TL;DR: Texas attorneys are on the hook for client confidentiality under Texas Disciplinary Rule of Professional Conduct 1.05, and that obligation follows your data into every system you use — case management, email, the practice-management cloud, the AI tool somebody on staff started using last week. The State Bar’s ethics opinions cover the headline questions (cloud storage in Opinion 680, AI in Opinion 705), but they stop short of telling you how to lock down a network, run a client portal, or handle five years of archived files. This post is the practical layer underneath those opinions.
Key Points
- Rule 1.05 makes you responsible for client data even when a vendor or cloud service is doing the actual storing.
- Opinion 680 allows cloud storage, but only if you’ve done real due diligence on the vendor.
- A client portal needs encryption in transit and at rest, MFA, granular access controls, and audit logs you’ll actually look at.
- Your conflicts database holds the same confidential information your case files do. It should be protected the same way.
- Rule 1.15 requires five-year retention of trust-account records. (Heads up if you’re reading older ethics opinions or articles: this was Rule 1.14 before the October 2024 amendments added new Rules 1.10 and 1.18, which shifted every rule after them up by one number.) Texas doesn’t mandate a retention period for closed client files, but five years is the common practice — it aligns with most Texas statutes of limitations on claims against lawyers and is what most malpractice carriers recommend. Your backup, archive, and destruction strategy is part of your ethics posture either way.
What Rule 1.05 Actually Requires From Your IT Infrastructure
Rule 1.05 governs confidentiality, not technology. But your technology is where client information lives now, so the rule reaches into every system that touches it — case management, email, document storage, the practice tools, the AI assistants.
If someone gets unauthorized access to any of that, you’ve likely violated 1.05 even if you never intended to disclose anything. The State Bar doesn’t care whether the breach started with a phishing click or with a vendor who had weak security. You’re responsible for reasonable safeguards either way.
There’s a side benefit to taking this seriously: cyber insurance carriers now expect the same controls. MFA, endpoint protection, regular security training — most carriers won’t write a policy without them. So your ethics posture and your cyber-insurance application end up answering most of the same questions.
The Vendor Due Diligence Problem
Opinion 680 (September 2018) lets you use cloud services if you take “reasonable precautions in the adoption and use of cloud-based technology.” That sounds tidy until you have to actually implement it. Here’s the short list we work from when a firm asks us to vet a practice-management or document-automation tool:
- A current SOC 2 Type II report (not Type I, not “we’re working on it”)
- Clarity on where the data physically lives
- Encryption standards in writing, in transit and at rest
- A contractual clause stating the vendor won’t use your client data to train AI models or for marketing
- Cyber insurance, plus an obligation to notify you of a breach within a defined window
Most Austin firms we work with don’t have someone in-house to run this review. If that’s your firm, the answer is usually an MSP that’s done it before for legal clients. Otherwise you end up agreeing to terms nobody read on a tool a partner picked because they liked the demo.
Client Portal Security: More Than Just a Password
If you’re sharing documents with clients through a portal, every shared file is a potential disclosure point. A login screen by itself isn’t enough. You need:
- Encryption in transit and at rest. TLS 1.2 or higher for transmission, AES-256 for storage.
- Multi-factor authentication. Default-on, no exceptions. Comment 8 to Rule 1.01 obligates lawyers to stay current on the benefits and risks of relevant technology, and by 2026 that means MFA is the floor, not a nice-to-have. Cyber-insurance carriers also won’t write you a policy without it.
- Granular access controls. Clients see only their own matters, and you can revoke access the day representation ends.
- Audit logs. You need to know who accessed what and when — both for ethics compliance and for the day opposing counsel asks how a document was handled.
- Automatic session timeout. 15 to 30 minutes of inactivity, then re-authenticate.
The portal is part of your confidentiality infrastructure. It deserves the same care as your internal case-management system, not less.
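The five controls above are easier to reason about when you see them as code paths. The Python model below is an added illustration, not code from any portal product: it enforces per-matter grants, refuses a login without MFA, expires idle sessions, ends live sessions the moment access is revoked, and writes every outcome (including denials) to an append-only audit log. Users, matters, document names and timestamps are constructed.

```python
"""Minimal access model for a client portal: per-matter grants, MFA-gated
login, an idle-session timeout, and an append-only audit log.

Added illustration; the users, matters, document names and timestamps are
constructed, and the class is not any real portal product's API.
"""
from datetime import datetime, timedelta
import secrets

IDLE_TIMEOUT = timedelta(minutes=20)   # inside the 15-30 minute window


class Portal:
    def __init__(self):
        self.grants = {}     # user -> set of matter ids that user may open
        self.sessions = {}   # token -> {"user": ..., "last_seen": datetime}
        self.audit = []      # append-only audit records (who, what, when, outcome)

    def _log(self, now, action, actor, **details):
        self.audit.append({"at": now.isoformat(), "action": action,
                           "actor": actor, **details})

    # --- administration, performed by firm staff ---
    def grant(self, now, staff, user, matter):
        self.grants.setdefault(user, set()).add(matter)
        self._log(now, "grant", staff, user=user, matter=matter)

    def revoke(self, now, staff, user, matter=None):
        """Revoke one matter, or everything when representation ends."""
        if matter is None:
            self.grants.pop(user, None)
        else:
            self.grants.get(user, set()).discard(matter)
        # end live sessions so the revocation takes effect immediately
        for token in [t for t, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[token]
        self._log(now, "revoke", staff, user=user, matter=matter or "*")

    # --- client-facing operations ---
    def login(self, now, user, password_ok, mfa_ok):
        """MFA is mandatory: a correct password alone never yields a session."""
        if not (password_ok and mfa_ok):
            self._log(now, "login_failed", user, mfa=mfa_ok)
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "last_seen": now}
        self._log(now, "login", user)
        return token

    def open_document(self, now, token, matter, doc):
        """Return True if the document may be served; every outcome is logged."""
        session = self.sessions.get(token)
        if session is None:
            self._log(now, "denied", "unknown", reason="no_session",
                      matter=matter, doc=doc)
            return False
        user = session["user"]
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]
            self._log(now, "denied", user, reason="session_expired",
                      matter=matter, doc=doc)
            return False
        session["last_seen"] = now
        if matter not in self.grants.get(user, set()):
            self._log(now, "denied", user, reason="not_granted",
                      matter=matter, doc=doc)
            return False
        self._log(now, "open", user, matter=matter, doc=doc)
        return True


def demo():
    """Run a constructed scenario; returns the outcomes and the audit trail."""
    p = Portal()
    t0 = datetime(2026, 5, 1, 9, 0)
    p.grant(t0, "paralegal", "client_a", "M-001")
    p.grant(t0, "paralegal", "client_b", "M-002")

    no_mfa = p.login(t0, "client_a", password_ok=True, mfa_ok=False)
    tok = p.login(t0, "client_a", password_ok=True, mfa_ok=True)
    own = p.open_document(t0 + timedelta(minutes=5), tok, "M-001", "discovery.pdf")
    other = p.open_document(t0 + timedelta(minutes=6), tok, "M-002", "discovery.pdf")
    stale = p.open_document(t0 + timedelta(minutes=40), tok, "M-001", "discovery.pdf")

    tok2 = p.login(t0 + timedelta(minutes=41), "client_a", True, True)
    p.revoke(t0 + timedelta(minutes=42), "partner", "client_a")   # representation ended
    revoked = p.open_document(t0 + timedelta(minutes=43), tok2, "M-001", "discovery.pdf")

    return {"no_mfa": no_mfa is None, "own": own, "other": other,
            "stale": stale, "revoked": revoked,
            "trail": [r["action"] for r in p.audit]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design points worth noticing: the audit log records denials with a reason, which is what you want when opposing counsel asks how a document was handled, and revocation deletes live sessions rather than waiting for them to time out, so "revoke access the day representation ends" actually means that day.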
When Portals Fail Ethics Requirements
We’ve watched Austin firms use consumer-grade Dropbox accounts and bare Google Drive links to swap discovery documents. That’s a 1.05 problem waiting to happen. If the link gets forwarded, if the client’s laptop is compromised, if the service quietly updates its terms next quarter — you’ve lost control of confidential information and there’s no calling it back.
Your engagement letter should spell out how you’ll transmit confidential information and what the client needs to maintain on their end. Putting it in writing protects the client and gives you something to point to as evidence of reasonable care if anything goes wrong later.
Conflict Checks and the Data You Forget About
Your conflicts database is full of confidential information: client names, opposing parties, adverse counsel, case types, the relationships between them. Most firms treat the conflicts tool like a back-office utility rather than a case-file-grade asset. It is a case-file-grade asset.
What to do about it:
- Apply the same access controls and encryption you use for case files.
- Audit access at least once a year. Former employees keep database access months after they’ve left more often than you’d guess.
- Document how conflicts actually get run. If the process involves emailed spreadsheets or screen-sharing on Zoom, it needs to change.
- Integrate it with your practice-management system rather than maintaining a second, less-secure copy of your client list somewhere else.
If you’re on a standalone conflicts tool, host it under the same security standards as everything else — and stop exporting client data to Excel files on individual laptops.
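The annual access audit is a mechanical comparison, and it is worth scripting so it actually happens. The Python below is an added example, not part of the original post or any conflicts product: it takes an account export from the conflicts tool and the current HR roster (both constructed CSV snippets) and flags enabled accounts that belong to separated staff, accounts nobody on the roster owns, and accounts that have gone dormant.

```python
"""Annual access review for the conflicts database: compare the accounts that
can log in against the firm's current roster and flag what should be disabled.

Added example with constructed data; both CSV snippets below are made up and
the column names are assumptions about what an export might contain.
"""
import csv
from datetime import date, timedelta
from io import StringIO

DORMANT_AFTER = timedelta(days=90)

# Account export from the conflicts tool (constructed)
DB_ACCOUNTS_CSV = """username,enabled,last_login,role
jsmith,true,2026-04-28,staff
mlee,true,2025-11-02,staff
rgarcia,true,2026-05-01,admin
svc_backup,true,2026-05-03,admin
bchen,true,2026-01-10,staff
tnguyen,false,2025-06-15,staff
"""

# Current staff roster from HR (constructed)
ROSTER_CSV = """username,status,separation_date
jsmith,active,
mlee,separated,2025-12-19
rgarcia,active,
bchen,active,
tnguyen,separated,2025-07-01
"""


def review_access(accounts_csv, roster_csv, today):
    """Return sorted (username, finding, detail) tuples for enabled accounts."""
    roster = {r["username"]: r for r in csv.DictReader(StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "true":
            continue                      # already disabled; nothing to do
        user = acct["username"]
        person = roster.get(user)
        last_login = date.fromisoformat(acct["last_login"])
        if person is None:
            # service or orphaned account: someone has to own it or it goes
            findings.append((user, "not_on_roster", "confirm owner or disable"))
        elif person["status"] != "active":
            # the case the post warns about: departed, still able to log in
            findings.append((user, "separated_still_enabled",
                             f"separated {person['separation_date']}"))
        elif today - last_login > DORMANT_AFTER:
            findings.append((user, "dormant", f"last login {last_login}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, detail in review_access(DB_ACCOUNTS_CSV, ROSTER_CSV, date.today()):
        print(f"{user:12} {finding:26} {detail}")
```

Run it against real exports once a year at minimum, and keep the output with your other compliance records: the list of findings and what you did about each is the evidence that the audit happened.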
Retention and Deletion: The Ethics Issue Nobody Wants to Handle
Here’s the part most firms get wrong: Texas Rule 1.15(a) requires five-year retention of trust-account records — records of the funds in your trust or escrow accounts (including IOLTA) and other client property held by the lawyer — not client files generally. (Older ethics opinions and articles cite this as Rule 1.14 because the rules were renumbered when new Rules 1.10 and 1.18 took effect on October 1, 2024; the substance is the same.) The State Bar’s own published guidance is clear that no rule mandates a minimum retention period for closed client files. For closed client files specifically, the five-year norm isn’t from any single rule — it comes from extending the trust-account retention period by analogy, malpractice-carrier guidance, and Texas statutes of limitations on most claims against lawyers. Ethics Opinion 627 (2013) walks through the principles for deciding when destruction is permitted but explicitly declines to set a bright-line number of years. In other words: you should be retaining for at least five years, but the rule everyone cites isn’t the rule that actually requires it.
Retention creates ongoing confidentiality obligations either way, which means every backup tape, archived inbox, and old laptop in a closet is a 1.05 risk until it’s either secured or destroyed.
What a Compliant Retention Strategy Looks Like
You need a documented schedule: what gets kept, how long, where, who can access it, and how it’s destroyed when the clock runs out. For electronic records, that means:
- Encrypted backups with restore procedures you’ve actually tested
- A defined process for wiping devices before disposal or redeployment
- An annual review of archived matters so you’re not keeping things forever by default
- Destruction certificates for both paper and electronic records
Firms with more than one office need the policy to apply everywhere. We’ve walked into firms where the downtown office had tight controls and the satellite office in Round Rock had five years of paper files in an unlocked storage closet. Same firm, same client data, very different exposure profile.
Retention also runs into e-discovery. If you become a defendant, you have to identify and preserve relevant records quickly. That means knowing what you have and where it lives before the litigation hold is on the table.
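A written schedule is only useful if something applies it. The Python below is an added example, not the post's or any vendor's code: it evaluates a list of closed-matter records against a per-record-class retention schedule, keeps anything under litigation hold regardless of age, and produces the destruction record you file afterwards. The schedule and the matters are constructed, and the schedule is one a firm might adopt, not a statement of what any rule requires.

```python
"""Retention-schedule evaluator for closed-matter records: applies a per-class
period from the close date, holds anything under litigation hold regardless
of age, and lists what is due for destruction so a certificate can be issued.

Added illustration with constructed data. The schedule below is one a firm
might adopt, not a statement of what any rule requires.
"""
from datetime import date

SCHEDULE_YEARS = {          # retention after matter close, by record class
    "client_file": 5,       # the common-practice figure for closed files
    "trust_account": 5,     # Rule 1.15(a) trust-account records
    "admin_email": 2,       # scheduling and billing chatter, shorter by policy
}


def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:      # 29 Feb close date landing in a non-leap year
        return d.replace(year=d.year + years, day=28)


def evaluate(records, today):
    """Sort records into destroy / hold / retain, each tagged with its due date."""
    out = {"destroy": [], "hold": [], "retain": []}
    for r in records:
        due = add_years(date.fromisoformat(r["closed"]), SCHEDULE_YEARS[r["class"]])
        key = (r["matter"], r["class"], due.isoformat())
        if r.get("legal_hold"):
            out["hold"].append(key)        # a hold always wins over the schedule
        elif today >= due:
            out["destroy"].append(key)
        else:
            out["retain"].append(key)
    return out


def destruction_record(key, method, approved_by, performed_on):
    """The entry you keep after destruction: what, when, how, who signed off."""
    matter, cls, due = key
    return {"matter": matter, "class": cls, "due": due, "method": method,
            "approved_by": approved_by, "performed_on": performed_on.isoformat()}


RECORDS = [  # constructed sample data
    {"matter": "M-2019-014", "class": "client_file", "closed": "2020-11-30"},
    {"matter": "M-2019-014", "class": "trust_account", "closed": "2020-11-30"},
    {"matter": "M-2020-031", "class": "client_file", "closed": "2021-02-15",
     "legal_hold": True},
    {"matter": "M-2023-007", "class": "client_file", "closed": "2024-01-10"},
    {"matter": "M-2023-007", "class": "admin_email", "closed": "2024-01-10"},
]


if __name__ == "__main__":
    result = evaluate(RECORDS, date.today())
    for bucket, keys in result.items():
        print(bucket, keys)
    if result["destroy"]:
        print(destruction_record(result["destroy"][0], "crypto-erase",
                                 "managing partner", date.today()))
```

The per-class split is deliberate: a matter's administrative email can go at two years while its client file and trust records stay the full five, which is the "not keeping things forever by default" point from the list above. The hold check runs before the date check, so a litigation hold blocks destruction even for records that are already past their due date.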
AI Tools and Opinion 705: What You Can and Can’t Outsource
Opinion 705 (February 2025) covers generative AI tools. You’re allowed to use them. You’re still responsible for the work product, and you still can’t expose client information to the vendor in a way that breaks 1.05.
In practice:
- Document review AI. Acceptable if the vendor doesn’t retain your data or use it for training, and if you verify the output instead of treating it as final.
- Contract analysis tools. Same conditions, plus you need to confirm the tool isn’t quietly missing material provisions.
- Generative AI for drafting. High risk unless you’re on an enterprise tier with terms equivalent to a BAA — and you’re editing the output rather than shipping it.
Nothing in Opinion 705 bans AI use. It just requires the same competence and confidentiality standard that applies to everything else you do with client information. You have to know how the tool works, what it does with your data, and whether it would pass the same vendor review you’d run on anything else.
For most small and midsize firms in Austin, the safer pattern right now is: don’t paste client information into public AI tools, and use AI mostly for research and templates rather than live client matters.
Frequently Asked Questions
Does Rule 1.05 require me to encrypt all client emails?
Not all of them. Rule 1.05 asks for reasonable safeguards, which scale with the sensitivity of the information and the risk of interception. Routine scheduling and general correspondence over standard email is generally fine. Financial records, medical information, trade secrets, anything privileged or particularly damaging if leaked — those go through encrypted email or a secure portal.
Can I use Microsoft 365 or Google Workspace for client files?
Yes, on the business or enterprise tiers, with appropriate data-protection terms in place — the Products and Services Data Protection Addendum and online services terms on the Microsoft side, and the equivalent agreements on the Google side. (If your firm handles healthcare-client matters that bring you under HIPAA, you’ll also need a Business Associate Agreement on top of that. The DPA isn’t a BAA.) The consumer versions don’t give you the confidentiality protections you need. You also need MFA enabled, retention policies configured, and a hard process for revoking former employees’ access on day one of their departure.
What happens if my vendor has a data breach?
You’re still on the hook under Rule 1.05. But if you did real due diligence picking the vendor and your contract requires prompt breach notification, you have something concrete to point to when explaining what you did. You’ll also need to notify affected clients, alert your malpractice carrier, and possibly report to the State Bar depending on what happened. Vendor selection and contract terms do a lot of quiet work for you in that scenario.
Do I need to tell clients I’m using cloud storage?
Opinion 680 doesn’t require upfront disclosure, but it’s worth including in your engagement letter — a short paragraph explaining you use cloud-based systems and what security measures are involved. Some clients will have objections, and you want to surface those before you’ve started storing their files. Government clients and clients in regulated industries may require explicit written consent.
How long do I need to keep email related to closed matters?
Emails that are part of the client file — substantive communications, strategy discussions, document exchanges — should be retained as part of the file. Texas doesn’t mandate a specific retention period for client files. The common practice is five years after the matter closes — that aligns with most Texas statutes of limitations on claims against lawyers, matches the Rule 1.15(a) trust-account retention period, and is what most malpractice carriers recommend. Administrative messages (scheduling, billing reminders) can follow a shorter schedule. What matters is having a written policy and applying it consistently, not deciding case by case.
Can I let clients access files through Dropbox or Google Drive links?
Only on business-grade accounts with the security controls turned on: password protection on shared links, expiration dates, access logs, encryption at rest. Consumer-grade file sharing with permanent public links is not a reasonable safeguard under 1.05. For most firms, a real client portal with granular access controls is the cleaner long-term answer.
Sources and Further Reading
Texas Disciplinary Rules of Professional Conduct
- Rule 1.01 — Competent and Diligent Representation (including Comment 8 on technological competence)
- Rule 1.05 — Confidentiality of Information
- Rule 1.15 — Safekeeping Property (formerly Rule 1.14; the rules were renumbered when new Rules 1.10 and 1.18 took effect on October 1, 2024)
Professional Ethics Committee Opinions
- Opinion 680 (September 2018) — Cloud-based storage and software systems
- Opinion 705 (February 2025) — Generative AI in the practice of law
- Opinion 627 (April 2013) — Retention and disposition of client files
State Bar of Texas resources
- State Bar of Texas AI Toolkit (also discoverable through the official Bar announcement page)
- “Save or Shred: The Ethics of Destroying Closed Client Files” (Texas Bar Journal)
- “Practice Tips Regarding File Retention and Destruction”
Technology and vendor terms
- Microsoft Products and Services Data Protection Addendum (DPA)
- Texas Supreme Court Misc. Docket No. 19-9016 — adopting Comment 8 to Rule 1.01
- Texas Supreme Court Misc. Docket No. 24-9054 — October 1, 2024 amendments and rule renumbering (PDF)
- Current consolidated Texas Disciplinary Rules of Professional Conduct (effective March 7, 2025) (PDF)
Last reviewed and updated: May 19, 2026