SECTION 41. Duty to safeguard client confidences in social media. – A lawyer, who uses a social media account to communicate with any other person in relation to client confidences and information, shall exert efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to, such an account. (2023 Code of Professional Responsibility and Accountability or CPRA)
Social media accounts – refer to user accounts which are used in social media platforms, including personal accounts and business/brand accounts.
Personal accounts – refer to accounts that represent an individual and are personally used by said individual (as opposed to being managed by another) on the Internet.
Business or brand accounts – refer to accounts that represent a certain business or brand on the Internet. Such accounts may be managed by: (a) several individuals within the same organization; (b) independent contractors such as social media managers; or (c) a separate organization (e.g., PR/Social Media Firms).
Under this section, lawyers who use social media accounts to communicate “with any other person in relation to client confidences and information, shall exert efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to, such an account.”
Lawyers who use personal accounts on social media should take extra precautions with their accounts if they are using them to communicate with clients, particularly on confidential matters that are covered by lawyer-client privilege.
If it can be avoided, it would be best if personal accounts are not used for such communication. Lawyers can advise their clients that communication pertaining to legal services should be confined or limited to official communication channels, such as a phone call or via an office email.
If it cannot be avoided, and clients reach out nonetheless to a personal account, lawyers can redirect or continue the conversation in the earlier-mentioned official communication channels.
Similarly, lawyers or law firms who use business/brand accounts on social media should be diligent and responsible in using them, particularly if the accounts are being managed by non-lawyers.
These non-lawyers should be advised and trained to avoid dispensing legal advice or opinion. Instead, they should inform clients on where and how to properly contact concerned lawyers who may be handling their case.
Further, these non-lawyers should also immediately notify the concerned lawyers of any client communication made through these social media accounts as it may be an important piece of information, particularly if it concerns deadlines.
With the rise of cybersecurity risks, these social media accounts are vulnerable to exploits and hacking. If client confidences or confidential information is leaked online, it could be disastrous for the clients and the lawyers.
If it is found later on that lawyers have been negligent in their use of social media, they could be found liable under this section.
For the foregoing reasons, lawyers should have social media policies in place to ensure responsible use thereof, in particular:
1) Observing security and privacy practices – e.g. cyber hygiene;
2) Logging in to safe networks;
3) Using two-factor authentication;
4) Logging out after use; and
5) Analogous therewith.