One of the cornerstones of the attorney-client relationship is the attorney’s obligation to safeguard a client’s confidences. An attorney who fails to do so can face severe consequences, including termination by the client, a bar grievance, or even a legal malpractice claim.
Revealing a client confidence can get an attorney in trouble even if there are few consequences of that disclosure. In other circumstances, however, the harm posed by a failure to safeguard confidences can be severe, such as when an attorney reveals the identity of a victim of domestic abuse to the press or fails to adequately protect a business’s trade secrets.
In years past, attorneys would take care to avoid having sensitive conversations in public places, like an elevator or a party. However, now, with more attorneys working remotely and on electronic devices and in the modern world of Facebook, Twitter and the internet, it has become more challenging for attorneys to protect client confidences and secrets. As it has for others, data security has become a vitally important issue for law firms.
Evidence suggests that hackers targeting certain corporations may attempt to gain access to corporate secrets through law firms because they often find the law firms’ networks easier to penetrate. Indeed, over the past several months, some prominent law firms have suffered highly publicized data breaches. The prospect of a data breach is concerning and could have significant consequences for the clients whose confidential information has been compromised. However, the largest risks for disclosure of confidential information are not sophisticated computer hackers, but rather can be avoided by ensuring that simple protocols, practices and procedures result in the protection of client confidences and secrets.
Indeed, it is far more likely that a client’s confidences and secrets will be revealed by something other than a sophisticated hacker.
The key for most attorneys is to appreciate that “confidences and secrets” is often much broader than the attorney-client privilege. The scope of Rule 1.6 of the Connecticut Rules of Professional Conduct extends to all “information relating to [the] representation of a client.” Accordingly, attorneys typically protect information ranging from the identity of a client to the termination of the relationship and everything in between. This obligation may also carry on after the attorney-client relationship has ended and extends to employees and staff of the law firm.
Generally, there are three areas where client confidences and secrets can be vulnerable to discovery: documents, electronic information and oral communications. What steps attorneys may consider to protect confidences in these three categories will likely vary depending on the type of practice and type of information.
Documents generated during the course of a representation often contain sensitive client information. Many law practices adopt protocols for addressing and storing the various categories of documents, including financial documents (such as billing records), file documents (generated during the course of the representation) and other related documents that might not be client-specific.
For example, a firm might consider document maintenance, retention and destruction protocols. For document maintenance, most firms will take reasonable steps to ensure that confidential files are kept in secured areas that are not publicly accessible. In practical terms, this means that confidential files should not be kept in lobby areas, hallways utilized by nonemployees or other public areas of the law firm that are not segregated and secure.
Document retention policies can also be confirmed in writing and specify the method, duration and place of retention. Clients can be advised at the outset of a representation (in the engagement letter or the fee contract) of the document retention rules, including specifically any policies regarding original copies of documents, the right of the client to the documents, and the notification procedures that will be followed regarding the ultimate disposition of the documents.
Document destruction policies can also be in writing. Although destruction policies can vary by firm, by state, and even by type of representation, it is most helpful that the policies be uniform. That is, firms that apply document destruction policies on an ad hoc basis, or at the discretion of an attorney or other employee, may face heightened scrutiny if questions arise regarding whether confidential information was lost.
The safer course is to have uniform rules regarding the length of time that documents will be maintained prior to destruction, and the notifications to clients that will be provided before a client document is destroyed. That doesn’t mean that there can never be exceptions to the policy. All situations are unique and will require careful consideration of the facts and circumstances.
For most law firms, adequately protecting electronic information involves a combination of internal policies and external expertise. Whether a solo practitioner or a large firm, the practice can take steps to ensure that computer systems and internet access are secure and updated. The range of the security may vary on the circumstances, but law firms should take serious stock of what confidential information they have in their possession. For example, a plaintiffs’ class action firm may be a target for hackers because that firm may have the medical records or Social Security numbers of hundreds of plaintiffs in their files.
Firms can also adopt internal policies aimed at protecting vulnerable client information. For example, many firms discourage employees from using personal email accounts to send or receive any “work” emails given the potential risk.
Communications about client matters outside of the law office should be discouraged unless it occurs in the course of providing legal services. Clients expect that their business is confidential, and attorneys should work hard to make sure it stays that way.
Employees may need instruction on the types of information that must be protected from disclosure. Many firms—regardless of the size—will consider protocols for how to respond to inquiries from the press or other outside entities so as to protect confidences.
Leading by example is also important. Attorneys should be encouraged to remember that staff members will follow their lead when deciding what information can be disclosed outside the firm. Thus, attorneys should avoid gossiping about clients or matters to people outside the firm, particularly in front of more junior attorneys or staff who may then believe that such conduct is appropriate.
Shari L. Klevens is a partner at Dentons in Atlanta and Washington, D.C., and serves on the firm’s U.S. board of directors. She represents and advises lawyers and insurers on complex claims and is co-chairwoman of Dentons’ global insurance sector team. Alanna G. Clair is a partner at the firm in Washington, D.C., and focuses on professional liability defense. Klevens and Clair are co-authors of “The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance.”