Alanna Clair. left, and Shari Klevens

Many attorneys are well-versed in the scope and obligations of the privilege shared between attorney and client. However, sometimes attorneys overlook the additional obligation set by the ethical rules for attorneys to protect confidential information obtained during the course of the representation. Such information may not always be “privileged,” even if it is “confidential.” Indeed, the scope of Rule 1.6 of the Connecticut Rules of Professional Conduct extends to all “information relating to the representation of a client.”

As a result, seemingly ordinary facts, such as the actual identity of a client, may warrant protection from inadvertent or unauthorized disclosure. Additionally, with a few exceptions, the attorney’s duty to maintain confidential information survives the attorney-client relationship and extends to employees and staff of the law firm. And the failure to protect such information can result in severe consequences both from licensing bodies and the client.

Attorneys who reveal client confidences and secrets may face discipline from the Connecticut Bar and, perhaps even worse, be on the receiving end of a legal malpractice claim. For decades, maintaining confidences was a simple matter involving keeping elevator chatter and lunch discussions to a minimum. But with the rise of teleworking and increasing reliance on portable electronic devices, it is more challenging now than ever for attorneys to protect client confidences and secrets. Undoubtedly, data security has become a vitally important issue for law firms.

Hackers pose a risk to law firms. Recent data even suggest that hackers view law firms as the gateway to their clients’ information because the perception is that law firms’ networks are easier to penetrate. For clients, the prospect of a law firm data breach is especially concerning. Still, by implementing simple protocols, practices, and procedures designed to protect client confidences and secrets, client confidential information can be protected from targeted threats and other disclosure.

Generally speaking, there are three types of information that can be implicated by client confidences and secrets: oral communications, documents, and electronic data. Each presents its own challenges, and the steps for preserving confidences and secrets will vary depending on the size, nature, and type of practice.

1. Oral Communications

Communications about client matters outside of the law office can be unnecessary (and, therefore, avoidable), unless they are needed to obtain legal support or render legal services. Clients expect their business to stay confidential; attorneys are typically retained to ensure that it remains confidential. Indeed, news stories about lawyers overheard at lunches discussing client business suggest that this continues to be an area of risk for attorneys.

Attorneys can set an example for more junior attorneys and staff working on their matters by maintaining client confidences and discouraging team members from discussing client representations outside of the firm. The consequences of such disclosures can be great. Attorneys can also review the types of situations in which the issue may arise, such as inquiries from the press or casual cocktail party conversation, in defining the boundaries and determining how to handle the situation.

2. Documents

Client documents and those generated during the course of a representation often contain confidential, proprietary, and sometimes personal information. Given the sensitive nature of the information, law practices may have a protocol or internal practice for addressing the various categories of documents, including financial documents (such as billing records), file documents (generated during the course of the representation), and other related documents that might not be client-specific.

Whether documented in a formal policy or simply part of a firm’s routine protocols, firms can address document maintenance, retention, and destruction issues. Some firms will store hard copy confidential files in secured areas that are not publicly accessible. Other policies can consider the method, duration, and place of retention. In conjunction with the ethical rules, attorneys may decide how to handle original copies of documents, the right of the client to the documents, and the notification procedures that could be followed regarding the ultimate disposition of the documents.

Because many situations are unique and may require careful consideration of the facts and circumstances, firms may be in the best situation to identify what practices or written protocols work best for their clients.

3. Electronic Data

In order to protect electronic data, there is no substitute for adequate security protocols prepared by professionals. Regardless of the size or nature of the law practice, clients expect that adequate security protocols exist to protect their information. In response to this issue, most firms secure and update their computer systems and internet access in response to evolving threats.

In addition, specific policies can address and prevent circumstances where client information is left vulnerable. For example, some law firms choose to limit or disallow employees from using personal email accounts to send or receive any “work” emails. Others will train employees regarding the law firm’s technology to help reduce the risk of disclosures outside of the law firm’s secured environment.

Experts in the field can help law firms and attorneys determine what level of protection works best for their practice and whether specific policies (regarding passwords or encryption) could be adopted for mobile devices. The biggest risk is for attorneys to assume that they are not vulnerable or that they do not possess confidential information that could be valuable to hackers or other bad actors.

Maintaining client confidences and secrets may seem like a daunting task. But given the potential risks brought by changing technology and heightened client expectations, law firms that take a proactive approach by considering these suggested steps can establish a culture and practice where client secrets are treated with the utmost care.