
The Compliance Question

On CRMs, client confidentiality, and the duty of care.

No Name
Contributor

When a partner asks whether a CRM is compliant, what they usually mean is something more specific. Will the firm be embarrassed? Will the bar association call? Will the malpractice carrier raise rates?

What the Rules Actually Say

Model Rule 1.6 requires that a lawyer make reasonable efforts to prevent the unauthorized disclosure of client information. The standard is not perfection; it is reasonableness, judged by the standards of practice in the jurisdiction.

That standard has shifted in the last decade. A firm that stores client data in plain email is now, plausibly, in violation. A firm that uses a properly configured CRM with encryption at rest, role-based access, and SOC 2 certification is, almost universally, compliant.

What to Verify

Before the firm chooses a platform, three questions:

  • Where is data stored, and is it encrypted at rest and in transit?
  • Who has access, and can the firm restrict it by user role?
  • Is the vendor SOC 2 Type II certified, and can they produce the report?

If the answers are credible, the firm has met the reasonableness standard. If they are evasive, the firm should look elsewhere.


The Conflict Question

A separate concern: the CRM should support a reliable conflict-check workflow. This is less about the software than the practice — but the software either makes it easy or impossible. Choose the easy one.

The Last Word

Compliance is not a feature to be checked off. It is a posture maintained over years. The CRM the firm picks today should still be defensible, in front of disciplinary counsel, ten years from now.
