← Blog Home

Ethics: Protect Your Electronic Contact List from Prying Eyes

3 min read

Ethics: Protect Your Electronic Contact List from Prying Eyes

Introduction to an Ethical Problem Most Attorneys Don’t Know About

In April of 2022, a headline caught our attention. It referenced a new legal ethics opinion issued by the New York State Bar Association’s Committee on Professional Ethics. Opinion 1240 has this digest statement: “If ‘contacts’ on a lawyer’s smartphone include any client whose identity or other information is confidential under Rule 1.6, then the lawyer may not consent to share contacts with a smartphone app unless the lawyer concludes that no human being will view that confidential information, and that the information will not be sold or transferred to additional third parties, without the client’s consent.”

So . . . what client information do you have in your Contacts – and how many apps have you granted the power to access your Contacts? If you are clueless about whether you have granted this access to various apps, you are part of a very large club.

What Do You Actually Store in Your Contacts?

All lawyers likely have the client’s name, office and cell numbers, email and physical address, and job title. But many keep other information in the Notes field of Outlook, including such things as nicknames, anniversaries, birthdays, spouse’s name, names of children, pet names. etc. If you click on “Details” in the ribbon, you have a specific form for entering certain details, but most lawyers, in our experience, simply dump the information into the Notes field when they create a new contact.

Because we do digital forensics, we can tell you that there is often a lot of information in the Notes field, including passwords, social security numbers, building access codes, and a lot of other private information which the attorney wants readily at hand.

Many lawyers have no clue that apps can potentially see all that information if you grant them access. A quick search on Google shows that Venmo, Facebook, Zoom, Snap, Slack, Tinder, Signal, Pinterest, Telegram, Chase Bank, Wayfair and even Samsung’s smart washer will ask you for access to your Contacts. The list of apps seeking access to your Contacts is undoubtedly huge.

Sometimes, apps will restrict access. In iOS, third-party apps with permission can access any contact field, except for the Notes section, which requires additional approval from Apple. The company added that restriction in 2019, but it declines to say how many or which apps are cleared to access Notes.

Some will access just the basics – name, phone numbers and email address. Others will take anything they can get. Disabling the app’s privileges doesn’t necessarily result in the app

deleting information it already has. An app may – or may not- give you instructions on how to delete previously obtained information.

Apps Have a History of Misconduct

It has often been said that data is “black gold.” So, if companies can get your data, they will. They will use it to advertise themselves, to sell their products, and for countless other purposes. They can also sell your data to others.

Several companies over the years have settled with the FTC over how they collected or used data without user consent.

All the way back in 2013, documents provided by Edward Snowden proved that the National Security Agency was collecting millions of contact lists, often from email and instant messaging accounts, to find hidden connections and relationships between targets.

Perhaps more significantly to lawyers, contacts have been leaked in data breaches. Once those Contacts are out there, there is no way to call them back. They almost certainly will be misused. Wire fraud and business email compromises are frequently the objectives.

Back to Ethics . . .

Like New York, most states have a rule similar to this one:

Rule 1.6(c) of the New York Rules of Professional Conduct (the “Rules”) requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” the confidential information of current, former and prospective clients. Rule 1.6(a), in turn, provides that confidential information “consists of information gained during or relating to the representation of a client, whatever its source, that is (a) protected by the attorney-client privilege, (b) likely to be embarrassing or detrimental to the client if disclosed, or (c) information that the client has requested be kept confidential.”

The opinion points out that the client is more likely to find that disclosure of the fact of a current or prior representation by a lawyer is embarrassing or detrimental where the representation involves or involved criminal law, bankruptcy, debt collection or family law. It strikes us that many high-level executives, politicians, celebrities, etc. would consider their contact information highly confidential and would not be happy to have it (however inadvertently) disclosed by their lawyers.

Final Words

As we previously noted, our digital forensics work has exposed us to many contact lists of clients, including those of attorneys. Contacts are frequently used, especially in the Notes section, to record in brief very sensitive personal data that attorneys want to be able to reference quickly. But besides being alluring to advertisers and the like, such information, in the

hands of cybercriminals, can be used to compromise clients in a host of ways. We applaud the New York opinion which shines a bright light on the sensitivity of Contact data and the duty of lawyers to protect all data which may be confidential.

Our advice? Whenever an app wants you to consent to sharing Contact data, JUST SAY NO!

Sharon D. Nelson, Esq., is the President of Sensei Enterprises, Inc., a digital forensics, cybersecurity and information technology firm in Fairfax, Virginia. Ms. Nelson is the author of the noted electronic evidence blog, Ride the Lightning and is a co-host of the Legal Talk Network podcast series called “The Digital Edge: Lawyers and Technology” as well as “Digital Detectives.” She is a frequent author (eighteen books published by the ABA and hundreds of articles) and speaker on legal technology, cybersecurity and electronic evidence topics. She was the President of the Virginia State Bar June 2013 – June 2014 and a past President of the Fairfax Law Foundation and the Fairfax Bar Association. She may be reached at snelson@senseient.com

Two Factor Authentication Isn’t the Panacea Many Think It Is

2 min read

Two Factor Authentication Isn’t the Panacea Many Think It Is

Let me be very clear, two factor authentication (2FA) is an essential security tool that everyone should be taking advantage of when and wherever...

Read More
How To Minimize The Risk Of Becoming A Victim Of Wire Fraud

4 min read

How To Minimize The Risk Of Becoming A Victim Of Wire Fraud

Updated 07/2023 Lawyers remain a high-profile target for scammers hoping to get away with wire fraud and the attack vectors they are using continue...

Read More
Why Taking Another Look at the Risk of Inadvertent Disclosure at Your Firm Might Be Worthwhile

2 min read

Why Taking Another Look at the Risk of Inadvertent Disclosure at Your Firm Might Be Worthwhile

A lawyer and non-lawyer business partner own a business. These two have a falling out and litigation ensues. The non-lawyer business partner and...

Read More