Attorneys learn client confidences as part of the attorney-client relationship. Attorneys who fail to safeguard such information do so at their own peril, as the consequences for the improper disclosure of confidential information can be severe.
An attorney who discloses client confidences and secrets may face discipline from the State Bar of Georgia and, separately, may receive a legal malpractice claim from their client. For example, a claim could result if an attorney intentionally reveals the identity of a victim of domestic abuse to the press or fails to adequately protect a business's trade secrets.
In the past, maintaining confidences largely only required special care to be taken with respect to conversations, i.e., to minimize the risks of being overheard during elevator talk or casual discussions.
Recently, however, with more attorneys working remotely and on electronic devices, and in the modern world of Facebook, Twitter and the internet, it has become more challenging for attorneys to protect client confidences and secrets. As it has for others, data security has become a vitally important issue for law firms.
Evidence suggests that hackers targeting certain corporations may attempt to gain access to corporate secrets through law firms because they often find the law firms' networks easier to penetrate. Indeed, over the past several months, some prominent law firms have suffered highly publicized data breaches.
The prospect of a data breach is concerning and could have significant consequences for the clients whose confidential information has been compromised. However, the largest risks for disclosure of confidential information are not sophisticated computer hackers, but rather can be avoided by ensuring that simple protocols, practices and procedures result in the protection of client confidences and secrets.
The starting point is to understand that "confidences and secrets" involve much more than just information protected by the attorney-client privilege or the work product doctrine. The scope of Rule 1.6 of the Georgia Rules of Professional Conduct extends to "all information gained in the professional relationship with a client, including information which the client has requested to be held inviolate or the disclosure of which would be embarrassing or would likely be detrimental to the client, unless the client gives informed consent."
Accordingly, the attorney must protect information ranging from the identity of a client to the termination of the relationship and everything in between. This obligation also carries on after the attorney-client relationship has ended and extends to employees and staff of the law firm.
Because attorneys are charged with making sure that others employed by the law firm maintain client confidences and secrets, the protocols, practices and procedures must ensure that all firm employees—not just attorneys—understand the obligation to protect client information. The firm's policy should be in writing and accessible at all times by employees (for example, in an online employee handbook), not just upon hiring.
Generally, there are three zones for maintaining client confidences and secrets: documents, oral communications and electronic information. Each presents its own challenges, and the steps for preserving confidences and secrets will vary depending on the size, nature and type of practice.
Documents generated during the course of a representation often contain sensitive client information. Ideally, law practices should have a protocol for addressing the various categories of documents, including financial documents (such as billing records), file documents (generated during the course of the representation) and other related documents that might not be client-specific.
In addressing these categories, a firm might consider document maintenance, retention and destruction protocols. For document maintenance, reasonable steps should be taken to ensure that confidential files are kept in secured areas that are not publicly accessible. In practical terms, this means that files should not be kept in lobby areas, hallways utilized by nonemployees or other public areas of the law firm that are not segregated and secure.
Document retention policies should also be confirmed in writing and specify the method, duration and place of retention. Clients can be advised at the outset (in the engagement letter or the fee contract) of the document retention rules, including specifically any policies regarding original copies of documents, the right of the client to the documents, and the notification procedures that will be followed regarding the ultimate disposition of the documents.
Document destruction policies should also be in writing. The most important component of such a policy is uniformity. Generally, document destruction policies should not be applied on an ad hoc basis or at the discretion of an attorney or other employee. Such rules inevitably invite heightened scrutiny if questions arise regarding whether confidential information was lost.
The safer course is to have uniform rules regarding the length of time that documents will be maintained prior to destruction, and the notifications to clients that will be provided before a client document is destroyed. That doesn't mean that there can never be exceptions to the policy. All situations are unique and will require careful consideration of the facts and circumstances.
Communications about client matters outside of the law office should be discouraged unless it occurs in the course of providing legal services. Clients expect that their business is confidential, and attorneys should work hard to make sure it stays that way.
In addition to providing information on confidentiality to employees in writing, effective risk management may include training for law firm personnel regarding the importance of maintaining client confidences and secrets as well as the potential consequences for failing to do so.
Examples of situations in which the issue may arise, such as in response to inquiries from the press, are helpful in defining the boundaries and explaining how to handle various situations. Employees may not know the types of information that must be protected from disclosure.
Leading by example is also important. Attorneys should be encouraged to remember that staff members will follow their lead when deciding what information can be disclosed outside the firm.
In order to protect electronic information, there is no substitute for adequate security protocols prepared by professionals.
Regardless of whether the practice is a solo practitioner or a large law firm, clients expect that adequate security protocols exist to protect their information. This means that computer systems and internet access need to be secure and updated as is necessary to respond to constantly evolving threats.
Specific policies also should be enacted to prevent circumstances where client information is left vulnerable. For example, law firms should discourage employees from using personal email accounts to send or receive any "work" emails. It is also vital that employees are adequately trained regarding the law firm's technology so that they understand when they are outside of the law firm's secured environment.
Although maintaining client confidences and secrets may seem like a daunting task in light of the potential risks in today's world, a law firm that takes a proactive approach using these suggested steps can establish a culture where client information is treated with the utmost care.