Attorneys learn client confidences as part of the attorney-client relationship. An attorney who discloses client confidences and secrets may face discipline from the State Bar and, separately, may receive a legal malpractice claim from their client. For example, a claim could result if an attorney reveals a client's confidential business information, and the client suffers harm as a result.

In the past, maintaining confidences largely only required special care to be taken with respect to conversations, i.e., to minimize the risks of being overheard during elevator talk or casual discussions. Recently, with more attorneys working remotely and on electronic devices, and in the modern world of Facebook, Twitter and the internet, it has become more challenging for attorneys to protect client confidences and secrets.

Although data breaches are a significant risk, it is more likely for most lawyers that the breach of client information will occur in a more “beta” matter. Indeed, attorneys can safeguard confidential information by adopting simple protocols, practices and procedures aimed at protecting such information.

The starting point is to understand that “confidences and secrets” involve much more than just information protected by the attorney-client privilege or the work product doctrine. The scope of Rule 1.05 of the Texas Disciplinary Rules of Professional Conduct confirms that “confidential information” includes both “privileged information” and “unprivileged client information.” While “privileged information” is largely defined by case law and statute, “unprivileged client information” is broad. It is defined as “all information relating to a client or furnished by the client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client.”

Thus, attorneys who focus only on safeguarding and protecting privileged information may be leaving vulnerable other information that is also subject to Rule 1.05. Indeed, the attorney may have an obligation to protect a host of information ranging from the identity of a client to the termination of the relationship and everything in between.

Because attorneys are charged with making sure that others employed by the law firm maintain client confidences and secrets, the protocols, most law practices will guide all firm employees — not just attorneys — on the obligation to protect client information. It may be in the employee handbook, for example, to remind nonlawyers of these obligations.

In most law practices, there are three potential sources of client confidences and secrets: documents, oral communications and electronic information. Each presents its own challenges, and the steps for preserving confidences and secrets will vary depending on the size, nature and type of practice.

Documents

Documents generated during the course of a representation often contain sensitive client information. Many law practices have written protocols for how to store or maintain the various categories of documents, including financial documents (such as billing records), file documents (generated during the course of the representation) and other related documents that might not be client-specific.

In addressing these categories, a firm might consider document maintenance, retention and destruction protocols. For document maintenance, firms will store confidential client files in secured areas of the firm that are not publicly accessible. In practical terms, this usually means storing hard copy materials in an area that a nonemployee off the street could not access. Sometimes, for highly-confidential materials, it might mean restricting access to physical files to only certain members of the firm.

Firms can also advise their clients of their document retention policies. This can be included in the engagement letter. A policy can specify what will happen upon the conclusion of the representation to original copies of documents, the right of the client to the documents, and the notification procedures that will be followed regarding the ultimate disposition of the documents.

It is also common for firms to have document destruction policies. The most important component of such a policy is uniformity. If documents are destroyed on an ad hoc basis, it could raise questions about why a certain file was maintained when another one was destroyed.

That doesn't mean that there can never be exceptions to the policy. All situations are unique and will require careful consideration of the facts and circumstances.

Oral Communications

Communications about client matters outside of the law office should be discouraged unless it occurs in the course of providing legal services. Clients expect that their business is confidential, and attorneys should work hard to make sure it stays that way.

In addition to providing information on confidentiality to employees in writing, effective risk management may include training for law firm personnel regarding the importance of maintaining client confidences and secrets as well as the potential consequences for failing to do so. Examples of situations in which the issue may arise, such as in response to inquiries from the press, are helpful in defining the boundaries and explaining how to handle various situations. Employees may not know the types of information that must be protected from disclosure.

Leading by example is also important. Attorneys should be encouraged to remember that staff members will follow their lead when deciding what information can be disclosed outside the firm.

Electronic Information

In order to protect electronic information, there is no substitute for adequate security protocols prepared by professionals.

Evidence suggests that hackers targeting certain corporations may attempt to gain access to corporate secrets through law firms because they often find the law firms' networks easier to penetrate. Indeed, over the past several months, some prominent law firms have suffered highly publicized data breaches.

Regardless of whether the practice is a solo practitioner or a large law firm, clients expect that adequate security protocols exist to protect their information. Employees can also be trained regarding the law firm's technology so that they understand the risks of being outside of the law firm's secured environment.

In addition to an ethical requirement, taking steps to maintain confidences for electronic information may help a law firm land new business, as many corporate clients require some level of data security from their law firms.

Although maintaining client confidences and secrets may seem like a daunting task in light of the potential risks in today's world, a law firm that takes a proactive approach using these suggested steps can establish a culture where client information is treated with the utmost care.

Shari L. Klevens is a partner at Dentons and serves on the firm's US Board of Directors. She represents and advises lawyers and insurers on complex claims and is co-chair of Dentons' global insurance sector team. Alanna Clair is a partner at Dentons and focuses on professional liability defense. Shari and Alanna are co-authors of “The Lawyer's Handbook: Ethics Compliance and Claim Avoidance.”