What Texas Law Firms Need to Do for Information Security

ABA Rule 1.6 in 2026

ABA Model Rule 1.6(c) requires lawyers to make "reasonable efforts" to prevent unauthorized disclosure of client information. Texas Rule 1.05 mirrors it. What counts as reasonable has changed dramatically since the rule was last meaningfully updated in 2012 — institutional clients now run SOC-2-grade security questionnaires before retaining outside counsel, ransomware groups actively target law firms, BEC-driven wire fraud against trust accounts is a daily occurrence, and Texas State Bar Disciplinary Counsel has begun pursuing data breach matters under Rule 1.05. This 2026 guide covers what "reasonable" actually requires today, the ABA Formal Opinions that matter (477, 483, 498), the modern security baseline, the role of Privileged Access Management (PAM), and how Texas law firms can build a defensible information security program without overspending.


What Rule 1.6(c) Actually Says

ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Texas Rule 1.05 is substantively similar. The word "reasonable" is doing all the work — and what counts as reasonable in 2026 is dramatically more than what counted as reasonable in 2012, when the ABA added the Comment 18 factors.

The Comment 18 Factors

ABA Comment 18 lists the factors for determining "reasonable efforts": the sensitivity of the information, the likelihood of disclosure if safeguards are not employed, the cost of additional safeguards, the difficulty of implementing safeguards, and the extent to which safeguards adversely affect the lawyer's ability to represent clients. The factors are deliberately flexible — they accommodate solo practitioners, mid-size firms, and BigLaw differently. But they are not infinitely flexible: ignoring widely available safeguards like MFA is no longer defensible.

ABA Formal Opinions That Matter

Formal Opinion 477 (2017) addressed secure communications and mobile device use. Formal Opinion 483 (2018) addressed lawyers' obligations after a data breach. Formal Opinion 498 (2021) addressed virtual practice and remote work. Together they establish that lawyers must understand the technology they use, must implement reasonable safeguards, and must respond to breaches with both notification and remediation. Reading these opinions is not optional for managing partners or COOs.

What Institutional Clients Demand

Major institutional clients — banks, insurers, healthcare systems, large corporates — now run security questionnaires before retaining outside counsel and during annual relationship reviews. The questions read like SOC 2 due diligence: encryption, MFA, access controls, incident response plans, vendor management, audit logs. Firms that cannot answer fail outside counsel guideline reviews and get dropped from the panel.

The Modern 'Reasonable' Baseline

In 2026, the practical floor for what counts as "reasonable" includes: encryption of client data at rest and in transit, MFA on all attorney accounts and document management systems, documented access controls, an incident response plan with regular testing, vendor management for cloud services, regular phishing simulations, monthly security awareness training, and increasingly Privileged Access Management (PAM) on attorney workstations to defend against the ransomware that hits law firms more than any other professional services category.

BEC and Wire Fraud — A Specific Problem

Real estate transactions, settlements, and trust account distributions involve large wire transfers that adversaries actively target through Business Email Compromise (BEC). Loss of client funds through BEC is now a top driver of legal malpractice claims. ABA Formal Opinion 483 implies a duty to implement controls reasonable to prevent foreseeable BEC — which means email security with anti-impersonation, DMARC at p=reject, conditional access, and out-of-band wire verification protocols.

Why Choose LayerLogix?

Serving businesses throughout the Greater Houston area including Houston, The Woodlands, Sugar Land, Spring, Conroe, Dallas, Fort Worth, Austin, San Antonio.

Defensible Compliance Posture

When a client asks "show me your information security program" or when bar discipline counsel asks "what reasonable efforts did you take?" you have a documented answer. The cost of producing that answer in advance is dramatically less than the cost of constructing it after an incident.

Win Institutional Client Engagements

Most mid-size and small Texas firms lose institutional client opportunities they never know about because they fail outside counsel guideline security reviews silently. A real information security program — not a PDF policy document, an actual operational program — wins business that competitors cannot.

Lower Malpractice and Cyber Insurance Premiums

Lawyer Professional Liability and cyber insurance carriers now bake cybersecurity into pricing. Documented MFA, PAM, immutable backup, and incident response routinely reduce premium quotes 10-25% on renewal — frequently more than the engagement cost.

Reduced Wire Fraud Risk

BEC-driven wire fraud against trust account distributions is now a daily occurrence. A real BEC defense program (email security + staff training + out-of-band verification + DMARC) dramatically reduces successful fraud and the malpractice exposure it creates.

Bar Discipline Defensibility

Texas State Bar Disciplinary Counsel has begun pursuing data breach matters under Rule 1.05. Documented compliance with the modern reasonable efforts standard is your defense.

Our Process

1. Inventory client data — where is matter information stored? Document management, email, file shares, cloud apps, attorney mobile devices, paralegal workstations, eDiscovery platforms. You cannot protect what you have not mapped.
2. Read the bar guidance — ABA Rule 1.6 plus Comment 18, Texas Rule 1.05, ABA Formal Opinions 477, 483, and 498. Assign a partner or COO to own the program.
3. Risk assessment — formal risk assessment aligned to the Comment 18 factors plus the modern threat landscape (ransomware, BEC, supply chain attacks, insider misuse).
4. Document management hardening — enforce MFA, deploy granular access controls and audit logging, and validate retention policies on NetDocuments/iManage/Clio.
5. Email security — Defender for Office 365 or the Google Workspace equivalent, DMARC at p=reject, anti-impersonation, and conditional access policies on email access from non-managed devices.
6. Privileged Access Management (PAM) — application allowlisting on every attorney and staff workstation. The single highest-leverage control for ransomware and BEC defense in a law firm context.
7. Wire fraud prevention program — out-of-band verification protocol for all wires above a defined threshold, staff training, vendor and trust account access controls.
8. Incident response plan — documented, tested, with carrier and outside counsel pre-engaged. Tabletop exercise at least annually.
9. Vendor management — security review of cloud service providers, eDiscovery platforms, and any vendor with access to client data. Annual reassessment cycle.
10. Annual program review — formal annual review of the program, training records, incident records, and vendor reassessments. Document the review.
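The email security step above and the BEC section both call for DMARC at p=reject. The following is an added example, not LayerLogix's tooling, that checks a firm's published DMARC record against that baseline and reports the gaps a questionnaire reviewer would flag (weaker policy, partial pct, weaker subdomain policy, no aggregate reporting). The sample records and domains are constructed; in practice the record is fetched as the TXT record at _dmarc.<domain>.

```python
# Constructed sample DMARC TXT records keyed by a made-up domain (not real lookups).
SAMPLE_RECORDS = {
    "firm-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@firm-a.example; pct=100",
    "firm-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:reports@firm-b.example",
    "firm-c.example": "v=DMARC1; p=none",
    "firm-d.example": "",  # nothing published at _dmarc.firm-d.example
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag/value pairs; tags are lower-cased, values stripped."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Compare one record against the p=reject baseline; return compliance flag and findings."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"compliant": False, "findings": ["no valid DMARC record published"]}

    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy or 'missing'}; baseline requires p=reject")

    # pct defaults to 100; anything lower leaves part of the mail stream unenforced.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail flow")

    # sp (subdomain policy) inherits p when absent; lookalike subdomains are a BEC vector.
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy != "reject":
        findings.append(f"subdomain policy sp={subdomain_policy} is weaker than reject")

    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address; spoofing attempts stay invisible")

    return {"compliant": not findings, "findings": findings}


def assess_all(records: dict) -> dict:
    """Run the assessment over every domain in a records mapping."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}
```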

Frequently Asked Questions

What does 'reasonable efforts' actually require my firm to do in 2026?
Read together, ABA Comment 18 plus Formal Opinions 477, 483, and 498 establish that 'reasonable efforts' in 2026 includes (at minimum): encryption of client data at rest and in transit; MFA on all attorney accounts and document management systems; documented access controls; an incident response plan with regular testing; vendor management for cloud services; security awareness training; the ability to detect and respond to a breach within a reasonable timeframe; and increasingly Privileged Access Management (PAM) on attorney workstations. The floor moves up over time — what was reasonable in 2018 is no longer adequate.
Does my firm need a written information security program?
Effectively yes. The bar guidance does not use the words "Written Information Security Plan" the way the FTC Safeguards Rule does, but Formal Opinion 483 and the modern interpretation of Rule 1.6(c) effectively require documented policies, procedures, and an incident response plan. Institutional clients expect the same. Firms without a documented program cannot pass outside counsel guideline reviews.
What happens if my firm has a data breach?
ABA Formal Opinion 483 establishes the framework: (1) take reasonable steps to contain and remediate the breach; (2) determine which clients were affected; (3) notify affected clients with sufficient detail to make informed decisions; (4) consider whether to terminate or suspend representation if confidentiality cannot be restored. Plus state breach notification laws, possible bar discipline notification, possible cyber insurance notification, and possible litigation. Speed and documentation matter.
How does Privileged Access Management (PAM) help a law firm comply with Rule 1.6?
PAM (application allowlisting and ringfencing) blocks ransomware before it executes — and law firm ransomware events frequently result in client data exfiltration that triggers breach notification, malpractice exposure, and bar discipline review. PAM also satisfies multiple Comment 18 factors: implementing widely-available, cost-effective safeguards, applying access controls, controlling change to client-data-handling systems, and producing audit logs that demonstrate the firm's reasonable efforts.
How much does a real information security program cost a Texas law firm?
For a typical Texas firm of 25-75 attorneys plus support staff, a real program runs $145-$245 per user per month for full managed IT including PAM, email security, document management hardening, eDiscovery enablement, and incident response capability. Larger firms or firms with heavy litigation often add vCISO services ($4K-$15K/month) for client security questionnaire response and program leadership. The malpractice and cyber insurance premium reductions plus the reduced BEC and ransomware risk routinely offset the engagement cost.
Is bar discipline actually a real risk for IT security failures?
Yes — and the trend is clearly toward more enforcement. Texas State Bar Disciplinary Counsel and counterparts in other states have begun pursuing data breach matters under Rule 1.05/1.6. The cases that draw discipline typically involve obvious negligence (no MFA, no encryption, no incident response plan, ignored warnings) rather than novel attacks. Compliance with the modern reasonable efforts standard is the defense.

Ready to Get Started?

Contact LayerLogix today for a free consultation. We serve businesses throughout Houston, The Woodlands, Sugar Land, and the surrounding Greater Houston area.