Legacy Core™

Regulatory context

Law Firms

Attorneys and law practices handling client confidential information

Binding framework

ABA Model Rules 1.1 (Competence) and 1.6(c) (Confidentiality); California Rule of Professional Conduct 1.6

Every California attorney is under an active professional conduct obligation to make reasonable efforts to prevent unauthorized disclosure of client information — that is a bar ethics requirement, not a best-practice suggestion.

Key obligations (summary)

  • Technological competence including cybersecurity risks relevant to client data
  • Reasonable efforts to prevent unauthorized access or disclosure of client information
  • Competent response to breaches and client notification where required (ABA Formal Op. 483)
  • Assessment of electronic communication methods for client data (ABA Formal Op. 477R)

How Legacy Core fits

Legacy Core helps firms document and communicate cybersecurity readiness practices clients and carriers increasingly ask about. It is not a bar ethics opinion, malpractice safe harbor, or compliance certification.

Do not claim

  • · Legacy Core satisfies ABA or State Bar cybersecurity formal opinions
  • · California State Bar issued a 2025–26 cybersecurity formal opinion (not confirmed in research)

Primary sources

Confidence: HIGH. Last reviewed 2026-07-13.

Boundary

What a Legacy Core credential does not attest to

A Trust Badge documents demonstrated readiness against a dated Standards Release (assessment basis: NIST CSF 2.0 and CIS Controls v8). It is not a substitute for industry-specific legal or regulatory obligations.

  • FTC Safeguards Rule or WISP compliance (CPAs / tax preparers)
  • HIPAA compliance or OCR audit readiness (medical / dental)
  • ABA or State Bar ethics sign-off (attorneys)
  • SEC Regulation S-P compliance (investment advisers)
  • NAIC Insurance Data Security Model Law (including in California — not adopted)
  • CCPA cybersecurity audit certification (threshold-gated regulation)
  • Cyber insurance approval or claim guarantee
  • Penetration test, SOC 2, CMMC, or government endorsement

Legacy Core is aligned with NIST CSF 2.0 and CIS Controls v8. Legacy Core is not affiliated with, endorsed by, or accredited by NIST, CIS, or any government agency. Tracking a framework does not constitute a determination of legal or regulatory compliance.

Industry-specific obligations by vertical: Regulatory context guides

Law Firms — Regulatory Context | Legacy Core | Legacy Core