Texas Bar Journal • June 2026

When the Attorney Is the Risk

Cybersecurity duties inside the law firm.

Written by Majo Castro

As discussed in my prior articles, law firms are no longer merely victims of cyberattacks. Increasingly, they are the point of failure. Phishing, password reuse, unmanaged cloud tools, and well-intentioned but careless employees account for a significant share of law firm breaches.1 For Texas lawyers, that reality transforms cybersecurity from a technical concern into an ethical obligation grounded in the duties of competence and confidentiality.

In 2026, cyber-insurers will be the primary force “regulating” law firms. If a firm cannot prove it has multi-factor authentication (MFA), 24/7 endpoint detection and response (EDR) monitoring, and immutable backups, insurers are increasingly either denying coverage or imposing “sub-limits” that only cover a fraction of a ransomware demand.

Why Law Firms Are Prime Targets
As we know, law firms hold exactly the kind of information attackers want: litigation strategy, deal data, personal identifiers, financial records, and privileged communications. The FBI and cyber-insurance carriers consistently treat firms as high-value ransomware and data-theft targets because they combine rich data with weaker security controls than banks and other heavily regulated institutions.2

Small and midsize firms are often especially exposed.3 Research cited by the American Bar Association (ABA) and insurers shows that firms with under roughly 100 lawyers suffer a disproportionate number of successful incidents, frequently because they lack mature cybersecurity governance and rely heavily on third-party technology providers without robust oversight.

Ethical Duties Beyond the Firewall
Texas Disciplinary Rules of Professional Conduct 1.01 and 1.05 impose duties of competence and confidentiality whether client information is stored in a file room, on a laptop, or in the cloud.4 Those duties include taking reasonable steps to prevent unauthorized access, disclosure, or destruction of client data.

ABA Formal Opinion 477R explains that “reasonable efforts” are context-dependent and must account for the sensitivity of the information, the likelihood of disclosure, and the availability of additional safeguards. In modern practice, that requires lawyers to understand how firm systems, vendors, and workflows affect client data, not simply hand the problem to IT.5

A firm that permits personal email for client work, uploads documents to unapproved AI tools, or allows password reuse across systems is not just courting a breach. It is courting an ethics problem grounded in failures of competence, confidentiality, and supervision.

Malpractice, Enforcement, and Trust Risk
Cybersecurity failures increasingly translate into malpractice claims, disciplinary complaints, regulatory enforcement, and lost clients.6 Regulators and plaintiffs’ lawyers now routinely cite ABA opinions, NIST-aligned guidance, insurer materials, and state bar resources as evidence of what reasonable professional care requires in safeguarding client information.7

In 2023, the New York attorney general secured a $200,000 settlement from a law firm after a breach exposed the personal data of tens of thousands of New Yorkers, citing the firm’s inadequate security controls and delayed notification. That enforcement posture reflects a broader trend: cyber incidents are treated as failures of governance and risk management, not as unavoidable technical bad luck.8

The reputational harm can be as severe as the legal exposure. Corporate clients increasingly demand transparency about cybersecurity practices, and after a serious incident, many will terminate or pause engagements regardless of whether the firm believes it met a minimum technical standard.

Vendor and Technology Risk
Most firms now operate inside a dense ecosystem of cloud platforms, e-discovery providers, billing systems, and AI tools. These technologies improve efficiency, but each one expands the attack surface and introduces new avenues for data loss or misuse.

Bar associations are clear that lawyers remain responsible for client data even when third parties store or process it. California State Bar Formal Opinion 2020-203 explains that competence now includes understanding cybersecurity risks, vetting vendors, and implementing policies and training around technology use.9 New York City Bar Formal Opinion 2024-3 likewise requires lawyers to make reasonable efforts to ensure that vendors provide appropriate contractual and technical safeguards for client information.10

Using a well-known vendor does not discharge that responsibility. Firms must know where data is stored, how it is encrypted, who can access it, how long it is retained, and whether it is reused for analytics or AI model training. Those issues should be addressed explicitly in contracts, policies, and ongoing oversight.

Outsourcing IT Is Not Outsourcing Ethics
Engaging an external IT provider can strengthen a firm’s security posture, but it does not transfer a lawyer’s professional obligations. Under Texas rules and national ethics guidance, lawyers must supervise those who handle client information on their behalf, including non-lawyer vendors and managed service providers.

Supervision is active, not passive. It includes setting expectations in engagement letters and contracts, reviewing security controls, coordinating on incident response, and periodically confirming that vendor practices align with the firm’s policies and legal duties. When firms fail to do this, regulators increasingly treat vendor failures as law firm failures, as the New York state enforcement action illustrates.

What Can You Do Today?
To reduce legal, ethical, and business risk, firms should examine:

  1. Policies: Are there current, written rules governing data storage, sharing, remote access, personal devices, and approved technology, including AI tools?

  2. Training: Do lawyers and staff receive recurring training on phishing, social engineering, safe cloud and AI use, password hygiene, and incident reporting?

  3. Vendors: Does the firm know where vendors store data, how it is encrypted, who can access it, and whether it is analyzed or repurposed? Are these expectations reflected in contracts and revisited periodically?

  4. Access controls: Is multi-factor authentication enforced, are privileges limited by role, and are accounts promptly disabled when people leave?

  5. Incident readiness: Is there a tested incident-response plan that coordinates legal, forensic, IT, insurance, and client-notification steps?

In many firms, the biggest cybersecurity risk is no longer a sophisticated attacker overseas but an attorney or staff member who underestimates how central cybersecurity has become to professional responsibility and compliance.

NOTES

  1. David G. Ries, Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties (Nov. 2019), State Bar of Michigan, https://www.michbar.org/file/opinions/ethics/cybersecurity.pdf.

  2. Internet Crime Report 2023, Federal Bureau of Investigation (2023), https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf.

  3. New developments in law firms’ obligations to protect against data breaches, Liberty Mutual Insurance (Jan. 15, 2021), https://business.libertymutual.com/insights/new-developments-in-law-firms-obligations-to-protect-against-data-breaches/.

  4. See TDRPC 1.01, 1.05.

  5. American Bar Association Formal Opinion 477R (May 2017), https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/ethics-opinions/aba-formal-opinion-477.pdf.

  6. Supra note 5; see also Formal Opinion 2020-203, State Bar of California Standing Committee on Professional Responsibility and Conduct, https://www.calbar.ca.gov/sites/default/files/portals/0/documents/ethics/Opinions/Formal-Opinion-No-2020-203-Data-Breaches.pdf.

  7. Supra note 6.

  8. Attorney General James Secures $200,000 from Law Firm for Failing to Protect New Yorkers’ Personal Data (Mar. 27, 2023), Office of the New York State Attorney General, https://ag.ny.gov/press-release/2023/attorney-general-james-secures-200000-law-firm-failing-protect-new-yorkers.

  9. Supra note 6.

  10. Formal Opinion 2024-3: Ethical Obligations Relating to a Cybersecurity Incident (July 18, 2024), New York City Bar, https://www.nycbar.org/reports/formal-opinion-2024-3-ethical-obligations-relating-to-a-cybersecurity-incident/.


MAJO CASTRO is the founder and managing attorney of Castroland Legal, a Texas-based firm concentrating on business and emerging technologies. She advises startups, MSPs, and law firms on regulatory compliance, helping modern organizations meet rising expectations around data protection and operational accountability.