2025 Year In Review • December 2025

Cybersecurity and Data Privacy

Written by Shawn E. Tuma

AI in the Practice of Law—Attorneys Are Ethically Responsible for Accuracy
Artificial intelligence (AI) is all the rage but, unfortunately, too many lawyers (and even a few judges) seem to forget that it is not infallible and will always give an answer, even if it has to make one up. Several courts at the state and federal level have local rules and standing orders to mandate an essential principle set out in Ethics Opinion 705,1 which is that AI should be used as a tool only and that a human stays in the loop and remains ethically responsible for verifying the accuracy and authenticity of all content.2

Disgruntled Former Employee Accessing Organization’s Dropbox to Provide Information to Investigator Violated Hacking Law and Is Not Protected by Immunity
The Texas Health and Human Services Commission (THHSC) was embroiled in a dispute with the Heidi Group (Heidi) and a disgruntled former employee of Heidi that retained access to Heidi’s Dropbox account (after authorization was terminated) and, over months, repeatedly accessed the account and passed sensitive financial information to THHSC at its investigator’s request. The court engaged in a lengthy analysis of several issues, two of which were holding: (1) Heidi had a reasonable expectation of privacy in its documents and files, which was violated;3 and (2) the former employee’s accesses to the Dropbox account were unauthorized accesses that violated Texas’ Harmful Access to Computers Act (HACA)4 and were not good-faith acts and, therefore, not protected by qualified immunity.5

TUTSA Does Not Preempt HACA When the Harm From the Hacking Is Distinct From the Use of the Information Hacked
El Paso Disposal sued its competitor Ecube Labs alleging that Ecube operated a fraudulent scheme involving a network of agents who posed as El Paso’s customers to allow them to obtain information giving them access to El Paso’s online customer portal more than 2,500 times to obtain confidential and trade secret information, including contract pricing and service terms to solicit defections. El Paso alleged, among other things, violations of HACA, which Ecube moved to dismiss arguing that the Texas Uniform Trade Secrets Act (TUTSA)6 preempted HACA. The court denied the motion finding TUTSA does not preempt a “HACA claim [that] is about the harm wrought by Defendant accessing their customer portal without authorization, rather than the damage done by the ensuing misappropriation of customer information from that portal.”7

Jury Awards $50,000 Against e-Discovery Vendor for Exceeding Collection Protocol in Violation of HACA
Parties to a case agreed to a collection protocol limiting what Consilio, an e?discovery vendor, could acquire from the plaintiffs’ personal Gmail account. Plaintiffs sued Consilio alleging that it disregarded the limits and downloaded the entire mailbox for the date range, capturing privileged communications, protected health information, Social Security numbers, and non?party family emails. A jury returned a $50,000 verdict against Consilio finding that it violated HACA by knowingly accessing a computer, computer network, or computer system without the effective consent of its owner.8

Notes

  1. Opinion 705, Professional Ethics Committee for the State Bar of Texas (Feb. 2025), https://www.legalethicstexas.com/resources/opinions/opinion?705/.
  2. See Garces v. Hernandez, No. 25?50342, 2025 WL 2401001, at *2 (5th Cir. Aug. 19, 2025) (per curiam), pet. cert. filed, 2025 WL 2401001, No. 25?5558 (Sept. 4, 2025).
  3. See Heidi Grp., Inc. v. Tex. Health & Hum. Servs. Comm’n, 138 F.4th 920, 936 (5th Cir. 2025).
  4. Tex. Bus. & Comm. Code § 143.001, et seq.
  5. Supra note 3 at 937.
  6. Tex. Civ. Prac. & Rem. Code § 134A.007(a).
  7. See El Paso Disposal, LP v. Ecube Labs Co. d/b/a Haulla Servs., 2025 WL 517656, *15-16 (W.D. Tex. Feb. 17, 2025).
  8. See Olson v. Consilio, LLC, No. 017?331812?22, 2024 WL 5314563 (17th Jud. Dist. Ct., Tarrant Cty., Tex.) (Nov. 26, 2024) (Final Judgment) and 2024 WL 5314535 (Jury Findings).

SHAWN E. TUMASHAWN E. TUMA is an attorney widely recognized in cybersecurity, data, and privacy law, areas in which he has practiced since the late ’90s. He is the managing partner in the Collin County office of Spencer Fane and is co-chair of the firm’s Cyber, Data, Privacy, & AI Practice Group.