Privileged and Confidential: What Every Attorney Must Know

Most attorneys stamp "Privileged and Confidential" on emails without stopping to ask whether that label is doing anything. It is not, on its own.

Privileged and confidential are two separate legal protections. They overlap, but they are not the same. Using them interchangeably is one of the most common mistakes attorneys make, and it has real consequences for clients, cases, and firms.

This guide explains what each term means, where each one ends, and what law firm owners need to do to protect both.

‍

Key Takeaways

1. "Privileged" and "confidential" are not interchangeable. Privilege is an evidentiary rule. Confidentiality is a broader ethical duty that covers every setting.
2. A label does not create privilege. Courts look at substance, not headers or footers.
3. Privilege is fragile. One wrong CC or forwarded message can waive it entirely.
4. Protecting privilege is a firm management issue. Protocols, training, and onboarding are what keep it intact.

‍

What "Privileged and Confidential" Actually Means

These two words refer to two different legal protections that are almost always treated as one.

Privileged communication is shielded from forced disclosure in court. When a communication qualifies as privileged, a court cannot compel the attorney to reveal it.

Confidential communication is governed by an attorney's ethical duty under ABA Model Rule 1.6. It covers all information from a client's representation, not just direct attorney-client exchanges, and applies in every setting, not only in legal proceedings.

A client email to their attorney about pending litigation is both privileged and confidential. An internal company memo discussing a sensitive business matter may be confidential, but it is not necessarily privileged. That distinction determines what can be compelled in discovery and what cannot.

Labeling a document "Privileged and Confidential" does not change its legal status. Courts assess whether the actual criteria for privilege were met. The label alone cannot protect a communication that fails on substance.

‍

‍

What Are the Criteria for Attorney-Client Privilege?

Four conditions must all be present. If any one is missing, the communication is not protected.

1. There is an attorney-client relationship. The person seeking advice must have retained, or be in the process of retaining, a licensed attorney. Prospective clients may qualify. Casually asking a lawyer a question at an event does not.

2. The communication was made in confidence. No unnecessary third parties can be present or included. A conversation at a shared workspace is not confidential. An email sent from an employer-monitored account is not confidential.

3. The purpose was to seek or provide legal advice. This is the most frequently misunderstood requirement. The communication must be about legal counsel, not business strategy or operational decisions. 

As Baker McKenzie's Global Privilege Guide notes, in-house counsel should avoid mixing legal advice with general business advice, since courts look at the nature of the communication itself, not the title of the person who sent it.

4. Confidentiality has been maintained. Forwarding the communication to someone outside the protected relationship, posting about it, or sharing it with a non-essential third party can waive the privilege entirely.

For firms with remote attorneys or distributed teams, criteria two and four are the most operationally fragile. Encrypted portals and controlled access are not optional. They are how privilege survives outside a traditional office.

‍

The 5 C's of Attorney-Client Privilege

Every attorney and paralegal in your firm should be able to recall this framework:

Communication between a Client and Counsel, made in Confidence, for the purpose of seeking or providing legal Advice.

All five must be present. Here is what each one requires:

• Communication: This covers any method of information exchange including emails, letters, texts, calls, and in some cases physical gestures. Format matters less than context.
• Client: The communication must involve or originate from the client. This relationship requires the individual to consult the attorney in good faith to advance their own legal interests. A formal contract or retainer agreement is not required for the privilege to apply.
• Counsel: a licensed attorney acting in a legal capacity. An accountant or financial advisor does not qualify, even if an attorney is copied on the same thread.
• Confidence: only the attorney, the client, and those directly essential to the representation should be included.
• Counseling (Legal Advice): The core purpose of the communication must be to seek, obtain, or provide legal advice. General business advice or casual conversation is not protected.

One action can end the protection. Forwarding a privileged email to a family member, copying a business partner outside the representation, or using an employer-monitored inbox can eliminate the privilege before anyone catches the mistake.

‍

What Is Protected Under Attorney-Client Privilege?

Protected:

• Emails, letters, texts, and conversations made in confidence for legal advice
• Attorney work product prepared in anticipation of litigation
• Communications with the attorney's support staff when directly assisting with the legal matter
• Initial consultations with prospective clients, even before formal retention

Not protected:

• Pre-existing documents given to an attorney. The document does not become privileged simply because an attorney received it.
• Business decisions routed through counsel to appear protected
• Communications shared with non-essential third parties
• The underlying facts of a matter. A client cannot refuse to testify about what happened simply because they discussed it with their attorney.
• Fee agreements and billing records, in most jurisdictions

On that last point: McGuireWoods' analysis of attorney billing privilege confirms that most courts hold fee agreements and invoices are not privileged, except where a billing description reveals legal strategy or the nature of advice given. If your firm seeks attorney's fees from a third party in litigation, you may waive privilege over those records entirely.

To reduce unnecessary disclosure risk, firms should avoid placing detailed legal analysis, litigation strategy, or sensitive factual summaries directly into billing narratives unless operationally necessary. Time entries should remain specific enough for billing compliance while avoiding unnecessary exposure of protected legal strategy.

‍

Two Exceptions to Attorney-Client Confidentiality

‍

The Crime-Fraud Exception

Communications made to help a client commit a future crime or fraud are not protected. The privilege shields the past. It does not protect plans for future wrongdoing.

Courts may conduct an in-camera review of disputed communications to determine whether this exception applies. It covers both the evidentiary privilege and the ethical confidentiality duty.

A relevant example emerged during the DOJ's antitrust case against Google, where allegations surfaced that employees were encouraged to copy attorneys on communications that did not involve genuine legal advice in an effort to strengthen privilege claims. Courts described the practice as “eyebrow-raising,” and the issue became more serious than a labeling problem alone.

When courts believe privilege is being misused systematically, they may order deeper privilege-log reviews, scrutinize entire categories of withheld documents, reject privilege assertions in bulk, or draw adverse inferences about the firm's document practices. Improperly applying privilege labels can therefore weaken legitimate privilege claims throughout the matter, not just for a single email thread.

‍

The Self-Defense Exception

An attorney may disclose limited confidential information to defend against a client claim, such as a malpractice suit or a fee dispute. The disclosure must be limited strictly to what is necessary.

Other exceptions that vary by jurisdiction:

• Preventing reasonably certain death or substantial bodily harm
• Preventing a client from committing a crime or fraud causing substantial financial injury to another
• Complying with a court order
• Resolving conflicts of interest during a firm merger or attorney transition

The ABA Model Rules set a baseline. As the Florida Bar's analysis of privilege vs. confidentiality notes, individual states apply their own standards, and an exception to the confidentiality rule in one jurisdiction may not operate the same way in another. Attorneys must know their specific state's rules.

‍

Privileged and Confidential Email Disclaimers

A disclaimer does not create privilege. Courts look at the substance of the communication: who sent it, to whom, why, and whether confidentiality was genuinely maintained.

What a disclaimer does: it signals intent and can support a claim that the sender treated the communication as protected. Per the Association of Corporate Counsel, overusing disclaimers on every outgoing email may actually dilute their persuasive weight in court.

The more effective practice: mark sensitive emails as "Privileged and Confidential" or "Attorney-Client Communication" in the subject line, not only the footer. Subject-line labeling is more visible and more clearly deliberate.

‍

Three Ready-to-Use Templates

Short-form (routine client emails):

This email and any attachments are confidential and may contain privileged information. If you are not the intended recipient, please delete this message and notify the sender immediately.

Standard law firm footer:

This communication may contain confidential and attorney-client privileged information intended solely for the named recipient. Unauthorized use, disclosure, or distribution is prohibited. If received in error, please notify the sender and destroy all copies.

Formal / litigation-ready:

This transmission is from [Firm Name] and may contain information protected by the attorney-client privilege or attorney work product doctrine. If you are not the intended recipient, any review, copying, or distribution of this message is strictly prohibited. Please notify us immediately and delete the original.

Standardize one template across all attorneys, paralegals, and legal staff. Inconsistent or missing disclaimers are a preventable risk.

‍

How Law Firms Break Privilege Without Realizing It

Most attorneys understand the rule. Fewer track the daily habits that quietly destroy the protection.

Forwarding to the wrong person. Sending a privileged communication to someone outside the protected relationship, such as a client's assistant or a business partner, can waive privilege on that subject matter. 

Under Federal Rule of Evidence 502, voluntary disclosure to a third party in a federal proceeding can result in a subject-matter waiver of related communications, particularly when the disclosure is intentional and fairness requires related materials to be considered together. However, FRE 502 was also designed to limit overly broad waiver findings and permits clawback agreements and protections for certain inadvertent disclosures.

Using non-secure channels. Employer-monitored email accounts, consumer messaging apps, shared inboxes, and group chats are not confidential channels. Privilege cannot attach to a communication the employer can access.

Overcrowding the CC line. Copying individuals without a direct role in the representation may break confidentiality. Courts assess whether each person included was necessary to the legal work, not whether they work at the firm.

In-house attorneys advising on business, not law. When in-house counsel weighs in on a business decision rather than a legal question, the communication is not privileged. Courts look at the function of the communication, not the title of the person who wrote it.

Unsecured remote work environments. Home networks, shared screens, and unsecured connections all introduce risk. Attorneys working remotely need the same confidentiality safeguards as those in a physical office. 

At minimum, firms should require encrypted file-sharing systems, VPN-secured connections, password-protected devices, multi-factor authentication, restricted document permissions, and private workspaces for confidential calls or document review.

‍

What Law Firm Owners Should Have in Place

These three gaps are where most firms fall short:

1. A written email communication protocol. Every attorney and staff member should know which emails need a subject-line privilege label, when to use a secure portal instead of email, and how to handle communications that involve multiple parties. Informal norms are not enough.

2. Client onboarding that covers communication security. Clients break privilege by forwarding attorney emails, discussing legal strategy on social media, or communicating through employer-monitored devices. Covering these risks during onboarding protects the representation from the start.

3. Consistent training for all staff and contractors. Everyone who touches a client matter, including remote attorneys, paralegals, and legal assistants, needs to understand what breaks privilege. One team member without this knowledge is a real liability.

Firms that are growing, whether through in-house hires or virtual legal teams, need these protocols in place before a breach occurs, not in response to one.

‍

Frequently Asked Questions

What does "privileged and confidential" mean in a legal context?

Privileged means the communication cannot be compelled in court. Confidential means the attorney has an ethical duty under ABA Model Rule 1.6 not to disclose it voluntarily. Confidentiality is broader and covers all information from the representation, not just direct attorney-client communications.

What are the 5 C's of attorney-client privilege?

Communication between a Client and Counsel, made in Confidence, for the purpose of seeking or providing legal Advice. All five elements must be present. A missing element, such as a third party copied on the email, can void the privilege.

What are two exceptions to attorney-client confidentiality?

The crime-fraud exception removes protection from communications made to help plan a future crime or fraud. The self-defense exception permits an attorney to disclose limited information when defending against a client's malpractice claim or fee dispute.

What is the best reason for attorney-client privilege?

Clients must be able to speak honestly with their attorneys without that honesty being used against them. Without this protection, clients withhold facts, attorneys work with incomplete information, and the quality of legal representation declines.

Does an email disclaimer make a communication privileged?

No. A disclaimer signals intent but does not create privilege where the underlying criteria are not met. Courts assess the content, the parties, and whether confidentiality was actually maintained, not the footer language.

‍

Build a Firm Where Privilege Is Protected, Not Just Assumed

Privilege is not self-executing. It requires written protocols, trained staff, educated clients, and consistent practices across every person handling a client matter, including those working remotely.

If your firm is growing and needs remote legal professionals who understand these obligations from the start, Remote Attorneys places vetted legal staff trained to operate within the confidentiality standards your clients expect. Book a Consultation to see how it works for your firm.

‍