Note: we're an IT shop, not your bar association or your malpractice carrier. This is practical guidance, not legal advice. Always check with your state bar's ethics rules and your malpractice carrier's specific requirements.
Solo and small law firms have a problem that big firms don't. The compliance bar is the same: Model Rule 1.1 (and its Comment 8) still expects you to understand the benefits and risks of the technology you use, Model Rule 1.6(c) still requires reasonable efforts to safeguard client confidences, and your state retention rules don't shrink because you only have three lawyers. But you don't have a CIO, a compliance officer, or an in-house security team to hand it off to.
Here's what actually matters and what to skip.
What "reasonable efforts" looks like in practice
ABA Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to" information relating to the representation of a client. Texas Disciplinary Rule 1.05 mirrors this. "Reasonable" is intentionally vague, but courts and bar opinions have given us decent boundaries:
- You don't have to use the most secure tools available
- You do have to use tools that are reasonable for the sensitivity of the data
- You should be able to articulate why you chose what you chose
- If you delegate to a vendor (cloud storage, billing software), you have to do reasonable due diligence on them
The technology-competence baseline
For a solo or small firm in 2026, "reasonable" technology safeguards generally means at minimum:
Email and communications
- Multi-factor authentication on every email account
- Domain-level email security: SPF, DKIM, and DMARC records configured, with the DMARC policy at quarantine or reject (a p=none record only reports; it blocks nothing)
- A way to send encrypted email when transmitting truly sensitive information — built-in M365 message encryption is sufficient for most matters
- Documented protocol for what kinds of communication go in email vs. a secure portal
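The SPF/DKIM/DMARC item is the one firms most often get half right: records exist, but SPF ends in "+all" or DMARC sits at p=none forever. The following is an added example, not the page's own tooling or any vendor's, that evaluates the three records the way a reviewer would. It works on TXT records you have already pulled (for example with `nslookup -type=txt example-law.com` or `Resolve-DnsName example-law.com -Type TXT`), so it runs offline. The domain `example-law.com`, the selector name, and every record value below are constructed for illustration.

```python
"""Evaluate SPF, DKIM and DMARC posture from TXT records you supply."""
import re

# Constructed sample records for a hypothetical firm domain (example-law.com).
# Keys are the DNS names you would query; values are the TXT strings returned.
SAMPLE_RECORDS = {
    "example-law.com": [
        "v=spf1 include:spf.protection.outlook.com -all",
    ],
    "_dmarc.example-law.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example-law.com",
    ],
    "selector1._domainkey.example-law.com": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",  # truncated placeholder key
    ],
}

# SPF terms that cost a DNS lookup under RFC 7208 (limit is 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    """Return (ok, findings) for the TXT records at the domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, ["no SPF record"]
    if len(spf) > 1:
        return False, ["multiple SPF records (receivers treat that as a permerror, i.e. no SPF)"]
    terms = spf[0].split()
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism, so unlisted senders are neutral rather than failed")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier in "+?":
            findings.append(f"'{all_terms[0]}' lets anyone send as the domain")
        if terms[-1] != all_terms[0]:
            findings.append("mechanisms listed after 'all' are never evaluated")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms; more than 10 is a permerror")
    return not findings, findings


def check_dmarc(txt_records):
    """Return (ok, findings) for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return False, ["no DMARC record"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '(missing)'} only monitors; quarantine or reject is needed to stop spoofing")
    if not tags.get("rua"):
        findings.append("no rua= address, so nobody receives the aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    sp = tags.get("sp")
    if sp and sp.lower() not in ("quarantine", "reject"):
        findings.append(f"sp={sp} leaves subdomains unprotected")
    return not findings, findings


def check_dkim(txt_records):
    """Return (ok, findings) for the TXT records at <selector>._domainkey.<domain>."""
    for record in txt_records:
        tags = parse_tags(record)
        if "p" in tags:
            if not tags["p"]:
                return False, ["empty p= means the key was revoked; signatures will not verify"]
            if tags.get("v", "DKIM1").upper() != "DKIM1":
                return False, [f"unexpected v={tags['v']}"]
            return True, []
    return False, ["no DKIM public key at this selector"]


def assess(domain, records, selector="selector1"):
    """Run all three checks for `domain` against a dict of DNS name -> TXT strings."""
    return {
        "spf": check_spf(records.get(domain, [])),
        "dkim": check_dkim(records.get(f"{selector}._domainkey.{domain}", [])),
        "dmarc": check_dmarc(records.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for name, (ok, findings) in assess("example-law.com", SAMPLE_RECORDS).items():
        print(f"{name.upper():5} {'OK' if ok else 'FIX'}  {'; '.join(findings)}")
```

On a Microsoft 365 tenant the selectors are selector1 and selector2, and the selector names in your domain are CNAMEs pointing at Microsoft's onmicrosoft.com records; feed `check_dkim` the TXT that the CNAME ultimately resolves to. A p=none DMARC record is the right first step while you collect rua reports, but the review item is moving it to quarantine or reject once the reports show only your own senders.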
Documents and case files
- Client files stored in an access-controlled system (Microsoft 365, Google Workspace, Clio, MyCase, Smokeball, etc.) — not personal Dropbox or unmanaged file shares
- Encryption at rest (your cloud provider almost certainly does this — verify)
- Encryption in transit (HTTPS everywhere; verify your practice management tool)
- Permissions sized to actual need — paralegals don't need access to every matter
- Documented retention and destruction schedule per your state bar's rules (Texas: 5 years post-engagement minimum, often longer)
Devices
- Full-disk encryption on every laptop (BitLocker, FileVault) — both are free and built in
- A way to remotely wipe a lost device (Microsoft Intune or Google endpoint management; for Macs and iPhones, an MDM enrolled through Apple Business Manager, since Apple Business Manager by itself doesn't wipe anything)
- Auto-updating operating systems and browsers
- Endpoint protection (Defender for Business or equivalent)
Access and accounts
- A team password manager (1Password, Bitwarden, Dashlane) — eliminates shared passwords
- Documented offboarding for departing staff: accounts disabled and active sessions revoked, devices recovered and wiped, and any credential the person could have known (shared vault items, shared-mailbox or service-account MFA) rotated
- Separate admin and daily-use accounts for the firm owner
Cloud vendor due diligence
When a state bar opinion says "reasonable due diligence on the vendor," what they mean in practice is:
- The vendor explicitly addresses confidentiality of client data in their terms
- They publish security documentation (SOC 2 report, ISO 27001, or equivalent)
- You can answer "where is my data physically stored, and who has access?" with a real answer
- You have a path to retrieve all your data if you stop using the vendor
Major practice-management vendors (Clio, MyCase, Smokeball, PracticePanther) all clear this bar. Generic consumer Dropbox or Google Drive used outside an organizational account often does not — not because the technology is bad, but because there's no contractual hook for confidentiality.
Quick test: can you produce a written security overview of your firm's IT setup in 30 minutes? If the answer is no, your "reasonable efforts" defense gets harder if something goes wrong.
The incident-response question
When (not if) something goes wrong (a phishing click, a stolen laptop, an unauthorized email forwarding rule), your obligations under Rule 1.4 (communication with clients) and your state's data breach laws kick in fast. Texas Business and Commerce Code § 521.053 requires notifying affected individuals "without unreasonable delay," and in any case within 60 days of determining that sensitive personal information was exposed; a breach affecting 250 or more Texans also has to be reported to the Texas Attorney General within 30 days.
That means you need:
- A documented incident-response plan (who to call, in what order)
- Logging that lets you actually reconstruct what happened: in Microsoft 365 that means confirming the unified audit log is turned on and knowing its retention window before you need it, because sign-in and mailbox-rule events you didn't keep can't be recovered afterward
- A relationship with a competent IT/security person before the incident — not on day one of the crisis
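The forwarding-rule case is also the one you can check for yourself between incidents instead of discovering it from a client. Below is an added example, not the page's own tooling or Microsoft's, that audits an exported list of inbox rules for external forwarding and the hiding tricks that usually come with it. It assumes the rules were exported from Exchange Online with something like `Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress } | ConvertTo-Json` and loaded as dicts; the firm domain, mailboxes, rule names and addresses here are constructed.

```python
"""Flag inbox rules that send mail outside the firm or hide what they did."""
import re

# Hypothetical firm domains; mail to any other domain counts as external.
FIRM_DOMAINS = {"example-law.com"}

# Matches an SMTP address either bare or inside the "Name [SMTP:addr]" form
# that Get-InboxRule uses for resolved recipients.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Folders attackers move forwarded mail into because owners rarely look there.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Constructed sample export. Field names follow Get-InboxRule's properties;
# the mailboxes, names and addresses are invented for this example.
SAMPLE_RULES = [
    {"MailboxOwnerId": "jsmith@example-law.com", "Name": "Forward to paralegal",
     "Enabled": True, "ForwardTo": ["Pat Lee [SMTP:plee@example-law.com]"],
     "RedirectTo": None, "ForwardAsAttachmentTo": None,
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": None},
    {"MailboxOwnerId": "jsmith@example-law.com", "Name": ".",
     "Enabled": True, "ForwardTo": ["relay@example.net"],
     "RedirectTo": None, "ForwardAsAttachmentTo": None,
     "DeleteMessage": True, "MarkAsRead": True, "MoveToFolder": ":\\RSS Feeds"},
    {"MailboxOwnerId": "kjones@example-law.com", "Name": "Archive newsletters",
     "Enabled": True, "ForwardTo": None, "RedirectTo": None,
     "ForwardAsAttachmentTo": None,
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": ":\\Newsletters"},
    {"MailboxOwnerId": "kjones@example-law.com", "Name": "Send to personal",
     "Enabled": False, "ForwardTo": None, "RedirectTo": ["kjones.home@example.org"],
     "ForwardAsAttachmentTo": None,
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": None},
]


def folder_name(value):
    """Normalize MoveToFolder, which exports as a path such as ':\\RSS Feeds'."""
    return (value or "").split("\\")[-1].strip(": ").lower()


def recipients(rule):
    """All addresses the rule sends mail to, across the three forwarding actions."""
    addrs = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for entry in rule.get(field) or []:
            addrs.extend(a.lower() for a in ADDR_RE.findall(entry))
    return addrs


def audit_rule(rule, firm_domains=FIRM_DOMAINS):
    """Return the reasons a rule needs a human look; an empty list means it looks fine."""
    reasons = []
    external = [a for a in recipients(rule) if a.rsplit("@", 1)[1] not in firm_domains]
    if external:
        reasons.append("sends mail outside the firm to " + ", ".join(external))
        # Forwarding plus hiding the evidence is the classic business-email-compromise pattern.
        if rule.get("DeleteMessage"):
            reasons.append("deletes the original, so the owner never sees it")
        if rule.get("MarkAsRead"):
            reasons.append("marks the message read")
        if folder_name(rule.get("MoveToFolder")) in HIDING_FOLDERS:
            reasons.append(f"moves mail into rarely checked folder {rule['MoveToFolder']!r}")
    if len((rule.get("Name") or "").strip()) <= 1:
        reasons.append("rule name is blank or a single character, a common attacker habit")
    if reasons and not rule.get("Enabled", True):
        reasons.append("currently disabled, but should still be removed and explained")
    return reasons


def audit(rules, firm_domains=FIRM_DOMAINS):
    """Audit an exported rule list; returns one entry per rule that raised a reason."""
    flagged = []
    for rule in rules:
        reasons = audit_rule(rule, firm_domains)
        if reasons:
            flagged.append({"owner": rule.get("MailboxOwnerId"),
                            "name": rule.get("Name"), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in audit(SAMPLE_RULES):
        print(f"{hit['owner']}  rule {hit['name']!r}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Inbox rules are only one forwarding path: mailbox-level forwarding (the ForwardingAddress and ForwardingSmtpAddress properties on Get-Mailbox) and transport rules are set separately and need their own pass. The cleaner control is to block automatic external forwarding tenant-wide in the Exchange Online outbound spam policy and handle the rare legitimate case by exception, so this audit becomes a confirmation rather than the only line of defense.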
What's not required (yet)
You don't currently need ISO 27001 certification, SOC 2 attestation, formal penetration testing, or a SIEM platform. Those are appropriate for firms handling truly sensitive matters at scale (mass tort, healthcare, regulatory work for public companies). For a five-lawyer general-practice firm, the baseline above plus working backups gets you "reasonable" defensibility.
How we set up small Texas law firms
Most of our small-firm clients in DFW end up with:
- Microsoft 365 Business Premium (built-in encryption, MFA, Intune device management, message encryption)
- 1Password Business or Bitwarden Teams
- A practice-management tool the firm chose for its workflow (we don't push specific vendors here)
- Datto SaaS Backup or Spanning for the M365 tenant
- BitLocker on every laptop, encrypted USB drives, no consumer cloud sync
- A one-page incident response plan in writing
- Quarterly review of access lists and connected apps
Total monthly cost for a 5-lawyer firm: typically $300–600. Less than one billable hour. Worth a lot more than that the first time something goes wrong.