[1] The lawyer is part of a judicial system charged with
upholding the law. One of the lawyer's functions is to advise
clients so that they avoid any violation of the law in the
proper exercise of their rights.
[2] The common law recognizes that the client's confidences must
be protected from disclosure. The observance of the ethical
obligation of a lawyer to hold inviolate confidential
information of the client not only facilitates the full
development of facts essential to proper representation of the
client but also encourages people to seek early legal
assistance.
[2a] Almost without exception, clients come to lawyers in order
to determine what their rights are and what is, in the maze of
laws and regulations, deemed to be legal and correct. Based upon
experience, lawyers know that clients usually follow the advice
given, and the law is upheld.
[2b] A fundamental principle in the client-lawyer relationship
is that the lawyer maintain confidentiality of information
relating to the representation. The client is thereby encouraged
to communicate fully and frankly with the lawyer even as to
embarrassing or legally damaging subject matter.
[3] The principle of confidentiality is given effect in two
related bodies of law, the attorney-client privilege (which
includes the work product doctrine) in the law of evidence and
the rule of confidentiality established in professional ethics.
The attorney-client privilege applies in judicial and other
proceedings in which a lawyer may be called as a witness or
otherwise required to produce evidence concerning a client. The
rule of client-lawyer confidentiality applies in situations
other than those where evidence is sought from the lawyer
through compulsion of law. The confidentiality rule applies not
merely to matters communicated in confidence by the client but
also to all information protected by the attorney-client
privilege under applicable law or other information gained in
the professional relationship that the client has requested be
held inviolate or the disclosure of which would be embarrassing
or would be likely to be detrimental to the client, whatever its
source. A lawyer may not disclose such information except as
authorized or required by the Rules of Professional Conduct or
other law.
[3a] The rules governing confidentiality of information apply to
a lawyer who represents an organization of which the lawyer is
an employee.
[4] The requirement of maintaining confidentiality of
information relating to representation applies to government
lawyers who may disagree with the policy goals that their
representation is designed to advance.
Authorized Disclosure
[5] A lawyer is impliedly authorized to make disclosures about a
client when appropriate in carrying out the representation,
except to the extent that the client's instructions or special
circumstances limit that authority. In litigation, for example,
a lawyer may disclose information by admitting a fact that
cannot properly be disputed, or in negotiation by making a
disclosure that facilitates a satisfactory conclusion.
[5a] Lawyers frequently need to consult with colleagues or other
attorneys in order to competently represent their clients’
interests. An overly strict reading of the duty to protect
client information would render it difficult for lawyers to
consult with each other, which is an important means of
continuing professional education and development. A lawyer
should exercise great care in discussing a client’s case with
another attorney from whom advice is sought. Among other things,
the lawyer should consider whether the communication risks a
waiver of the attorney-client privilege or other applicable
protections. The lawyer should endeavor when possible to discuss
a case in strictly hypothetical or abstract terms. In addition,
prior to seeking advice from another attorney, the attorney
should take reasonable steps to determine whether the attorney
from whom advice is sought has a conflict. The attorney from
whom advice is sought must be careful to protect the
confidentiality of the information given by the attorney seeking
advice and must not use such information for the advantage of
the lawyer or a third party.
[5b] Compliance with Rule 1.6(a) might include fulfilling duties
under Rule 1.14, regarding a client with an impairment.
[5c] Compliance with Rule 1.6(b)(5) might require a written
confidentiality agreement with the outside agency to which the
lawyer discloses information.
[6] Lawyers in a firm may, in the course of the firm's practice,
disclose to each other information relating to a client of the
firm, unless the client has instructed that particular
information be confined to specified lawyers.
[6a] Lawyers involved in insurance defense work that includes
submission of detailed information regarding the client’s case
to an auditing firm must be extremely careful to gain consent
from the client after full and adequate disclosure. Client
consent to provision of information to the insurance carrier
does not equate with consent to provide the information to an
outside auditor. The lawyer must obtain specific consent to
disclose the information to that auditor. Pursuant to the
lawyer’s duty of loyalty to the client, the lawyer should not
recommend that the client provide such consent if the disclosure
to the auditor would in some way prejudice the client.
Legal Ethics Opinion #1723, approved by the Supreme Court of
Virginia, September 29, 1999.
Disclosure Adverse to Client
[6b] The confidentiality rule is subject to limited exceptions.
However, to the extent a lawyer is required or permitted to
disclose a client's confidences, the client will be inhibited
from revealing facts which would enable the lawyer to counsel
against a wrongful course of action. The public is better
protected if full and open communication by the client is
encouraged than if it is inhibited.
[7] Several situations must be distinguished.
[7a] First, the lawyer may not counsel or assist a client in
conduct that is criminal or fraudulent. See Rule
1.2(c). Similarly, a lawyer has a duty under Rule 3.3(a)(4) not
to use false evidence. This duty is essentially a special
instance of the duty prescribed in Rule 1.2(c) to avoid
assisting a client in criminal or fraudulent conduct.
[7b] Second, the lawyer may have been innocently involved in
past conduct by the client that was criminal or fraudulent. In
such a situation the lawyer has not violated Rule 1.2(c),
because to "counsel or assist" criminal or fraudulent conduct
requires knowing that the conduct is of that character.
[7c] Third, the lawyer may learn that a client intends
prospective criminal conduct. As stated in paragraph (c)(1), the
lawyer is obligated to reveal such information if the crime is
reasonably certain to result in death or substantial bodily harm
to another or substantial injury to the financial interests or
property of another. Caution is warranted as it is very
difficult for a lawyer to "know" when proposed criminal conduct
will actually be carried out, for the client may have a change
of mind. If the client’s intended crime is perjury, the lawyer
must look to Rule 3.3(a)(4) rather than paragraph (c)(1).
[8] When considering disclosure under paragraph (b), the lawyer
should weigh such factors as the nature of the lawyer's
relationship with the client and with those who might be injured
by the client, the nature of the client's intended conduct, the
lawyer's own involvement in the transaction, and factors that
may extenuate the conduct in question. Where practical, the
lawyer should seek to persuade the client to take appropriate
action. In any case, a disclosure adverse to the client's
interest should be no greater than the lawyer reasonably
believes necessary to the purpose.
[8a] Paragraph (b)(7) recognizes the overriding value of life
and physical integrity and permits disclosure reasonably
necessary to prevent reasonably certain death or substantial
bodily harm. Such harm is reasonably certain to occur if it will
be suffered imminently or if there is a present and substantial
threat that a person will suffer such harm at a later date if
the lawyer fails to take action necessary to eliminate the
threat.
Withdrawal
[9] If the lawyer's services will be used by the client in
materially furthering a course of criminal or fraudulent
conduct, the lawyer must withdraw, as stated in Rule 1.16(a)(1).
[9a] After withdrawal the lawyer is required to refrain from
making disclosure of the client's confidences, except as
otherwise provided in Rule 1.6. Neither this Rule nor Rule
1.8(b) nor Rule 1.16(d) prevents the lawyer from giving notice
of the fact of withdrawal, and the lawyer may also withdraw or
disaffirm any opinion, document, affirmation, or the like.
[9b] Where the client is an organization, the lawyer may be in
doubt whether contemplated conduct will actually be carried out
by the organization. Where necessary to guide conduct in
connection with this Rule, the lawyer may make inquiry within
the organization as indicated in Rule 1.13(b).
Dispute Concerning a Lawyer's Conduct
[10] Where a legal claim or disciplinary charge alleges
complicity of the lawyer in a client's conduct or other
misconduct of the lawyer involving representation of the client,
the lawyer may respond to the extent the lawyer reasonably
believes necessary to establish a defense. The same is true with
respect to a claim involving the conduct or representation of a
former client. The lawyer's right to respond arises when an
assertion of such complicity has been made. Paragraph (b)(2)
does not require the lawyer to await the commencement of an
action or proceeding that charges such complicity, so that the
defense may be established by responding directly to a third
party who has made such an assertion. The right to defend, of
course, applies where a proceeding has been commenced. Where
practicable and not prejudicial to the lawyer's ability to
establish the defense, the lawyer should advise the client of
the third party's assertion and request that the client respond
appropriately. In any event, disclosure should be no greater
than the lawyer reasonably believes is necessary to vindicate
innocence, the disclosure should be made in a manner which
limits access to the information to the tribunal or other
persons having a need to know it, and appropriate protective
orders or other arrangements should be sought by the lawyer to
the fullest extent practicable.
[10a] If the lawyer is charged with wrongdoing in which the
client's conduct is implicated, the rule of confidentiality
should not prevent the lawyer from defending against the charge.
Such a charge can arise in a civil, criminal or professional
disciplinary proceeding, and can be based on a wrong allegedly
committed by the lawyer against the client, or on a wrong
alleged by a third person; for example, a person claiming to
have been defrauded by the lawyer and client acting together. A
lawyer entitled to a fee is permitted by paragraph (b)(2) to
prove the services rendered in an action to collect it. This
aspect of the Rule expresses the principle that the beneficiary
of a fiduciary relationship may not exploit it to the detriment
of the fiduciary. As stated above, the lawyer must make every
effort practicable to avoid unnecessary disclosure of
information relating to a representation, to limit disclosure to
those having the need to know it, and to obtain protective
orders or make other arrangements minimizing the risk of
disclosure.
Disclosures Otherwise Required or Authorized
[11] If a lawyer is called as a witness to give testimony
concerning a client, absent waiver by the client, paragraph (a)
requires the lawyer to invoke the attorney-client privilege when
it is applicable. Except as permitted by Rule 3.4(d), the lawyer
must comply with the final orders of a court or other tribunal
of competent jurisdiction requiring the lawyer to give
information about the client.
[12] The Rules of Professional Conduct in various circumstances
permit or require a lawyer to disclose information relating to
the representation.
See Rules 2.3, 3.3 and 4.1. In addition to these
provisions, a lawyer may be obligated or permitted by other
provisions of law to give information about a client. Whether
another provision of law supersedes Rule 1.6 is a matter of
interpretation beyond the scope of these Rules, but a
presumption should exist against such a supersession.
Attorney Misconduct
[13] Self-regulation of the legal profession occasionally places
attorneys in awkward positions with respect to their obligations
to clients and to the profession. Paragraph (c)(2) requires an
attorney who has information indicating that another attorney
has violated the Rules of Professional Conduct, learned during
the course of representing a client and protected as a
confidence or secret under Rule 1.6, to request the permission
of the client to disclose the information necessary to report
the misconduct to disciplinary authorities. In requesting
consent, the attorney must inform the client of all reasonably
foreseeable consequences of both disclosure and non-disclosure.
[14] Although paragraph (c)(2) requires that authorized
disclosure be made promptly, a lawyer does not violate this Rule
by delaying in reporting attorney misconduct for the minimum
period of time necessary to protect a client's interests. For
example, a lawyer might choose to postpone reporting attorney
misconduct until the end of litigation when reporting during
litigation might harm the client's interests.
[15 - 17] ABA Model Rule Comments not adopted.
Former Client
[18] The duty of confidentiality continues after the
client-lawyer relationship has terminated.
Acting Reasonably to Preserve Confidentiality
[19] Paragraph (d) requires a lawyer to act
reasonably to safeguard information protected under this Rule
against unauthorized access by third parties and against
inadvertent or unauthorized disclosure by the lawyer or other
persons who are participating in the representation of the
client or who are subject to the lawyer’s supervision. See Rules
1.1, 5.1 and 5.3. The unauthorized access to, or the
inadvertent or unauthorized disclosure of, confidential
information does not constitute a violation of this Rule if the
lawyer has made reasonable efforts to prevent the access or
disclosure. Factors to be considered in determining the
reasonableness of the lawyer’s efforts include, but are not
limited to, the sensitivity of the information, the likelihood
of disclosure if additional safeguards are not employed, the
employment or engagement of persons competent with technology,
the cost of employing additional safeguards, the difficulty of
implementing the safeguards, and the extent to which the
safeguards adversely affect the lawyer’s ability to represent
clients (e.g., by making a device or important piece of software
excessively difficult to use).
[19a] Whether a lawyer may be required to take
additional steps to safeguard a client’s information in order to
comply with other laws, such as state and federal laws that
govern data privacy or that impose notification requirements
upon the loss of, or unauthorized access to, electronic
information, is beyond the scope of this Rule.
[20] Paragraph (d) makes clear that a lawyer is not subject to
discipline under this Rule if the lawyer has made reasonable
efforts to protect electronic data, even if there is a data
breach, cyber-attack or other incident resulting in the loss,
destruction, misdelivery or theft of confidential client
information. Perfect online security and data protection is not
attainable. Even large businesses and government
organizations with sophisticated data security systems have
suffered data breaches. Nevertheless, security and data breaches
have become so prevalent that some security measures must be
reasonably expected of all businesses, including lawyers and law
firms. Lawyers have an ethical obligation to implement
reasonable information security practices to protect the
confidentiality of client data. What is “reasonable” will be
determined in part by the size of the firm. See Rules 5.1(a)-(b)
and 5.3(a)-(b). The sheer amount of personal, medical and
financial information of clients kept by lawyers and law firms
requires reasonable care in the communication and storage of
such information. A lawyer or law firm complies with paragraph
(d) if they have acted reasonably to safeguard client
information by employing appropriate data protection measures
for any devices used to communicate or store client confidential
information.
To comply with this Rule, a lawyer does not need to have all the
required technology competencies. The lawyer can and more
likely must turn to the expertise of staff or an outside
technology professional. Because threats and technology
both change, lawyers should periodically review both and enhance
their security as needed; steps that are reasonable measures
when adopted may become outdated as well.
[21] Because of evolving technology, and associated evolving
risks, law firms should keep abreast on an ongoing basis of
reasonable methods for protecting client confidential
information, addressing such practices as:
(a) Periodic staff security training and evaluation programs,
including precautions and procedures regarding data security;
(b) Policies to address departing employee’s future access to
confidential firm data and return of electronically stored
confidential data;
(c) Procedures addressing security measures for access of third
parties to stored information;
(d) Procedures for both the backup and storage of firm data and
steps to securely erase or wipe electronic data from computing
devices before they are transferred, sold, or reused;
(e) The use of strong passwords or other authentication measures
to log on to their network, and the security of password and
authentication measures; and
(f) The use of hardware and/or software measures to prevent,
detect and respond to malicious software and activity.