Professionals are given access to vast amounts of confidential information from the moment they start their careers. It is such a common fact of professional life that people often forget it. But it is all too easy to breach a client’s confidence. Then, when a breach occurs, it can have significant repercussions, both reputationally and financially for the firm involved, and may cause regulatory action.
Press articles regularly point out the risks that professionals face. Recently, the solicitors of Harry Potter author JK Rowling had to settle a breach of confidence claim brought by the writer after her solicitor told his wife, who told a friend, who told the press that JK Rowling had written a crime novel under the pseudonym “Robert Galbraith”. Similarly, during the past year, the accountancy firm Baker Tilly in the UK was under investigation by regulators following an allegation by Barclays Bank that a Baker Tilly employee took back confidential information to the firm following a secondment at the bank.
These are high-profile and significant breaches or alleged breaches of confidence rather than everyday occurrences. However, all of us are facing smaller scale breaches on a more regular basis. These can take the form of disclosing client details to a member firm, apparently for client ID purposes but, without permission from the client, this amounts to a breach of confidence. Alternatively, mentioning to a mutual contact of the firm and the client that the firm acts for the client could be claimed to be a breach of confidence. It is also all too easy for a partner or a member of staff to lose a laptop or send a confidential email to the incorrect recipient by inadvertently inserting the wrong email address.
The question then becomes a) how does the firm best manage the breach to minimise its impact and b) how can future breaches be avoided?
With many breaches of confidence, whether big or small, it is important to act quickly to manage and contain them and, from a regulatory viewpoint, be seen to act quickly. With this in mind, firms could put in place an internal protocol to follow in the event of a breach. This could include details of the individuals internally who should be contacted in the event of a breach, and also details of any external regulators who need to be contacted. On the internal contact list, consider including the Head of Legal or Risk Management (to take the lead on any external reporting to Regulators and the management of any breach of confidence claim), the Head of Communications (so that they will be ready to deal with any adverse publicity) and the individual responsible for the firm’s Professional Indemnity Insurance (as the breach is likely to be a notifiable event). In terms of external regulators, consider whether you need to contact the Police (if confidential information was contained on a stolen laptop) and any entity responsible for information security. In the UK, breaches of confidential personal data have to be reported to the Information Commissioner’s Office.
Once the immediate aftermath of the breach has passed, there is time to consider how to avoid a similar breach occurring again. It may be that the firm’s partners and staff need to be reminded of the extent of their professional obligations when it comes to confidentiality. Alternatively, the breach may have arisen on account of a lack of understanding as to the extent of the confidentiality terms in the contract for work. This is particularly so if a client’s terms of business have been used rather than the firm’s engagement letter. In that case, consider implementing a contract “control” sheet when teams engage on unfamiliar terms, which could set out materially different or more onerous terms than the firm’s own terms.
It may also be worth checking the firm’s own contractual terms and ensuring that these leave the firm as unfettered as legally possible when it comes to disclosing information to Regulators or following a Court Order requiring disclosure. For instance, try to avoid having to give notice or seek consent from your client in such circumstances. Further, ensure that any breach of confidence claim is included within the liability cap which has been set, either in the firm’s terms of business or the client’s own terms. This will minimise the financial impact of any breach of confidence.
Well-publicised instances of breach of confidence and our own private experiences show us that breaches of confidentiality can never be avoided entirely. However, with a well-thought-out approach to mitigating their impact, continued education within firms as to what amounts to a breach of confidence and improved contractual terms regarding confidentiality, the number and extent of the instances should be significantly reduced.