ABA Rule 1.6 & Client Confidentiality When You Share Files

|8 min read
The Lex Cloak workspace scanning a sample document — matches grouped by category in the sidebar, every sensitive field outlined in red on the page

There’s a comfortable assumption behind a lot of file-sharing: that if you were careful — you blacked out the names, you didn’t attach the wrong version — you’ve met your duty. Rule 1.6 asks for something both easier and harder than perfection. It asks for reasonable efforts. This is a plain-English look at what that means the moment a client file leaves your office, where confidential information actually slips through, and what handling it well looks like in practice.

What Rule 1.6 actually requires

Most lawyers know Rule 1.6 as the duty of confidentiality. The part that governs sharing files is subsection (c), added when the ABA modernized the rule for a digital practice:

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” — ABA Model Rule 1.6(c)1

Two words carry the weight. “Inadvertent” means the rule covers accidents, not just leaks you meant to make — the redaction that didn’t take, the attachment you didn’t mean to send. And “reasonable efforts” means the standard is not a guarantee. Comment [18] to the rule is explicit that a disclosure does not violate subsection (c) if the lawyer made reasonable efforts to prevent it. You are judged on the care you took, not on whether something ever slips.

Comment [18] lists the factors that decide whether your efforts were reasonable:

  • the sensitivity of the information;
  • the likelihood of disclosure if additional safeguards aren’t used;
  • the cost of those safeguards;
  • the difficulty of implementing them; and
  • the extent to which a safeguard would get in the way of the representation — a tool so cumbersome no one actually uses it.1

Read together, that’s a workmanlike standard. The more sensitive the file and the easier the leak, the more is expected of you — and a safeguard that’s cheap, easy, and unobtrusive is one you have little excuse to skip.

Where confidentiality leaks when you share files

The exposure isn’t evenly spread. It concentrates in the documents you hand off most routinely, where the sensitive data is dense and the deadline is close.

  • Court exhibits and e-filings. Public and effectively permanent. A filing carries Social Security numbers, financial account numbers, and the names of minors — exactly the identifiers filing rules require you to strip before the document hits a public docket.
  • Discovery productions. Hundreds or thousands of pages going to opposing counsel. One un-redacted bank statement or medical record in the set is a disclosure, and at that volume it’s the page you didn’t look at closely that gets you.
  • Medical records in a case file. Personal-injury, med-mal, and workers’-comp files are thick with protected health information — diagnosis and ICD-10 codes, medical record numbers, dates of birth, provider identifiers — that has to come out before the file travels.
  • Demand packages and settlement material. Sent to insurers, adjusters, and mediators, often bundling a client’s records, wage information, and identifiers into a single PDF built under time pressure.

In every one of these, the sensitive material is specific and nameable — not “confidential information” in the abstract, but an SSN, an account number, a child’s name, a diagnosis code. That specificity is the point: it’s what you’re on the hook to find and remove.

Why the usual approaches fall short

Three habits feel like reasonable effort but leave a gap a Comment [18] analysis would notice.

  • Reading the page by eye. Careful review catches the obvious. It misses the differently-formatted phone number, the SSN written without dashes, the account number in a footer — and it doesn’t scale to a thousand-page production.
  • Drawing a black box over the text. The most common failure of all. A black rectangle in most PDF tools is a shape laid on top of live text — the words underneath are still in the file and come right back with a copy-paste or a text extractor. It looks redacted; it isn’t. Two decades of high-profile examples show how reliably this one backfires.
  • Uploading the file to an online redaction service. Here the tool itself raises the question the rule is asking. To use most web-based redactors you first send the un-redacted client file to a third party’s servers — which is precisely the “unauthorized access” and disclosure Rule 1.6(c) is about. You may have solved the black-box problem by creating a custody one.

What handling it well looks like

Map the Comment [18] factors — sensitivity high, likelihood real, cost and difficulty low — and a sensible baseline falls out.

Keep the file on your own machine. The cleanest way to prevent unauthorized access during redaction is to never hand the document to anyone to redact it. Redaction that runs entirely on your computer — nothing uploaded, nothing sent to an outside service or an AI tool — means the sensitive version never leaves your control in the first place. It’s the one safeguard a cloud workflow, by definition, can’t offer.

Remove the content, don’t cover it. Real redaction deletes the underlying text and image data so there’s nothing left to copy, paste, or extract, and it clears the document’s metadata along with it. (For why the metadata matters as much as the visible text, see how most PDF redaction quietly fails.)

Catch what the eye misses, then decide. Automatic detection of the common identifiers — SSNs, account numbers, dates of birth, medical record numbers, emails — surfaces the items you’d skim past, and leaves the call to you: each match is something you confirm or dismiss, so you stay in control of the file. That’s Lex Cloak’s job: it finds and removes sensitive information in PDFs entirely on your machine, and lets you check the text is actually gone before you send.

Keep a record of what you did. “Reasonable efforts” is a standard you may one day have to demonstrate. Being able to show which identifiers were found and removed, and that the file was handled locally, is the difference between asserting you were careful and showing it.

The bottom line

The question Rule 1.6(c) puts to you isn’t whether your files contain protected client information — in litigation and transactional work alike, they do. It’s whether you can show you took reasonable, unobtrusive steps before those files left your hands. A redaction workflow that runs on your own machine, removes rather than masks, and gives you a record of the work is about as squarely inside “reasonable efforts” as a small firm can get — at a cost and effort Comment [18] would call negligible.

See how Lex Cloak redacts a file, start to finish →

This guide is general information about a professional-responsibility rule, not legal advice, and doesn’t create an attorney-client relationship. Ethics rules vary by state, and how Rule 1.6 applies to your situation is a question for your bar association or your own counsel.

Sources

  1. American Bar Association, Model Rules of Professional Conduct, Rule 1.6 — Confidentiality of Information, subsection (c) and Comment [18]. americanbar.org (Model rule; individual states adopt their own versions.)