Client Confidentiality as Data Security

61 Pages Posted: 14 Mar 2024

See all articles by Jonah Perlin

Jonah Perlin

Georgetown University Law Center

Date Written: February 15, 2024


The duty of confidentiality has been a cornerstone of the attorney-client relationship for more than four centuries. Historically, this duty was not difficult to discharge. All a lawyer had to do to comply was not affirmatively share client information in public without consent. But that has all changed in the age of cloud computing. In fact, the same technologies that provide unprecedented benefits of authorized access by lawyers and their clients create unprecedented risks of unauthorized access by others. As a result, although the duty of confidentiality was once synonymous with a duty to keep client confidences secret, today the duty necessitates that lawyers keep client confidences secure as well.

To be fair, this critical shift did not go entirely unnoticed by the legal profession. In 2012, the American Bar Association adopted Model Rule of Professional Conduct 1.6(c) which requires lawyers to take “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to” client confidences. Although this new rule had good intentions and was adopted in some form by every state bar, it is ineffective at protecting clients and difficult if not impossible to execute for lawyers. Worse, in the decade since its adoption there has not been a single published disciplinary action for violating this duty in the digital context. Not one.

After telling the story of the legal profession’s adoption of a duty of data security and the shortcomings with the current approach to that duty, this Article seeks to outline its next chapter. Specifically, it argues that the lawyer’s duty of data security should stop focusing on regulating the technological safeguards necessary to prevent breaches and should instead focus on regulating the processes that lawyers must take to mitigate harm from potential breaches and the people that lawyers must consult with when making data security decisions. This flexible approach draws inspiration from other contemporary data security frameworks and would better guide lawyers regardless of their practice area or level of technical knowledge, better protect clients regardless of the specific sensitivity of their data, and better permit enforcement by state bars despite inevitable technological innovations.

Keywords: data security, confidentiality, legal ethics, professional responsibility, data secrecy, legal practice, technology of law

JEL Classification: K40

Suggested Citation

Perlin, Jonah, Client Confidentiality as Data Security (February 15, 2024). Washington Law Review, Vol. 99 (forthcoming 2024), Georgetown University Law Center Research Paper No. Forthcoming, Available at SSRN:

Jonah Perlin (Contact Author)

Georgetown University Law Center ( email )

600 New Jersey Avenue NW
Washington, DC 20001

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics