| Damien Black

Lawyers, You Must Protect Client Information

Lawyers, by the nature of their profession, collect and possess a lot of client information, much of it considered highly sensitive or confidential. Because of this, attorneys have a responsibility under the American Bar Association Model Rules of Professional Conduct and their state’s corresponding rules to ensure their client information is safe – no matter where it is stored.


Ethics Basics – What’s Behind ABA Formal Opinion 477 and How Does It Impact Your Practice?


When it comes to representing a client, there are very few things you can talk about as an attorney that don’t fall under Model Rule 1.6 regarding confidentiality of information.


“A lawyer shall not reveal information relating to the representation of a client” unless the client gives informed consent, with some exceptions as in Rule 1.6(b). Those exceptions include to prevent reasonably certain death or substantial bodily harm; to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services; and to comply with other law or a court order.


So, what does this mean? Basically, everything in the case. Even though the rule is entitled “Confidentiality of Information,” that doesn’t mean just information subject to the attorney-client privilege. It applies to any information related to the representation of a client.


It is up to lawyers to protect their client’s information. Lawyers have a duty to resist disclosure, even if it is a government agency, such as the FBI, seeking the information. ABA Opinion 373 (2016) states that if a client decides to not comply with the demand or order from a subpoena for a client file, the lawyer should defend against the disclosure on any reasonable basis. In fact, if the lawyer’s efforts to resist disclosure are unsuccessful, the lawyer must consult with his or her client about the possibility of an appeal. And in the event the lawyer and the client can’t agree about whether to comply with the order, then the lawyer should consider withdrawing under Rule 1.16.


What is the takeaway from Rule 1.6? A lawyer is required under the rule to “not reveal information relating to the representation of a client,” so the lawyer should raise every possible non-frivolous defense in order to protect that information. And remember, that information is not just information subject to the attorney-client privilege. It applies broadly to the representation of a client.


Where is Your Client Information Stored?


If you are like most lawyers, you have client information in several places. It’s on the smartphone you use to email or text a client. It’s on your desktop, laptop or tablet. The information is on a server somewhere in the law firm and possibly in the cloud. That information is also inside your head, and if you are not careful, it could be inadvertently shared with others.


In 2017, Ty Cobb, a White House employee under President Donald Trump, and Trump’s lawyer, John Dowd, had lunch outside at a restaurant located next to the Washington Bureau of the New York Times. The two men discussed – apparently quite loudly – details of the investigation involving Russia, President Trump, his son-in-law, Jared Kushner, and others. They happened to be seated next to a New York Times investigative reporter.


Have you been guilty of having a conversation about a client matter or a case in a public place, within earshot of others? You never know who can overhear your conversation; it could be a reporter.


The Attorney’s Role and Responsibility for Security


In 2012, amendments accounting for technology were added to Model Rules 1.1 and 1.6. The amendment for Rule 1.1 requires that attorneys must keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.


The technology amendment to Rule 1.6 says, “information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”


What is considered when determining reasonable efforts? Those factors include, according to Comment [18], sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients, (e.g., by making a device or important piece of software excessively difficult to use).


You as the lawyer may think you are doing enough to protect your client’s information, but your client may think you need to be doing more.


Impact of ABA Formal Opinion 477


Formal Opinion 477 acknowledges that times have changed since it released a formal opinion in 1999 allowing lawyers to use email to communicate with clients. Now, email is one of the most-used ways lawyers communicate with their clients. As such, the Model Rules of Professional Conduct needed to be updated to reflect this.


Formal Opinion 477 says:


“A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”


The opinion does not outright say what information requires additional security measures but does offer a “fact-based analysis.”


Attorneys should consider:


  • The sensitivity of the information
  • The likelihood of disclosure if additional safeguards are not employed
  • The cost of employing additional safeguards
  • The difficulty of implementing safeguards
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent clients


In today’s world, given the highly sensitive and confidential client information law firms possess and store, attorneys and law firms need to proceed with the mindset of not if the firm will be hacked, but when it will be hacked. As such, firms should evaluate the technology they utilize to communicate with clients and ensure they are taking reasonable steps to protect client data.


For more on what steps attorneys can take to protect client information, including using encryption and cloud services, download our guide, “Technology Solutions Mitigate Risk of Data Disclosure.”


Special thanks to James J. Bell of Paganelli Law Group for his help with our guide.