Rule 1.6 Confidentiality of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:
(1) to prevent reasonably certain death or substantial bodily harm;
(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services;
(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services;
(4) to secure legal advice about the lawyer’s compliance with these Rules;
(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client; or
(6) to comply with other law or a court order.
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
COMMENT
. . .
Acting Competently to Preserve Confidentiality
[16] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons or entities who are participating in the representation of the client or who are subject to the lawyer’s supervision or monitoring. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forego security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules.
[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
The Commission's Explanation for the Proposal
Currently, Model Rule 1.6(a) states that a lawyer has a duty not to reveal a client’s confidential information, except for the circumstances described in Model Rule 1.6(b). The Rule, however, does not indicate what ethical obligations lawyers have to prevent such a revelation. Although this obligation is described in Comments [16] and [17], the Commission concluded that technology has made this duty sufficiently important that it should be elevated to black letter status in the form of the proposed Model Rule 1.6(c).
The idea of explaining a lawyer’s duty to safeguard information within the black letter of the Rule is not new. The proposed Model Rule 1.6(c) builds on a similar provision in New York, which itself has its roots in DR 4-101(D) of the old Model Code of Professional Responsibility. DR 4-101(D) had provided as follows:
(D) A lawyer shall exercise reasonable care to prevent his employees, associates, and others whose services are utilized by him from disclosing or using confidences or secrets of a client, except that a lawyer may reveal the information allowed by DR 4-101(C) through an employee.
The Commission concluded that a similar provision should appear in Model Rule 1.6 given the various confidentiality concerns associated with electronically stored information.
The proposal identifies three types of problems that can lead to the unintended disclosure of confidential information. First, information can be inadvertently disclosed, such as when an email is sent to the wrong person. Second, information can be accessed without authority, such as when a third party “hacks” into a law firm’s network or a lawyer’s email account. Third, information can be disclosed when employees or other personnel release it without authority, such as when an employee posts confidential information on the Internet. Rule 1.6(c) is intended to make clear that lawyers have an ethical obligation to make reasonable efforts to prevent these types of disclosures, such as by using reasonably available administrative, technical, and physical safeguards.
To be clear, paragraph (c) does not mean that a lawyer engages in professional misconduct any time a client’s confidences are subject to unauthorized access or disclosed inadvertently or without authority. A sentence in Comment [16] makes this point explicitly. The reality is that disclosures can occur even if lawyers take all reasonable precautions. The Commission, however, believes that it is important to state in the black letter of Model Rule 1.6 that lawyers have a duty to take reasonable precautions, even if those precautions will not guarantee the protection of confidential information under all circumstances.
The Commission examined the possibility of offering more detailed guidance about the measures that lawyers should employ. The Commission concluded, however, that technology is changing too rapidly to offer such guidance and that the particular measures lawyers should use will necessarily change as technology evolves and as new risks emerge and new security procedures become available. Nevertheless, the Commission is proposing new language to Comment [16] to identify several factors that lawyers should consider when determining whether their efforts are reasonable, including the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). Moreover, as explained above, the Commission has recommended that the ABA create a centralized user-friendly website that contains continuously updated and detailed information about data security.
In addition to setting out the factors that lawyers need to consider when securing their clients’ confidences, the proposed Comment language recognizes that some clients might require the lawyer to implement special security measures not required by the Rule or may give informed consent to the use of security measures that would otherwise be prohibited by the Rule. A nearly identical observation appears in Comment [17] in the context of security measures that lawyers might have to employ when transmitting confidential information. The Commission concluded that a similar thought should be expressed in the context of Comment [16], which pertains to the storage of such information.
Finally, the Commission’s research revealed that there has been a dramatic growth in federal, state, and international laws and regulations relating to data privacy. The Commission found that this body of law increasingly applies to lawyers and law firms and that lawyers need to be aware of these additional obligations. Thus, the Commission is proposing to add a sentence to the end of Comment [16] and Comment [17] that would remind lawyers that other laws and regulations impose confidentiality-related obligations beyond those that are identified in the Model Rules of Professional Conduct. Other Comments in the Model Rules instruct lawyers to consult law outside of the ethics rules, and the Commission concluded that a lawyer’s duty of confidentiality is another area where other legal obligations have become sufficiently important and common that lawyers should be expressly reminded to consider those obligations, both when storing confidential information (Comment [16]) and when transmitting it (Comment [17]).