Client Confidentiality Compliance Checklist

Confidentiality Training and Acknowledgment

    Cover the named cases: client matter data lives in the DMS (NetDocuments / iManage / Clio Documents), never on personal email, personal cloud, or unmanaged USB. Walk through the firm's specific examples — last year's near-miss when a draft brief was emailed to a personal Gmail counts more than abstract rules. New attorneys, paralegals, and contract staff all attend.

    Every employee, contract attorney, and intern signs the firm's confidentiality and acceptable-use agreement before being granted DMS or PMS access. File the executed copy in the personnel folder; HR keeps the master register.

    Ethics CLE hours are tracked separately from general CLE in most states. Confirm the firm's CLE provider covers Rule 1.6(c) reasonable safeguards and any state-specific technology competence amendments enacted this cycle.

Physical File Security

    Records clerk does an end-of-day floor sweep — no open matter files on desks, no privileged drafts on printers, no whiteboard notes referencing client names visible from the hallway. Common gotcha: the conference room printer holding overnight output of an opposing-counsel production.

    Pull the keycard log for the prior quarter. Flag any after-hours entries, any badges still active for departed staff, and any access by non-firm personnel (cleaners, vendors). Disable terminated badges on the day of separation, not at quarter-end.
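An added example (not part of the firm's checklist) of the three keycard-log checks above run over a constructed quarter of log lines. The CSV layout, the badge roster, and 07:00-19:00 business hours are assumptions; a real review would export the log from the access-control system and the roster from HR.

```python
from datetime import date, datetime, time

# Constructed badge roster: badge -> (holder, category, separation date or None).
ROSTER = {
    "B1001": ("J. Smith", "attorney", None),
    "B1002": ("A. Lee", "paralegal", "2024-02-15"),   # departed mid-quarter
    "B2001": ("CleanCo crew", "vendor", None),          # non-firm personnel
}

# Constructed log export, one event per line: ISO timestamp,badge,door,result
LOG = """\
2024-01-09T08:12:00,B1001,main-entrance,granted
2024-01-09T22:40:00,B1001,records-room,granted
2024-02-20T18:05:00,B1002,main-entrance,granted
2024-03-02T09:30:00,B1001,main-entrance,granted
2024-03-11T21:15:00,B2001,records-room,granted
2024-03-11T21:16:00,B9999,main-entrance,denied
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed firm hours, Mon-Fri


def triage(log_text, roster):
    """Return (timestamp, badge, holder, door, reasons) for each event that
    needs a reviewer's attention; clean business-hours entries are dropped."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, badge, door, result = line.split(",")
        when = datetime.fromisoformat(ts)
        holder, category, separated = roster.get(badge, ("unknown", "unknown", None))
        reasons = []
        weekend = when.weekday() >= 5
        outside = not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1])
        if weekend or outside:
            reasons.append("after-hours")
        # A granted swipe after the separation date means the badge was never disabled.
        if separated and result == "granted" and when.date() > date.fromisoformat(separated):
            reasons.append("badge active after separation")
        if category == "vendor":
            reasons.append("non-firm personnel")
        if badge not in roster:
            reasons.append("badge not in roster")
        if reasons:
            findings.append((ts, badge, holder, door, reasons))
    return findings


if __name__ == "__main__":
    for ts, badge, holder, door, reasons in triage(LOG, ROSTER):
        print(ts, badge, holder, door, ", ".join(reasons))
```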

    Cross-cut or micro-cut only — strip-cut shredders fail Rule 1.6(c) reasonable-safeguards review in most jurisdictions. Confirm the shred vendor provides certificates of destruction and that bins are locked between pickups.

Electronic Data Protection

    Confirm the DMS (NetDocuments, iManage, Clio Documents, or equivalent) is configured for AES-256 at rest and TLS 1.2+ in transit. Pull the vendor's most recent SOC 2 Type II report; flag any qualified opinions for partner review.

    MFA on Microsoft 365 / Google Workspace, the VPN, the DMS, and the PMS. Pull the admin report of users still on SMS-only or with MFA disabled and remediate. SMS codes are no longer adequate for confidential client data; push to authenticator apps or hardware keys.

    Cloud-hosted PMS (Clio, MyCase, Smokeball) patches automatically; on-prem (Tabs3, PCLaw, ProLaw, iManage Server) does not. For on-prem, confirm the IT manager has applied the most recent vendor security release and document the patch date.

Confidentiality Policy Management

    Update the policy to reflect the current Model Rule 1.6(c) language as adopted by your state, any new state breach-notification thresholds, and any practice-area-specific obligations (HIPAA for medical malpractice work, GLBA for financial-services clients, ITAR for defense work).

    Managing partner reviews redline against prior version, signs the cover page, and dates the effective date. The signed PDF goes into the firm policy archive — auditors and bar examiners ask for the version-with-signature, not the unsigned draft.

    Post the signed policy to the firm intranet or SharePoint. Send an all-staff notice with the effective date and a link; include a request for read-acknowledgment from every employee. Bar examiners specifically check whether staff can locate the policy on demand.

Client Data Handling Procedures

    Tier matter data: ordinary (general civil), elevated (criminal defense, family, immigration), restricted (M&A, sealed, ITAR). Tier drives access permissions in the DMS, retention period, and ethical-wall enforcement. Tag the matter at intake; reclassification mid-matter is painful.

    Quarterly access review: pull the DMS access list per matter and confirm with the responsible attorney that every named user is still on the deal team. A common gotcha is paralegals retaining access to closed matters — Rule 1.6 doesn't expire when the matter does.
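An added example (not the firm's or any DMS vendor's code) of the quarterly access review above, extended with the ethical-wall check from the tiering item. The matter register, access export and wall list are constructed; the column layout of a real DMS export is an assumption.

```python
from collections import defaultdict

# Constructed matter register (not real firm data): status, tier, deal team.
MATTERS = {
    "2023-0142": {"status": "open",   "tier": "restricted", "team": {"jsmith", "alee", "rpatel"}},
    "2022-0087": {"status": "closed", "tier": "ordinary",   "team": {"alee", "mchen"}},
    "2023-0201": {"status": "open",   "tier": "elevated",   "team": {"rpatel"}},
}

# Constructed DMS access export, one row per grant: (matter, user, permission).
ACCESS_EXPORT = [
    ("2023-0142", "jsmith", "edit"),
    ("2023-0142", "alee", "edit"),
    ("2023-0142", "tkim", "view"),    # never on the deal team
    ("2022-0087", "mchen", "edit"),   # matter closed; paralegal still has access
    ("2023-0201", "rpatel", "edit"),
    ("2023-0201", "alee", "edit"),    # alee is screened from this matter
]

# Constructed ethical-wall list: user -> matters the user is screened from.
ETHICAL_WALLS = {"alee": {"2023-0201"}}


def review_access(matters, access_export, walls):
    """Return (matter, user, reason) for every grant that should be removed,
    or confirmed by the responsible attorney, in the quarterly review."""
    findings = []
    for matter_id, user, _perm in access_export:
        matter = matters.get(matter_id)
        if matter is None:
            findings.append((matter_id, user, "matter not in register"))
        elif matter_id in walls.get(user, set()):
            findings.append((matter_id, user, "ethical wall: user is screened"))
        elif matter["status"] == "closed":
            findings.append((matter_id, user, "access retained on closed matter"))
        elif user not in matter["team"]:
            findings.append((matter_id, user, "not on deal team"))
    return sorted(findings)


def by_matter(findings):
    """Group findings per matter so each responsible attorney gets one list to sign off."""
    grouped = defaultdict(list)
    for matter_id, user, reason in findings:
        grouped[matter_id].append(f"{user}: {reason}")
    return dict(grouped)


if __name__ == "__main__":
    for matter_id, items in by_matter(review_access(MATTERS, ACCESS_EXPORT, ETHICAL_WALLS)).items():
        print(matter_id, "->", "; ".join(items))
```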

    State bar minimums commonly run 5–7 years post-close; estate, real estate, and minor-client matters often run longer. Both early destruction (spoliation in subsequent matter) and late destruction (storage cost, breach risk) are problems. Run the records clerk's destruction list past the responsible attorney before shredding.

Third-Party Vendor Diligence

    Includes: cloud DMS, eDiscovery hosting (Relativity, Everlaw, DISCO), e-signature (DocuSign), transcription, expert witnesses, IT MSPs, off-site shred. Excludes: office supply, catering, landscaping. If in doubt, treat as in-scope.

    The firm's standard addendum covers Rule 1.6 confidentiality flow-down, breach notification within 48 hours, sub-processor disclosure, and on-termination data return or destruction. Don't accept the vendor's MSA without the addendum — vendor terms rarely meet bar requirements out of the box.

    Calendar the annual review on the firm's compliance docket. Pull the vendor's current SOC 2 Type II, evidence of cyber insurance, and a sub-processor list. Document any qualified findings and the firm's mitigation decision.

Incident Response Readiness

    Plan names the incident commander (typically managing partner or firm administrator), outside breach counsel, the cyber insurer's hotline, and the IT MSP escalation contact. Update names whenever someone leaves; a plan with a departed partner's cell phone is worse than no plan.

    For the period under review, walk the IT log, the DMS audit trail, and any reported incidents. A breach includes inadvertent production of privileged material, lost laptop with unencrypted matter data, ransomware on a workstation, and misdirected email containing client data.

    Engage breach counsel before notifying — wording of the disclosure affects privilege, malpractice exposure, and any later FRE 502 clawback argument. State data-breach notification statutes (all 50 states) layer on top of bar reporting obligations; the cyber carrier's hotline can usually advise on both timelines.

    Walk a realistic scenario — a paralegal Bcc's a 200-document production to opposing counsel including five privileged emails. Test the clawback letter, the FRE 502(d) order language, the client notification draft, and the internal lessons-learned write-up. Drill once a year minimum.