Why Taking Another Look at the Risk of Inadvertent Disclosure at Your Firm Might Be Worthwhile
A lawyer and non-lawyer business partner own a business. These two have a falling out and litigation ensues. The non-lawyer business partner and other third parties have access to and are continuing to use one of the business’s shared calendars. The lawyer can therefore see when any of these folks schedule an appointment, including appointments relating to the litigation. In the course of posting an appointment with the attorney who now represents the non-lawyer business partner, one of the third parties cut and pasted in information from an email between their attorney and the non-lawyer business partner. Of course, the lawyer was able to view this sensitive and privileged information.
While we commonly think about inadvertent disclosure in the context of sending an email to the wrong person or not being as attentive or thorough as called for during a document review process in response to a discovery order, the above story is an example of why it might be worthwhile to take another look at how an inadvertent disclosure might occur at your firm. After all, you can’t address a potential problem until you first recognize that a potential problem exists.
Perhaps a few additional questions, based upon real-world situations that led to significant problems for other lawyers, are called for. Think about the following. Does anyone in your firm ever place files on an unprotected file-sharing site, meaning no password is required for access? Are clients cautioned about the hazards of hitting “reply all” or forwarding emails related to their legal matter? Does your firm have a requirement that all “red line” changes be accepted or rejected, and all embedded comments removed, prior to sending out any Word document in native format? Are all network access privileges revoked once a lawyer or staff person leaves your firm? Does everyone at your firm know how to properly redact a digital document? Do you know if any lawyers or staff allow family members or others to access devices they use for work, for example, a home computer or smartphone?
In this digital age, there are a plethora of ways an inadvertent disclosure might occur. Given a lawyer’s duty under ABA Model Rule 1.6(c) to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” regardless of the size of your firm, it would seem prudent to periodically take a little time to consider how your firm’s current use of technology might create a risk of inadvertent disclosure. Then, any new risk identified should be responsibly addressed through the implementation of a firmwide policy or procedure coupled with an explanation as to the whys behind the change and, of course, any necessary training.
I do get that there is an associated headache factor here. Taking time to think through how someone at your firm might slip up means you really do need to understand the inherent risks that come with the digital tools and tech devices in use at your firm. (Also see Comment 8 to ABA Model Rule 1.1 Competence.) For some, this may not be the easiest of tasks. However, it seems to me that the time spent trying to avoid a problem is time better spent than the time spent having to deal with the fallout of an actual problem that was never addressed — all for want of any effort to look for it.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.