In 2012, the ABA House of Delegates added a single sentence to the comment on Model Rule 1.6. A lawyer's duty of competence, the comment said, includes keeping abreast of "the benefits and risks associated with relevant technology." Forty states have adopted some version of the rule since.
For most of those years, the rule was aspirational. State bars did not write opinions interpreting it. Disciplinary committees did not bring cases on it. Insurance underwriters did not ask about it. The rule existed; it did not bite.
That has changed in the last three years. Florida issued a binding opinion on technology competence in 2023. California followed in 2024. Illinois — relevant to me as a Chicago-area consultancy — published a formal opinion in late 2024 that read more like an audit framework than an ethics interpretation. Other states are following. The rule has teeth now.
This is the practical version of what changed.
What "competence" used to mean
For a decade after the 2012 amendment, competence with technology was understood loosely. A partner who could send email and use a DMS was competent. A firm that had a managed-service provider for IT was, by extension, also competent — the MSP was the technology, the firm was the law.
State bars did not push back on that reading because the loss patterns had not yet driven the question into focus. The leading cases on technology competence, where they existed, were about specific narrow questions: cloud storage of client material, the use of email for privileged communication, encryption obligations under specific contractual regimes. The frame was permissive: if the firm could articulate a reasonable decision, the decision stood.
What "competence" means now
The state opinions of the last three years have moved the frame. Competence is no longer about whether the firm made a reasonable decision. It is about whether the firm can demonstrate that it understood the decision when it made it.
The Illinois opinion is the clearest example. It does not say a firm must use any particular technology, or avoid any particular technology. It says a firm must be able to articulate — in writing, on request — why its current configuration is the one it chose, what the alternatives were, and what threat model the choice was made against. A firm that inherited its configuration from a managed-service provider and never reviewed it cannot make that articulation. That, in the Illinois opinion, is the failure of competence.
The frame is procedural. The duty is not to choose the right technology. The duty is to have done the work of choosing.
This matters because it changes what a firm has to be able to produce. A firm under the old reading could be competent by being lucky — having a reasonable configuration the firm could not actually explain. A firm under the new reading cannot. The documentation is the competence.
What the work looks like in practice
Three categories of decision are now load-bearing in this frame.
Document management. The DMS configuration — retention defaults, ethical-wall enforcement, audit-trail design, access controls — is the technical implementation of professional-responsibility obligations the firm holds anyway. A firm that cannot articulate why retention is configured the way it is, or how ethical walls are enforced at the system level, has not done the competence work.
AI and external services. The most aggressive enforcement frontier is the use of AI tools and cloud-based services that handle privileged material. A partner using a public model for legal research is making a decision about where privileged material flows. The duty of competence requires understanding that decision and being able to defend it. Most firms have no written policy on this. They will need one.
Vendor and sub-processor mapping. Every cloud-based tool a firm uses, from billing to time tracking to e-filing, is a place client data lives. A firm's duty of competence under the new frame includes knowing where the data lives, who has access, and what happens if any of those vendors has an incident. This work — written down, sub-processors mapped, contracts reviewed — is now the competence floor for firms operating under the more aggressive state opinions.
The argument that wins inside a firm
The argument that lands with partners is usually not the disciplinary risk argument. Disciplinary action under Rule 1.6 is rare and the worst-case outcomes are typically professional rather than catastrophic.
The argument that lands is the convergence argument. Three pressures are pointing at the same documentation work — enterprise client security questionnaires, cyber insurance underwriting, and the state-bar competence opinions. Each one, on its own, would justify the work. All three converging on the same firm at the same time make the work load-bearing.
A firm that produces the written technology posture once, with a defensible threat model and a quarterly review cadence, satisfies all three pressures at once. The same forty-page document answers the enterprise questionnaire, supports the cyber underwriting application, and demonstrates the firm has done the competence work the state bar now expects.
The cost of producing it once is real but bounded. The cost of trying to address the three pressures separately, in three different documents that contradict each other across vendors, is the trap most firms are still operating inside.
The Illinois opinion is, by design, an audit framework. It is also, in practice, a procurement framework, an insurance framework, and an enterprise-onboarding framework. The work is the same work. The firm that has done it once is operating against a rule that bites. The firm that has not is operating against the version of the rule from before that happened.

