Dropbox hack: The lawyer’s duty of confidentiality

At the end of August this year (2016), it was confirmed that the popular cloud storage platform Dropbox had been hacked. Over 68m users’ email addresses and passwords were accessed and leaked onto the internet. Surprisingly, the hack took place in 2012, but it was not known or confirmed until less than two months ago. If you did not get the memo, please change your password. The affected accounts are those whose passwords have not been changed since 2012.

Dropbox is popular among legal practitioners. Client information, along with other documents, is usually stored on the cloud.

Does this create liability for the lawyer whose client’s information has been hacked? If yes, to what extent?

The law

Information exchanged between a lawyer and his client is confidential. As such, all lawyers are obliged to keep the affairs of their clients, past and present, confidential. The only exception is where disclosure is required by law or by your client.

A lawyer also has the duty not to put the client’s confidentiality at risk by acting. If a lawyer holds a client’s information, the lawyer must not risk breaching this client’s confidentiality by taking instructions from, or continuing to act for, another client if:

  1. The client’s information may reasonably be expected to be relevant to the fresh instructions
  2. The client’s interests are adverse to the [potential] new client who is giving fresh instructions

However, if proper arrangements can be made to prevent a breach of the client’s confidentiality, then the lawyer can go ahead and take these new instructions from the new client. Such proper arrangements include:

  1. Seeking consent from your client (the old and new)
  2. If your client has agreed to your acting with knowledge that you cannot disclose their information
  3. Safeguards required by law, such as creating the “great wall”, are implemented
  4. If it is reasonable in all circumstances to do so.

The duty of confidentiality should be distinguished from legal professional privilege. The duty of confidentiality covers all confidential information about a client’s affairs, with some exceptions, such as if compelled by a tax body, where children are involved, where your client is plotting to commit a crime, etc., while legal professional privilege protects certain communication between a lawyer and his client, even on compulsion by court. However, not all communication is subject to legal professional privilege.

The duty of confidentiality continues even after the retainer ends. On the death of the client, a lawyer owes the duty of confidentiality to the deceased’s personal representatives.

The lawyer’s liability

Breach of client confidentiality attracts liability for the lawyer.

  1. The lawyer may be sued for negligence, proceedings which attract damages to the client if he or she successfully prosecutes the case.
  2. The lawyer may also face disciplinary sanctions from the bar body. His practicing license may be recalled, he may be suspended from the bar, and he may even be fined.

How then do you ensure your client’s confidentiality? At the end of the day, the effort you made to safeguard the information is what matters.

  1. Do not be overconfident or careless with your client’s information. How do you do this? Don’t talk to your clients about their case in a public place, do not leave client information in an office which has no security, do not discuss your client’s matter with a friend, colleague or spouse, and keep your client’s cases out of social media.
  2. Ensure data security. Be mindful of the risks of sending files over the internet. Secure the transmission of important documents. Do not share passwords. Keep your data in the cloud. Make good use of password managers.
  3. Ensure document security. Put the shredder to good use. Keep the client’s files in a safe, lockable cabinet. Never leave documents where anyone can find them, such as a cyber café.
  4. Mind who handles your I.T. Do not hire Snowden. Do good employee screening and make background checks on people who handle your I.T.

I hope that is helpful to you and your practice. Keep your client’s information confidential. Client confidentiality is at the core of our profession. We must uphold it.


This article appears in our weekly digital magazine, The Deuteronomy, Vol 6, Issue 5 of October 30th, 2016 under the title, Drop box hack: The lawyers duty not to disclose a client’s information.
