
Attorney-client privilege: a checklist for digital communications

With rapid and ongoing changes in digital communications and storage technology―as well as our changing habits―come new risks to the sacred doctrine of attorney-client privilege.


If you have not done so already, your law firm, corporate legal department or government agency would be well served by taking immediate action to educate your legal team and adopt best practices. Then, it’s important to schedule regular reviews of those best practices and adjust them based on later changes in communications and data storage technologies and applications.



To aid legal departments and law firms in making sure they continue to benefit from the protections provided by attorney-client privilege, we have put together a checklist, in part comprising best-practice tips from our recent Webinar on the subject, which featured Kay Baxter, a founding partner of Swetman Baxter Massenburg LLC; Daniel G. Wills of Swanson, Martin & Bell, LLP; and Amy Bures Danna with The Clary Firm. You can read complete coverage of the Webinar and view the full Webinar recording, complete with Microsoft® PowerPoint® slides.



The checklist has two parts:  1) General Best Practices for Your Organization and 2) Specific Best Practices for Individuals.  This checklist is by no means all-inclusive, nor is it evergreen, but it offers a good place to start in ensuring your teams continue to enjoy the benefits of attorney-client privilege. 


Perhaps the best of the best practices―which are quick and relatively inexpensive to implement―would be immediately adopting encryption technology and password protocols. 


Note:  We frequently use the word “team” as a catchall term referring to your in-house legal department, agency legal team or law firm―or a combination of in-house counsel, outside legal professionals, witnesses, experts and support services working closely together on large matters.   We also use the acronym ACP for attorney-client privilege.  Finally, it is vitally important that you consult your state and local bar rules and other rules and opinions for guidance specific to your area.


We hope you find these tips useful in your business and practice.



General Best Practices for Your Organization


1.  Conduct a risk assessment of all your organization’s devices, including computers, tablets, personal digital assistants (PDAs), mobile phones, flash drives, etc., and assess the sufficiency of  current safeguards.  

2.  Evaluate existing firewalls, antivirus software and other security measures, and make necessary upgrades.

3.  Implement teamwide password and encryption policies and procedures.

4.  Educate your teams or your clients on the basics of attorney-client privilege (ACP).  Familiarize your teams with these American Bar Association Model Rules of Professional Conduct:


    •     1.18 Duties to Prospective Client
    •     1.1 Competence (Shouldn’t this be first?)
    •     1.6 Confidentiality of Information
    •     4.2 Communication with Person Represented by Counsel
    •     7.1 – 7.4 Information About Legal Services


5.    Create a confidentiality policy and circulate it annually.  Consider assigning an attorney as the ACP lead for your firm or legal team.


6.    Educate your teams on both intentional and inadvertent disclosures.  Make sure they understand the risks of disclosure.


7.    Educate your teams on the risks of both internal threats (e.g. losing a flash drive) and external threats (e.g. spyware, malware and hackers). 


8.    Educate your teams on best practices for digital communication and storage.  Smaller companies (and firms) are particularly vulnerable since they do not have the same resources enjoyed by larger organizations. (Law firms can assist in educating their clients.)  Make sure corporate witnesses know the proper ways to communicate with counsel or others about matters.  


9.    Make sure legal teams are particularly careful with mobile devices, as they are not as easy to protect yet are capable of carrying incredible volumes of sensitive information, such as passwords and client data.


10.  Review your policies to ensure best practices are made clear to your teams. Review your organization’s or your client’s social media activity.  Adopt policies to address text and instant messaging and other Internet communications. Review your employee termination procedures to make sure terminated employees’ access to networks, devices and data is also terminated.


11.  Ensure that you―or someone designated on your team or a consultant―have the competence to evaluate the nature of a potential threat to the system being used to transfer information.


12.  When employing cloud computing and storage, remain current on security safeguards and take reasonable steps to ensure cloud vendors use suitable methods to protect stored data.


13.  Configure all desktop and portable devices to lock after a defined period of non-use.


14.  Configure portable devices to allow your organization to remotely wipe them clean if they are lost or stolen.


15.  Use tracking devices that can report a device's location once connected to the Internet.


Specific Best Practices for Individuals



1.    Encrypt emails, documents and data on devices, and make sure teams do not use public wireless connections for sharing sensitive information without using encryption.   Encryption should be applied to USB flash drives as well as large storage banks. Keep encryption tools current.


2.    Use password protection on documents and devices, given the difficulty in protecting information on the Internet.  Frequently changed, 12-character passwords are recommended. Passwords should be applied to USB flash drives as well as large storage banks.  Don’t share passwords!


3.    Sanitize portable storage devices before discarding them.


4.    Terminate an employee’s access when he or she is terminated.


5.    Keep communication instructions simple.  For example, consider agreeing not to communicate with clients―or about cases and clients―via text or instant messaging.  Instead, agree to call via landline or communicate via encrypted email.


6.    Add the words “Attorney-Client Privilege” to email subject lines. 


7.    Do not merely assume your digital communications will be privileged.  Make sure they will be privileged before using a new method.


8.    Do not rely on personal email and devices to protect sensitive data.


9.    Create and store electronic documents only on the firm's network -- not on home systems.


10.  Scrub metadata accompanying documents before sending them to external email addresses.  This includes forwarding documents to your home email, a common practice.


11.  Avoid installing third-party mobile applications on smartphones.  They carry malware and other nefarious applications you do not want compromising your data.


12.  Put Bluetooth® devices in “non-discoverable” mode, protect pairing with passwords and pair with other devices only when in a trusted location.


13.  Be very careful with auto-fill functions in emails.  Too often the auto-fill function picks the wrong contact. 


14.  Never post sensitive information on social networking sites.


15.  Don't “friend” judges, clients, or other parties with a connection to your cases or clients.


16.  Be careful what you include in your online profiles.


17.  Use disclaimers but be aware they will not cover you completely.


18.  Be careful not to upload contact information that might contain other people’s information.


19.  If you must use a public computer―such as in a hotel business center―make sure you log out of your email, close your browser and delete browser history, if possible.


20.  In litigation, consider securing clawback or snap-back agreements or orders which can reduce risk of waiver in the event of inadvertent disclosure.