File Management and Ensuring Password Access

Managing accrued closed files can be a daunting task if an attorney has not employed file management or file retention and destruction policies. These practice tips, along with a review of the applicable rules and ethics opinions, can help ease the burden by outlining the implicated rules and ways to design file management policies that comply with the rules.

1. Applicable Rules and Ethics Opinions 
   Although no rule gives specific requirements for client file retention and destruction, the Texas Disciplinary Rules of Professional Conduct (TDRPC) and a few ethics opinions provide guidance, as does common sense.
   
   1. Texas Disciplinary Rules of Professional Conduct
      1. Rule 1.05 prohibits disclosure of confidential information of current or former clients except in certain circumstances set forth in the rule. This rule highlights the need to protect access to a client file from anyone who is not authorized to have access by client consent.
      2. Rules 1.09 and 1.10 prohibit a lawyer from taking adverse action against a former client related to the matter in which the lawyer represented the client. This emphasizes that former client files be tracked to determine if new matters might be adverse.
      3. Rule 1.16(d): A lawyer must take reasonable steps to protect a client’s interest when representation ends, including giving reasonable notice to the client, allowing time for the client to hire another attorney, returning documents or property to the client, and refunding any unearned fees. A lawyer may retain documents related to the client if permitted by law, provided it does not prejudice the client in the subject matter of the representation.
      4. Note Regarding Rule 1.14 and Rule 1.15: Rule 1.14 relates to how a lawyer should handle funds or other property that belongs to a client or third party. Ethics Opinion 627 clarifies that “other property” refers to property that is “similar to cash (such as bonds and stock certificates).” Every file should be culled to determine if any client property, which may include original documents, should be protected or returned to the client.
   2. Opinions of the Professional Ethics Committee of the Supreme Court of Texas
      
      
      1. Ethics Opinion 570: The client is entitled to obtain the contents of the file, including attorney notes and other work product related to the lawyer’s representation of the client, unless the lawyer is permitted or required to retain documents and can do so without prejudicing the interests of the former client in the subject matter of the representation.
      2. Ethics Opinion 627: While the TDRPC do not provide specific guidance regarding the disposition of client files, they do provide basic principles and values, such as not disclosing confidential information of current and former clients and not destroying a client’s file if there’s a reasonable likelihood that the client’s interest would be harmed. The opinion also clarifies that the attorney is responsible for the cost of storing the file, except the attorney can charge the client for storage if the client wants the file to be stored longer than required.
      3. Ethics Opinion 657: Generally, a lawyer can provide the file to the former client as it has been maintained or, at the lawyer’s expense, convert some or all of it to paper or to an electronic format. The file contents must be reasonably accessible to the ordinary client. If any information is kept in a special format that is not reasonably accessible to the ordinary client, the lawyer must bear the cost of converting the information to a reasonably accessible format or print the information in a format that can be read by the client. If the file contains anything with unique or significant value in its original form, it should be returned to the client in its original form.
2. File Management Practice Tips
   1. General Tips
      1. Name a Custodian: A custodian can assist if you are temporarily or permanently unable to practice law and is protected from liability. You can designate a custodian via the State Bar of Texas online portal in less than five minutes. See chapter 1, “Designating a Custodian Attorney,” for more information. 
      2. Passwords: Provide the location of passwords to computers, digital client file records, firm financial records, and other practice-related databases to your custodian. See section C., “Ensuring Password Access Practice Tips,” below for more information.
      3. Go Digital: Consider maintaining digital files and eliminating or minimizing paper files.
      4. File Procedure: Determine procedures for opening and closing client files, handling documents and correspondence, reviewing file contents, returning files to clients, and storing and destroying client files. Also see practice tip 3 below.
      5. Client List: Maintain a separate list of all clients, accessible by staff, with critical information, such as:
         1. The file number or identifier with the location of the file (paper and electronic).
         2. Whether the file is currently open or closed.
         3. The client’s name, latest address, phone number, and email address.
         4. A brief description of the matter and relevant court information.
         5. The attorney(s) and staff, if any, working on the file.
         6. A list of client property, items of intrinsic value, or original documents, such as estate planning documents, in the file and their locations.
         7. A record of funds held in your IOLTA account or any trust accounts.
   2. Create a File Retention Policy Appropriate for Your Practice
      1. At a minimum, your file retention policy should include the following information:
         1. How the client will be notified of your file retention policy. See practice tip 4 below.
         2. How the client can obtain their file once the case is closed. Address the cost of postage if the client cannot pick it up. Consider a policy of offering to return the client file at the close of representation and retaining an electronic copy.
         3. How and where the file will be stored.
         4. How long the file will be stored before destruction.
         5. Whether the client will be notified before destruction or only provided notice in the engagement letter and termination letter.
         6. What, if anything, the client will be charged for storage beyond the destruction date. See Ethics Opinion 657.
         7. What will be done if the client cannot be located to return the file or their property, or to consent to destroy the file. Consider the following options:
            
            (a) Making a report to the Texas comptroller regarding funds in the lawyer’s trust account when the lawyer has not been able to locate or identify the owner for longer than three years. See Ethics Opinion 602 and chapter 74 of the Texas Property Code. 
            
            (b) Depositing original wills with the applicable county or probate clerk. See chapter 252 of the Texas Estates Code. 
            
            (c) Petitioning the district court or, if the client has died, in statutory probate court in the county of residence for authority to destroy the file.
      2. Ask your professional liability carrier for file retention guidance. Some carriers have sample file retention policies that you can customize for your practice.
   3. Develop Procedures for Execution of the File Retention Policy Regarding: 
      1. Handling documents and correspondence during representation, including:
         1. Indexing physical files that involve a lot of physical documents and records,
         2. Securing physical files at the close of the business day,
         3. Scanning and filing any files or documents received within a specific number of business days, and
         4. Preserving email correspondence related to the case and archiving email accounts for departing employees.
      2. Reviewing and culling file contents, including:
         1. Reviewing the client file within a specific number of days of the conclusion of the client matter,
         2. Recording the date that the file was reviewed and culled,
         3. Culling any protected information from the client file,
         4. Keeping a copy of the client’s consent to destroy the file,
         5. Returning original documents and valuables to the client within a specific number of days along with a summary of the document retention policy and keeping a written record of what was returned, and
         6. Reviewing and culling closed files in storage that have not yet been reviewed.
      3. Notifying clients to retrieve their files or authorize file destruction in accordance with the rules.
      4. Determining how long to store the file if the client does not want it.
      5. Storing the file securely.
      6. Destroying the file in a way that protects all confidential information.
   4. Include File Retention Policy (and Custodian) Language in Your Retainer Agreement or Notice Letter and Termination Letter
      1. Sample file retention policy and custodian language for your engagement or notice letter:
         
         You agree that it is your responsibility to obtain your file upon termination of representation. We will notify you when it is available after your matter has concluded or will make it available to you within a reasonable time after your request. If your file is not picked up within [number] days after we notify you that it is available, we can assume that you do not want it. In that case, we will retain the file for [number] years and then destroy it in accordance with our file retention policy and procedures and the Texas rules of professional responsibility for lawyers. If you want us to retain your file beyond [number] years, you agree to pay the reasonable costs of storage. If you do not seek the return of your file when we notify you that it is available, you may request it at any time before its destruction. Other than the initial notification that your file is available, we will not send any further notices reminding you that it is available to be picked up or regarding when the file will be destroyed or that destruction has taken place. 
         
         If [I am/we are] temporarily or permanently unable to practice law due to unforeseen circumstances, you consent to a named custodian, a successor attorney in my practice, or an attorney licensed in Texas and in good standing with the State Bar of Texas acting as a custodian to review your client file, including confidential information, and determine what steps, if any, are needed to preserve any rights you may have in your case or to notify you and return your file to you or another attorney at your direction.
      2. Sample file retention policy and custodian language for your closing letter:
         
         Your file is ready to be picked up. If it is not picked up within [number] days, we will assume you do not want it. We will keep your file for [number] years, after which we will destroy it without further notice to you in accordance with our file retention policy and procedures and the Texas rules of professional responsibility for lawyers. If you want us to keep your file longer than [number] years, we are happy to do so but will need to charge you the reasonable cost for storage. If you don’t want your file at this time but later decide you want it, you can request it at any time before it is destroyed. 
         
         If you choose for us to store your file and [I/we] become temporarily or permanently unable to practice law due to unforeseen circumstances, you consent to a named custodian, a successor attorney, a personal representative of my estate, or an attorney licensed in Texas and in good standing with the State Bar of Texas reviewing your client file, including confidential information, to determine what steps, if any, are needed to preserve any rights you may have in your case, to notify you and return your file to you or another attorney at your direction, or to take action authorized under part XIII of the Texas Rules of Disciplinary Procedure.
   5. When a Client Relationship Terminates, Follow the Established File Retention Policy and:
      1. Review the file.
         1. Cull any protected information from the client file.
         2. Keep the client’s consent to destroy their file, which may be in the fee agreement.
         3. Return original documents and valuables to the client along with a summary of the document retention policy.
         4. Send the client a closing letter informing them that the attorney-client relationship is terminated and of their right to the file with deadlines to obtain it. If client funds are held in an IOLTA Account, account for the expended portion and return any excess to which the client is entitled.
      2. Return the file to the client when the representation ends or after an agreed time.
         1. If the file is completely electronic, returning it will be relatively easy. If paper, encourage the client to come get it or mail it at the client’s expense. You may want to make a copy at your own expense.
         2. If you keep the original file, ensure all valuables are returned to the client without delay. Tell the client when the file will be destroyed. If they wish for you to store the file beyond the date it can properly be destroyed, let the client know what amount, if any, will be billed to them for the extended storage.
      3. Storage
         1. Store in a fireproof, waterproof location that prevents an unauthorized person from accessing the contents of the file.
         2. Per Ethics Opinion 627, the cost of storing the file until it can be destroyed is borne by the attorney unless otherwise agreed by the client. However, if the client asks for the file to be stored longer than required, the cost of storage may be charged to the client.
      4. Destroy file only after:
         1. You remove all valuable property and original documents and return them to the client (including excess IOLTA funds).
         2. You confirm that the destruction of the file will not prejudice the client. If destruction will do so, preserve the file, or return it to the client (subject to limitations protecting the interests of other people or, in some situations, the interests of the client).
         3. The expiration of:
            
            (a) All applicable statutes of limitation for claims against the client and the lawyer, including malpractice claims. Do not ask a client permission to destroy the file before these limitation periods run. 
            
            (b) All rules, regulations, court orders, and laws requiring a retention period longer than the applicable statutes of limitation. 
            
            (c) In criminal matters, in addition to statute of limitation issues, a convicted client’s sentence and all appeals.
      5. Consider maintaining electronic files. They minimize the need for a paper file, reduce storage costs, and can be easily transferred to the client at the close of the case.
3. Ensuring Password Access Practice Tips
   
   Whether through a sale of practice, custodianship, or other disposition, a person with interest in a law practice (referred to collectively as “Authorized User”) may require password access for logging into electronic devices or digital resources, such as: 

   • Computers

   • Email

   • Banking and financial accounts

   • Cloud data storage

   • Cell phone and other electronic devices

   • Online libraries and research services

   • Social media

   • Online case filing service

   • Client and case management system, client-related data

   • Financial management services and other software (whether local or cloud-based)
     

   There is no simple solution for efficiently and safely ensuring digital access to the necessary devices, digital services, or other electronic resources. This password access discussion addresses some alternatives, presents pros and cons, and offers a few best practice recommendations.
   
   For information on how to access computers and digital files of a deceased or incapacitated attorney, see chapter 4, section C., “Accessing and Disposition of Client Files.” 
   1. Electronic Password List: Not Recommended
      1. Compiling a current list of passwords in a MS Word or Excel file or similar electronic format is fraught with problems. Anyone will struggle to keep the list updated with the most current passwords. For example:
         1. Passwords change frequently. Vendors require users to periodically update stale passwords, and users frequently change passwords because they forget their log-in credentials.
         2. New accounts or services would also need to be captured on the password list.
      2. Although you might be able to store an electronic list locally in a secure, encrypted location, each of the following potential data storage formats have significant drawbacks:
         1. Secure cloud storage may not be as secure as desired.
         2. Information stored online may be subject to data breaches, even if encryption reduces the risk.
         3. The cloud storage password must also be shared between the attorney and the Authorized User, whether before the need arises or contingently on an incapacitating event.
         4. Emailing the list to the Authorized User may be unsafe from threat actors or phishing.
         5. Physical storage media, such as a USB drive or portable data disk, can be misplaced, lost, or stolen. Other logistical impediments may make it difficult to access the media or update passwords and services.
   2. Paper List: Not Recommended
      1. While potentially more secure than an electronic password list in some respects, as the list is not directly hackable, this practice is not an optimal solution:
         1. Basic password protection protocols strongly advise against writing down passwords (but see https://tiptopsecurity.com/is-it-okay-to-write-down-my-passwords-how-to-do-it-right/ for contrary advice).
         2. Exercising due diligence to maintain the most current passwords and services is equally challenging for all the reasons listed in section C.1.a. above.
      2. If you elect to use this dubious practice, options for storing the list include:
         1. Giving it to the Authorized User (with the added risk of the list being lost or stolen).
         2. Keeping it in your personal safe.
         3. Placing it in a safe-deposit box, giving contemporaneous or contingent future access to the authorized representative.
   3. Password Manager: Much Better Option
      1. A password manager (a.k.a. password management app or digital wallet) is an online service or application that encrypts and securely stores a user’s passwords and other log-in information so that the user needs to remember only one master password to access all their other log-in credentials. It is probably the most recommended go-to solution by tech security experts in recent years. To begin using a password manager, a user commonly:
         1. Exports the passwords and credentials into a file from the user’s browser or other location.
         2. Imports that file’s contents into the password manager app on the web in encrypted cloud storage (a.k.a. vault).
         3. Only needs to memorize, or otherwise preserve, one master password (a.k.a. “single sign-on” or SSO) thereafter, grant the password manager app access to the vault, and automatically complete passwords and credentials.
      2. Practice Tip: Store log-in credentials to the attorney’s computer and/or laptop on the password manager to ensure access to files that are on the attorney’s physical computers but not available in the cloud.
      3. Password Manager Vendors: For information on several potential vendors, with helpful pros and cons for each, see https://www.pcmag.com/picks/the-best-password-managers. Prices vary. At present 1Password charges about $35 a year. Various major platform providers also provide this service, which you might already be using without knowing it, such as Apple’s iCloud Keychain or the free Google Password Manager. 
         
         Features and services for a password manager service, depending on the vendor, may include:
         1. Generating strong, complex passwords (rather than using the exact same password—or similar variations—across multiple websites, which we all know you do).
         2. Capturing passwords for desktop applications.
         3. Creating more than one vault (for example, different vaults for business, family, and personal purposes).
         4. Filling out forms automatically.
         5. Secure encrypted data storage for your files and other data (apart from just your passwords).
         6. Access to a personal virtual private network (VPN).
      4. Multifactor Authentication
         
         For added security, password management services typically offer multifactor authentication (MFA) to provide extra layers against hacking and phishing. MFA is sometimes referred to as two-factor authentication (2FA) when two steps are involved. An MFA or 2FA protocol requires one or more extra steps you can choose from to verify your identity, in addition to the master password (first step/factor), such as:
         • Entering a personal identification number (PIN).
         • Clicking a link sent to your email address.
         • Using thumbprint or facial recognition tools, or providing another biometric identifier.
         • Accessing a push notification on your phone.
         • Using a physical object in your possession, like a hardware security key (see practice tip 5 below).
      5. Password Manager Pros and Cons:
         1. Pros:
            (a) Emergency access: Crucially, many services (but not all!) offer the option to designate authorized users for emergency access to your password manager, which can be an efficient way to provide this access. For example, 1password has an “Emergency Kit,” which is a PDF file for storing in a safe place that contains your “secret key” and a space to record your master password for accessing this service. You have the same options (and drawbacks) as a paper password list for ensuring emergency access to this kit, including: 
            
            (1) Giving it to the Authorized User. 
            
            (2) Storing it in your personal safe. 
            
            (3) Placing it in a safe-deposit box. 
            
            (b) Court order: If the person does not have such emergency access to the password manager after an attorney’s incapacitating event, they might be able to obtain emergency access to the service by court order. For example, a custodian attorney may obtain an order for custodianship and court supervision under Texas Rule of Disciplinary Procedure (TRDP) 13.03 so that the custodian may “examine the client matters, including files and records of the attorney’s practice, and obtain information about any matters that may require attention.” Alternatively, a probate court can similarly provide an order for such access in a probate proceeding. However, some platforms and services expressly disclaim any obligation to provide a user’s passwords or log-in details. For example, see Google, “Submit a Request Regarding a Deceased User’s Account,” (last visited June 14, 2023) https://support.google.com/accounts/troubleshooter/6357590. 
            
            Note: Including language in your will or durable power of attorney is another option for ensuring access to client files. See “Sample Will Language” and “Sample Durable Power of Attorney Language” in  chapter 1, section F., “Forms and Resources for Designating a Custodian.” 
         2. Cons:
            (a) Compatibility: Before jumping in with the first service you find, verify whether the password manager service is compatible with your default browser, your specific devices, and any essential websites. 
            
            (b) Single point of failure: Requiring only a single master password for accessing all of your online accounts and credentials creates the concomitant problem of a potential single point of failure causing a lack of access if the master password is lost or stolen. When this happens, password manager apps often do not have recovery protocols to retrieve or reset the master password (to eliminate the risk that it is phished by someone posing as you). 
            
            (c) Security: While these services frequently offer some of the best-in-class encrypted cloud protection for password credentials, they are not flawless. At least one password manager company infamously sustained a serious breach in which customers’ encrypted vaults were stolen (https://www.theverge.com/2022/12/22/23523322/lastpass-data-breach-cloud-encrypted-password-vault-hackers), with an engineer’s employer vault hacked (https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/) a few months later. 
   4. Passkeys: Possibly a Great Option but Too Soon to Tell
      
      Passkeys purportedly offer a more convenient and safer alternative to passwords. A passkey is based on a user’s trusted devices and allows the user to sign in by unlocking their computer or mobile device with their fingerprint, facial recognition, a local PIN, or a hardware security key (see section C.5. below) instead of a password. Each of the user’s trusted devices will have its own passkey, and platforms should sync passkeys across multiple devices. Passkeys use a FIDO2 authentication protocol (Fast ID Online). Since there is no password to hack, it is resistant to phishing, and it is almost impossible for threat actors to hijack credentials, messages, or emails to log in, unless they have one of your devices in their possession already logged in. 
      
      Keep an eye on this emerging technology. Passkeys may become the next gold standard for security and electronic authentication, revolutionizing access to devices and credentialed websites by eliminating the need to recall passwords. Passkeys should soon work on most major platforms and browsers. 
      
      Finally, passkeys and password managers are not mutually exclusive, as current password manager vendors, such as 1Password and Dashlane have publicly announced they are going to support passkeys, meaning these services can work in tandem to provide multiple layers of password and device security. 
      
      For more information on passkeys see these resources:
      1. FIDO Alliance, “Passkeys,” https://fidoalliance.org/passkeys/ (last visited June 14, 2023).
      2. Google, “The Beginning of the End of the Password” (May 3, 2023), https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/.
   5. Hardware Security Key
      
      A hardware security key contains a private key code for authentication purposes that communicates with a device when the key is plugged into the device’s USB port. It may also (or instead) have the ability to connect with the device through near-field communication (NFC) protocol, so that a user needs only to bring the key near the device or tap the device. 
      
      A hardware security key (like the Yubikey and the Google Titan) can complement authentication for a password manager and other services, or even serve as the primary security for your devices. A hardware security key may also be referred to as a token, fob, dongle, FIDO key, physical security key, or universal 2nd factor (U2F) key. Purchasing a key directly from a manufacturer or on Amazon is relatively inexpensive, costing approximately $25 to $50. 
      
      As noted above, a hardware security key can either:
      1. Offer an extra layer or factor of security to protect passwords or ensure secure access (as part of MFA or 2FA), for example, in conjunction with a password manager or a passkey.
      2. Be used as a stand-alone tool for authentication to access hardware or certain services without the need to enter a password.
      Hardware Security Key Downside: The primary disadvantage for a physical security device is that it might be lost, stolen, or damaged. If there is no duplicate or alternate hardware key and you no longer possess the original U2F hardware key, it may be impossible to regain access. To alleviate this issue, you might consider obtaining two duplicate keys, one for yourself and another for the successor or in a secure place.
      
      If you use a hardware key in conjunction with a password manager, confirm that security protocols for each are compatible (for example, that the key and the password manager both support FIDO2 authentication for ease of use and up-to-date protection).
   6. Recommendations
      What are the best options for securing your passwords for easy access? Each attorney’s situation varies, and one solution may not fit all users, but the following framework offers a launching point:
      1. Use a password manager: Set up a password manager (see section C.3. above).
      2. Ensure emergency access: Take the steps necessary to ensure that your Authorized User has emergency access.
      3. Hardware security keys: For maximum security (according to one leading security expert), especially to protect sensitive client information and preserve confidentiality, consider obtaining one or more hardware security keys compatible with the password manager (see section C.5. above) to provide comprehensive access to your passwords, software, services, and devices—in conjunction with, or in lieu of, an emergency access kit. Keep this key in a safe, securely accessible location for the Authorized User. For the ultimate protection, consider storing the key in a safe or safe-deposit box.
      4. Consult an IT professional to determine the best security measures for your current technological configuration and anticipated needs. In appropriate circumstances, consider adding an IT expert as a crucial member of your succession planning team.
4. Forms and Resources for File Management
   1. Forms
      1. Sample Engagement Letter Language Regarding File Retention and Custodian
      2. Sample Closing Letter Language Regarding File Retention and Custodian
      3. Sample File Retention Policy
   2. Resources
      1. File Retention Policy Practice Tips Checklist
      2. File Retention Policies from Other States (may not be compliant with the TDRPC):
         1. Lawyers Mutual Liability Insurance Company of North Carolina
         2. California Lawyers Association sample policy
      3. Sample Best Practices from Other States:
         1. Washington State Bar Association—best practices and WBSA checklist
         2. State Bar of Michigan File Retention Toolkit guidance