I received an interesting email this morning referring me to an email which a local law firm distributed to subscribers of its property-related mailing list. Ordinarily that isn't the sort of thing which would garner much interest from me - property law is somewhat outside my usual scope. What caught my eye is the way this law firm emailed this particular issue. It listed every email address in the mailing list in the "To" field and the result is something like this:

If you are wondering what the blue fuzz is, it is a partial screen shot of the distribution list, zoomed out to obscure the individual email addresses. The recipient whose response to the law firm was forwarded to me along with the original email had the following to say in his reply to the firm (this is a direct quote):

I find it extra-ordinary that your firm has revealed the private contact details of 1378 of your clients.

I am not a lawyer but I am pretty sure as a law firm that this is a MASSIVE breach of ethics and I certainly NEVER wish to be affiliated with your firm again. I am horrified my personal email address has been revealed by your firm to every person on this mailing list. There are VERY VERY VERY strict rules as to the data protection of your clients' information but it seems your firm has opted to ignore these basic rules.

If this is how you treat my private email address goodness knowshow else you are treating your clients information!!!

The massive conflicts this emailcould create is shocking and I ask your firm to kindly remove my email address with immediate effect and not to EVER contact me again!

This blunder raises a number of legal issues. The one issue raised in the quote is legal professional privilege (commonly known as attorney-client privilege) which vests in attorneys' clients. This privilege places restrictions on what information attorneys can disclose about their clients and the work they are doing. What is a concern about this email is that it potentially discloses information about the firm's clients through their email addresses. That said, names of clients may not fall under legal professional privilege although this depends on the nature of the work being done for the client and any contractual restrictions between the client and the attorney.

Disclosing email addresses and, indirectly, clients' identities may be a breach of confidentiality which is an implied term of an attorney's contract with his or her client; a breach of non-disclosure provisions where the client has required the attorney to sign a non-disclosure agreement protecting its identity from disclosure.

Another concern is the simple disclosure of the recipients' email addresses to each other. The mailing list apparently contains roughly 1 378 recipients and some of those recipients may prefer that their email addresses not be disclosed to each other. I hope the firm's privacy policy covers this sort of disclosure and can sympathise with recipients who, like the recipient I quoted, are dismayed that their personal information could so easily be disseminated.

Of course this doesn't reflect well on the firm itself which could easily lose a number of clients outraged at this blunder. The firm could also suffer reputational harm should these recipients discuss the blunder with their colleagues, friends and other parties. This disclosure could also easily undermine what must have been a fair amount of work that went into the database's compilation and any goodwill the firm garnered through its publication in the time it has been distributed.

Leaving aside questions of confidentiality (and they are potentially very serious), not taking care to protect an email database from this sort of public disclosure could have equally serious privacy and reputational consequences for an organisation. I certainly would not want to be the firm's directors when clients start calling about this.