Gone are the days when lawyers could simply put their heads in the sand and practice law without understanding how client information is created, shared, and stored. With evolving communication and data storage technology, clients create, share, and store sensitive information—from trade secrets and intellectual property to business strategies and legal analyses—in many formats and in many places. Attorneys who are provided such sensitive client information must take certain steps to help ensure that it is kept confidential.
Securing client data and information is critical to protecting the attorney-client privilege and providing ethical legal representation to clients. Attorneys are generally governed by rules of professional conduct that prohibit them from revealing confidential client information without consent. The attorney-client privilege protects confidential communications between an attorney and client from disclosure. This privilege, however, can be waived when there is no reasonable expectation that the communication will remain confidential. A waiver of privilege grants litigation opponents access to information they otherwise would not be entitled to during the course of discovery.
Along with evolving communication and data storage technology, the legal landscape also continues to change. For example, in 2014’s sweeping unanimous decision, Riley v. California, the United States Supreme Court recognized the increased expectations of privacy and confidentiality for communications and information stored and transmitted on cell phones. As the Supreme Court specifically recognized, “One of the most notable distinguishing features of modern cell phones is their immense storage capacity. Before cell phones, a search of a person was limited by physical realities and tended as a general matter to constitute only a narrow intrusion on privacy. Most people cannot lug around every piece of mail they have received for the past several months, every picture they have taken, or every book or article they have read—nor would they have any reason to attempt to do so.” With cell phones, however, “[t]he sum of an individual’s private life can be reconstructed through a thousand photographs labeled with dates, locations, and descriptions; the same cannot be said of a photograph or two of loved ones tucked into a wallet.” In light of the fact that cell phones today broadcast with encrypted digital signals, a court would likely rule that an attorney has a reasonable expectation of privacy in discussions over a digital cell phone.
Furthermore, today’s fast-changing technology increases the risk of potential waiver. Fortunately, the Electronic Communications Privacy Act of 1986 (“ECPA”) criminalized the interception of e-mail transmissions and provides that interception does not result in the loss of the attorney-client privilege. States including New York and California have statutes expressly providing that the interception of email does not vitiate privilege. Cases from federal and state courts around the country over the last decade—such as Stafford Trading, Inc. v. Lovely (N.D. Ill. 2007), In re Lernout & Hauspie Sec. Litig. (D. Mass. 2004), and Bovis Lend Lease, LMB, Inc. v. Seasons Contracting Corp. (S.D.N.Y. 2002)—reinforce the protection of privacy and privilege for e-mail communication. Rulings in these cases have held that electronic communications between counsel and client remain privileged.
With the changing landscapes of law and technology, what can a law firm do to protect confidential client information in the digital age? Firms should create and implement the following policies:
- An information security policy that covers all information systems, including e-mail, voicemail, text messages, the Internet, computers, work stations, laptops, cell phones, software, passwords, remote access, and cloud computing.
- A social networking policy that covers firm hardware, software, and Internet sites, including Facebook, Twitter, LinkedIn, Google+, and other social networking sites, and prohibits transmitting unauthorized information relating to clients or the firm.
- According to the needs of each client, document management policies that cover the collection, transmission, maintenance, and storage of client information, including documents stored in hard copy, electronically, or remotely, or covered by a confidentiality agreement or court order.
These policies, if properly implemented and followed, will help law firms protect client information in the digital age.