Below are links to Useful Documents for Law Firms Developing AI & Cloud Strategies
Legal Ethics
California
State Bar of California — Ethics Opinions Related to Technology
Central hub for California ethics opinions addressing competence, confidentiality, and the use of technology in legal practice.
Ethics Opinions Related to Technology | The State Bar of California
California State Bar Formal Opinion No. 2010-179
Foundational California opinion on cloud computing, reasonable security measures, and lawyer supervision of technology vendors.
California State Bar Formal Opinion No. 2020-203 (Data Breaches)
Addresses lawyer duties to prevent, respond to, and remediate data breaches affecting client information.
American Bar Association
ABA Formal Opinion 477R — Securing Communication of Protected Client Information
Explains when heightened security measures are ethically required based on the sensitivity of client information and risk context.
ABA Formal Opinion 477R: Securing communication of protected client information
ABA Formal Opinion 498 — Virtual Practice
Addresses cloud-based practice management, remote work, and technology-enabled law firm operations.
aba-formal-opinion-498.pdf
ABA Formal Opinion 512 — Generative AI Tools
Addresses lawyer competence, confidentiality, supervision, and communication duties when using generative AI and similar tools.
aba-formal-opinion-512.pdf
Privacy
California Department of Justice — CCPA / CPRA Privacy Resources
Official California privacy-law guidance that informs expectations around data security and breach analysis, without displacing professional-responsibility duties.
https://oag.ca.gov/privacy/ccpa
Security & Risk Framework Evaluation
OECD Privacy Guidelines
Jurisdiction-neutral principles.
https://www.oecd.org/digital/privacy/
AICPA — SOC 2® Overview
Explanation of what SOC 2 represents.
SOC 2® - SOC for Service Organizations: Trust Services Criteria | AICPA & CIMA
CIS Critical Security Controls v8 / v8.1
Widely used across industries to evaluate safeguards.
https://www.cisecurity.org/controls
NIST Cybersecurity Framework (CSF) 2.0
Risk-based framework covering governance, protection, detection, response, and recovery.
https://www.nist.gov/cyberframework
NIST SP 800-53 Rev. 5 — Security and Privacy Controls
Canonical control catalog used by many technology vendors to map their security programs.
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST SP 800-53B — Control Baselines
Defines baseline security expectations across different system types and risk environments.
https://csrc.nist.gov/publications/detail/sp/800-53b/final
NIST SP 800-61 Rev. 3 — Incident Response Guide
Practical guidance underlying the CSF “Respond” and “Recover” functions, useful for evaluating whether vendors have a credible incident-response capability.
https://csrc.nist.gov/publications/detail/sp/800-61/rev-3/final
NIST Privacy Framework 1.0
Risk-based approach to privacy governance that complements lawyer confidentiality obligations.
https://www.nist.gov/privacy-framework
Practical Due Diligence Tools
Multi-Jurisdiction Ethics List & General Ethics + Tech Primer
https://www.clio.com/blog/cloud-computing-lawyers-ethics-opinions/
https://www.clio.com/blog/lawyers-ethics-technology/
ABA Tech Report
https://www.americanbar.org/groups/law_practice/resources/tech-report/
https://www.legalfuel.com/download/quick-start-guide-on-cloud-computing/
Security Checklists & Questionnaires for SaaS Vendors
https://www.leanix.net/en/wiki/apm/saas-security-checklist-and-assessment-questionnaire
https://travasecurity.com/saas-security-assessment-questionnaire/
https://cloudsecurityalliance.org/research/guidance
https://ironcorelabs.com/blog/2021/checklist-fast-evaluation-of-saas-security/
Additional Reading
2024 Resource Guide by New York City Bar
https://www.nycbar.org/wp-content/uploads/2024/10/20221360_Small_Firm_Report_Resources_Guide.pdf

