What ABA Model Rule 1.6 Means for Your Firm’s IT Security

Article summary: Texas Disciplinary Rule 1.05 requires “reasonable efforts” to prevent unauthorized access, which translates to specific technical controls, not just good intentions. Law firms that haven’t mapped their IT environment to these obligations may be carrying compliance risk they won’t see until after a breach.
It’s a Friday afternoon when a ransomware attack locks a mid-size Texas litigation firm out of its case management system.
Client files, billing records, court correspondence, and upcoming deadlines all become inaccessible. The firm doesn’t just have a technology problem. Under Texas Disciplinary Rule 1.05, it may also have a professional responsibility issue.
Confidentiality isn’t only a principle in Texas legal practice. It’s a rule with direct implications for how your IT environment is built and maintained.
Cybersecurity for law firms is now tied to your professional obligations, not just operational preference. Understanding what “reasonable efforts” actually requires is where most firms need to start.
The Texas Rule That Governs
Texas attorneys are governed by the Texas Disciplinary Rules of Professional Conduct, not the ABA Model Rules directly.
The relevant rule for confidentiality is TDRPC Rule 1.05, which covers both privileged and unprivileged client information and requires attorneys to take reasonable precautions against unauthorized disclosure.
Texas Professional Ethics Committee Opinion 648 addresses email communication specifically.
In some circumstances, a lawyer has a duty to consider whether unencrypted email is appropriate and to advise clients accordingly. Critically, the opinion states that a lawyer’s evaluation of technology practices must be ongoing, not a one-time setup.
Texas Ethics Opinion 680 addresses cloud computing. Attorneys may use cloud-based systems for client data provided they take reasonable steps to ensure confidentiality. This includes understanding the provider’s security measures and confirming the firm can retrieve its data if the service terminates.
ABA Model Rule 1.6(c) provides useful national context.
It states that lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
While not binding in Texas, this framing is widely referenced and represents the direction state bar guidance has been moving.
What “Reasonable Efforts” Looks Like in Practice
The standard is not a fixed checklist. It’s a risk-proportionate assessment.
ABA Formal Opinion 477R, widely cited by Texas practitioners as instructive guidance, outlines the relevant factors:
- The sensitivity of the client information involved
- The likelihood of unauthorized access if safeguards are not in place
- The cost and practicality of implementing stronger security measures
- The impact those measures have on the firm’s ability to represent clients
For a Texas law firm handling litigation, transactional, or family law matters, a reasonable baseline in today’s environment includes:
- Multi-factor authentication on all accounts
- Encrypted email for sensitive client communications
- A documented incident response plan
- Formal vendor vetting for any third-party service that handles client data
- Regular staff training on phishing and data handling
The IT Controls That Directly Address Your Duty
Access controls and MFA
Your ethical duty starts with knowing who has access to client information and ensuring that access is appropriate.
Role-based access control limits exposure by ensuring that attorneys and staff see only the data their roles require. Multi-factor authentication prevents unauthorized access even when credentials are stolen.
The 2023 ABA Cybersecurity Tech Report found that 29% of law firms reported experiencing a security breach. Small firms are not excluded from that number.
Firms with documented security configurations and active monitoring are better positioned to demonstrate they met their reasonable-efforts obligation when an incident raises questions.
Encrypted communications
Texas Opinion 648 creates an ongoing obligation to evaluate whether your communication methods are secure enough given the nature of the matter.
For client communications involving settlement details, financial information, or anything that could harm the client if disclosed, encryption should be the default.
And it should be built into the workflow rather than left to individual judgment.
Cloud and vendor due diligence
Texas Opinion 680 creates a vetting obligation that applies before you connect any SaaS platform, document tool, or communication service to your firm’s workflow.
You need to understand the provider’s security measures, confirm your data remains accessible if the service ends, and get assurance of breach notification.
This isn’t just IT policy. It maps directly to your professional responsibility.
For a practical framework on vetting tools, see our guide to ethics-based SaaS vetting for Texas law firms.
Incident response planning
ABA Formal Opinion 483 (instructive national guidance) makes clear that when a breach occurs, lawyers have notification obligations to clients whose information may be affected.
Having a written incident response plan is how you fulfill that obligation under pressure, when decisions have to be made quickly and the right sequence matters.
If your firm doesn’t have a written plan, learn how to build a ransomware response plan today.
The Compliance Gap Most Firms Don’t Realize They Have
Most Texas law firms believe they’re covered because they have antivirus software and a basic password policy. That’s not what “reasonable efforts” means today.
Threat sophistication, remote access, cloud adoption, and AI tool use have changed the risk landscape.
Mapping your IT environment to your professional obligations isn’t a one-time audit. It’s an ongoing process. Texas Opinion 648 is explicit on that point. A lawyer’s evaluation of technology practices must be continuous as technology and threats evolve.
Digital Crisis helps Texas law firms run that assessment. We understand legal workflows and the ethics context, so the review isn’t generic IT advice. It’s mapped to what your firm actually needs to demonstrate compliance.
Call (713) 965-7200 or contact us for a confidential IT security review.
Article FAQs
Does ABA Model Rule 1.6 directly apply to Texas attorneys?
ABA Model Rules are national guidance. Texas attorneys are governed by the Texas Disciplinary Rules of Professional Conduct. Confidentiality is addressed in TDRPC Rule 1.05. ABA formal opinions (including those interpreting Rule 1.6) provide instructive context and are widely referenced by Texas practitioners, but Texas rules and Professional Ethics Committee opinions govern directly.
What happens if a Texas law firm suffers a data breach?
Beyond IT remediation, a breach involving client information may trigger professional responsibility obligations under TDRPC Rule 1.05, notification requirements under the Texas Identity Theft Enforcement and Protection Act, and potential malpractice or ethics exposure depending on the circumstances. Whether notification is required depends on what client information was accessed and how the representation was affected.
What is ABA Formal Opinion 477R?
Formal Opinion 477R, issued by the ABA in 2017, provides guidance on protecting client information transmitted electronically. It outlines a risk-based framework for evaluating what “reasonable efforts” means in practice, considering the sensitivity of data, likelihood of exposure, and cost of safeguards.