When Your Cloud Provider Reports Client Data

18 U.S.C. § 2258A, The REPORT Act, and a Problem Most Lawyers Haven’t Thought About

A Confession First

I’m going to start with a confession. Until recently, I had not spent much time thinking about 18 U.S.C. § 2258A. If you’re a lawyer who generally keeps up with tech and ethics issues and you’re thinking, “Same,” you’re not alone. Almost no one I talk to has this statute top of mind.

That’s a problem, because this law quietly sits underneath a lot of the tools lawyers use every day: email, cloud storage, file syncing, and practice management software. It can conflict with our confidentiality obligations in complex and uncomfortable ways. If you have not thought about it before, you are not failing some hidden competence test. Most of the profession has not thought about it either.

Child Sexual Abuse Material Is a Horrific Problem

Before I go any further, I want to be clear about something. The reporting requirements in this statute exist for an important reason. Child sexual abuse material causes real harm to real people, and mandatory reporting by technology providers plays a critical role in identifying and stopping abuse. Nothing in this discussion is meant to question that purpose or to suggest that these materials should be tolerated, ignored, or quietly handled.

The issue I’m raising is not whether CSAM should be reported. It should be. The issue is how this reporting regime intersects with lawyers’ ethical obligations, often without lawyers fully realizing that the intersection exists.

The Short Version of the Law

Here’s the short version. Federal law requires certain technology providers to report suspected child sexual abuse material, or CSAM, to the National Center for Missing and Exploited Children. Not after a subpoena. Not after a court order. Proactively. Once a provider has “actual knowledge,” they are required to make a report. And when they report, they don’t just say, “Something looks off.” They send identifying information, technical data, and sometimes content itself.

In 2024, Congress expanded these obligations through the REPORT Act. The reporting duty is no longer limited to obvious image or video files. It now reaches a broader set of apparent offenses involving the sexual exploitation of children, including certain coercion, enticement, and trafficking-related conduct. That matters, because it widens the range of material that can trigger reporting in ways that are not always obvious at first glance.

You, the lawyer, are not the one doing the reporting. But the tools you chose may trigger that reporting obligation in the course of lawful provider compliance. That is where the ethical headache starts.

Who the Law Applies To (And Why That Matters)

Section 2258A applies to “providers” of electronic communication services and remote computing services. In plain English, that means things like email platforms, messaging services, and cloud storage. Gmail. Outlook. Google Drive. Dropbox. OneDrive. And yes, potentially components of legal practice management systems that rely on cloud storage and syncing.

Your firm isn’t the provider. You’re the customer, but you still decide what goes into that system.

If a provider obtains actual knowledge of apparent CSAM or other covered exploitation-related conduct, it must report that information to NCMEC’s CyberTipline as soon as reasonably possible, consistent with federal law. The REPORT Act didn’t soften that obligation; it reinforced it. (REPORT Act stands for Reducing Efforts to Overcome Preventing Online Exploitation Risks of Teenagers.)

Those reports can include usernames, IP addresses, timestamps, URLs, and digital fingerprints of files. Providers don’t have a general duty to monitor everything on their systems, and the statute is careful about that. But once they know, once something is flagged or reviewed and crosses that “actual knowledge” threshold, the obligation kicks in.

It is important to understand that the penalties for failing to report are not small. They are large enough that the incentives are obvious, which is another way of saying providers are going to err on the side of reporting. Their legal obligations are not designed to accommodate a lawyer’s confidentiality analysis.

NCMEC, in turn, can share that information with law enforcement, including state, federal, and sometimes foreign agencies. There are limits on downstream disclosure, especially in criminal cases, but at that point the horse is already out of the barn.

No, There Is No Lawyer Exception

This is the part where people usually ask, “But surely there’s an exception for lawyers, right?” No. There isn’t.

There is no carve-out for attorney-client privilege. No special treatment for law firms. No “sensitive materials” exception. If the file is on the provider’s system and the provider acquires actual knowledge that it appears to fall within the statute, the reporting obligation applies.

There are some practical boundaries worth understanding. If you are working entirely on local, non-networked systems (think of an encrypted external drive that never touches the cloud), Section 2258A never comes into play because there is no provider involved. The statute doesn’t apply to you personally as a lawyer.

But the moment that material is uploaded, synced, emailed, backed up to a cloud provider, or otherwise handled by a covered entity, you’ve placed it into a system governed by federal reporting requirements. At that point, the provider’s obligations are controlling, regardless of your intent or your client’s expectations.

Where This Collides with Rule 1.6

Now we get to the messy part. ABA Model Rule 1.6 requires lawyers to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of client information. Ethics opinions over the last decade have largely blessed the use of cloud services, as long as lawyers do appropriate diligence: security practices, contractual protections, confidentiality terms, and so on.

Those opinions often talk about disclosure required by “other law,” usually in the context of subpoenas or court orders. Section 2258A, particularly as expanded by the REPORT Act, is different. This isn’t compelled disclosure after process. It is mandatory reporting triggered by the provider’s knowledge, sometimes based on automated detection or internal review.

So here’s the uncomfortable question that I don’t think the profession has really grappled with yet. Once you understand how this statute works, and how much broader its reach now is, is it still “reasonable” to upload certain categories of material to the cloud as a default practice?

This Is Not a Niche Problem

This is not a hypothetical for a niche practice. Think about where this arises. Family law. Criminal defense. Immigration. Civil rights litigation. Cases where clients hand over photos, videos, or message histories without really thinking through what they contain, and sometimes without understanding that possession itself can be illegal.

The REPORT Act makes this even more complicated, because the trigger is no longer limited to clearly identifiable CSAM. Communications, attempts, or related evidence may now fall within a reporting framework that many lawyers still associate only with images and videos.

It is also the kind of issue that tends to surface at the worst possible time, right when you are trying to move quickly and get your arms around a situation.

If a lawyer receives potentially illegal material in the course of representation and uploads it to a cloud service knowing that the provider may scan, hash, or otherwise flag it, have they taken reasonable steps to protect confidentiality? Or have they placed that information into a system that is legally required to disclose it under federal law?

That is not an abstract ethics exam question. That is a real-world workflow decision, and it is exactly the kind of decision lawyers make without thinking because the default workflow now is “upload and sync.”

The Guidance Gap

Right now, most lawyers don’t even know this is an issue, and ethics guidance tends to reflect that reality. But Rule 1.6 is not frozen in time. It tracks what lawyers know or reasonably should know. Awareness changes the analysis, whether we like it or not.

I don’t have a clean answer here, and I’m suspicious of anyone who claims they do. If someone is telling you, confidently, that it is all fine and you don’t need to adjust anything, they are either missing the problem or declining to engage with it.

What Lawyers Can Actually Do

Now that you know about the relevant statutes, what do you do with this information?

In my opinion, at a minimum, you need to understand how your vendors handle flagged content and what notice, if any, they provide. Many providers offer no notice at all, because the law doesn’t require them to give you one. And even when a provider does provide notice in some contexts, you cannot assume you will get it in a timely fashion.

There are situations in which segregating material, keeping it off cloud systems entirely and handling it locally with strong encryption, may be the safest course in light of these reporting requirements. That’s inconvenient. It’s old-school. It may also become necessary. If you practice in an area where this risk is more than theoretical, you’ll want a plan that accounts for the possibility of mandatory reporting.

Obviously, I am fond of technology. On occasion, however, I suggest people skip modern technology and use older methods. I actually have been laughed at when I say such things in lectures, but I still think there are occasions when client confidentiality may require us to step back and consider whether the old ways are the best ways for certain types of data. Sometimes handing materials over on a segregated, encrypted hard drive or thumb drive is the way to go. Similarly, storing them on such devices may be safer than putting them into cloud storage.

Client communication matters too. Engagement letters and intake conversations should not pretend that cloud tools are consequence-free. Federal reporting laws exist, and clients should not be surprised later by disclosures their lawyer never warned them about. I am not suggesting a long, scary paragraph that no one reads. I am suggesting a sentence that reflects reality.

Why This Needs More Attention

And frankly, this is an area where bar associations and CLE providers need to step up. Not with panic, not with pearl-clutching, but with clear, realistic guidance. Because the first discipline case built on this issue is going to surprise a lot of very competent lawyers, and I would rather see the profession deal with it before that happens.

2258A in Court

As for whether these laws have been vetted by the courts, the answer is yes. There have been cases in which Section 2258A has been challenged, and it has passed those challenges. One example is United States v. Reddick (2018).

Reddick uploaded images to a then-existing cloud service called Microsoft SkyDrive. Like many providers, Microsoft used a tool “to automatically scan the hash values of user-uploaded files and compare them against the hash values of known images of child pornography.” The tool Microsoft used (and still uses) is called PhotoDNA.

In early 2015, PhotoDNA found suspicious materials in Reddick’s uploaded images. In turn, details were reported to NCMEC. The details included Reddick’s location information based on his IP address. NCMEC forwarded a report to the Corpus Christi Police Department.

A detective in Corpus Christi reviewed the report, viewed the images, and confirmed the presence of CSAM. The detective then obtained a “warrant to search Reddick’s home and seize his computer and related materials.” After finding more CSAM, “Reddick was indicted for possession of child pornography in violation of 18 U.S.C. § 2252A(a)(2) and (b)(1).”

Reddick’s counsel alleged that the search was warrantless due to how the detective obtained access to the CSAM. The Court found that the detective properly obtained a warrant based on the original CyberTip, basing its holding on Walter v. United States.

In short, courts have repeatedly upheld the mandatory reporting framework in Section 2258A and rejected broad Fourth Amendment challenges to provider reporting, even while recognizing limits on how law enforcement and NCMEC may later handle reported material.

Bottom Line

Section 2258A does not require lawyers to report their clients. But it does require many of the tools lawyers rely on to do exactly that, and the REPORT Act expanded the range of situations in which that can happen. If we pretend that distinction doesn’t matter, we are fooling ourselves.

Technology doesn’t just change how we practice. It changes the risk landscape underneath our ethical duties. Ignoring that doesn’t make it go away.

Note: Why Most Lawyers May Not Lawfully Possess CSAM

One important point bears emphasizing: most attorneys are not legally permitted to possess child sexual abuse material any more than non-lawyers are. There are narrow, highly controlled exceptions in certain criminal cases, typically involving court-authorized access rather than unrestricted possession, which I will not explore here.

Despite this, clients sometimes transmit such materials to their lawyers anyway, often without warning. That creates significant legal risk. As discussed above, the REPORT Act expanded what covered service providers must report, and therefore what categories of material may trigger mandatory reporting obligations.

What this means in practice is that an attorney may face serious consequences if CSAM is received, stored, or transmitted through a provider subject to mandatory reporting requirements, even when the lawyer’s intent is to represent a client. This is one reason attorneys must be extremely cautious about accepting electronic materials from certain clients and about immediately uploading client-provided files into cloud-based email, document-management, or case-management systems.

Special Disclaimer

This article is provided for informational and educational purposes only. It does not constitute legal advice, create an attorney–client relationship, or offer a comprehensive analysis of every issue related to federal reporting laws or cloud-service-provider obligations. Lawyers should independently evaluate their specific facts, jurisdictions, technologies, and ethical duties, and consult applicable rules, statutes, and professional guidance before making decisions regarding client data or the use of cloud-based tools.

Accordingly, attorneys should consider whether the issues discussed here may affect their own practices or their clients. Where appropriate, lawyers should consult ethics counsel, qualified IT professionals, and relevant vendors to determine how best to safeguard client information and comply with applicable legal and professional obligations.