Attorneys should think twice before allowing smartphone apps to access their contact list. Most attorneys recognize their obligation to protect this information, but they may not be aware of all situations where such information may risk exposure. According to a state ethics opinion, an attorney may not share stored contacts with a smartphone application if those contacts contain any confidential client information. In some situations, that may even include the client’s identity. ABA Litigation Section leaders remind practitioners that the principles behind maintaining the confidentiality of client information remain the same even with advances in technology.
September 21, 2022 Top Story
Lawyers Have Duty to Protect Client Contacts in Smartphones
Ethical duty of confidentiality extends to safeguarding client data from apps
By Mariah L. Sukalski
What Does Rule 1.6 require?
In Ethics Opinion 1240, the New York State Bar Association Committee on Professional Ethics considered an attorney’s duty under the New York Bar Association’s Rule 1.6 (NY Rule 1.6) to protect client information stored as contacts on smartphones. NY Rule 1.6 defines confidential information as “information gained during or relating to the representation of a client, whatever its source, that is (a) protected by the attorney-client privilege, (b) likely to be embarrassing or detrimental to the client if disclosed, or (c) information that the client has requested be kept confidential.”
Under the rule, attorneys must “make reasonable efforts” to prevent confidential client information from unauthorized disclosure. The rule provides exceptions where the client gives informed consent, there is implied disclosure, or under a set number of circumstances if reasonably necessary.
How Can Attorneys Protect Their Contacts?
Smartphones contain several potential confidentiality concerns. According to the opinion, attorneys must understand how smartphones work, including applications, online activity, or otherwise, before using them. Attorneys must also consider whether their smartphone use in these respects puts their clients’ confidential information at risk and must protect that information. The opinion emphasizes the need to pay attention to what applications access from the smartphone.
Another consideration is who or what is reviewing the information: human or machine review. For instance, the opinion provides that access cannot be granted “unless the lawyer concludes that no human being will view that confidential information, and that the information will not be sold or transferred to additional third parties, without the client’s consent.”
Contacts, as the opinion points out, potentially contain numerous pieces of identifying information about the person the contact represents: phone numbers, email addresses, work or residence addresses, employer, birthday, nicknames, and a notes section that could contain further information about the individual or how the phone owner knows the person. Indeed, even the client’s identity alone may be confidential. Smartphone applications that request access to the phone owner’s contacts may exploit that information for marketing, soliciting, or disseminating information.
The Committee advises that the ethical obligations under Rule 1.6(c) require an attorney to make reasonable efforts to prevent confidential client information from disclosure. When a smartphone application asks for access to an attorney’s contacts, the first step is to determine whether any are confidential under Rule 1.6. Besides reviewing the definition of “confidential information,” the opinion also advises attorneys to consider whether the smartphone could identify them as an attorney, their practice area, or their contacts as clients.
If there is confidential information in the contacts, the attorney cannot consent to sharing it. The only exceptions are where (1) the attorney concludes no person will view the confidential information, and (2) the information will not be sold or transferred by the application to additional third parties without client consent. Attorneys must review the application’s policies and practices to ensure they understand the risks and can decide whether the exceptions apply.
What Can the Decision Teach Us?
Litigation Section leaders suggest there is much to learn from the decision. “One of the big takeaways is to be very careful in terms of sharing any information online or giving any third parties access to your contacts, emails, things like that,” advises Michael S. LeBoff, Newport Beach, CA, cochair of the Section’s Professional Liability Litigation Committee. For example, LeBoff advises practitioners to consider the access allowed to devices such as jointly used computers, Amazon’s Alexa devices, or others with AI technology.
Even though technology is constantly evolving, Section leaders say attorneys must always assess the risk when faced with new concerns. “A cell phone is similar to a file folder that contains client information,” reminds John M. Barkett, Miami, FL, cochair of the Section’s Ethics & Professionalism Committee. “You do not want to lose it. You do not want to make it available for someone to peruse through it. You do not want someone looking over your shoulder or sitting next to you to read it. So, you have to protect it,” recommends Barkett.
Hashtags: #ethics #smartphone #clientconfidentiality
- Benjamin E. Long, “Social Media May Waive Confidentiality Says ABA”, Litigation News (June 14, 2018).
Copyright © 2022, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).