Protecting client info in the age of law firm breaches

While most attorneys at least generally understand the attorney-client and work product privileges, not all attorneys focus on the technically separate (although related) obligation to maintain client confidences and secrets.

This obligation has taken on new importance in recent years, as law firms find themselves targeted by hackers who realize that firms may have extremely sensitive information regarding some of the largest companies in the world. Commentators have suggested that hackers targeting certain corporations may attempt to gain access to the corporations' information through their outside law firms' networks because they find them easier to penetrate. The prospect of a data breach could have catastrophic consequences for the clients whose confidential information has been compromised.

For example, if a law firm fails to protect a client's trade secrets, the client may suffer significant pecuniary damage if those secrets fall into a competitor's hands. Significant damage can also occur in other forms, such as where victims of domestic abuse have their identities inadvertently disclosed by their attorneys.

There are also significant risks for attorneys. The State Bar of California can discipline an attorney for the failure to maintain client confidences and secrets, or for the failure to ensure that others for whom the attorney has supervisory responsibility appropriately maintain client confidences and secrets. Separately, attorneys can face a legal malpractice claim from a client angered over the disclosure of sensitive information.

Given these risks, law firms may choose to enact protocols, practices,and procedures aimed at protecting client confidences and secrets. In considering appropriate steps, it is helpful to remember that "confidences and secrets" as a category of information generally involves much more than just information protected by the attorney-client privilege or the work product doctrine.

Business and Professions Code Section 6068(e) provides that an attorney is required to "maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client." The terms "confidence" and "secrets" are not limited to privileged information, but can encompass a wide range of information provided by a client to their attorney. This obligation can include the protection of information as basic as the identity of a client and, importantly, may carry on even after the attorney-client relationship has ended.

In light of these obligations and the seriousness of the potential consequences, law firms may choose to enact protocols that aim to protect information from falling into the wrong hands. These protocols can address the three zones of client confidences and secrets: documents, oral communications, and electronic information. Each zone presents its own challenges, and the steps for preserving confidences and secrets will vary depending on the size, nature and type of practice.

Documents

Documents generated during the course of a representation often contain sensitive client information. These might include financial documents (such as billing records), file documents (generated during the course of the representation), and internal firm documents that might not be client specific.

Although some firms are moving towards retaining information only in electronic format, many firms still retain boxes upon boxes of physical documents. Typically, these documents will be best protected when they are kept in secured areas dedicated to document storage, as opposed to conference rooms, lobby areas or other areas that are not segregated and secure.

Firms also may choose to confirm their document retention policy in client engagement letters. Issues that firms may address include the method, duration and place of retention, as well as the client's rights to the documents, and the notification procedures that will be followed regarding the ultimate disposition of the documents. Whether such protocols are appropriate may depend on the size and needs of the law firm and the firm's clients.

Oral Communications

Despite all of the new technology, some of the worst data breaches are decidedly low-tech. Indeed, too often attorneys divulge confidential client information either by directly discussing it with individuals outside of their firm or by referring to such information in public places where it is overheard by others.

Discussing confidential client matters outside of the office can create unnecessary risk. In order to discourage such communications, law firm personnel can be trained regarding the importance of maintaining client confidences and secrets as well as the potential consequences for failing to do so. Examples of situations in which the issue may arise, such as inquiries from outside the office or from the media, are helpful in defining the boundaries and explaining how to handle various situations. Some firms will direct attorneys not to speak with any member of the media regarding a case unless the firm's internal management (whether the in-house counsel or even public relations team) is involved or consents.

Often, the most effective way to create a culture where information is protected is to lead by example. Attorneys who routinely discuss confidential matters with others without regard for secrecy should not be surprised when others in the law firm think it is acceptable to do the same. Attorneys, by their behavior, can reflect that maintaining client confidences and secrets is of paramount importance.

Electronic Data

With the capabilities of electronic data storage, access to a firm's computer system can give a hacker access to virtually all client confidential information maintained by the firm. Accordingly, whether the practice is a solo practitioner or a large law firm, there is an increasing expectation by clients that the practice will have up-to-date security protocols to protect against a breach of the firm's computer systems. Often, it is helpful for firms to retain outside consultants to determine how to ensure that the firm's computer systems are secured.

Given the risks, law firms simply cannot afford to take a cavalier approach to maintaining client confidences and secrets.