Attorney-client privilege is one of the oldest and most foundational protections in American law. It allows clients to be fully honest with their attorneys without fear that those communications will be used against them. Most attorneys understand the privilege conceptually. Fewer think carefully about the operational decisions that can inadvertently waive it or put it at risk.

This guide focuses on what small firm owners need to know about privilege from an operational standpoint — not an academic treatment of the doctrine, but the practical decisions that affect whether privilege is maintained.

This guide covers operational best practices. It is not legal advice. Privilege rules vary by jurisdiction and the specifics of each matter. Consult your state bar's ethics resources for jurisdiction-specific guidance.

What Attorney-Client Privilege Covers (And What It Doesn't)

The basic rule: privilege protects confidential communications between an attorney and client made for the purpose of seeking or giving legal advice. Four elements must all be present: a communication, between attorney and client, that was confidential, and made for the purpose of obtaining or providing legal advice.

What this means in practice:

The work-product doctrine is a related but distinct protection. Work product protects documents and mental impressions prepared in anticipation of litigation. It's broader in some ways (it can apply to non-attorney work) and narrower in others (the standard for defeating it is different from privilege).

When Privilege Can Be Waived

Privilege can be waived voluntarily or inadvertently. Both matter for small firm owners.

Voluntary Waiver

A client can waive privilege by disclosing privileged communications to a third party outside the attorney-client relationship. Attorneys who share privileged client information without authorization also waive privilege. In both cases, the waiver may extend beyond the specific communication disclosed — in many jurisdictions, waiving privilege as to part of a communication can waive it as to the entire subject matter.

Inadvertent Disclosure

Inadvertent disclosure occurs when privileged documents are mistakenly produced in discovery, shared via a misdirected email, or included in a document production by error. When inadvertent disclosure occurs, the attorney must act quickly: notify opposing counsel, demand the return or destruction of the documents, and potentially seek a court order. Most jurisdictions allow the privilege to be preserved after inadvertent disclosure if prompt corrective action is taken.

The lesson for small firm operations: document management and email protocols matter. A firm that uses consistent document naming conventions, reviews productions carefully before sending, and trains staff on handling privileged materials has lower inadvertent disclosure risk than one that doesn't.

The Common Interest Exception

Multiple parties with a common legal interest can share privileged communications among themselves without waiving privilege. This applies to co-defendants in litigation, parties to a joint venture seeking shared legal advice, and similar situations. The common interest must be a legal interest, not just a business one, and the arrangement should be documented in writing.

Privilege Considerations in Digital Communication

Most privilege doctrine was developed before email, and the rules are still catching up with digital communication realities.

Email between attorney and client is privileged if the client uses a private account. Email from a client's work account that goes through their employer's server is more complicated — courts have split on whether the employer's access to the server defeats the client's reasonable expectation of confidentiality. Attorneys representing employees in disputes with their employer should advise clients to use personal email, not work email, for all attorney-client communications.

Cloud storage and practice management software raise similar questions. Where are client files stored? Who has access to the servers? What security measures are in place? These aren't just IT questions — they're privilege questions. A practice management system that's configured to give unauthorized parties access to client communications creates privilege risk.

For the data security side of this, see our guide on law firm data security.

Common Privilege Mistakes at Small Firms

Including non-attorney staff in privileged communications unnecessarily. Staff who work on the matter can be included in privileged communications as agents of the attorney. Staff who have no role in the matter should not be copied or given access to privileged communications. Train staff on what they can and cannot receive.

Discussing client matters in non-secure locations. Privilege requires confidentiality. A conversation about a client's matter in a coffee shop, a shared coworking space, or a waiting room where others can overhear it may not be privileged. The expectation of confidentiality has to be reasonable under the circumstances.

Not using clear subject lines and headers for privileged documents. Mark documents as "Attorney-Client Privileged" and "Attorney Work Product" as appropriate. These labels don't create privilege where it doesn't exist, but they signal the expectation of confidentiality and support privilege claims if the documents are challenged.

Mixing privileged and non-privileged material in the same document. A document that mixes legal advice with general business guidance complicates privilege determinations. Keep them separate where possible.

How Operational Systems Affect Privilege

The way a firm is organized operationally affects privilege exposure in practical ways. Automated systems that handle client communications — intake forms, client portals, email automation — should be configured to maintain appropriate confidentiality standards. Client data that flows through third-party platforms should be covered by a Business Associate Agreement or equivalent contractual protection where applicable.

The questions to ask of any system that touches client communications: Who has access? Where is the data stored? What security protections are in place? Is client data ever visible to the platform provider's employees? For HIPAA-adjacent work (medical malpractice, personal injury with medical records, etc.), the compliance requirements are even more specific. See our guide on legal billing ethics for the overlap between ethics rules and operational compliance.

The core operational principle is straightforward: privilege is only as strong as the confidentiality practices that surround it. Firms that treat privilege protection as a courtroom doctrine and not an operational one are the ones that discover privilege problems after the fact. If you're building systems that handle client communications and want to make sure they're configured correctly, book a free audit call.