CONFIDENTIALITY ON THE GO: RULE 4-1.6 AND ETHICAL OBLIGATIONS FOR LAWYERS WHILE TRAVELING

Modern legal practice has evolved into an increasingly mobile profession, allowing attorneys to access client information, easily communicate with clients, and perform legal services from virtually anywhere. While these technological advancements offer substantial benefits, they also create new threats to the confidentiality and security of client information, particularly when lawyers travel.

When lawyers leave the office, their ethical obligations under Rule 4-1.6 of the Rules Regulating The Florida Bar do not end. Lost or stolen devices, unsecured Wi-Fi networks, visual exposure in public spaces, and government searches at airports are real and recurring threats to client confidentiality. Rule 4-1.6 still applies in these situations and requires lawyers to take reasonable steps to safeguard client information wherever it is stored or can easily be accessed by third parties.

Rule 4-1.6(a) establishes one of the most fundamental obligations a lawyer owes to a client. A lawyer must not reveal information relating to the representation of a client absent informed consent or an applicable exception.^[1] This obligation is extremely broad and extends to all information relating to the representation, regardless of its source.^[2] Thus even information contained in a public record remains subject to a lawyer’s duty of confidentiality to a client.

Rule 4-1.6(e) further requires lawyers to act competently to safeguard such information against unauthorized access or disclosure.^[3] Compliance is measured by whether the lawyer made reasonable efforts under the circumstances.^[4]

Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.^[5]

Travel significantly increases the risk of inadvertent or unauthorized disclosure because environments outside the office are more difficult to control and are therefore inherently less secure. Because protective measures such as encryption and multi-factor authentication are now widely available and readily accessible, reasonable efforts to safeguard client information during travel generally require the implementation of these and other enhanced security measures. Rule 4-1.1, the competence rule, reinforces this obligation by requiring lawyers to understand the risks associated with technology and traveling with devices.^[6] The Florida Bar has  emphasized that lawyers must remain aware of evolving technology risks, including those associated with cloud computing and remote access to client data.^[7] Failure to address travel-related risks may involve a violation of both competence and confidentiality duties to clients.

The risks lawyers should consider when traveling include, but are not limited to:

• Physical Loss or Theft
  Devices may be more likely to be lost or stolen during travel. Without encryption, a compromised device can expose extensive client data.

• Unsecured Networks
  The use of public Wi-Fi networks exposes information to nearby individuals, creating the risk of inadvertent disclosure.

• Visual Exposure
  Reviewing client materials in public spaces without privacy screens exposes information to nearby individuals.

• Customs and TSA Searches
  Travel may allow government authorities to search electronic devices without a warrant. International travel presents heightened risks of forced disclosure because travelers are exposed to legal systems and security practices that are outside their normal control and may be subject to broader government authority.

• Business Centers
  The use of business center computers and printers introduces additional risks, such as data retention and unauthorized access.

Practical safeguards before travel include enabling encryption, using stronger passwords and multi-factor authentication, and any other preventative measures to help protect confidential information. If possible, lawyers should also minimize the amount of client data stored on their devices and consider using dedicated travel devices, especially for higher-risk trips such as international trips.

During travel, a secure virtual private network (VPN) should be used on all public networks, and personal cellular data may be safer. Privacy screens should be used in public settings, and devices should remain under the lawyer’s physical control at all times. Lawyers should avoid discussing client matters in public and refrain from using public printers or business centers for confidential materials. Any lost, stolen , or compromised device should be reported to the firm immediately.

If a lawyer suspects that client information has been exposed, the lawyer should promptly change their credentials and determine whether any data breach notification obligations are triggered. They should also evaluate their duty under The Florida Bar’s communication rule to keep clients reasonably informed of developments affecting the representation, including potential compromises of confidential information.^[8]

The duty to safeguard client information also extends to law firms, not just the individual lawyer. Under Rules 4-5.1 and 4-5.3, firms must make reasonable efforts to ensure that lawyers and staff comply with their ethical obligations.^[9]

Firms should implement clear travel security policies, including requirements for encryption, VPN use, restrictions on personal device usage with access to client confidential information, and protocols for reporting lost devices. Training should also be provided to ensure that all personnel understand travel-related risks and the processes to mitigate any exposure or interception of confidential information.

In today’s increasingly mobile and technology-driven legal profession, the ability to access client information remotely has become both essential and expected. However, the convenience and flexibility that modern technology provides also create significant risks to the confidentiality of client information.

A lawyer’s ethical duty to safeguard client information does not diminish while traveling. Rule 4-1.6(e) requires lawyers to make reasonable efforts to prevent the unauthorized disclosure of client information, and the risks associated with travel demand increased vigilance and security measures. Basic safeguards and careful handling of devices are no longer optional; they represent the baseline standard of competent legal practice. Lawyers who incorporate these measures into their travel routines will be better positioned to protect client confidentiality and comply with their ethical obligations.

^[1] R. Regulating Fla. Bar 4-1.6(a).

^[2] Id. 4-1.6 comment

^[3] Id. 4-1.6 (e).

[4] Id. 4-1.6 comment

^[5] Id.

^[6] R. Regulating Fla. Bar 4-1.1 comment.

^[7] Fla. Bar Ethics Op. 12-3 (2013).

^[8] R. Regulating Fla. Bar 4-1.4.

^[9] R. Regulating Fla. Bar 4-5.1;4-5.3.