By Randy (J. Randolph) Evans, Esq., Shari L. Klevens, Esq. and Alanna Clair, Esq. of Dentons
Attorneys learn client confidences as part of the attorney-client relationship. Attorneys who fail to safeguard such information do so at their own peril, as the consequences for the improper disclosure of confidential information can be severe.
An attorney who discloses client confidences and secrets may face discipline from the State Bar of Georgia and, separately, may receive a legal malpractice claim from their client. For example, a claim could result if an attorney intentionally reveals the identity of a victim of domestic abuse to the press or fails to adequately protect a business’s trade secrets.
In the past, maintaining confidences largely only required special care to be taken with respect to conversations, i.e., to minimize the risks of being overheard during elevator talk or casual discussions.
Recently, however, with more attorneys working remotely and on electronic devices, and in the modern world of Facebook, Twitter and the internet, it has become more challenging for attorneys to protect client confidences and secrets. As it has for others, data security has become a vitally important issue for law firms.
Evidence suggests that hackers targeting certain corporations may attempt to gain access to corporate secrets through law firms because they often find the law firms’ networks easier to penetrate. Indeed, over the past several months, some prominent law firms have suffered highly publicized data breaches.
The prospect of a data breach is concerning and could have significant consequences for the clients whose confidential information has been compromised. However, the largest risks for disclosure of confidential information are not sophisticated computer hackers, but rather can be avoided by ensuring that simple protocols, practices and procedures result in the protection of client confidences and secrets.
The starting point is to understand that “confidences and secrets” involve much more than just information protected by the attorney-client privilege or the work product doctrine. The scope of Rule 1.6 of the Georgia Rules of Professional Conduct extends to “all information gained in the professional relationship with a client, including information which the client has requested to be held inviolate or the disclosure of which would be embarrassing or would likely be detrimental to the client, unless the client gives informed consent.”
Accordingly, the attorney must protect information ranging from the identity of a client to the termination of the relationship and everything in between. This obligation also carries on after the attorney-client relationship has ended and extends to employees and staff of the law firm.
Because attorneys are charged with making sure that others employed by the law firm maintain client confidences and secrets, the protocols, practices and procedures must ensure that all firm employees—not just attorneys—understand the obligation to protect client information. The firm’s policy should be in writing and accessible at all times by employees (for example, in an online employee handbook), not just upon hiring.
Generally, there are three zones for maintaining client confidences and secrets: documents, oral communications and electronic information. Each presents its own challenges, and the steps for preserving confidences and secrets will vary depending on the size, nature and type of practice.
Documents generated during the course of a representation often contain sensitive client information. Ideally, law practices should have a protocol for addressing the various categories of documents, including financial documents (such as billing records), file documents (generated during the course of the representation) and other related documents that might not be client-specific.
In addressing these categories, a firm might consider document maintenance, retention and destruction protocols. For document maintenance, reasonable steps should be taken to ensure that confidential files are kept in secured areas that are not publicly accessible. In practical terms, this means that files should not be kept in lobby areas, hallways utilized by nonemployees or other public areas of the law firm that are not segregated and secure.
Document retention policies should also be confirmed in writing and specify the method, duration and place of retention. Clients can be advised at the outset (in the engagement letter or the fee contract) of the document retention rules, including specifically any policies regarding original copies of documents, the right of the client to the documents, and the notification procedures that will be followed regarding the ultimate disposition of the documents.
Document destruction policies should also be in writing. The most important component of such a policy is uniformity. Generally, document destruction policies should not be applied on an ad hoc basis or at the discretion of an attorney or other employee. Such rules inevitably invite heightened scrutiny if questions arise regarding whether confidential information was lost.
The safer course is to have uniform rules regarding the length of time that documents will be maintained prior to destruction, and the notifications to clients that will be provided before a client document is destroyed. That doesn’t mean that there can never be exceptions to the policy. All situations are unique and will require careful consideration of the facts and circumstances.