A hurricane pushes water through your downtown office. A ransomware note appears on every screen on a Monday morning. A solo practitioner has a stroke, and no one can reach the client files, the trust account, or the calendar. These disasters share one feature that may surprise some lawyers: the Texas Disciplinary Rules of Professional Conduct do not have a disaster exception. A lawyer’s duties to clients continue while the water recedes, while she negotiates with a hacker, and after she is no longer able to practice. In a 2018 opinion, the American Bar Association confirmed that competence, diligence, communication, and the safekeeping of client property all remain in force when an office is destroyed or inaccessible.[1]
Disaster preparedness is a component of a lawyer’s duties to her clients. This article walks through the duties at stake and then translates them into concrete measures for three scenarios — natural disasters, cyber incidents, and the lawyer’s own sudden unavailability.
The Applicable Disciplinary Rules
Five disciplinary rules undergird a disaster plan:
- Competence – Texas Disciplinary Rule of Professional Conduct (“TDRPC”) 1.01 requires competence in representation, which increasingly includes competence in the technology used to provide that representation. Lawyers should have a reasonable understanding of their on- or off-premises file storage, their remote access tools, their cybersecurity measures, and any other technology used for representing clients.
- Diligence – TDRPC 1.01 also addresses diligence. A reasonably diligent lawyer will have a plan to continue with the representation of the client, including a plan to meet deadlines in the face of a disaster or to seek extensions where proper.
- Confidentiality – TDRPC 1.05’s confidentiality requirements extend to taking reasonable steps to protect client information from destruction and exposure, even when the source of the destruction or exposure is force majeure or criminal.
- Safekeeping of Property – Under TDRPC 1.15, a lawyer must maintain client files, original documents, and trust-account funds and records not only during the course of representation and for a requisite time afterwards, but also in the face of a disaster.
- Supervision – Lawyers in supervisory capacities under TDRPC 5.01 and 5.03 must take reasonable steps to ensure that all those being supervised handle client matters and data in compliance with the Rules. This obligation includes educating the supervised lawyers and staff on the disaster preparedness plan so that it is properly followed.
When a Natural Disaster Strikes
Hurricanes along the coast, flooding and tornadoes inland, wildfires, and extreme weather like the 2021 freeze have all taught that paper and on-site servers do not survive water, fire, or extended outages. But a well-designed backup does.
Start with data. Maintain a complete, encrypted backup of client files and important documents in an off-site location, ideally a reputable cloud storage service, and update it regularly. That will keep a destroyed office from resulting in unrecoverable files. ABA Opinion 477R frames this as a confidentiality and safekeeping obligation. If files cannot be reconstructed after a loss, the lawyer must notify affected clients.[2] In order to be able to do this, keep a current, exportable list of client names and contact information that lives outside the office network, so clients can be reached even when systems are down. Communication is a duty, and lawyers cannot communicate with a list trapped on a flooded server.[3]
Give special attention to documents of intrinsic value like original wills, deeds, promissory notes, and similar instruments that cannot simply be reprinted from a backup. These belong in fireproof and water-resistant storage, ideally off-site, with a record of what is being held and for whom. The same goes for trust-account records. Lawyers should keep digital copies of trust account records so that they can document balances and account for client funds even if the originals are lost. If a flood or fire does destroy materials, a contemporaneous inventory is what allows lawyers to reconstruct files and to give clients the honest, specific notice the rules require rather than a vague apology.
Plan for the physical practice. Lawyers should identify an alternate workspace and confirm that their team can work remotely. Lawyers should know how to reach client funds and trust records if their bank branch, their office, or their bookkeeper is unavailable, because the duty to safeguard those funds does not pause.[4] Finally, build in a diligence backstop. If a disaster will keep lawyers from providing timely service a client urgently needs, lawyers must assess whether they should associate co-counsel or, in the extreme case, withdraw to avoid prejudicing the client.
Put the Plan in Writing Before the Disaster. The State Bar of Texas and the ABA have a number of resources available to assist lawyers in preparing for and dealing with the aftermath of a disaster, including drafting and implementing a Disaster Readiness Plan. It is important to take steps now to put the plan in place before disaster strikes.
When Hackers Take Digital Hostages
A data breach is a disaster that arrives without weather warnings, and the ABA treats it as its own ethics problem. ABA Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” imposes a simple expectation to prepare before disaster happens.[5] Concretely, that means developing an incident response plan (“IRP”) in advance so that decisions are made before you are in the middle of a crisis.[6] This plan is a written playbook identifying who calls the IT provider, who notifies the cyber and malpractice insurance carrier(s), who assesses what data was affected, and who communicates with clients.[7]
These preparation duties flow from the duties of competence and confidentiality. Lawyers may use cloud storage and email confidential information, but only with reasonable precautions and ongoing attention to a vendor’s security.[8] The ABA’s guidance on securing client communications rejects a one-size-fits-all rule in favor of reasonable, risk-sensitive measures with stronger protection for more sensitive matters.[9] In practical terms, lawyers should consider using multifactor authentication, encrypting sensitive data, deploying current software and updates, applying access controls so staff see only what they need, and exercising reasonable diligence when handing data to outside vendors, including backup providers, e-discovery services, and even AI programs. Also, data security training is paramount because the most common breach still begins with a click, and supervisory lawyers are responsible for that training.
When a breach occurs, the lawyer or practice must take prompt action to stop it and mitigate the damage, to investigate what client information was accessed or lost, and to notify affected current clients. Texas law also adds a separate obligation that lawyers sometimes overlook. Under the Identity Theft Enforcement and Protection Act, a firm that maintains Texans’ sensitive personal information must notify affected individuals without unreasonable delay and no later than 60 days after determining a breach occurred, and must report to the Texas Attorney General within 30 days when 250 or more Texans are affected, with civil penalties for noncompliance.[10] A single ransomware event can therefore trigger both ethical notification duties and this statutory one, which is another reason the response plan should be written down before the disaster arrives.
Planning in Advance for Disability or Death
The disruption clients are least prepared for is the sudden loss of the lawyer, which can occur from injury, illness, or death. For solo and small-firm practitioners especially, the absence of a plan can leave clients with no access to their files, their funds, or their deadlines, and can leave a grieving family to untangle a practice they do not understand.
The Texas Rules of Disciplinary Procedure (“TRDP”) have tools to help. TRDP 13.04 allows a lawyer to designate, in advance, a custodian attorney—a licensed Texas lawyer who can step in temporarily to protect client interests by securing files, seeking continuances, and returning files and property as clients direct. Designating a custodian confers the same liability protection as a court-appointed one, and it spares those affected the extraordinary step of a court assuming jurisdiction over the practice when no one has agreed to take responsibility.
A workable succession plan does a few things: it names the successor or custodian and a backup in a signed, written agreement; it tells them where to find the file inventory, passwords, trust-account information, and the client contact list; and it accounts for client consent, since the successor will see confidential information. Once the custodian attorney is in place, a lawyer may use his engagement letter to obtain client consent for sharing client information with that custodian attorney in the event the succession plan is enacted. The State Bar of Texas Law Practice Management Division and Texas Lawyers Insurance both offer succession-planning resources to help you build one. Treating succession planning as an ethical imperative for the protection of clients is now the settled expectation.
A Suggested Checklist
No single plan fits every practice, but firms should consider implementing the following:
- A written disaster preparedness plan that addresses how the lawyer will comply with the continued duties of communication with clients, diligence in representation, and protection of client property despite the natural disaster.
- A written cyber incident response plan naming who contacts IT, the malpractice carrier, regulators, and clients.
- A designated custodian or successor attorney under Part XIII of the Texas Rules of Disciplinary Procedure, with a signed agreement and client consent addressed in engagement letters.
- Encrypted, off-site (cloud) backups of client files and key documents, updated on a regular schedule.
- A current client contact list that lives outside the office network and is quickly exportable.
- Multifactor authentication, encryption, patching, access controls, and documented staff security training.
- Vendor due diligence for any service that touches client data, with confidentiality expectations in writing.
- Assured access to trust-account funds and records if the office, bank, or bookkeeper is unavailable.
- An alternate workspace and tested remote-access capability for the whole team.
- A short protocol for promptly notifying clients of a closure, relocation, or data incident affecting their matters.
At the End of the Day
Disasters are not a remote possibility. Natural disasters, cyber incidents, and lawyer incapacity or death will occur. Disaster preparedness is not a separate body of obligations layered on top of a law practice. It is what competence, diligence, communication, confidentiality, and safekeeping look like when the worst happens. Build the plan once, keep it current, and store it where the lawyer and her custodian can reach it, and she will have done the thing the rules require, which is ensuring that her clients are protected even on the day she cannot protect them herself.
Insured members who have questions about planning for disaster can contact our Attorney Helpline (800-252-9332 or rskmgmt@tlie.org) Monday through Friday during business hours and speak to one of the members of our loss prevention team.
[1] ABA Standing Comm. on Ethics & Prof’l Responsibility, Formal Op. 482 (2018) (Ethical Obligations Related to Disasters) (“ABA Opinion 482”).
[2] ABA Standing Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R (2017) (Securing Communication of Protected Client Information) (“ABA Opinion 477R”).
[3] See generally ABA Opinion 477R.
[4] See State Bar of Texas Prof’l Ethics Comm. Op. (“Texas Ethics Op.”) No. 648 (transmitting confidential information via email); Texas Ethics Op. No. 572 (sharing confidential information with contractors).
[5] ABA Standing Comm. on Ethics & Prof’l Responsibility, Formal Op. 483 (2018) (Lawyers’ Obligations After an Electronic Data Breach or Cyberattack) (“ABA Opinion 483”).
[6] ABA Opinion 483.
[7] See, “What will you do when your law firm is breached” by Sharon D. Nelson and John W. Simek found on the State Bar of Texas website for suggestions of what elements to include in an IRP.
[8] Tex. Ethics Op. 680 (2018) (use of cloud-based storage for client confidential information).
[9] ABA Standing Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R (2017) (Securing Communication of Protected Client Information).
[10] Tex. Bus. & Com. Code § 521.053 (Identity Theft Enforcement and Protection Act; breach-of-system-security notification).