What Attorneys Should Consider About Sharing Client Contact Information
The New York State Bar Association's Committee on Professional Ethics Opinion No. 1240 discusses an attorney's duty to protect client information stored on a lawyer's smartphone. Users of smartphone apps are often asked to share the contents of the contact list on the phone. Although this information is often sought for ease of operation and user satisfaction, those contacts are often later sold to third parties.
Rule 1.6(c) of the New York Rules of Professional Conduct (the "Rules") requires a lawyer to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to" the confidential information of current, former, and prospective clients. Rule 1.6(a), in turn, provides that confidential information "consists of information gained during or relating to the representation of a client, whatever its source, that is (a) protected by the attorney-client privilege, (b) likely to be embarrassing or detrimental to the client if disclosed, or (c) information that the client has requested be kept confidential."
Insofar as clients' names constitute confidential information, a lawyer must make reasonable efforts to prevent the unauthorized access of others to those names, whether stored as a paper copy in a filing cabinet, on a smartphone, or in any other electronic or paper form.
To that end, before an attorney grants access to the contacts on their phone, the attorney must determine whether any contact – even one – is confidential within the meaning of Rule 1.6(a). A contact could be confidential because it reflects the existence of a client-attorney relationship that the client requested not be disclosed or that, based upon particular facts and circumstances, would be likely to be embarrassing or detrimental to the client if disclosed.
The Committee on Ethics concluded that, if "contacts" on a lawyer's smartphone include any client whose identity or other information is confidential under Rule 1.6, then the lawyer may not consent to share contacts with a smartphone app unless the lawyer concludes that no human being will view that confidential information and that the information will not be sold or transferred to additional third parties, without the client's consent. NYSBA Op. 1240 "Duty to protect client information stored on a lawyer's smartphone." www.nysba.org (Apr. 08, 2022).
Always check the particular cyber-related ethical rules in the jurisdiction(s) in which you practice.
It is not just the contact list on a cell phone that should concern an attorney; arguably, the ethics requirements of Rule 1.6 cover the gamut of attorney-client communications. The ABA Model Rules of Professional Conduct (MRPC) should be interpreted in light of cybersecurity issues.
MRPC 1.1 requires competent knowledge and skill, and Comment 8 to that Rule requires a lawyer to keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. MRPC 1.4 requires that communication with a client be secured, that reasonable effort is made to prevent unauthorized disclosure (MRPC 1.6(c)), and that factors such as the sensitivity of the information be considered when implementing safeguards (Comment 18).
ABA Formal Opinion 477 provides that "[A] lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security."
ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483, "Lawyers' Obligations After an Electronic Data Breach or Cyberattack," requires that, when a data breach occurs that involves, or has a substantial likelihood of involving, material client information, lawyers must notify clients of the breach. The opinion further states that "As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach."
Protecting your firm's network and your client's private files is not just good business; it is an ethical requirement. For further industry-specific guidance, contact your Johnson Financial Group Commercial Insurance Advisor or find one today.