Nearly every client representation involves receiving some type of confidential information from clients or about clients. How attorneys handle it, use it and safeguard it is critically important, as the consequences of unsanctioned disclosure may be severe.
It should be no surprise that an attorney who discloses client confidences and secrets without permission or purpose could face discipline from the Texas Bar and, separately, be the target of a legal malpractice claim. For example, a claim could result if an attorney discloses attorney-client communications to a third party or fails to adequately protect a business’s trade secrets.
Previously, maintaining confidences primarily centered on exercising caution with respect to conversations, that is, minimizing the risks of being overheard during innocent elevator talk or business lunches. But now, with more attorneys than ever before working remotely and conducting business on portable electronic devices, coupled with modern connectivity via the Internet, Twitter and Facebook, it has become more challenging for attorneys to protect client confidences and secrets. Data security has also become a vitally important issue for law firms.
In fact, evidence suggests that hackers targeting certain corporations may attempt to gain access to their secrets through law firms because they often find the law firms’ networks easier to penetrate. The prospect of a data breach is concerning and could have significant consequences for the clients whose confidential information has been compromised. However, the biggest risk for disclosure of confidential information may not be a sophisticated computer hacker, but a mistake made much closer to home.
What must be protected?
The starting point is to understand that “confidences and secrets” involve much more than just information protected by the attorney-client privilege or the work product doctrine. Instead, the scope of Rule 1.05 of the Texas Disciplinary Rules of Professional Conduct extends to “all information relating to a client or furnished by the client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client.”
As a result, the topics that could need to be protected could include the identity of a client, the termination of the relationship, and everything in between. With some exceptions, this obligation continues after the attorney-client relationship has ended and extends to employees and staff of the law firm.
There are three common areas of focus when it comes to client confidences and secrets: documents, oral communications, and electronic information. Each presents its own challenges, and the steps for preserving confidences and secrets will vary depending on the size, nature and type of practice.
Documents generated during the course of a representation often contain sensitive client information. Law practices therefore generally have a protocol for addressing the various categories of documents, including financial documents (such as billing records), file documents (generated during the course of the representation), and other related documents that might not be client specific.
In addressing these categories, a firm might consider document maintenance, retention, and destruction protocols or systems. For document maintenance, certain steps can be taken to ensure that confidential files are kept in secured areas that are not publicly accessible.
Many firms will adopt systems or internal protocols regarding how to handle client files. For some firms, this may mean adopting a document retention policy. Policies—whether formally written or part of the firm’s common practice—can cover many topics, including what the firm will do with original copies of documents, the right of the client to the documents, and the notification procedures that will be followed regarding the ultimate disposition of the documents. For most attorneys, determining the proper approach will require careful consideration of the facts and circumstances.
2. Oral communications
Communications about client matters outside of the law office are to be discouraged unless they occur in the course of providing legal services. Clients expect their business to remain confidential, and successful attorneys ensure it stays that way.
In addition to providing information on confidentiality to employees in writing, effective risk management may include training for law firm personnel regarding the importance of maintaining client confidences and secrets as well as the potential consequences for failing to do so. Examples of situations in which the issue may arise, such as in response to inquiries from the press, are helpful in defining the boundaries and explaining how to handle various situations. Although such training is not required by the ethical rules, it can provide a benefit because otherwise employees may not know the types of information that must be protected from disclosure.
In this regard, leading by example is important. Attorneys are encouraged to remember that staff members will follow their lead when deciding what information can be disclosed outside the firm.
3. Electronic information
In order to protect electronic information, there is no substitute for adequate security protocols prepared by professionals. Regardless of whether the practice belongs to a solo practitioner or a large law firm, bars are coming to expect that attorneys will adopt adequate security protocols to protect client information. This means that lawyers and firms can secure and update their computer systems and Internet access as is necessary to respond to constantly evolving threats.
In addition, specific policies can address and prevent circumstances where client information is left vulnerable. For example, law firms can determine whether to discourage (or even prohibit) employees from using personal email accounts to send or receive any “work” emails. Firms can also require encryption or multiple-level passwords for attorneys who are using firm systems out of the office, whether through mobile technology or other remote service.
Although maintaining client confidences and secrets may seem like a daunting task in light of the potential risks in today’s world, a law firm that takes a proactive approach using these suggested steps can establish a culture where client information is treated with the utmost care.
Shari L. Klevens is a partner at Dentons and serves on the firm’s US Board of Directors. She represents and advises lawyers and insurers on complex claims and is co-chair of Dentons’ global insurance sector team. Alanna Clair is a senior managing associate at Dentons and focuses on professional liability defense. Shari and Alanna are co-authors of “The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance.”