confidentiality Archives - Eric Cooperstein

A friend once told me that he was not comfortable using computers because he could not really understand how they worked. Compare it to a car engine, he said. A person does not need to be a mechanic to understand that gasoline gets sprayed into a cylinder, then it explodes, then a piston moves, etc. But all those electrons flying through chips, motherboards, cables, servers – who really understands how any of that stuff works?

One could say the same about client files and information. When a lawyer has a paper file with the pages neatly clipped in place and she puts that file in alphabetical order in a drawer of a big, sturdy, metal file cabinet, she knows exactly where it is and who has access to it (some lawyers claim to know exactly where their files are amongst multiple vertical stacks of paper in their offices, much as squirrels know where their nuts are buried. But I digress). The paperless lawyer knows their files are . . . where exactly? In a cloud someplace? Would that be a cumulus or a nimbostratus cloud?

None of us should be surprised that when lawyers combine our human tendency to be cautious or fearful of what we do not understand with our sacred obligation to safeguard confidential client information, it produces an abundance of anxiety. This is what most ethics discussions about confidentiality seem to focus on lately. Big fears about hackers, data breaches, HIPAA, e-mail security, metadata, the dark web, temporal anomalies, worm holes! One slip and Mrs. Lipschitz’s confidential divorce settlement will go viral and your law license will be shredded in a very public way.

Not so much. Don’t get me wrong. Lawyers certainly have an obligation to protect their client’s confidential electronic information. There can be big consequences for failing to do so: IT costs to fix breaches, pure embarrassment, hours lost to implementing new protections, worry over distressed clients and the unknown impact of unauthorized disclosures, and time lost to restoring data or recreating files. Breaches can turn your world upside down for days or weeks afterwards.

From an ethics perspective, however, hacks and attacks are not the types of confidentiality failures that typically get lawyers in trouble. Your duty under the Rules of Professional Conduct, as interpreted through ethics opinions in numerous U.S. jurisdictions, is to take reasonable measures to prevent hacks. Perfection is not required. Yes, lawyers should definitely have security systems in place that are reviewed and upgraded when necessary. They should use two-factor authentication to access critical systems, use a VPN if they intend to use wifi outside the office, and educate their employees to recognize and avoid phishing, spear-phishing, whaling, and other maritime-themed social-engineering e-mail scams. You cannot likely make your practice bulletproof from cybercrime but by taking reasonable precautions your law license should not be at risk. In fact, although lawyers are often the targets of hackers, there are very few discipline cases that arise from breaches, outside of “Nigerian Prince” and other certified check scams, which are less about confidentiality than they are about pure con artistry.

Instead, when it comes to confidentiality, it’s the small stuff that leads to discipline. It’s the slip of the tongue, the boastful indiscretion, or confused loyalty that is all about being human but not at all about the hazards of technology. In one case, a lawyer’s client in a personal-injury case backed out of a settlement and then fired the lawyer. The lawyer e-mailed the claims adjuster to convey what had happened. Reading between the lines, one suspects that the lawyer was concerned about what the adjuster would think of the lawyer and whether it might affect the lawyer’s future relationship with that adjuster. Part of the e-mail stated, “I advised [client] that he already accepted [the settlement] and there’s no rescinding his acceptance.”[1] That one sentence, devoid of any earth-shattering revelations, disclosed attorney-client privileged information and violated Rule 1.6, MRPC. The Minnesota Supreme Court affirmed the private admonition that had been issued to the lawyer.

This is typical of the level of violations in other cases. Saying just a little too much to a reporter without the client’s authorization. Responding to a client’s attempt to convince a credit-card processor to reverse a fee payment and offering gratuitous information about the client’s attitude or personal issues (fee disputes with clients are fertile ground for inappropriate disclosures of confidential information). Replying to a client’s one-star online review of your services by “setting the record straight” regarding what happened in the case. Recognizing the need to withdraw because of a conflict but disclosing the name of one client to the other.[2] Sending to the person who referred a client to you a copy of your e-mail defending your position in a fee dispute. Each of these scenarios resulted in a private admonition.

These situations have a common theme: emotion. Anger, resentment, embarrassment, frustration, hubris, and guilt lead lawyers to make mistakes. Perhaps they do bear some relationship to phishing schemes, which take advantage of lawyers being rushed or busy or gullible enough to click a link too quickly. It’s not the hackers who are going to get you; you’re more likely to get yourself. Pay attention to the small stuff to keep yourself out of trouble.

(Originally published in the January 2021 issue of Hennepin Lawyer)

[1] In re Panel File No. 41310, 899 N.W.2d 821, 824 (Minn. 2017).
[2] E. Cleary, “Summary of Admonitions” Bench & Bar of Minnesota (March 2000).

The New Jersey Court of Appeals has reversed the decision discussed in this article, finding that the attorney-client privilege trumps employer policy.

watch keyboard button11 Emailing clients at work may imperil privilege It is probably fair to say that most lawyers have grown accustomed to the convenience of emailing clients. Less disruptive than phone calls, more efficient, creates documentation of conversationsâ€”hard to believe anyone could ever practice law without email.

From an ethics perspective, there is generally no problem sending confidential or privileged communications through cyberspace; several ethics authorities (including the ABA) have said that email does not even need to be encrypted. Although one has to be careful about inadvertently sending a confidential email to the wrong person, that problem is created by the sender, not by email as a communication tool.

Work Zones. There has been a growing awarenessâ€”and a line of casesâ€”about the risks of sending privileged emails back and forth with clients who are using their employer-provided email accounts.

Depending on how diligent the employer is about announcing and reminding its employees of its policies, an employer can successfully decree that anything done on the employerâ€™s computer (including laptops) is subject to review by the employer and carries no expectation of privacy. As noted in a previous post, that can apply to otherwise confidential and privileged emails between an employee and his or her lawyer.

Web-based emails may not be safe. A recent New Jersey state district court decision, Stengart v. Loving Care Agency, Inc. (PDF link), took this principal one nasty step further. The court said that not only can the privilege be waived for emails sent using the employerâ€™s email program and computers, but it can also be waived for emails sent through a web-based email program while using the employerâ€™s computer. The employee had been emailing her lawyer using a Yahoo! account, which she accessed when using her company laptop. After the employee quit, the company imaged the laptopâ€™s hard drive, and later found temporary internet files reflecting her emails. The court followed the reasoning of a very similar federal district court decision.

If this ruling remains intact and is followed by other courts, attorneys could be significantly curtailed in their ability to communicate with clients during the work dayâ€”or at all. Some clients use their work desktop or laptop as their only computer. And if the rule applies to employer computers, I cannot see why it would not apply to Blackberrys and other email-enabled mobile devices provided by the employer. Essentially, to communicate with a lawyer during the work day, an employee would need to either bring his or her own computer to work or have a separate mobile device for their own email account.

It seems pretty clear that the highest risk for these types of unexpected privilege waivers will come in employment disputes, where the employer has a direct interest in getting as much information about the employee as it can. But one could easily envision situations in which a small employer in a small town decides to help out his buddy in his marriage dissolution by combing through the computer and emails of his buddyâ€™s spouse to see what they can dredge up.

Of course, a rule like this need not act as a total bar on emailing clients at work but lawyers should have a heightened awareness of the privacy (or lack thereof) that will be accorded to emails that need to be kept confidential, such as settlement discussions, case strategies, discussions of client wrongdoing, etc. In some situations, lawyers may have to forsake email in favor ofâ€”gasp!â€”the telephone!