PRINT EDITION

Client Confidentiality as Data Security

October 1, 2024 | November 23rd, 2024

Abstract: The duty of confidentiality has been a cornerstone of the attorney-client relationship for more than four centuries. Historically, this duty was not difficult to discharge. All a lawyer had to do to comply was not affirmatively share client information in public without consent. But that has all changed. The same technologies that provide unprecedented benefits of authorized access by lawyers and their clients create unprecedented risks of unauthorized access by others. As a result, although the duty of confidentiality was once synonymous with a duty to keep client confidences secret, today the duty necessitates that lawyers keep client confidences secure as well.

This critical shift did not go entirely unnoticed by the legal profession. In 2012, the American Bar Association adopted Model Rule of Professional Conduct 1.6(c), which requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to,” client confidences. This new rule had good intentions and was eventually adopted in some form by every state bar. Yet it has proven ineffective at protecting clients and difficult, if not impossible, for lawyers to execute. Worse, in the more than a decade since its adoption, there has not been a single published disciplinary action for violating this duty in the digital context. Not one.

After telling the story of the legal profession’s adoption of a duty of data security and the shortcomings with the current approach to that duty, this Article seeks to outline its next chapter. Specifically, it argues that the lawyer’s duty of data security should not focus exclusively on the regulation of technological safeguards to prevent breaches and should focus instead on regulating the processes that lawyers must take to mitigate harm from potential breaches and the people that lawyers must consult when making data security decisions. This approach draws inspiration not only from professional responsibility scholarship but also from data security best practices from outside the legal profession that can help guide lawyers, protect clients, and incentivize enforcement by state bars despite constant technological innovation.
