Legal professional privilege and Internet hacking

November 1st, 2017

By Daniël Eloff

During the past ten years, the world has seen an increase in the number of high-profile data hacks. The Panama Papers clearly show the far-reaching effects of hacking in the legal environment. These hacking attempts move between target industries, and law firms remain attractive targets for hackers to gain sensitive information. As with physical files, virtual files also need due safeguards and measures to be adequately protected.

Information that is stored by attorneys and law firms is often subject to confidentiality and attorney-client privilege. A quick distinction between these two concepts needs to be made. Firstly, confidentiality refers to the duty that is placed on attorneys to ensure that all communications between their clients and themselves remain confidential. Confidentiality is deemed to be far broader than legal professional privilege (Kristen Wagner and Claire Brett ‘I heard it through the grapevine: The difference between legal professional privilege and confidentiality’ 2016 (Sept) DR 22).

In terms of legal professional privilege, all communications or advice given by an attorney while he or she was acting in a professional capacity are subject to the legal doctrine (Van der Heever v Die Meester en Andere 1997 (3) SA 93 (T)). These communications have to be made in confidence by the client and for the purpose of attaining legal advice, but not necessarily to litigate (S v Safatsa and Others 1988 (1) SA 868 (A)). Legal professional privilege may only be claimed by the client. Communications as a concept extend to online communications that fulfil the requirements mentioned above. Therefore, if communications were made in confidence by a client to an attorney and the attorney was acting in his or her professional capacity, the communications are subject to the protection of legal professional privilege.

When confidential information has been leaked, the extent of the protection of legal professional privilege depends on the facts of the matter, as well as the context of public interest with regards to the leaked information (South African Airways Soc v BDFM Publishers (Pty) Ltd and Others 2016 (2) SA 561 (GJ)).

Reasonable duty of competence

Just as there is a reasonable duty placed on attorneys and law firms to protect physical documents from prying eyes, the same duty exists with regards to information that is stored digitally, regardless of whether or not the data is stored on a hard drive or through the use of cloud-based data storage services. Data breaches could include hacking of e-mails, computers or trojan horse programmes that allow unauthorised backdoor access to computers. These data breaches could threaten confidentiality or legal professional privilege if the information that is leaked is subject thereto.

Cloud-based data storage is, in most instances, effective in ensuring adequate protection of information (LSSA Guidelines on the Use of Internet-Based Technologies in Legal Practice, accessed 27-9-2017). When making use of cloud-based data storage services, attorneys and law firms must enter into a contract with the third-party service providers, which obliges the third party to safeguard digital information. As attorneys and law firms also often have personal details of clients on record, law firms have to ensure that they are compliant with the Protection of Personal Information Act 4 of 2013 (POPI).

Although the methods of protecting digital information are vastly different compared to the historical protection of hard copy, the basics still remain the same for both. The onus rests on law firms to evaluate their security measures, just as is the case with hard copies of documents, and to ensure that the necessary safeguards are in place. As attorneys are ‘required to act reasonably and diligently in fulfilling their professional obligations’, this logically includes the use of modern technology and its associated risks (Information Security Guidelines for Law Firms, accessed 27-9-2017).

As e-mails have become the main method of communication between attorneys and their clients, confidential information is often communicated by way of e-mail. As confidentiality is of the utmost importance in ensuring the independence and effective running of the legal profession, specific steps need to be taken to secure e-mail services. One possible due diligence solution is that attachments in e-mails are password protected. When using password-protected attachments, it obviously remains important not to communicate the password via e-mail, as this would defeat the purpose of password protecting the document.

A second method is to make use of encryption technology to ensure that e-mails are only viewable by the intended recipient of the e-mail. This, however, requires certain training of staff to properly make use of the security measure.

The advantages of sound information security protocol and appropriate technological security measures mean that attorneys and law firms are able to enjoy the full potential of the Internet, new software and technology while acting reasonably and diligently. This avoids negligence on the part of attorneys and law firms when data breaches occur. Not only are adequate information security protocols good for protecting clients’ interests, but by proactively taking steps to defend against hacks and data breaches, law firms avoid unnecessary computer network downtime. The loss of files that then need to be replaced also doubles the time spent on the same work, and can be prevented.

What to do after a hack?

Despite taking all required and necessary steps to ensure good practice with regards to information security, serious hacking efforts could still take place and succeed. The above-mentioned steps merely ensure that attorneys and law firms do their part in providing protection to their clients.

If a hack or data breach does occur, attorneys and law firms would be wise to immediately establish the scope of the hack or breach. By determining what information has been leaked, decisions regarding the next steps could be taken. To make this determination, independent and expert outside assistance is needed, as it is too tall a task for in-house IT teams. After clearly noting the scope of the hack or breach, a damage assessment could be done, which is then used to limit client reputational harm and legal liability.

Directly after an attack, the source of the attack must also be confirmed to defend against ongoing breaches. Often data hacks still lurk in the computer systems of law firms and the ransomware might continue to spread. Turn off all networks and instruct employees not to open any attachments that might contain ransomware that could further spread.

If the leaked information is confidential in nature or subject to legal professional privilege, legal steps to stop the dissemination of the information could be taken. Establishing who the hackers involved were might prove to be quite difficult, but as the information is known and identifiable, it could be stopped from being published. In this regard, cyber security experts might be crucial in protecting clients in the aftermath of a hacking breach.

In accordance with POPI, if personal information has been lost, attorneys and law firms have to notify affected parties and the Information Regulator about the attack. Thereafter, steps need to be taken to ensure that a similar attack does not repeat itself, which could potentially harm clients and the attorney’s or law firm’s reputation. By conducting a review of the hack or breaches, weaknesses and poor procedures need to be identified and addressed.


Attorneys need to keep up to date with developing technology and global challenges, which include cyber security threats. As the great potential of the Internet, new software and technology gets unlocked, so too does the risk of breaches grow.

As the legal profession delves ever deeper into new technology, measures such as cyber security insurance could also be considered to limit the risk to firms. Most general liability and malpractice policies would not cover cyber security breaches. The need for supplementary coverage becomes increasingly important.

Data breaches could come as a result of sophisticated hacking attempts, and law firms, big and small, are at risk. Although attorneys and law firms might feel that they are unlikely to be attacked, as with most crimes, criminals look for easy targets. The ease of automating hacking attacks makes all systems vulnerable.

Just as paper files were susceptible to physical theft or loss, digital information now adds a new dimension to legal practice. Attorneys and law firms should not, however, see this threat as a clear sign of turning back the hands of time to stick with or go back to purely paper-based communication, but rather as a reminder of the reality of our modern times.

Daniël Eloff LLB (UP) is an academic associate in the department of mercantile law at the University of Pretoria.

This article was first published in De Rebus in 2017 (Nov) DR 17.