Why every law firm needs a computer‑use policy

1) Ethics and client trust. Lawyers must understand the benefits and risks of the technology they use and keep client data secure. That is not optional. ABA Model Rule 1.1, Comment 8, makes understanding the benefits and risks of relevant technology part of competence, and ABA Formal Opinion 477R calls for “reasonable efforts” to safeguard client communications. Your policy is therefore not just HR paperwork. It is part of your ethical compliance plan.

2) Breach reality. If something goes wrong, you will have to investigate, remediate, and likely notify affected clients; ABA Formal Opinion 483 spells out those post‑breach duties. A policy sets expectations before the fire drill and is evidence that you took reasonable steps. (ABA Journal)

3) Monitoring rules exist. Some jurisdictions require you to tell employees that you monitor email, web, or messages. New York, Connecticut, and Delaware all have notice laws; New York, for example, requires written notice that each new hire acknowledges, plus a notice posted where employees can see it. Your policy and onboarding materials need to say so clearly.

4) Labor law guardrails. If your rules are so broad that employees could reasonably read them as barring discussion of wages or working conditions, you can run into trouble with the NLRB, which treats those discussions as protected concerted activity. Write your policy with that in mind.

5) Privacy laws are catching up to the office. In California, employee and applicant data now fall under the CPRA, so you need privacy notices and a process for handling employee requests. Your IT rules and your privacy notices should line up. (Sullivan & Cromwell)


What to put in the policy

Think like a lawyer writing jury instructions. Clear. Specific. No jargon that needs a decoder ring.

Scope and ownership

  • Firm‑owned equipment and accounts are for work. Small firms often allow “reasonable personal use,” like checking on a lunch delivery. If you allow it, set limits. If you do not, say so.
  • “No expectation of privacy.” Explain that the firm may access, monitor, log, and review activity on firm devices, networks, and accounts at any time, consistent with applicable law and any notice requirements. Provide the notice in onboarding and post it where people will see it.

Acceptable and unacceptable use

  • Examples of permitted use. Work communications, research, approved cloud apps, client work.
  • Examples of prohibited use. Illegal downloads, circumvention of security, storing firm data on personal drives, harassment, discriminatory content, unlicensed software, crypto mining, anything that would embarrass the firm on the front page.

Security controls

  • Passwords, MFA, device encryption, VPN usage, screen‑locking, approved storage locations, and phishing reporting.
  • Software. Install only what IT approves. Updates are mandatory.
  • Data handling. No client data on personal cloud storage, USB sticks, or generative AI tools without approval and safeguards. Your ethical duty to secure client communications lives here.

Internet and social media

  • Large firms often implement technical controls like secure web gateways or category filters that limit entertainment, shopping, adult content, and risky file‑sharing. Smaller firms may rely on policy plus spot checks. Either way, define the rule and the exceptions.
  • Spell out role‑based exceptions. Marketing needs social. Recruiting uses LinkedIn. Create an exception process so people are not tempted to work around controls.

Email, messaging, and collaboration tools

  • Business records live here. Prohibit auto‑forwarding to personal accounts.
  • Say what is logged. Say who can access logs and under what authority.

BYOD – Bring Your Own Device – and remote work

  • If you allow personal devices, require mobile device management or a secure container. Explain what the firm can and cannot see, and that a lost device may be remotely wiped.
  • Public Wi‑Fi requires the VPN. Kitchen‑table laptops require the same controls as office machines. ABA guidance on virtual practice (Formal Opinion 498) backs you up.

Incident reporting

  • How to report a lost laptop, malware click, or suspected breach. No blame for quick reporting. Lots of blame for hiding it.

Retention and off‑boarding

  • Return of equipment, account disablement, and data hand‑off procedures.
  • Wipe and disposal standards.

Acknowledgment

  • Require a signed acknowledgment on day one and again after any major update.


Consequences if someone breaks the rules

Make the ladder clear, then climb it consistently.

  • Coaching for minor first‑time issues.
  • Written warning for repeated or more serious violations.
  • Suspension or termination for serious misconduct, security bypasses, data exfiltration, or illegal activity.
  • Reporting obligations where required by law or ethics rules if client data is exposed.

Tone matters. Keep this section neutral. Firm culture matters, but consistency matters more.


Sample language you can adapt

Ownership and Monitoring
All computers, mobile devices, networks, accounts, and software provided by the Firm are Firm property and are intended for business use. The Firm may access, monitor, log, and review any activity or data on Firm devices, accounts, or networks at any time, for any lawful business purpose, and consistent with applicable law. Employees should have no expectation of privacy when using Firm resources. The Firm provides prior notice of electronic monitoring and requires acknowledgment as part of onboarding.

Acceptable Use
Limited personal use is permitted if it is infrequent, does not interfere with work, does not consume significant resources, and complies with all Firm policies. Prohibited uses include illegal activity, harassment, attempts to bypass security, unlicensed software, storage of Firm data on personal services, and use of non‑approved cloud or AI tools for client information without written approval.

Security
Users must enable MFA, use strong passwords, lock screens when away, connect to Firm systems only through approved VPN, and promptly install updates. Firm data must reside only in approved locations. Lost or stolen devices must be reported immediately.

Discipline
Violations may result in coaching, written warning, suspension, termination, and, where applicable, legal action.

Check your jurisdiction’s monitoring notice rules and update the first paragraph accordingly. New York, Connecticut, and Delaware require specific notice.


Small firm vs. large firm reality

  • Smaller firms. You can allow limited personal use, skip category blocking, and rely on culture plus periodic audits. Just keep the rules crisp and train quarterly.
  • Larger firms. You probably need technical enforcement: web filtering, endpoint protection, data loss prevention, and role‑based access. Document the exceptions so marketing and business development can still do their jobs.

Free, reputable templates can jump‑start your drafting. The SANS Institute publishes acceptable‑use and internet‑use policy templates, and SHRM offers HR‑friendly samples you can adapt.


Quick checklist

    • Scope covers firm devices, networks, and accounts
    • Business use defined; limits on personal use clarified
    • “No expectation of privacy,” plus required monitoring notices
    • Security requirements: MFA, encryption, VPN, patching
    • Software approval and update rules
    • Internet and social media rules, plus exception process
    • BYOD terms and remote work controls
    • Incident reporting steps and contacts
    • Retention, off‑boarding, and device return
    • Progressive discipline ladder
    • Employee acknowledgment captured and stored

A note for multi‑office firms

If you have people in California or overseas, align the policy with your privacy notices and data maps. California’s CPRA now covers employee data. In the UK and EU, workplace monitoring must be lawful, necessary, and proportionate, with clear notice and often a documented assessment (a data protection impact assessment under the GDPR). (Sullivan & Cromwell)


Turn policy into practice: a 30‑day rollout plan

Week 1: Draft and align. Map the policy to ethics, privacy, and HR requirements. Identify must‑have controls such as MFA, encryption, and VPN.
Week 2: Socialize. Brief practice leaders and admins. Set the exception process and owners.
Week 3: Train. Run a 30‑minute session that hits scenarios people will remember. Collect acknowledgments.
Week 4: Enforce. Turn on logging and alerting, then enable blocking on the highest‑risk categories. Publish a two‑page “how we monitor” explainer.


Policy‑to‑controls map

Each entry pairs a policy rule with the technical control that enforces it and an example action.

  • No client files to personal email or cloud. Control: data loss prevention (DLP). Action: block uploads to personal Gmail and Dropbox, quarantine attempts, alert IT.
  • Only approved storage and collaboration. Control: application allow‑list and CASB. Action: allow M365 and NetDocuments, block unapproved AI or file‑sharing apps.
  • No auto‑forwarding of firm email. Control: mail hygiene and transport rules. Action: disable external auto‑forwarding, review exceptions quarterly.
  • Limit risky web categories. Control: secure web gateway. Action: restrict malware, adult, piracy, crypto mining, and anonymizers.
  • Report incidents fast. Control: SIEM or endpoint alerts routed to a shared mailbox. Action: one‑click phishing report, incident ticket auto‑created.
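The map above, as an added example that is not part of the original post and not 2b1 Care’s or any vendor’s code: a small Python policy engine that takes constructed events (a file upload, an email, a mailbox forwarding rule, web requests, a phishing report) and returns the allow, quarantine, block, or ticket decision each row of the map calls for. The firm domain firm.example, the storage allow‑list, the MATTER‑nnnnn client‑matter format, the marketing role exception and the sample events are all assumptions made for the example.

```python
"""Toy policy engine: turns the rules in the policy-to-controls map into
enforcement decisions over constructed events.  Added example, not code from
2b1 Care or any vendor.  Domain names, the matter-number format, the role
exception and the sample events below are all assumptions."""
import re
from dataclasses import dataclass, field
from datetime import date

FIRM_DOMAIN = "firm.example"                                          # assumed firm mail domain
APPROVED_STORAGE = {FIRM_DOMAIN, "netdocuments.com", "sharepoint.com"}  # assumed CASB allow-list
PERSONAL_CLOUD = {"gmail.com", "dropbox.com", "drive.google.com", "icloud.com"}
BLOCKED_WEB_CATEGORIES = {"malware", "adult", "piracy", "crypto-mining", "anonymizer"}
NON_BUSINESS_CATEGORIES = {"social", "streaming", "shopping"}         # blocked unless an exception applies

# Patterns that mark firm or client data.  The MATTER-nnnnn format is an assumption.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "matter_number": re.compile(r"\bMATTER-\d{5}\b"),
    "privilege_marker": re.compile(r"privileged\s*(?:&|and)\s*confidential", re.I),
}

# Role-based web exceptions with an expiry date, as the policy text requires.
WEB_EXCEPTIONS = {("marketing", "social"): date(2025, 12, 31)}


@dataclass
class Event:
    kind: str               # "email" | "upload" | "forward_rule" | "web" | "phish_report"
    user: str
    role: str = "staff"
    destination: str = ""   # recipient address, storage host, forwarding target or web host
    content: str = ""
    category: str = ""      # secure-web-gateway category, for "web" events


@dataclass
class Decision:
    action: str             # "allow" | "quarantine" | "block" | "ticket"
    rule: str
    findings: list = field(default_factory=list)


def sensitive_findings(text):
    """Names of the sensitive patterns that appear in text, in definition order."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]


def host_of(destination):
    """Domain part of an address, or the host itself when there is no '@'."""
    return destination.lower().rsplit("@", 1)[-1]


def evaluate(ev, today="2025-06-01"):
    """Apply the policy rules to one event and return the enforcement decision."""
    dest = host_of(ev.destination)
    if ev.kind == "phish_report":
        # Report incidents fast: every report opens a ticket, no triage gate in front of it.
        return Decision("ticket", "report-incidents-fast")
    if ev.kind == "forward_rule":
        # No auto-forwarding of firm email to anything outside the firm domain.
        if dest != FIRM_DOMAIN:
            return Decision("block", "no-external-auto-forward")
        return Decision("allow", "internal-forward")
    if ev.kind in ("email", "upload"):
        hits = sensitive_findings(ev.content)
        if dest in PERSONAL_CLOUD and hits:
            return Decision("block", "no-client-data-to-personal", hits)
        if ev.kind == "upload" and dest not in APPROVED_STORAGE:
            # Storage outside the allow-list is held for review even without a pattern hit.
            return Decision("quarantine", "unapproved-storage", hits)
        return Decision("allow", "approved-destination", hits)
    if ev.kind == "web":
        if ev.category in BLOCKED_WEB_CATEGORIES:
            return Decision("block", "risky-web-category")
        if ev.category in NON_BUSINESS_CATEGORIES:
            expiry = WEB_EXCEPTIONS.get((ev.role, ev.category))
            if expiry is not None and date.fromisoformat(today) <= expiry:
                return Decision("allow", "role-exception-until-" + expiry.isoformat())
            return Decision("block", "non-business-category")
        return Decision("allow", "web-ok")
    return Decision("quarantine", "unknown-event-kind")


def run_demo():
    """Constructed events, at least one per row of the policy-to-controls map."""
    events = [
        Event("upload", "alice", destination="dropbox.com", content="MATTER-10234 settlement memo"),
        Event("upload", "bob", destination="gmail.com", content="lunch order"),
        Event("email", "alice", destination="counsel@opposing.example", content="MATTER-10234 draft"),
        Event("forward_rule", "carol", destination="carol.home@gmail.com"),
        Event("web", "dave", role="marketing", category="social"),
        Event("web", "dave", role="recruiting", category="social"),
        Event("web", "erin", category="crypto-mining"),
        Event("phish_report", "frank", content="Suspicious invoice from vendor-payments.example"),
    ]
    decisions = [(ev, evaluate(ev)) for ev in events]
    return [(ev.user, ev.kind, d.action, d.rule) for ev, d in decisions]


if __name__ == "__main__":
    for row in run_demo():
        print(*row)
```

Two design points carry over from the policy text. Email to an outside address is allowed even when it contains a matter number, because clients and opposing counsel legitimately receive firm work product, while an upload to Dropbox is quarantined even with no pattern hit, because storing firm data on a personal service is prohibited outright. The marketing exception for the social category carries an expiry date, so the same request is allowed in June and blocked once the exception lapses unless someone renews it.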

Technical enforcement with 2b1 Care

How it works. 2b1 Care enforces your policy with DLP and web content filtering. The platform can monitor, log, block, or quarantine activity that puts firm or client information at risk. Typical controls include:

  • DLP rules. Keep client and confidential data inside approved systems. Prevent auto‑forwarding to personal accounts. Block storage on unapproved services. Trigger automatic holds, reviews, or blocks when sensitive patterns appear.

  • Web filtering. Restrict high‑risk or non‑business categories. Allow documented exceptions for marketing, business development, and recruiting. Time‑limit all exceptions and review them periodically.

Deployment tips.

  • Smaller firms. Start in monitor‑only mode for 30 days, then enable blocking on the highest risks. Keep personal‑use rules simple and train monthly for one quarter.

  • Larger firms. Roll out by department, tie exceptions to roles, review DLP incidents weekly, tune rules quarterly, and document ownership across IT, InfoSec, and HR.


Final word

A good computer‑use policy is like courtroom procedure. Everyone knows the rules, the judge trusts the process, and surprises belong at birthday parties, not on servers. Keep the tone human, make training memorable, and back the words with controls that quietly do the right thing every day.


Legal note

This post is general information, not legal advice. Check local law and your bar’s ethics guidance before implementing or enforcing a policy. For core ethics touch points on technology and confidentiality, see ABA Model Rule 1.1, Comment 8, and ABA Formal Opinions 477R and 483. (ABA Journal; American Bar Association)


Ready to lock the vault?

Policies set expectations. Enforcement prevents mistakes. If you want your rules to live in practice, not just on paper, we can help you configure DLP and web filtering that match your policy and your culture.

Call 2b1 Inc. at (415) 284‑2221 or fill out the form below to schedule a short consultation on turning your computer‑use policy into technical controls that actually work.
