Confidentiality of Information
- (a) A lawyer shall not reveal information protected by the attorney-client privilege under applicable law or other information gained in the professional relationship that the client has requested be held inviolate or the disclosure of which would be embarrassing or would be likely to be detrimental to the client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraphs (b) and (c).
- (b) To the extent a lawyer reasonably believes necessary, the lawyer may reveal:
- (1) such information to comply with law or a court order;
- (2) such information to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer's representation of the client;
- (3) such information which clearly establishes that the client has, in the course of the representation, perpetrated upon a third party a fraud related to the subject matter of the representation;
- (4) such information reasonably necessary to protect a client’s interests in the event of the representing lawyer’s death, disability, incapacity or incompetence;
- (5) such information sufficient to participate in a law office management assistance program approved by the Virginia State Bar or other similar private program;
- (6) information to an outside agency necessary for statistical, bookkeeping, accounting, data processing, printing, or other similar office management purposes, provided the lawyer exercises due care in the selection of the agency, advises the agency that the information must be kept confidential and reasonably believes that the information will be kept confidential;
- (7) such information to prevent reasonably certain death or substantial bodily harm.
- (c) A lawyer shall promptly reveal:
- (1) the intention of a client, as stated by the client, to commit a crime reasonably certain to result in death or substantial bodily harm to another or substantial injury to the financial interests or property of another and the information necessary to prevent the crime, but before revealing such information, the attorney shall, where feasible, advise the client of the possible legal consequences of the action, urge the client not to commit the crime, and advise the client that the attorney must reveal the client's criminal intention unless thereupon abandoned. However, if the crime involves perjury by the client, the attorney shall take appropriate remedial measures as required by Rule 3.3; or
- (2) information concerning the misconduct of another attorney to the appropriate professional authority under Rule 8.3. When the information necessary to report the misconduct is protected under this Rule, the attorney, after consultation, must obtain client consent. Consultation should include full disclosure of all reasonably foreseeable consequences of both disclosure and non-disclosure to the client.
- (d) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information protected under this Rule.
 The lawyer is part of a judicial system charged with upholding the law. One of the lawyer's functions is to advise clients so that they avoid any violation of the law in the proper exercise of their rights.
 The common law recognizes that the client's confidences must be protected from disclosure. The observance of the ethical obligation of a lawyer to hold inviolate confidential information of the client not only facilitates the full development of facts essential to proper representation of the client but also encourages people to seek early legal assistance.
[2a] Almost without exception, clients come to lawyers in order to determine what their rights are and what is, in the maze of laws and regulations, deemed to be legal and correct. Based upon experience, lawyers know that clients usually follow the advice given, and the law is upheld.
[2b] A fundamental principle in the client-lawyer relationship is that the lawyer maintain confidentiality of information relating to the representation. The client is thereby encouraged to communicate fully and frankly with the lawyer even as to embarrassing or legally damaging subject matter.
 The principle of confidentiality is given effect in two related bodies of law, the attorney-client privilege (which includes the work product doctrine) in the law of evidence and the rule of confidentiality established in professional ethics. The attorney-client privilege applies in judicial and other proceedings in which a lawyer may be called as a witness or otherwise required to produce evidence concerning a client. The rule of client-lawyer confidentiality applies in situations other than those where evidence is sought from the lawyer through compulsion of law. The confidentiality rule applies not merely to matters communicated in confidence by the client but also to all information protected by the attorney-client privilege under applicable law or other information gained in the professional relationship that the client has requested be held inviolate or the disclosure of which would be embarrassing or would be likely to be detrimental to the client, whatever its source. A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct or other law.
[3a] The rules governing confidentiality of information apply to a lawyer who represents an organization of which the lawyer is an employee.
 The requirement of maintaining confidentiality of information relating to representation applies to government lawyers who may disagree with the policy goals that their representation is designed to advance.
 A lawyer is impliedly authorized to make disclosures about a client when appropriate in carrying out the representation, except to the extent that the client's instructions or special circumstances limit that authority. In litigation, for example, a lawyer may disclose information by admitting a fact that cannot properly be disputed, or in negotiation by making a disclosure that facilitates a satisfactory conclusion.
[5a] Lawyers frequently need to consult with colleagues or other attorneys in order to competently represent their clients’ interests. An overly strict reading of the duty to protect client information would render it difficult for lawyers to consult with each other, which is an important means of continuing professional education and development. A lawyer should exercise great care in discussing a client’s case with another attorney from whom advice is sought. Among other things, the lawyer should consider whether the communication risks a waiver of the attorney-client privilege or other applicable protections. The lawyer should endeavor when possible to discuss a case in strictly hypothetical or abstract terms. In addition, prior to seeking advice from another attorney, the attorney should take reasonable steps to determine whether the attorney from whom advice is sought has a conflict. The attorney from whom advice is sought must be careful to protect the confidentiality of the information given by the attorney seeking advice and must not use such information for the advantage of the lawyer or a third party.
[5b] Compliance with Rule 1.6(a) might include fulfilling duties under Rule 1.14, regarding a client with an impairment.
[5c] Compliance with Rule 1.6(b)(5) might require a written confidentiality agreement with the outside agency to which the lawyer discloses information.
 Lawyers in a firm may, in the course of the firm's practice, disclose to each other information relating to a client of the firm, unless the client has instructed that particular information be confined to specified lawyers.
[6a] Lawyers involved in insurance defense work that includes submission of detailed information regarding the client’s case to an auditing firm must be extremely careful to gain consent from the client after full and adequate disclosure. Client consent to provision of information to the insurance carrier does not equate with consent to provide the information to an outside auditor. The lawyer must obtain specific consent to disclose the information to that auditor. Pursuant to the lawyer’s duty of loyalty to the client, the lawyer should not recommend that the client provide such consent if the disclosure to the auditor would in some way prejudice the client. Legal Ethics Opinion #1723, approved by the Supreme Court of Virginia, September 29, 1999.
Disclosure Adverse to Client
[6b] The confidentiality rule is subject to limited exceptions. However, to the extent a lawyer is required or permitted to disclose a client's confidences, the client will be inhibited from revealing facts which would enable the lawyer to counsel against a wrongful course of action. The public is better protected if full and open communication by the client is encouraged than if it is inhibited.
 Several situations must be distinguished.
[7a] First, the lawyer may not counsel or assist a client in conduct that is criminal or fraudulent. See Rule 1.2(c). Similarly, a lawyer has a duty under Rule 3.3(a)(4) not to use false evidence. This duty is essentially a special instance of the duty prescribed in Rule 1.2(c) to avoid assisting a client in criminal or fraudulent conduct.
[7b] Second, the lawyer may have been innocently involved in past conduct by the client that was criminal or fraudulent. In such a situation the lawyer has not violated Rule 1.2(c), because to "counsel or assist" criminal or fraudulent conduct requires knowing that the conduct is of that character.
[7c] Third, the lawyer may learn that a client intends prospective criminal conduct. As stated in paragraph (c)(1), the lawyer is obligated to reveal such information if the crime is reasonably certain to result in death or substantial bodily harm to another or substantial injury to the financial interests or property of another. Caution is warranted as it is very difficult for a lawyer to "know" when proposed criminal conduct will actually be carried out, for the client may have a change of mind. If the client’s intended crime is perjury, the lawyer must look to Rule 3.3(a)(4) rather than paragraph (c)(1).
 When considering disclosure under paragraph (b), the lawyer should weigh such factors as the nature of the lawyer's relationship with the client and with those who might be injured by the client, the nature of the client's intended conduct, the lawyer's own involvement in the transaction, and factors that may extenuate the conduct in question. Where practical, the lawyer should seek to persuade the client to take appropriate action. In any case, a disclosure adverse to the client's interest should be no greater than the lawyer reasonably believes necessary to the purpose.
[8a] Paragraph (b)(7) recognizes the overriding value of life and physical integrity and permits disclosure reasonably necessary to prevent reasonably certain death or substantial bodily harm. Such harm is reasonably certain to occur if it will be suffered imminently or if there is a present and substantial threat that a person will suffer such harm at a later date if the lawyer fails to take action necessary to eliminate the threat.
 If the lawyer's services will be used by the client in materially furthering a course of criminal or fraudulent conduct, the lawyer must withdraw, as stated in Rule 1.16(a)(1).
[9a] After withdrawal the lawyer is required to refrain from making disclosure of the client's confidences, except as otherwise provided in Rule 1.6. Neither this Rule nor Rule 1.8(b) nor Rule 1.16(d) prevents the lawyer from giving notice of the fact of withdrawal, and the lawyer may also withdraw or disaffirm any opinion, document, affirmation, or the like.
[9b] Where the client is an organization, the lawyer may be in doubt whether contemplated conduct will actually be carried out by the organization. Where necessary to guide conduct in connection with this Rule, the lawyer may make inquiry within the organization as indicated in Rule 1.13(b).
Dispute Concerning a Lawyer's Conduct
 Where a legal claim or disciplinary charge alleges complicity of the lawyer in a client's conduct or other misconduct of the lawyer involving representation of the client, the lawyer may respond to the extent the lawyer reasonably believes necessary to establish a defense. The same is true with respect to a claim involving the conduct or representation of a former client. The lawyer's right to respond arises when an assertion of such complicity has been made. Paragraph (b)(2) does not require the lawyer to await the commencement of an action or proceeding that charges such complicity, so that the defense may be established by responding directly to a third party who has made such an assertion. The right to defend, of course, applies where a proceeding has been commenced. Where practicable and not prejudicial to the lawyer's ability to establish the defense, the lawyer should advise the client of the third party's assertion and request that the client respond appropriately. In any event, disclosure should be no greater than the lawyer reasonably believes is necessary to vindicate innocence, the disclosure should be made in a manner which limits access to the information to the tribunal or other persons having a need to know it, and appropriate protective orders or other arrangements should be sought by the lawyer to the fullest extent practicable.
[10a] If the lawyer is charged with wrongdoing in which the client's conduct is implicated, the rule of confidentiality should not prevent the lawyer from defending against the charge. Such a charge can arise in a civil, criminal or professional disciplinary proceeding, and can be based on a wrong allegedly committed by the lawyer against the client, or on a wrong alleged by a third person; for example, a person claiming to have been defrauded by the lawyer and client acting together. A lawyer entitled to a fee is permitted by paragraph (b)(2) to prove the services rendered in an action to collect it. This aspect of the Rule expresses the principle that the beneficiary of a fiduciary relationship may not exploit it to the detriment of the fiduciary. As stated above, the lawyer must make every effort practicable to avoid unnecessary disclosure of information relating to a representation, to limit disclosure to those having the need to know it, and to obtain protective orders or make other arrangements minimizing the risk of disclosure.
Disclosures Otherwise Required or Authorized
 If a lawyer is called as a witness to give testimony concerning a client, absent waiver by the client, paragraph (a) requires the lawyer to invoke the attorney-client privilege when it is applicable. Except as permitted by Rule 3.4(d), the lawyer must comply with the final orders of a court or other tribunal of competent jurisdiction requiring the lawyer to give information about the client.
 The Rules of Professional Conduct in various circumstances permit or require a lawyer to disclose information relating to the representation. See Rules 2.3, 3.3 and 4.1. In addition to these provisions, a lawyer may be obligated or permitted by other provisions of law to give information about a client. Whether another provision of law supersedes Rule 1.6 is a matter of interpretation beyond the scope of these Rules, but a presumption should exist against such a supersession.
 Self-regulation of the legal profession occasionally places attorneys in awkward positions with respect to their obligations to clients and to the profession. Paragraph (c)(2) requires an attorney who has information indicating that another attorney has violated the Rules of Professional Conduct, learned during the course of representing a client and protected as a confidence or secret under Rule 1.6, to request the permission of the client to disclose the information necessary to report the misconduct to disciplinary authorities. In requesting consent, the attorney must inform the client of all reasonably foreseeable consequences of both disclosure and non-disclosure.
 Although paragraph (c)(2) requires that authorized disclosure be made promptly, a lawyer does not violate this Rule by delaying in reporting attorney misconduct for the minimum period of time necessary to protect a client's interests. For example, a lawyer might choose to postpone reporting attorney misconduct until the end of litigation when reporting during litigation might harm the client's interests.
[15 - 17] ABA Model Rule Comments not adopted.
 The duty of confidentiality continues after the client-lawyer relationship has terminated.
Acting Reasonably to Preserve Confidentiality
 Paragraph (d) requires a lawyer to act reasonably to safeguard information protected under this Rule against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of this Rule if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the employment or engagement of persons competent with technology, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
[19a] Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other laws, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of this Rule.
 Paragraph (d) makes clear that a lawyer is not subject to discipline under this Rule if the lawyer has made reasonable efforts to protect electronic data, even if there is a data breach, cyber-attack or other incident resulting in the loss, destruction, misdelivery or theft of confidential client information. Perfect online security and data protection is not attainable. Even large businesses and government organizations with sophisticated data security systems have suffered data breaches. Nevertheless, security and data breaches have become so prevalent that some security measures must be reasonably expected of all businesses, including lawyers and law firms. Lawyers have an ethical obligation to implement reasonable information security practices to protect the confidentiality of client data. What is “reasonable” will be determined in part by the size of the firm. See Rules 5.1(a)-(b) and 5.3(a)-(b). The sheer amount of personal, medical and financial information of clients kept by lawyers and law firms requires reasonable care in the communication and storage of such information. A lawyer or law firm complies with paragraph (d) if they have acted reasonably to safeguard client information by employing appropriate data protection measures for any devices used to communicate or store client confidential information.
To comply with this Rule, a lawyer does not need to have all the required technology competencies. The lawyer can and more likely must turn to the expertise of staff or an outside technology professional. Because threats and technology both change, lawyers should periodically review both and enhance their security as needed; steps that are reasonable measures when adopted may become outdated as well.
 Because of evolving technology, and associated evolving risks, law firms should keep abreast on an ongoing basis of reasonable methods for protecting client confidential information, addressing such practices as:
(a) Periodic staff security training and evaluation programs, including precautions and procedures regarding data security;
(b) Policies to address departing employee’s future access to confidential firm data and return of electronically stored confidential data;
(c) Procedures addressing security measures for access of third parties to stored information;
(d) Procedures for both the backup and storage of firm data and steps to securely erase or wipe electronic data from computing devices before they are transferred, sold, or reused;
(e) The use of strong passwords or other authentication measures to log on to their network, and the security of password and authentication measures; and
(f) The use of hardware and/or software measures to prevent, detect and respond to malicious software and activity.
Virginia Code Comparison
Rule 1.6 retains the two-part definition of information subject to the lawyer's ethical duty of confidentiality. EC 4-4 added that the duty differed from the evidentiary privilege in that it existed "without regard to the nature or source of information or the fact that others share the knowledge." However, the definition of "client information" as set forth in the ABA Model Rules, which includes all information "relating to" the representation, was rejected as too broad.
Paragraph (a) permits a lawyer to disclose information where impliedly authorized to do so in order to carry out the representation. Under DR 4-101(B) and (C), a lawyer was not permitted to reveal "confidences" unless the client first consented after disclosure.
Paragraph (b)(1) is substantially the same as DR 4-101(C)(2).
Paragraph (b)(2) is substantially similar to DR 4-101(C)(4) which authorized disclosure by a lawyer of "[c]onfidences or secrets necessary to establish the reasonableness of his fee or to defend himself or his employees or associates against an accusation of wrongful conduct."
Paragraph (b)(3) is substantially the same as DR 4-101(C)(3).
Paragraph (b)(4) had no counterpart in the Virginia Code.
Paragraphs (c)(1) and (c)(2) are substantially the same as DR 4-101(D).
Paragraph (c)(3) had no counterpart in the Virginia Code.
The Committee added language to this Rule from DR 4-101 to make the disclosure provisions more consistent with current Virginia policy. The Committee specifically concluded that the provisions of DR 4-101(D) of the Virginia Code, which required broader disclosure than the ABA Model Rule even permitted, should be added as paragraph (c). Additionally, to promote the integrity of the legal profession, the Committee adopted new language as paragraph (c)(3) setting forth the circumstances under which a lawyer must report the misconduct of another lawyer when such a report may require disclosure of privileged information.
The amendments effective January 1, 2004, added present paragraph (b)(4) and redesignated former paragraphs (b)(4) and (5) as present (b)(5) and (6); in paragraph (c)(3), at end of first sentence, deleted “but only if the client consents after consultation,” added the present second sentence, and deleted the former last sentence which read, “Under this paragraph, an attorney is required to request the consent of a client to disclose information necessary to report the misconduct of another attorney.”; added Comment [5b] and [6a]; rewrote Comment .
The amendments effective March 1, 2016, added paragraph 1.6 (d); added “Acting Reasonably to Preserve Confidentiality” before adding Comments , [19a],  and  paragraphs “a” through “f”.
The amendments effective December 1, 2016, added paragraph (7); in paragraph (c)(1) added the language “reasonably certain to result in death or substantial bodily harm to another or substantial injury to the financial interests or property of another”, and rewrote the last sentence of the paragraph; deleted former paragraph (2) and redesignated former paragraph (3) as present paragraph (2); added the language to comment [7c] “if the crime is reasonably certain to result in death or substantial bodily harm to another or substantial injury to the financial interests or property of another”, substituted the language “Caution” is “warranted” in place of “Some discretion is involved”, and added the last sentence; in Comment  deleted the language “The lawyer’s exercise of discretion requires consideration of” and replaced it with “When considering disclosure under paragraph (b), the lawyer should weigh”, and added the language “and with those who might be injured by the client”; added Comment [8a]; and in Comments  and  substituted the language “(c)(3)” with “(c)(2)”.
Updated: November 29, 2016