Client Confidentiality Compliance Checklist

Cover the named cases: client matter data lives in the DMS (NetDocuments / iManage / Clio Documents), never on personal email, personal cloud, or unmanaged USB. Walk through the firm's specific examples — last year's near-miss when a draft brief was emailed to a personal Gmail counts more than abstract rules. New attorneys, paralegals, and contract staff all attend.

Every employee, contract attorney, and intern signs the firm's confidentiality and acceptable-use agreement before being granted DMS or PMS access. File the executed copy in the personnel folder; HR keeps the master register.

Records clerk does an end-of-day floor sweep — no open matter files on desks, no privileged drafts on printers, no whiteboard notes referencing client names visible from the hallway. Common gotcha: the conference room printer holding overnight output of an opposing-counsel production.

Pull the keycard log for the prior quarter. Flag any after-hours entries, any badges still active for departed staff, and any access by non-firm personnel (cleaners, vendors). Disable terminated badges the day of separation, not at quarter-end.

Confirm the DMS (NetDocuments, iManage, Clio Documents, or equivalent) is configured for AES-256 at rest and TLS 1.2+ in transit. Pull the vendor's most recent SOC 2 Type II report; flag any qualified opinions for partner review.

MFA on Microsoft 365 / Google Workspace, the VPN, the DMS, and the PMS. Pull the admin report of users still on SMS-only or with MFA disabled and remediate. Phone-based SMS is no longer adequate for confidential client data; push to authenticator apps or hardware keys.

Update the policy to reflect the current Model Rule 1.6(c) language as adopted by your state, any new state breach-notification thresholds, and any practice-area-specific obligations (HIPAA for medical malpractice work, GLBA for financial-services clients, ITAR for defense work).

Managing partner reviews redline against prior version, signs the cover page, and dates the effective date. The signed PDF goes into the firm policy archive — auditors and bar examiners ask for the version-with-signature, not the unsigned draft.

Tier matter data: ordinary (general civil), elevated (criminal defense, family, immigration), restricted (M&A, sealed, ITAR). Tier drives access permissions in the DMS, retention period, and ethical-wall enforcement. Tag the matter at intake; reclassification mid-matter is painful.

Quarterly access review: pull the DMS access list per matter, confirm with responsible attorney that every named user is still on the deal team. Common gotcha is paralegals retaining access to closed matters — Rule 1.6 doesn't expire when the matter does.

Includes: cloud DMS, eDiscovery hosting (Relativity, Everlaw, DISCO), e-signature (DocuSign), transcription, expert witnesses, IT MSPs, off-site shred. Excludes: office supply, catering, landscaping. If in doubt, treat as in-scope.

Firm's standard addendum covers Rule 1.6 confidentiality flow-down, breach notification within 48 hours, sub-processor disclosure, and on-termination data return or destruction. Don't accept vendor's MSA without the addendum — vendor terms rarely meet bar requirements out of the box.

Plan names the incident commander (typically managing partner or firm administrator), outside breach counsel, the cyber insurer's hotline, and the IT MSP escalation contact. Update names whenever someone leaves; a plan with a departed partner's cell phone is worse than no plan.

For the period under review, walk the IT log, the DMS audit trail, and any reported incidents. A breach includes inadvertent production of privileged material, lost laptop with unencrypted matter data, ransomware on a workstation, and misdirected email containing client data.

Engage breach counsel before notifying — wording of the disclosure affects privilege, malpractice exposure, and any later FRE 502 clawback argument. State data-breach notification statutes (all 50) layer on top of bar reporting obligations; cyber carrier hotline can usually advise on both timelines.