Sign In
  • September 12, 2023

    SCR 20:1.6 in the 21st Century: New and Exciting Ways to Breach Confidentiality and Not Even Know It

    Advances in technology make it easier to communicate from everywhere but also to expose confidential client information to unintended audiences.

    Stacie H. Rosenzweig

    elephant in a room

    There are a lot of sentences people use today that my pre-law-school self would not understand – and it’s not because they contain any legalese.

    “I have to replace my refrigerator because it won’t connect to the Wi-Fi.”

    “Hey Alexa, turn dow​n the thermostat before I get home.”

    “ChatGPT generated a serviceable but ultimately superficial criticism of Kanye West’s run for president.”

    Remember a few years ago when people were worried about whether sending an email or talking on a cell phone was secure enough to comply with confidentiality requirements? Technology changes quickly.

    Our mobile society makes it easier to stay connected, which can be a blessing or a curse and sometimes both at once. But this also means that it is easier to have a conversation in public that, until recently, had to be done in private. Recently, I’ve heard people discuss obviously confidential information on Skype in train stations (sorry about the test results, Cathy) and learned a whole lot about someone’s bankruptcy case when their lawyer worked on their matter from the coach airplane seat across the aisle from me, in a large font and with a screen brightness that could be seen from the International Space Station.

    SCR 20:1.6(d) requires lawyers to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (Emphasis added.) This rule does not require lawyers to set up Fort Knox to protect a scheduling email, but it does require that we take care. Turn down that brightness, get a privacy screen, maybe delay a Skype call if you can’t quickly get to a more secluded location.

    However, some of these technology-related confidentiality breaches aren’t as obvious as video-calling from a transit hub. Let’s discuss some of the more interesting recent traps.

    Venmo Payment Service

    News broke in July 2023 that several lawyers who had previously served as law clerks to Justice Clarence Thomas, some of whom had business before the U.S. Supreme Court, had used the Venmo payment service to send funds to an aide to Thomas, ostensibly for a Christmas party.1 How did other people find out about this? It’s a feature of Venmo itself.2 Venmo is not only a means of buying a ticket for your old-boss-who-happens-to-be-a-SCOTUS-Justice’s shindig, but a social network of sorts. The app prompts users for permission to access the contacts on their phones, and if any of those contacts are already Venmo users, they and the new user will be added to each others’ “friend” list.3 After that, transactions can be private or public. And transactions are public by default, unless the user sets a different preference.

    Now, in most cases, it doesn’t matter – nobody cares if you send your neighbor $15 for that used kiddie pool (except maybe to say you overpaid). But increasingly, clients are turning to tools such as Venmo for transactions with their lawyers. In Wisconsin, the identity of a client is presumptively confidential under SCR 20:1.6,4 and that dopamine hit that only social networking will give you is not necessary for you to carry out the representation (which would provide an exception to confidentiality under SCR 20:1.6(a)). If you do choose to use Venmo or similar services for law-practice-related purposes, make sure your transactions are set to private.

    If you do choose to use Venmo or similar services for law-practice-related purposes, make sure your transactions are set to private.

    Smart Phones, Watches, Tablets

    When I was in law school, I had a flip phone. I had 100 minutes of pre-11 p.m. talk time, and I had to buy a separate text-messaging package (to be fair, texting using a tiny phone keypad was self-limiting anyway). I don’t think I had passcode protection set up; I’m not even sure if that was available. Nonetheless, my phone did not have internet access or email; the biggest security risk was that someone would get my phone and drain those precious, precious minutes.

    Stacie H. Rosenzweig Stacie H. Rosenzweig, Marquette 2009, practices with Halling & Cayo SC, Milwaukee, and focuses on legal ethics, professional responsibility, licensing, and election and political law. She is a member of the State Bar of Wisconsin’s Litigation Section and Professional Ethics Committee and is a Fellow of the Wisconsin Law Foundation.

    Now, all of us have supercomputers in our pockets or on our wrists, and we are a tap or two away from client information. Most of us use the available security features, such as passcodes, face or fingerprint recognition, multifactor authentication, or a combination, to keep intruders out, but we enjoy the convenience of notifications and email previews on the lock screen.

    Unfortunately, if we’re not careful, we can end up revealing a lot of client information on the lock screen, and it’s not only names or numbers. Some systems will populate the content of text messages or the first sentences of an email right onto the lock screen, where anyone can see it without unlocking the device. Recently, at an event where I was sitting to the left of my spouse, I was able to read incoming text messages from his Apple Watch. (Good thing he’s not a lawyer.)

    Fixing this is relatively easy – most operating systems and messaging apps allow users to shut off message previews or disable notifications on the lock screen. Customization levels vary, but some apps allow you to set notification preferences by contact. This feature will allow you to receive notifications from, say, your kids on the lock screen but will not push through a communication from a client.

    Artificial Intelligence

    Ah yes, the Skynet-shaped elephant in the room. Artificial intelligence (AI), whatever that means to its proponents, is seemingly everywhere. It is already integrated into both legacy and emerging legal research services; voice assistant products such as Siri and Alexa; search engines like Bing and Bard; even the chatbots you use to complain about an internet order. Recently, generative AI (systems that are designed to learn patterns from existing data and use that information to create new content) has captured lawyers’ attention.5 OpenAI’s ChatGPT program has set the standard (for now).

    And ChatGPT is fun! It can generate a Bolognese sauce recipe in the style of a Petrarchan sonnet in about 15 seconds. What it can’t do, however, is guarantee accuracy – or, relevant to this article, guarantee privacy. Whatever information a user provides is collected and may be used to train the software or to develop new programs and services.6 There is a mechanism for users to turn off chat history and keep certain conversations out of the training pool, but as with many privacy features, a user must opt out.

    Lawyers do disclose scads of client information to traditional research services – the client name might be entered into an ID field, and their specific legal questions become part of a natural-language or Boolean search. But SCR 20:1.6(a) allows disclosures that are “impliedly authorized in order to carry out the representation,” and legal research (at least when using traditional services with a history of appropriately handling user data) would generally fall into that exception. Emerging generative AI services do not have that history. If you do choose to use this technology in your practice, opt out of data collection, and stick to more general inquiries that do not contain identifying details.


    I’m not trying to scare people off from technology – I like technology! Probably a little too much. I never really go “off grid” or end up unreachable. But we need to be careful – SCR 20:1.1’s duty of competence includes being aware of the benefits and risks of relevant technologies.7

    I conclude by noting that I am writing this the week that Elon Musk announced the change from Twitter to X8 and by the time you read this, the company’s name and logo and this entire article probably will be outdated. Anyhow. I’ll be over here, trying to get my phone to start my dishwasher.


    1 Stephanie Kirchgaessner, Lawyers with Supreme Court Business Paid Clarence Thomas Aide via Venmo, Guardian (July 12, 2023),

    2 Venmo Help Center, Payment Activity & Privacy, (last visited Aug. 9, 2023).

    3 Venmo Help Center, Adding & Removing Friends, (last visited Aug. 9, 2023).

    4 Ethics opinions are available at State Bar of Wis., Formal and Informal Ethics Opinions,

    5 John Fuller, Is It Time to Adopt Generative AI into Your Legal Writing?, 96 Wis. Law. 43 (July/Aug. 2023),

    6 OpenAI, Privacy Policy, (updated June 23, 2023).

    7 SCR 20:1.1 (cmt. 8).

    8 Mirna Alsharif & The Associated Press, Twitter Will Change Logo from Bird to “X” on Sunday, Elon Musk Says, NBC News (July 23, 2023),

    » Cite this article: 96 Wis. Law. 35-37 (September 2023).

Join the conversation! Log in to comment.
System.NullReferenceException: Object reference not set to an instance of an object. at News.NewsTOCNavigation.NewsTOCNavigationUserControl.Page_Load(Object sender, EventArgs e)

News & Pubs Search

Format: MM/DD/YYYY