely. This article does not address the tall task of supervising lawyers who choose to permit remote work, which was addressed in the November 2025 Ethically Speaking column. See Todd Smith, Can I Speak to Your Manager: Ethical Considerations for Attorney Supervisors, Managers and Their Subordinates, Orange County Lawyer, November 2025, p.61.

Duty of Confidentiality
A lawyer may not reveal confidential information unless the client gives informed consent; the disclosure is impliedly authorized to carry out the representation; or one of the specific and limited exceptions applies, such as preventing violent criminal activity or prosecuting or defending a dispute between lawyer and client, for example. Mark L. Tuft et al., California Practice Guide: Professional Responsibility and Liability, Par. 7:85 (2024-2025 ed.). This rule also requires an attorney to take reasonable steps to protect confidentiality when using technology, transmitting information, or working remotely. Cal. Rules. of Pro. Conduct 1.6; Cal. State Bar, Formal Op. 2023-208 (2023).

Although predating widespread remote work/cloud practice, in 2010, the State Bar of California Standing Committee on Professional Responsibility and Conduct (COPRAC) addressed the question whether using a computer (accessible by others), third-party software, or public/home wireless networks violated the rules of professional conduct and opined that the practice itself did not necessarily violate any rules of professional conduct. Cal. State Bar, Formal Op. 2010-179 (2010).

COPRAC did caution attorneys that, prior to using any technology for storing or transmitting confidential client information, a lawyer must assess security, sensitivity, risk of unauthorized access, urgency of the situation, legal ramifications to third parties who may intercept, the client’s instructions and circumstances, and potential client harm from inadvertent disclosure. Thereafter, an attorney is required to take reasonable precautions to mitigate risks, such as encrypting emails, enabling firewalls, setting up password protection features on mobile devices, reviewing vendor practices, and ensuring that vendors are properly vetted. Importantly, COPRAC made clear there is no one-size-fits-all rule. Id. Rather, a lawyer must look at what is reasonable and reassess often as technological advances occur to ensure that a lawyer’s professional duties in the digital age are always met. Id.

In 2020, COPRAC again addressed remote work and the expansion of how lawyers were storing data. Cal. State Bar, Formal Op. 2020-203 (2020). The opinion focused on electronically stored confidential client information and a lawyer’s duties under Rule 1.6 when storing information in this fashion. Lawyers storing or transmitting client data electronically must identify risks of unauthorized access, take reasonable steps to secure the data, monitor systems, and respond appropriately to any breach. Id.

This opinion emphasizes the reasonableness of security and breach-response, which remains especially important for a remote law practice where a lawyer may be using cloud storage and VPNs. This opinion is clear, however, that there is not a bright line rule on the issue—again, emphasizing reasonableness. Id.

As remote work became more common, COPRAC updated its guidance in formal opinion 2023-208, which reiterates that remote or home-office practice is ethically permissible so long as all duties, including but not limited to confidentiality (Rule 1.6), competence (Rule 1.1), communication (Rule 1.4), and supervision (Rules 5.1–5.3) are maintained. Cal. State Bar, Formal Op. 2023-208 (2023).

Home-office environments impose unique risks due to shared devices, family and friend access, wireless printers, unsecured wireless networks, and more. A lawyer choosing to work in a remote or home office must address appropriate and reasonable safeguards of confidential client information such as encryption, use of VPNs, auto-logoff, and separate user accounts.

Duty of Competence
The California Rule of Professional Conduct 1.1 requires lawyers to maintain technological competence, meaning they must understand, among other things, relevant technology’s benefits and risks to provide effective representation, protect client data, and keep up with legal practice changes, often involving e-discovery, data security, email communication, electronic transmittal of data, and workflows, necessitating ongoing learning to handle digital tools and challenges. See Cal. Rules of Pro. Conduct r. 1.1, cmt. 1.

While the rule does not demand that every attorney become a technology expert, the rule does require attorneys to pursue continuing legal education to meet their ethical obligations and, when appropriate, to seek assistance from qualified professionals. Cal. State Bar, Formal Op. 2012-184 (2012); Cal. State Bar, Formal Op. 2010-179 (2010).

In determining what duties an attorney has to protect confidential information, a lawyer must competently determine what is reasonable. COPRAC’s formal opinion 2020-203 cites ABA formal Opinion No. 18-483 which provides a useful list of duties that explains the requirement of “reasonable efforts.” This includes but is not limited to monitoring for data breaches via external vendors and office resources, to act reasonably to stop a data breach if it were to occur, and to investigate what occurred so that lawyers can competently handle the situation and notify clients. Cal. State Bar, Formal Op. 2020-203 (2020) (citing ABA Formal Op. 18-483 (2018)).

It is important to note that there is no bright-line rule, and, again, COPRAC made clear that specific security measures are not necessarily required, and rather the precise measures taken will depend on the circumstances. In sum, a legal standard of “reasonable” security is emerging and should be competently addressed, which requires an attorney to have a basic understanding of the protections afforded by certain technology and, where necessary, to consult with a technology consultant or expert. Cal. State Bar, Formal Op. 2020-203 (2020).

Prudent attorneys should schedule regular meetings with their technology experts to ensure that reasonable security measures are being taken based upon the attorney’s practice, along with advancements and risks relating to technology used. An attorney may also consider including in their retainer agreement a disclosure to clients of the technology used, the risks associated with it, and measures the lawyer is taking to provide reasonable assurances and security to the client.

Nicole Nuzzo is founder of Nuzzo Law, APC. She has been designated as a Certified Family Law Specialist by the State Bar of California’s Board of Legal Specialization and is a member of the OCBA Professionalism and Ethics Committee. She can be reached at Nicole@nuzzolaw.com.