This document provides an overview of requirements for safeguarding client information and file retention. It discusses the duty of confidentiality lawyers have regarding client information under Rule 4-1.6. The document also outlines factors to consider in determining reasonable protections for client data, such as the sensitivity of information and likelihood of disclosure without additional safeguards. It notes client files may be stored in the cloud or on third-party servers and addresses terms of service and encryption methods for secure communications. The document concludes with a discussion of attorney-client privilege and work product protections.

1. Safeguarding Client Information and
File Retention Requirements
Michael Downey
Downey Law Group LLC
August 2017

2. Safeguarding Client Information
2

3. 3
1/8/17, 9(45 PMChinese Nationals Charged With Hacking Firms to Steal M A Info | The American Lawyer
NOT FOR REPRINT
Click to Print or Select 'Print' in your browser menu to print this document.
Page printed from: The American Lawyer
Chinese Nationals Charged With Hacking
Firms to Steal M&A Info
Mark Hamblett, The Am Law Daily
December 27, 2016
Three Chinese nationals face federal charges for allegedly hacking into two major U.S. law firms in
a scheme to trade on information about imminent mergers and acquisitions.
U.S. Attorney Preet Bharara of the Southern District of New York announced Tuesday that Iat
Hong, Bo Zheng and Hung Chin have been charged with infiltrating the servers of two law firms in
2014 and 2015 and accessing nonpublic information about pending deals. According to Bharara's
office, the information was used in trades that reaped roughly $4 million in illegal profits.
The indictment unsealed Tuesday does not name the law firms, which are referred to as Law Firm
1 and Law Firm 2. According to the charges, Law Firm 1 advised Intel Corp. on its 2015 acquisition
of Altera Corp. for $16.7 billion and represented a company that was in deal talks with InterMune
Inc., which sold to Roche AG in 2014 for $8.9 billion.
The second major law firm advised Pitney Bowes Inc. in the 2015 acquisition of New York-based e-
commerce company Borderfree, the indictment states.
Based on those details the two firms appear to be Weil, Gotshal & Manges and Cravath, Swaine &
Moore, firms where cyberbreaches previously were reported. Weil represented Intel in the Altera
buy and Cravath is identified in securities filings as Pitney Bowes lead deal counsel.

4. 4

5. 5

6. 6

7. 7

8. DUTY of Confidentiality
8

9. Duty of Confidentiality – Rule 4-1.6
A lawyer shall not reveal information relating to
the representation of a client unless the client
gives informed consent, the disclosure is
impliedly authorized in order to carry out the
representation, or the disclosure is permitted by
Rule 4-1.6(b).
9

10. Duty of Confidentiality – Missouri Rule 4-1.6
• Information from any
source
• Relating to
representation
• Limit on "revelation"
• Limit on "use" in Rule
4-1.8
Client
Media reports Opposing
counsel
Pleadings
Adverse
party
Third party
Lawyer
10

11. The Myth of Privacy
"There can be no reasonable
expectation of privacy in a tweet
sent around the world."
People v. Harris (N.Y. Crim. Court 2012)
11

12. Internet vs. Privacy: "Helpful Venn diagram"
By David Hoffman, available at http://bit.ly/bqU5vU
The
Internet Privacy
12

13. 13

14. Protecting Information
Model Rule 1.6(c): "A lawyer shall make
reasonable efforts to prevent the inadvertent or
unauthorized disclosure of, or unauthorized
access to, information relating to the
representation of a client."
14

15. 15
What Are "Reasonable" Protections?

16. Evaluation of Safeguards
• Factors to be considered in determining the reasonableness
of the lawyer’s efforts include, but are not limited to,
– the sensitivity of the information
– the likelihood of disclosure if additional safeguards are not
employed
– the cost of employing additional safeguards
– the difficulty of implementing the safeguards (and)
– the extent to which the safeguards adversely affect the lawyer’s
ability to represent clients (e.g., by making a device or
important piece of software excessively difficult to use)
16

17. Rule 1.6(c) – Two More Caveats
• A client may require the lawyer to implement special security
measures not required by this Rule or may give informed
consent to forgo security measures that would otherwise be
required by this Rule.
• Whether a lawyer may be required to take additional steps to
safeguard a client’s information in order to comply with other
law, such as state and federal laws that govern data privacy or
that impose notification requirements upon the loss of, or
unauthorized access to, electronic information, is beyond the
scope of these Rules.
17

18. Where Is the Data?
18

19. The "Cloud"
19

20. "Data Farms"
20

21. Terms of Service
Google Docs (8/2017)
21

22. Secure Communications
• WhatsApp
• Apple-Apple iMessage texting (blue, not
green)
• FaceTime
22

23. Beating Security
23

24. Internet Access
24

25. 25

26. PrivatePublic
26
PKI
Email Encryption

27. 27
“A lawyer generally may transmit information
relating to the representation of a client over
the Internet without violating the Model
Rules of Professional Conduct where the
lawyer has undertaken reasonable efforts to
prevent inadvertent or unauthorized access…

28. 28
…However, a lawyer may be required to take
special security precautions to protect against the
inadvertent or unauthorized disclosure of client
information when required by an agreement with
the client or by law, or when the nature of the
information requires a higher degree of security.”

29. Seven Considerations
1. Understand the threat
2. Understand how client information is transmitted and stored
3. Understand and use reasonable security measures
4. Determine how client information should be protected
5. Label client information confidential
6. Train about information security
7. Conduct due diligence on technology
29

30. 30
“Thus, the use of unencrypted routine email
generally remains an acceptable method of lawyer-
client communication.
However, cyber-threats and the proliferation of
electronic communications devices have changed
the landscape and it is not always reasonable to
rely on the use of unencrypted email.”

31. Attorney-Client PRIVILEGE
31

32. Attorney-Client Privilege
• Confidential
• communications
• between an attorney and his [or her] client
• concerning the representation of the client
• are protected by the attorney-client privilege.
Diehl v. Fred Weber, Inc. (Mo. App. E.D. 2010)
32

33. DUTY of Confidentiality – Rule 4-1.6
Client
Court
Filings
Real Estate
Records
Newspaper
Depositions
Pleadings
Opposing
Party
Lawyer

34. Attorney-Client Privilege
• Confidential
• communications
• between an attorney and his [or her] client
• concerning the representation of the client
• are protected by the attorney-client privilege.
Diehl v. Fred Weber, Inc. (Mo. App. E.D. 2010)
34

35. Attorney-Client Privilege
Client Lawyer
Rendition of
Legal Services
35

36. "Necessary" Agents – Kovel
Client Lawyer
Agent
36

37. Joint Representation
Client 1 Client 2
Lawyer
37

38. DeBold v. Case (8th Cir. BAP 2005)
“When two or more persons, each having an interest in
some problem, jointly consult an attorney, their
confidential communications with the attorney, though
known to each other, will of course be privileged in a
controversy of either or both of the clients with the
outside world, that is, with parties claiming adversely
to both or either of those within the original charmed
circle.”
38

39. Joint Defense/Common Interest Privilege
39
Client 1 Client 2
Lawyer 1 Lawyer 2

40. Attorney-
Client
Privilege
Common
Interest
40

41. Adverse in Business Transaction
Seller
Buyer
41

42. Shared Interest in Evaluating Lawsuit
Seller
Buyer
Plaintiff
42

43. Work Product Protection – MO Rule 56.01(b)(3)
• Subject to the provisions of Rule 56.01(b)(4), a party may obtain discovery
of documents and tangible things otherwise discoverable under Rule
56.01(b)(1) and prepared in anticipation of litigation or for trial by or for
another party or by or for that other party's representative, including an
attorney, consultant, surety, indemnitor, insurer, or agent, only upon a
showing that the party seeking discovery has substantial need of the
materials in the preparation of the case and that the adverse party is
unable without undue hardship to obtain the substantial equivalent of the
materials by other means. In ordering discovery of such materials when
the required showing has been made, the court shall protect against
disclosure of the mental impressions, conclusions, opinions, or legal
theories of an attorney or other representative of a party concerning the
litigation.
43

44. Rule 56.01(b)(3) Parsed
§ [A] party may obtain discovery of documents and tangible things
otherwise discoverable under Rule 56.01(b)(1) and
§ prepared in anticipation of litigation or for trial
§ by or for another party or by or for that other party's representative,
including an attorney, consultant, surety, indemnitor, insurer, or agent,
§ only upon a showing
– that the party seeking discovery has substantial need of the materials
in the preparation of the case and
– that the adverse party is unable without undue hardship to obtain the
substantial equivalent of the materials by other means.
44

45. FRCP Rule 26(b)(3)(A) Parsed
• Documents and Tangible Things.
• Ordinarily, a party may not discover
• documents and tangible things that
• are prepared in anticipation of litigation or for trial
• by or for another party or its representative (including the
other party's attorney, consultant, surety, indemnitor, insurer,
or agent)
45

46. Work-Product Protection
A lawyer's involvement is
not required
46

47. Attorney-
Client
Privilege
Work-Product
Protection
47

48. Opinion Work Product – Full
Protection
§ In ordering discovery of [work product] when
the required showing has been made, the
court shall protect against disclosure of the
mental impressions, conclusions, opinions, or
legal theories of an attorney or other
representative of a party concerning the
litigation.
48

49. Waiver of Privileges
§ Martha Stewart is being investigated for insider
trading
§ Stewart prepares chronology of events around
ImClone stock sale
– Stewart sends chronology to her lawyers
– Stewart then sends chronology to her daughter
§ Is attorney-client privilege waived?
§ Is work-product protection waived?
49

50. Waiver
§ Attorney-Client Privilege
– Express waiver
– At-issue waiver
– Disclosure
• Work Product
– Express waiver (by client
or firm)
– At-issue waiver
– Disclosure – where
inconsistent with
purpose or litigation
advantage
50

51. Crime-Fraud Exception
• Key – communications are not (really) for the
purpose of giving or receiving legal advice, but
to commit a crime
• US v. Williams (8th Cir. 2013) – defendant
asked lawyer to smuggle cell phone into
prison
51

52. Accessing Third-Party
Information
52

53. 53
Rule 4-4.4 Respect For Rights
Of Third Persons
(a) In representing a client, a lawyer shall not use means that
have no substantial purpose other than to embarrass, delay,
or burden a third person, or use methods of obtaining
evidence that violate the legal rights of such a person.
(b) A lawyer who receives a document relating to the
representation of the lawyer's client and knows or reasonably
should know that the document was inadvertently sent shall
promptly notify the sender.

54. 54
Inadvertent Production
• Old Rule – recipient of metadata
– Notify producing party of production of privileged
information
– Refrain from reviewing privileged information
– Abide by producing counsel's instruction – at least
until a court orders otherwise

55. 55
New Rule 4-4.4(b)
A lawyer who receives a document relating to
the representation of the lawyer's client and
knows or reasonably should know that the
document was inadvertently sent shall
promptly notify the sender.

56. In re Eisenstein (Mo. 4/5/2016)
• Eisenstein represented Husband in divorce
• Husband accessed Wife's email without permission, and gave
Eisenstein documents including questions Wife's attorney had
prepared for direct examination
• Eisenstein did not produce the documents received from
Wife's email, until giving them to opposing counsel as exhibits
during trial
56

57. Consequences in Eisenstein
• Eisenstein was found to have used improperly
obtained information (violating Rule 4-4.4)
and concealing documents with evidentiary
value (violating Rule 4-3.4)
• Eisenstein received an indefinite (minimum 6
month) suspension
57

58. Improper Access – Rule 4-4.4(a)
• In representing a client, a lawyer shall not use
means that have no substantial purpose other
than to embarrass, delay, or burden a third
person, or use methods of obtaining evidence
that violate the legal rights of such a person.
58

59. Why Improper
• Illegal – may be incriminating client
– Evidence may be barred
– Lawyer may be disqualified
• Permitted – may use documents
59

60. File Retention
60

61. File Ownership
• “The client’s files belong to the client, not to
the attorney representing the client. The client
may direct an attorney or firm to transmit the
file to newly retained counsel.” In the matter
of Cupples, 952 S.W.2d 226, 234 (Mo. banc
1997).
61

62. Retention – Ordinary Client Records
Rule 4-1.22
62

63. Six Years – Unless Written Consent
• A lawyer shall securely store a client's file for six years after completion or
termination of the representation absent other agreement between the
lawyer and client through informed consent confirmed in writing. Such
informed consent confirmed in writing may be made between the lawyer
and the client at any point during the six years after completion or
termination of the representation. If the client does not request the file
within six years after completion or termination of the representation, the
file shall be deemed abandoned by the client and may be destroyed.
• The six year client file retention requirement shall apply to all client files
where the completion or termination of the representation occurs on or
after July 1, 2016. All client files where the completion or termination of
the representation occurs prior to July 1, 2016, shall be governed by the
previously required 10 years.
63

64. Beware Spoliation
• A lawyer shall not destroy a file pursuant to this Rule 4-1.22 if
the lawyer knows or reasonably should know that: (a) a legal
malpractice claim is pending related to the representation; (b)
a criminal or other governmental investigation is pending
related to the representation; (c) a complaint is pending
under Rule 5 related to the representation; or (d) other
litigation is pending related to the representation.
64

65. Keep Items With “Intrinsic Value”
• Items in the file with intrinsic value shall never be
destroyed.
• A lawyer destroying a file pursuant to this Rule 4-
1.22 shall securely store items of intrinsic value or
deliver such items to the state unclaimed property
agency. The file shall be destroyed in a manner that
preserves client confidentiality.
65

66. Remember What You Destroy
• A lawyer destroying a file pursuant to this Rule 4-1.22 shall
maintain the written record of the client's consent of
destruction for at least six years after completion or
termination of employment. Client files, except for items of
intrinsic value, may be maintained by electronic,
photographic, or other media provided that printed copies
can be produced. These records shall be readily accessible to
the lawyer.
66

67. Dissolution – Must Protect Records
Upon dissolution of a law firm, the lawyers shall make
reasonable arrangements for the maintenance of client files.
Upon the sale of a law practice, the seller shall make reasonable
arrangements for the maintenance of client files, which includes
written notice to a client as to the location of the client's file.
67

68. Retention – Trust Account Records
Rule 4-1.15(f)
68

69. Six Years – No Matter What
Complete records of client trust accounts shall be maintained
and preserved for a period of at least six years after the later of:
(1) termination of the representation, or
(2) the date of the last disbursement of funds.
Client trust account records may be maintained by electronic,
photographic, or other media provided that they otherwise
comply with Rules 4-1.145 to 4-1.155 and that printed copies can
be produced. These records shall be readily accessible to the
lawyer.
69

70. Required Trust Account Documentation (Missouri)
(1) receipt and disbursement journals
(2) client-specific ledgers
(3) fee agreements and similar
documents
(4) accounting statements showing
disbursements made
(5) bills and expenses sent to clients
(6) disbursement records
(7) check-book registers and bank
statements or the equivalents
(8) electronic transfer records
(9) account reconciliations
(10)credit-card transaction
information
70

71. Dissolution – Must Protect Records
Upon dissolution of a law firm or of any legal
professional corporation, the partners shall make
reasonable arrangements for the maintenance of client
trust account records. Upon the sale of a law practice,
the seller shall make reasonable arrangements for the
maintenance of client trust account records.
71

72. Michael Downey
Downey Law Group LLC
(314) 961-6644
(844) 961-6644 toll free
mdowney@DowneyLawGroup.com
Thank You