The attorney-client privilege protects confidential communications made between privileged individuals (i.e. an attorney, a client, or an agent) for the purpose of obtaining or providing legal assistance for the client. Most communications or exchanges between an attorney and client are covered by the attorney-client privilege. Privileged communications include any expression undertaken to convey information in confidence for the purpose of seeking or rendering legal advice.
The underlying principle of attorney-client privilege is to provide “sound legal advice [and] advocacy.” Relying on the inherent security of the privilege, a client may speak frankly and openly to legal counsel, disclosing all relevant information to the attorney without fear that the information may later be used against them, thus allowing the attorney to effectively and efficiently represent the client.
The attorney-client privilege is both a professional conduct requirement for attorneys and an evidentiary standard applied by courts. Professional conduct obligations while representing clients in the digital space are the primary focus of this article. Note that the article provides a generalized overview and does not constitute legal advice.
Although their substantive and procedural parameters vary, privilege requirements apply to attorneys in all jurisdictions. As a general rule, disclosure to a third party, whether intentional or inadvertent, will remove or invalidate privilege.
In the past, clients would meet with their counsel in person, and most client information was maintained at a law firm’s office in paper files. In that context, the application or waiver of privilege is fairly straightforward. Maintaining attorney-client privilege in the context of today’s variety of electronic communication mechanisms and platforms is far more nuanced. As the use of various technologies, including immersive digital environments, increases, it is particularly important for attorneys to stay informed and proficient in their use. Additionally, new organizational technologies that enable financial and human capital organization in the form of decentralized autonomous organizations can create issues for attorneys attempting to represent these entities, both in identification of the client and maintenance of privilege.
Identifying the Client: Generally
The client must be a legal person, whether an individual or a legal organization registered with the state, like a corporation. In the corporate context, the client is the corporation. Even though the stockholders own the corporation, and the directors, executives, and employees are directly involved in the attorney-client relationship, may act upon the advice received, and can incur personal liability for their actions taken pursuant to that advice, only the corporate entity — the legal fiction that is the creation of the state — is considered the client.
The application of the attorney-client privilege to communication between unincorporated entities, such as partnerships and trade associations — or more importantly, DAOs—and their legal counsel, gives rise to the question: who or what personifies the represented entity? For an association or partnership, the ‘who is the client’ question is usually answered differently than for a corporation. This is also likely the case for DAOs that are not incorporated or associated with a legal entity.
Courts have previously found that the attorney for an association or partnership and each member have a direct attorney-client relationship, just like they have with other unincorporated groups that have no existence apart from their members. However, courts have been wary of making a blanket pronouncement about the extent to which members of unregistered organizations can hold privilege on behalf of the organization, preferring to make case-by-case decisions based on assessment of whether confidentiality could reasonably be expected by the members of the association under the particular circumstances of each consultation. This uncertainty can make representation difficult from the perspective of an attorney representing an association, DAO, or other organization without an associated legal entity. It is arguably hard to maintain privilege with an unincorporated organization when the determination is dependent on jurisdictional rules or after-the-fact court rulings.
Identifying the Client: DAOs
The DAO is a non-entity technological structure that facilitates social coordination and collective online decision-making. DAOs are, by definition, community-led with no central leadership and built on a blockchain using smart contracts. Unlike traditional corporate structures, DAOs do not inherently maintain fictional legal personhood, which can complicate the representation of the DAO by attorneys.
In the ongoing CFTC action against Ooki DAO, the CFTC alleges that Ooki DAO is an unincorporated association — also sometimes characterized as a general partnership. The California Evidence Code recognizes members of unincorporated associations as holders of privilege against third parties. In this type of case, an attorney who represents members of an unincorporated association will usually be considered to represent each individual member of the association in matters of association business. A visual representation of the attorney-client relationship in the context of who holds privilege is provided using a modified version of Paradigm’s DAO Legal Entity Matrix, below.
What this means is that each member of an unincorporated association has an attorney-client relationship with the association’s attorney, and each member can claim the privilege or waive it, at least with respect to an external challenge to privilege. The ability to maintain privilege during internal disputes is less likely, if not non-existent. Where a DAO has been ‘wrapped’ in a limited liability company registered with a jurisdiction, privilege will be held by the entity.
In a third iteration, where the DAO directs a siloed entity but is not considered “wrapped,” privilege will be held only by the entity, and privileged information can be disclosed only to the specifically named DAO LLC member(s) directing the entity. There is also the potential that the DAO LLC is considered a member of the unincorporated association/partnership and privilege is held with the other members.
The structure, and who holds privilege under it, is particularly important because in some instances where it may be appropriate to disclose certain information to all members of a fully wrapped DAO, disclosing that same information to members of a partially wrapped DAO could waive privilege. There is also the additional nuanced question of the extent to which DAO members of a fully wrapped DAO (where the DAO contract is the sole member of the LLC) can maintain privilege if confidential information is disclosed in non-secure forums or Discord channels. In that situation, it may be most appropriate for the DAO entity to appoint leadership to interact with attorneys to ensure privilege is maintained.
Ultimately, when representing DAOs, a group of founders, or individuals organized as — or having defaulted to — a partnership, it is important to identify the client(s) and scope of representation in any engagement documents and to rigorously maintain siloed lines of communication. It may also be necessary to assess privilege requirements in more than one jurisdiction where remote communications may be occurring.
Protecting Attorney-Client Privilege in the Metaverse
As with remote legal practice, the legal profession will need to keep pace with technology as commerce extends into the metaverse. This topic was thoughtfully addressed by LexDAO members Elizabeth Shubov and Scott Stevenson J.D. in Five Guidelines for Maintaining Attorney-Client Privilege in the Metaverse. With the development and increased adoption of immersive work environments by Microsoft, Meta, Roblox, and web3 companies, the risks associated with data exposure and the unintentional waiver of attorney-client privilege protections have become more critical. As meetings in the metaverse become commonplace, a client without proper guidance may unknowingly waive their right to claim the attorney-client privilege. To ensure privilege is protected and maintained, attorneys and organizations need to be cognizant of the technology they are using and put in place appropriate controls, including maintaining up-to-date internal procedures, cybersecurity protocols, and training for both staff and clients to prevent accidental disclosure.
Best Practice Considerations for Digital Practice
In the United States, Comment 8 to the American Bar Association (ABA) Model Rule of Professional Conduct 1.1 (Lawyer’s Duty of Competence) outlines an attorney’s obligation to maintain technological competency in legal practice. The Comment reads:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
While the ABA Model Rules are only guidelines, iterations of their general requirements can be adopted on a jurisdiction-by-jurisdiction basis. For example, the majority of U.S. states have made it a requirement for lawyers to be “technologically competent” and keep up with changes in law practice and legal technology consistent with Model Rule 1.1 Comment 8.
The requirements of Model Rule 1.1 Comment 8 are particularly important in post-COVID remote practice and practice in the metaverse. Technology offers convenience and efficiency but also creates potential ethical landmines for attorneys who fail to understand the technology they are using. ABA Formal Opinion 498 provides a thorough discussion of the legal and ethical issues of virtual tools, along with generalized guidance as to how to avoid or minimize ethics problems in digital practice. Technological competence requires understanding the benefits and disadvantages of technology, and a focus on client confidentiality is fundamental to maintaining an ethically compliant remote or virtual workspace.
Opinion 498 discusses technologies that have become more commonplace, such as virtual meeting and document platforms, and the need for greater supervision of both employees and vendors that might allow inadvertent disclosure. To protect attorney-client privilege, law firms must educate their clients and staff on how the privilege works so that they can avoid intentional and inadvertent disclosures, as well as the risks that come with the disclosure of confidential information. The standard for the protection of client information and communications is usually “reasonable care,” but what constitutes reasonable care is not always an easy question to answer and includes a variety of factors. To that end, the following internal controls and best practices should at least be considered when using technology to communicate with clients, whether electronically or in the metaverse, in order to remain compliant with professional conduct obligations:
Client Agreement and Education
First and foremost, clients should be educated regarding their role as clients and their ability to waive the privilege that they hold. Clients can waive privilege by forwarding an email to a friend or family member, by using unsecured platforms, by posting privileged information on social media or in online forums, or simply by entering into a discussion with an external party. Education can range from a brief discussion with an experienced client, to a written disclosure acknowledged by the client. Regardless of the mechanism, client education is important and necessary to ensure attorney-client privilege is maintained.
Attorneys should also consider including third-party technology disclosures in their fee agreements. This allows clients to make an informed decision about which vendors handle their confidential information and how. This issue is addressed in ABA Formal Opinion №483 which provides:
Model Rule 1.4 requires lawyers to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” Model Rules 1.1, 1.6, 5.1 and 5.3, as amended in 2012, address the risks that accompany the benefits of the use of technology by lawyers. When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.
Should there be a data breach or other vendor issue, a client will not be surprised when they are put on notice of the breach and apprised of their rights, if any, against the vendor.
Finally, many clients also want to communicate via text message or other messaging services. In the DAO and crypto space, many communications take place using Discord, Telegram, and Signal. Attorneys who correspond with clients via texting or other messaging systems should remember that not all of those messaging systems are end-to-end encrypted. Implementing a strict protocol governing the appropriate use of messaging with clients is advisable to protect and preserve privilege.
Internal Policies and Procedures
Attorneys should implement internet usage policies to clarify the circumstances, if any, under which employees are allowed to use the internet, open attachments, download from the internet, or use social media. Potential internal controls could include:
- Employing password protection on devices and individual documents, including USB flash drives.
- Multi-factor authentication for device and account logins.
- Only drafting and storing electronic documents on the firm’s network, rather than personal home computers.
- Including settings that allow remotely wiping devices if they are lost or stolen.
- Scrubbing all metadata prior to transmitting documents to external email addresses.
Strong Passwords
Passwords should be complex and include numbers, upper- and lower-case letters, and symbols; they should also be long. Staff should be instructed not to use confidential information in creating passwords, such as birth dates, children’s names, or other easily discernible information. External vendors can assist in creating, maintaining, and changing strong passwords.
E-mail and Messaging Encryption
Email doesn’t travel in a straight line from your computer or phone to your client. It might be intercepted while it travels through servers in various countries. The best practice is to use an encrypted email service. Most email applications use some form of encryption; however, there are also more robust end-to-end encrypted email services, including Skiff, Tutanota, and ProtonMail.
End-to-end encrypted messengers also fall clearly into the space of an expectation of privacy between a client and their attorney. An end-to-end encrypted messenger is a messaging app that uses end-to-end encryption to keep messages secure. This means that only the attorney and recipients can read messages sent back and forth, and no one else — not even the technology provider — can access them. There are several different end-to-end encrypted messaging apps available, but some of the most popular ones include Signal, WhatsApp, and iMessage.
Digital Devices
The rapid evolution of communications technology and the means of intercepting confidential communications have created significant risks to attorney-client privilege. Before using a device — be it a phone, tablet, or laptop — counsel and their client must be familiar with the security implications stemming from the device and any downloaded apps.
An attendant concern stemming from 24/7 email and messaging access on mobile phones is the extent of the permissions granted to an email provider’s app and how these may violate privilege. In a recent opinion, Opinion 1240, the New York State Bar Association’s Committee on Professional Ethics addressed this question and concluded that:
If ‘contacts’ on a lawyer’s smartphone include any client whose identity or other information is confidential under Rule 1.6, then the lawyer may not consent to share contacts with a smartphone app unless the lawyer concludes that no human being will view that confidential information, and that the information will not be sold or transferred to additional third parties, without the client’s consent.
Unfortunately, many attorneys are not aware of the extent to which different apps can potentially see client contact information if granted access. Venmo, Facebook, Zoom, Snap, Slack, Tinder, Signal, Pinterest, Telegram, Chase Bank, Wayfair, and even Samsung’s smart washing machine will ask you for access to your contacts. This may mean that not only attorneys, but also staff, are disclosing potentially confidential information simply by having access to firm email or other messaging on their mobile devices.
Additionally, in the same way that law firms shred printed client data, attorneys should consider thoroughly wiping and overwriting data storage devices, such as phones, tablets, and computers used by the attorney and staff.
Data Storage
Cloud-based data storage can be an efficient and effective way to gather, share, and transmit client data. Common vendors include DropBox, Google Drive, and OneDrive, but there are many others, each with varying levels of encryption and security. As discussed previously, the potential that a storage provider could be hacked involves risks to confidentiality, and clients should be aware of those third-party risks. As with email transmission, one technical step that can be taken is to ensure client data is encrypted during transit and storage.
Secure Networks
Unencrypted data can be viewed by anyone who has network access and wants to see it. A virtual private network (VPN) routes your device’s traffic through a specially configured remote server run by a VPN host, which hides your device’s IP address. The VPN connection encrypts data traffic between the device and that server and protects it from external access, so hackers and cybercriminals on the local network can’t decipher it. Use of a VPN is particularly important when accessing any third-party or public WiFi service, whether for browsing the web, attending a video conference, or just emailing.
Video Conferencing
An unsecured video conference is analogous to inviting passersby from the street to attend an in-person client meeting. In virtual settings, attorneys should consider the following precautions:
- The platform should have appropriate encryption.
- Meeting links should be private and include unique links and passwords for each meeting.
- Attorneys should attempt to ensure that only parties who are supposed to be attending can see or hear the conversation. Participants should join from a separate physical space, such as a room or office, and use headphones to keep other people, including family members, from seeing or hearing the communication. Unfortunately, the duty of confidentiality does not extend to family, roommates, or neighbors accessing client data or overhearing client meetings.
- Meetings should occur on a private network, and, ideally, public WiFi should not be used. However, if a private network is not available, the participants should use a VPN service, one that will not collect user data, to limit unwanted access to the communication.
- The attorney should ensure that recording is disabled before the meeting starts, or at least configured so that the attorney is the only one allowed to record. Recording privileged communications can be problematic because if the recording is accidentally shared with a third party, or if proper measures are not taken to ensure that the recording is secure from a third party (e.g. either in the cloud or locally), this may waive privilege.
- Participants should turn off listening devices such as Google Home or Alexa.
To the extent that these safeguards can be enacted, attorneys should consider which are appropriate and necessary in the context of their practice. While these safeguards may not be necessary for every practice, failing to implement readily available safeguards could later be used as a basis for challenging privilege or, even worse, considered an ethical breach, and unfortunately, getting disbarred in the real world carries over to the metaverse.