A paralegal at a three-attorney firm sends a draft settlement agreement to a client through her personal Gmail. A junior associate pastes deposition notes into ChatGPT to draft a summary. A partner stores client files in his personal Dropbox because the firm’s document management system “feels slow.” None of these people thought they were doing anything wrong. And that’s exactly the problem.

The Problem: Most Law Firm AUPs Were Written for a Different Era

If your firm has a technology acceptable use policy (AUP) at all, there’s a good chance it came from one of three places: a bar association template from 2015, a document your IT provider handed over when they set up your network, or a policy another attorney friend emailed you years ago.

Those sources aren’t inherently bad. But the technology at small law firms has changed dramatically - and most policies haven’t kept pace.

Personal devices are now a standard part of how attorneys and staff communicate with clients. Cloud-based file storage and practice management tools have replaced on-premise servers at many firms. And generative AI tools like ChatGPT, Copilot, and Google Gemini are being used by staff at firms that have no idea it’s happening.

An outdated AUP doesn’t just leave gaps in your security posture. It leaves gaps in your accountability structure. If a breach occurs - or a bar complaint gets filed - and you can’t demonstrate that you had a clear, enforced policy in place, the absence of that documentation works against you.

Here’s what’s typically missing from the policies we see when we onboard a new law firm client: any mention of personal devices, any mention of cloud storage rules, and any mention of AI. In 2025, those aren’t edge cases. They’re everyday realities.

Why This Matters for Law Firms Specifically

Attorneys operate under some of the most specific technology obligations in any profession. The ABA’s Model Rule 1.6 requires competent measures to prevent unauthorized disclosure of client information - and the ABA’s formal opinions have made clear that “competent” includes understanding the technology your firm uses.

California attorneys answer to the State Bar of California, which has issued its own guidance on competence and technology under California Rules of Professional Conduct Rule 1.1. The CCPA adds another layer: if your firm collects personal information from California residents (and if you practice in California, you almost certainly do), you have data handling obligations that require documented policies.

Beyond bar rules, there’s the practical exposure. Small law firms are frequent targets for phishing attacks and business email compromise. Cybercriminals know that attorneys handle high-value wire transfers and sensitive documents - and that many small firms run lean IT operations. The IBM Cost of a Data Breach Report consistently shows that organizations without documented security policies face higher breach costs and longer recovery times.

A technology AUP isn’t just an IT formality. It’s a legal document that establishes baseline expectations for everyone who touches your firm’s systems. It matters in the event of a breach. It matters in a disciplinary proceeding. It matters if a client sues for malpractice following a data exposure. Don’t treat it like a checkbox.

How to Build an AUP That Actually Fits a Small Law Firm in 2025

A well-constructed AUP for a small law firm doesn’t need to be 40 pages long. It needs to be specific, readable, and signed. Here are the provisions it must address:

Approved and prohibited devices. Define what devices may be used to access firm systems and client data. If you allow personal devices - and most small firms do - spell out the requirements: screen locks, up-to-date operating systems, enrollment in mobile device management (MDM) if applicable, and prohibition on storing client files locally on personal hardware.

Email and client communication rules. Name your approved platforms. If your firm uses Microsoft 365 or Google Workspace for Business, say so. Make clear that personal email accounts - Gmail, Yahoo, personal Apple Mail - may not be used for client communications or to transmit confidential information. This provision alone addresses one of the most common data exposure scenarios we see.

Cloud storage and file sharing. Name your approved platforms explicitly - and explicitly prohibit the alternatives. Personal Dropbox, personal Google Drive, iCloud, and similar consumer-grade services are not appropriate for client files. Your policy should name what’s approved and state clearly that everything else is off-limits, no exceptions.

AI tools and generative AI platforms. This is the section most firms are missing entirely. Your AUP must address the use of AI tools - and specifically must prohibit the input of client names, case details, privileged communications, or any confidential information into unapproved generative AI platforms. Tools like ChatGPT and Google Gemini are not confidential environments. Data submitted to them may be used for model training. If your firm hasn’t approved a specific AI tool after reviewing its data handling terms, it doesn’t belong in your workflow.

Password and access requirements. Set minimum standards: multi-factor authentication (MFA) on all firm systems, no shared passwords, no reuse of firm credentials on personal accounts.

Incident reporting. Tell staff what to do when something goes wrong - a suspicious email, a lost device, an accidental disclosure. The faster you know, the faster you can respond.

Consequences. An AUP without consequences isn’t enforceable. State clearly that violations may result in disciplinary action, and for attorneys, may implicate professional conduct obligations.

What to Look for in an IT Partner for Policy Development

Your IT provider should be doing more than keeping the lights on. If you’re evaluating a managed services provider (MSP) to help your firm develop or update its AUP, ask these questions:

  • Have you worked with law firms specifically? Do you understand attorney-client privilege, bar rules, and the applicable state ethics requirements?
  • Can you help us identify every platform and tool currently in use at the firm - including shadow IT and personal devices - before we write the policy?
  • Do you offer annual policy review as part of your service? Technology changes fast. A policy written today needs to be revisited.
  • Can you help us implement acknowledgment tracking, so we have a record of every person who has read and signed the AUP?
  • Do you have a process for flagging when a new tool (including an AI tool) needs to be evaluated before staff starts using it?

An IT partner who can’t answer these questions clearly probably hasn’t worked much with professional services firms.

The Bottom Line

Your firm’s technology acceptable use policy is a legal and operational document - not a formality. If it doesn’t address personal devices, cloud storage, and AI tools, it doesn’t reflect how your firm actually operates in 2025. Write the policy your firm needs. Get it signed. Review it every year. And make sure the people who need to follow it have actually read it.
Frequently Asked Questions

What should a law firm’s acceptable use policy include?

A law firm AUP should cover approved and prohibited devices, rules for client communications and email, approved cloud storage platforms, AI tool restrictions, password and MFA requirements, and an incident reporting process. It should also state consequences for violations. The policy needs to reflect how your firm actually operates - not how it operated five years ago.

Do small law firms need a technology acceptable use policy?

Yes. Bar rules in most states, including California Rules of Professional Conduct Rule 1.1, require attorneys to maintain competence in the technology they use to handle client matters. An AUP is one of the primary ways firms document that they’ve set and enforced reasonable standards for handling confidential information. It also matters if a breach occurs and you need to demonstrate that reasonable safeguards were in place.

Can law firm staff use ChatGPT or other AI tools for client work?

Not without a formal review and approval process. Consumer-facing AI tools like ChatGPT are not confidential environments. Inputting client names, case facts, or privileged communications into an unapproved AI platform may violate Model Rule 1.6 and equivalent state rules. Firms should evaluate any AI tool’s data handling terms before approving it for use, and the AUP should explicitly prohibit unapproved AI platforms for client-related work.

How often should a law firm update its acceptable use policy?

At minimum, annually - and any time a significant new tool, platform, or technology is adopted at the firm. AI tools, new cloud services, and changes in remote work practices all create policy gaps if the AUP isn’t updated to address them. Many firms also find it useful to review the policy after any security incident, even a minor one, to identify whether the policy needed to be clearer.
If you’re working through acceptable use policy and cybersecurity compliance challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.