Key Documents for Lawyers Developing Vendor-Neutral AI Strategies
California
State Bar of California — Ethics Opinions Related to Technology
Central hub for California ethics opinions addressing competence, confidentiality, and the use of technology in legal practice.
Ethics Opinions Related to Technology | The State Bar of California
California State Bar Formal Opinion No. 2010-179
Foundational California opinion on cloud computing, reasonable security measures, and lawyer supervision of technology vendors.
California State Bar Formal Opinion No. 2020-203 (Data Breaches)
Addresses lawyer duties to prevent, respond to, and remediate data breaches affecting client information.
California Department of Justice — CCPA / CPRA Privacy Resources
Official California privacy-law guidance that informs expectations around data security and breach analysis, without displacing professional-responsibility duties.
https://oag.ca.gov/privacy/ccpa
American Bar Association
ABA Formal Opinion 477R — Securing Communication of Protected Client Information
Explains when heightened security measures are ethically required based on the sensitivity of client information and risk context.
ABA Formal Opinion 477R: Securing communication of protected client information
ABA Formal Opinion 498 — Virtual Practice
Addresses cloud-based practice management, remote work, and technology-enabled law firm operations.
aba-formal-opinion-498.pdf
ABA Formal Opinion 512 — Generative AI Tools
Addresses lawyer competence, confidentiality, supervision, and communication duties when using generative AI and similar tools.
aba-formal-opinion-512.pdf
Security & Risk Framework Evaluation
OECD Privacy Guidelines
Jurisdiction-neutral principles.
https://www.oecd.org/digital/privacy/
AICPA — SOC 2® Overview
Explanation of what SOC 2 represents.
SOC 2® - SOC for Service Organizations: Trust Services Criteria | AICPA & CIMA
CIS Critical Security Controls v8 / v8.1
Widely used across industries to evaluate safeguards.
https://www.cisecurity.org/controls
NIST Cybersecurity Framework (CSF) 2.0
Risk-based framework covering governance, protection, detection, response, and recovery.
https://www.nist.gov/cyberframework
NIST SP 800-53 Rev. 5 — Security and Privacy Controls
Canonical control catalog used by many technology vendors to map their security programs.
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST SP 800-53B — Control Baselines
Defines baseline security expectations across different system types and risk environments.
https://csrc.nist.gov/publications/detail/sp/800-53b/final
NIST SP 800-61 Rev. 3 — Incident Response Guide
Practical guidance underlying the CSF “Respond” and “Recover” functions, useful for evaluating whether vendors have a credible incident-response capability.
https://csrc.nist.gov/publications/detail/sp/800-61/rev-3/final
NIST Privacy Framework 1.0
Risk-based approach to privacy governance that complements lawyer confidentiality obligations.
https://www.nist.gov/privacy-framework

