
Internal Investigations: Preserving the Attorney-Client Privilege & Avoiding Disqualification of Counsel

Determining whether an internal investigation should be led by the organization’s Human Resources personnel, in-house counsel, regular outside counsel, or non-regular outside counsel will generally hinge on the nature of the allegations and the target(s) of the allegations. Although HR personnel often conduct routine internal investigations, having them do so where litigation is reasonably anticipated in connection with the facts underlying the investigation is likely to mean that the results of the investigation are not protected by the attorney-client privilege. For that reason, and because of the expertise and experience that suitable counsel bring to an investigation, counsel should often be used to conduct an internal investigation.

When considering the role of in-house or outside counsel in conducting an internal investigation, it is critical to identify who the client is. NY RPC 1.13(a) states as follows: “A lawyer employed or retained by an organization represents the organization acting through its duly authorized constituents.” Of course, joint representation by in-house or outside counsel of an organization and its directors, officers, or employees is permitted where no conflict of interest is believed to exist. However, a joint retainer agreement pursuant to which an organization and one or more of its agents retain the same law firm should provide that, if the firm seeks to withdraw from its representation of the individual(s) because the corporation’s interests eventually deviate from those of the person(s) being jointly represented or otherwise, each individual agrees that she or he will not move to disqualify the firm from continuing to represent the organization.

Having in-house counsel conduct an investigation is often more efficient than having outside counsel do so but could lead to the in-house counsel becoming a witness and therefore preventing the organization from maintaining the confidentiality of communications made to counsel by employees and other agents of the organization. Indeed, it is not uncommon for the lead attorney who conducted an internal investigation to be called upon to serve as a witness in the ensuing litigation. Should this happen, the attorney is highly unlikely to be able to represent the organization in the litigation in New York since NY RPC 3.7(a) states that: “[a] lawyer shall not advocate at a trial in which the lawyer is likely to be a necessary witness….”

Office of Disciplinary Counsel v. Cynthia Baldwin [1] provides an admittedly dramatic cautionary tale of the nightmare that can occur when in-house counsel who is not equipped to conduct an internal investigation does so. In that case the Court held that Baldwin, Penn State’s former General Counsel, had violated ethical rules in her investigation of child abuse allegations against a former Penn State assistant football coach when she represented the University, its President, and two senior athletic personnel in connection with an internal investigation and their grand jury testimony. Among other things, the Court concluded that: (i) there was a lack of clear communication by counsel as to the identity of the client(s) which led to confusion on the part of the individuals; and (ii) counsel has a duty to clarify the professional relationship when counsel and the organization’s personnel may not have the same understanding of the relationship. In the Penn State case, the Court held that the then General Counsel’s “simultaneous representations of Penn State, Curley, Schultz and Spanier reflected incompetence, violated her obligation to avoid conflicts of interest, resulted in the revelation of client confidences, and prejudiced the proper administration of justice in cases with significant personal and public effect.” [2]

Having outside counsel conduct an investigation with help from in-house counsel enables an organization to benefit from outside counsel’s expertise, should lead to a more objective analysis of the facts, is likely to be perceived as more credible than an investigation conducted solely by in-house counsel, and should make it more likely that the organization will be able to maintain the attorney-client privilege. However, having the investigation conducted by the firm that is expected to represent the organization in any litigation arising out of the facts underlying the investigation can make it more likely that at least the lead attorney who conducted the investigation would not be able to serve as litigation counsel because he or she could be called as a witness.

Although disqualification as litigation counsel should be limited to the attorneys who conducted the investigation and not imputed to their entire firm, employing a law firm that is not going to represent the organization in any ensuing litigation to conduct the investigation should offer the most protection against a successful motion to disqualify litigation counsel and may deter adverse counsel from even filing one.

Further, having non-regular outside counsel conduct an internal investigation should lead to a more objective analysis than one conducted by in-house counsel or even regular outside counsel.  Perhaps equally if not more importantly, the investigation is likely to be perceived by outsiders, including government regulators and prosecutors, as more credible than one performed only by in-house counsel or regular outside counsel.  Such an investigation should also be easier to maintain as confidential subject to the attorney-client privilege.  However, since non-regular outside counsel will almost certainly lack a detailed knowledge of the organization, having in-house counsel assist such outside counsel could enable the organization to benefit from their respective perspectives and experiences.

In light of the foregoing, we believe that the use of a law firm which does not regularly represent an organization to conduct an internal investigation where litigation is reasonably expected can provide the greatest protection to: (i) preserve the attorney-client privilege; and (ii) deter or defeat a motion to disqualify another law firm representing the organization in a litigation arising out of the facts underlying the investigation.

Richard B. Friedman
Richard Friedman PLLC

200 Park Avenue Suite 1700
New York, NY 10166
TEL: 212-600-9539


1 225 A.3d 817 (Pa. 2020).
2 858.

Data Privacy and Security: An Introduction for In-House and Outside Counsel

As is widely recognized, the attorney-client privilege is one of the most important fundamental principles in the legal profession. Every attorney has an obligation to protect his or her clients’ information and to keep attorney-client communications confidential. Of course, this principle applies to in-house counsel as well as outside counsel. Accordingly, it is crucial for both corporate legal departments and law firms to adopt and implement safeguards in order to protect client information. Although all lawyers presumably know that they have a duty to protect privileged client communications and information, many do not know how to do so. This article will briefly introduce the complex related topics of data privacy and security and provide some helpful initial steps that in-house and outside counsel should take in developing a plan to safeguard client information.

In this digital era, massive amounts of data are stored and transmitted electronically across a sea of systems and devices. In almost every kind of matter involving an organization, in-house and outside counsel have access to clients’ and employees’ personal information. It is no longer sufficient for in-house and outside counsel to rely solely on a company’s or a law firm’s IT department to handle cyber security issues. Indeed, many large companies, particularly in the financial services sector, are now conducting audits of their law firms’ data security protocols. A comprehensive data security plan needs to be developed in every organization and law firm by one or more lawyers in conjunction with the IT Department or an IT consultant and other stakeholders, if any, as described below.

1. Statutes and Regulations

The very first step that in-house and outside counsel should generally take on behalf of their client organization with regard to data privacy is to determine the governing state statutes and regulations regarding data privacy and security protection. Some states have data privacy laws that require companies to develop written policies and procedures to provide administrative, physical, and technological safeguards for sensitive client information. By way of example only, here are a few statutes and regulations that counsel charged with participating in the development of cyber security policies and practices should be mindful of: 

•Statutes that Protect Social Security Numbers: New York, New Jersey, Connecticut, and Michigan have statutes that require written policies to limit access to employees’ Social Security numbers. In Michigan and Connecticut, companies need to maintain and publish a specific corporate policy in order to require Social Security numbers from customers.

•Comprehensive Data Security Program Requirements: An increasing number of states, such as California, Connecticut, Florida, Illinois, Indiana, Massachusetts, Maryland, Oregon, and Texas, require companies to take affirmative actions to protect personal information that belongs to the residents of those states, including driver’s license numbers, bank account numbers, Social Security numbers, and medical information.

•Payment Card Industry Data Security Standards: Many corporations receive payments from clients and therefore have access to clients’ credit card information. These corporations need to make sure that they comply with the Payment Card Industry Data Security Standards.

•Breach Notification Requirements: All but three states require companies to provide notice when there has been a breach of “personal information” accessible to the organization.

2. Identify Personal Client Information

State statutes and regulations should be just the starting point in seeking to ensure data privacy protection. In-house and outside counsel should consider, for instance, the types of personal client information to which the organization in question has access; whether the organization maintains such personal information indefinitely; whether the organization sponsors or provides services to health care plans; and whether the organization has a comprehensive plan to respond to data privacy breaches.

3. Establish Internal Group to Coordinate Data Privacy Issues

Virtually every legal department should consider establishing an internal group to coordinate data privacy issues. This group should generally include personnel from the IT Department, the Accounting Department, the Human Resources Department, and the Legal Department—the areas where client personal information is often accessed the most. The group should be empowered to establish detailed steps to protect client data. For example, the group should consider:

•Identifying all hardware, software, and devices such as laptops and cellphones that could store client information;

•Classifying all digitally stored information by levels of sensitivity;

•Determining which departments and which employees are most likely to have access to sensitive client information and how the information flows through the organization;

•Identifying vendors and other third parties who maintain confidential client information; and

•Reviewing existing agreements which require the organization to safeguard client information.

4. Protocol for Data Breach Response

Counsel should also develop a protocol for responding to data breaches, including, among other things, who will lead the response teams, and which templates to use for various types of data security-related communications.

5. Training

Law firms and legal departments should provide periodic training for employees who have access to client information and keep them informed about state regulations and changes in the company’s data privacy policies. In-house and outside counsel need to be thorough and thoughtful in helping their organizations identify, maintain, and safeguard all client information that their organizations maintain.


It is essential for in-house and outside counsel to take the foregoing steps in order to protect client information. Since individual and business clients increasingly demand heightened privacy protection, companies and law firms that fail to implement comprehensive data security policies will risk losing competitive advantage in the marketplace. In-house and outside counsel should share a leadership role with IT and other personnel in developing and implementing detailed internal policies and procedures for collecting, using, and disclosing the information that is needed to provide the services that their organizations render.  

Richard B. Friedman
Richard Friedman PLLC
830 Third Avenue, 5th Floor
New York, New York 10022
TEL: 212-600-9539
FAX: 212-840-8560

Confidentiality Obligations of In-House and Outside Counsel in the Virtual Workplace

As is widely known, many technological advancements have been integrated into the legal industry in recent decades. Maintaining an electronic record of all information is standard operating procedure at large and small companies and law firms. Another major development, in the last half dozen or so years, in particular, has been the dramatic increase in the number of employees who telecommute one or more days a week and in many instances full time. Indeed, there are now virtual companies and law firms which maintain limited, if any, office space. These parallel developments necessarily raise questions concerning the ability of companies and law firms alike to maintain the confidentiality of proprietary information.

Working Remotely

At the risk of stating the obvious, working from home or from other remote locations allows attorneys and other personnel to maintain a flexible schedule and eliminate commute time. With a click of a button on a remote device, in-house and outside counsel are able to access a confidential document from off-site locations, often as one or more colleagues are working on the exact same document. However, this increased flexibility and the possibility of maintaining a better work-life balance brings with it increased challenges in ensuring the confidentiality of client information.

Cyber Security and Confidentiality

Remote Access to Electronic Files

Of course, lawyers often handle very sensitive client information which must remain confidential. Questions have arisen in recent years as to whether the use of remote access violates a lawyer’s duty to preserve client confidences under Rule 1.6 of the Model Rules of Professional Conduct. In accordance with that rule, a violation occurs when one:

1. knowingly reveals confidential information; or

2. does not exercise reasonable care to prevent the compromise of confidential information while the lawyer or the service utilized by the lawyer has access to the confidential information.

The New York State Bar Association Committee on Professional Ethics has stated that, in addition to being prohibited from disclosing confidential information, a lawyer is also obligated to take reasonable care to affirmatively protect his or her client’s information (NYSBA Comm. on Professional Ethics, Formal Op. 842, 2010).

It is acceptable to use standard methods of transmitting or accessing information so long as there is a reasonable expectation of privacy. For example, confidential information may generally be sent by an unencrypted email. However, if there is a greater risk of interception due to the particular circumstances, the lawyer is obligated to take appropriate security measures bearing in mind the technology that is available at a reasonable cost (NYSBA Comm. on Professional Ethics, Formal Op. 709, 1998). The lawyer must also ensure that any security or storage service provider she plans to use has an enforceable obligation to preserve confidentiality. Any known risks in a security system must be disclosed to a client before the lawyer may obtain a client’s consent to access confidential information remotely to ensure that the consent is an informed one.

Use of Cloud Storage for Storing Client Information

When using a cloud for data storage, a lawyer must ensure that the storage system is password protected and that the stored data is encrypted (NYSBA Op. 842). Due to the rapid changes in technology and continually emerging threats to the security of stored data, a lawyer should also periodically confirm the effectiveness of the security measures provided by the service she or he uses. If there is evidence of a potential or actual lack of security, the lawyer must discontinue use of the service until the potential or actual problem is remediated by the service provider. Like the standard regarding remote access described above, a lawyer must affirmatively protect his client’s information. The American Bar Association and many state bar associations have issued opinions approving the use of cloud storage so long as reasonable care is taken to confirm the effectiveness of the security measures that are in place.

The success of the virtual workplace model in law, however convenient and liberating for many lawyers, is contingent on having an encryption system for protecting confidential information and having the means to securely store and transmit information while working from a remote location. If a virtual workplace model is tested by a court or otherwise, in-house and outside counsel must be able to demonstrate that they are affirmatively protecting their clients’ information by staying informed about technological advances and potential risks to data security. Taking reasonable care boils down to individual attorneys maintaining proper work protocols, such as choosing strong passwords, remotely accessing information from a secure Wi-Fi network, and communicating with the service provider regarding any potential security breaches.

Richard B. Friedman
Richard Friedman PLLC
830 Third Avenue, 5th Floor
New York, New York 10022
TEL: 212-600-9539
FAX: 212-840-8560