The Texas Bar’s professional conduct rules and the ABA’s formal opinions have, over the past decade, made one thing clear: a Texas attorney’s duty of competence includes technology. You cannot ignore IT and security and still meet your obligations to your clients.
This post is for the solo or small-firm Lubbock practice that has been doing fine but suspects the rules have evolved underfoot. Plain language, no scolding, just what’s actually expected.
The relevant rules, briefly
Texas Disciplinary Rule of Professional Conduct 1.01 (“Competent and Diligent Representation”) requires “the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.” The Texas Center for Legal Ethics has interpreted this to include technology competence.
ABA Formal Opinion 477R (May 2017) is the practical bar. It explicitly addresses the duty to use reasonable security measures when communicating with clients electronically. Texas, like most states, looks to ABA opinions as persuasive authority.
ABA Formal Opinion 483 (October 2018) extends this to data breach response. If you have a breach involving client data, you have specific duties to notify affected clients and to take reasonable steps to mitigate harm.
Texas Disciplinary Rule 1.05 (Confidentiality of Information) is the longstanding privilege rule. Modern interpretation includes a duty not to handle privileged information so carelessly that it can be intercepted or accessed by unauthorized parties.
What “reasonable” actually means in 2026
The ABA opinions deliberately do not specify exact technical measures. The standard is “reasonable” — which the courts have begun to interpret with reference to widely available, commercially common controls.
In 2026, “reasonable” for a Texas law firm means at minimum:
- Multi-factor authentication on all accounts that touch client data. This is now a default expectation. A breach of an MFA-less account is rarely defensible.
- Encrypted email when sending privileged or sensitive material. The options are a secure email service, an encrypted attachment, or transport-layer enforcement (forcing TLS for outbound mail).
- Endpoint protection beyond consumer antivirus. EDR, or at minimum a managed antivirus product with central reporting.
- A documented backup with tested restores. Losing client files to ransomware without a working backup is a disciplinary problem, not just a business problem.
- Vendor due diligence. If you use a cloud document management system, you need to have read their security documentation and be able to defend the choice.
- Written information security policies. Documented practices for password management, incident response, vendor oversight, retention and destruction.
This list is not exhaustive. It is the floor.
Common scenarios that raise eyebrows
We do work with several Lubbock and West Texas firms, and we see the same handful of issues over and over:
Shared email passwords. Almost every firm has at least one shared inbox where multiple staff log in with the same password. This violates the auditability expected under modern interpretation of 1.05. Fix: shared mailboxes via Microsoft 365 or Google Workspace, where individuals authenticate with their own credentials but all access a common mailbox.
Personal devices used for client communication. Attorneys answering emails from a personal iPad with no MFA, no remote-wipe capability, no encryption-at-rest verification. Fix: a real BYOD policy with mobile device management, or firm-issued devices.
Cloud storage without due diligence. “We just use Dropbox” is not, by itself, a problem. But you need to be on a Dropbox Business or equivalent tier that supports audit logging, and you need to have read the security documentation. Free-tier consumer Dropbox is not appropriate for client files.
No incident response plan. When a breach happens, and breaches do happen, you have approximately 72 hours to make a competent first set of decisions. Without a written plan, every decision in those hours is improvised.
Old equipment on the network. A 2012 receptionist computer that hasn’t been patched in years, sitting on the same network as the partner laptop with the active client files, is a vulnerability. Fix: segment guest and legacy equipment off the main work network.
What a real compliance posture looks like
A Lubbock firm that takes this seriously typically has, at minimum:
- Microsoft 365 Business Premium or Google Workspace Business Standard, with MFA enforced and Conditional Access on remote login.
- EDR on every endpoint, with a central console.
- A managed firewall with VPN for remote access.
- Backups, off-site, with tested restores.
- A written WISP-equivalent security plan, even though the Texas Bar doesn’t require the form a tax preparer’s WISP takes.
- A documented incident response procedure with named contacts.
- Annual staff security training with records.
We deploy this stack as part of Titanium and Carbon for our law firm clients. It also happens to be what cyber insurance carriers expect, which is not coincidental.
The realistic risk picture
The disciplinary risk for a Texas attorney getting hit with a tech-related complaint is real but historically rare. The bigger immediate risks are:
- Loss of client trust when a breach makes the local news.
- Cyber insurance non-renewal when carriers learn how the breach happened.
- Civil liability from clients whose data was exposed.
- Loss of work product that costs months to recreate.
Those are the consequences that have actually shut down small practices. The Bar disciplinary process is the smaller worry.
Two starting moves
If you suspect your practice is below the bar:
- Run our Cyber Score. Free, two minutes, gives you a written gap report you can compare against the list above.
- If your law-firm IT vendor can’t speak to ABA 477R or Texas DR 1.05 by name, that is itself a signal.
We work with several West Texas firms on this stuff. The Industries — Law Firms page describes the specific stack we deploy. If you want a quiet conversation about where your practice sits, the Free IT Blueprint Assessment covers it as part of a broader walkthrough.