Does a grapevine grow over your "Chinese Wall" ?

In 1907 Australia completed the world's longest (and most expensive) fence. Intended to contain the spread of rabbits across the continent it failed miserably - by the time it was finished the rabbits were watching happily from both sides, and were no more than mildly inconvenienced.

The same fate awaits many information barriers - optimistically thrown up by law firms in answer to an alleged (and perhaps hotly contested) conflict of interest claim. Once such a conflict is identified, the onus is squarely on the firm propounding the barrier to demonstrate that there is "no real risk" (as opposed to a fanciful or remote risk [1]) that the duty of confidence to the - usually former - client will be breached.

The practical requirements are set out in full (some would say excruciating) detail in the link below. Adopted by several Australian law societies, these guidelines have generally been accepted by the Courts (See, for example: Zani v Lawfirst Pty Ltd trading as Bennett & Co [2014] WASC 75).

However - the most elaborate information barrier will not satisfy the test if the information has already traversed the boundary. Traditionally, the concern has been documents and people entering each others' physical orbit. These days, poor information management practices may sink the credibility of the proposed barrier from the outset.

Judges who think nothing of counsel acting against each other while briefs of evidence for opposing parties lie scattered throughout shared chambers will scour the affidavits of solicitors for the slightest indication that the shielded party might already have been exposed to the quarantined information. (Cf; Georgian American Alloys v White & Case LLC [2014] EWHC 94 (Comm) )

Complicated verein structures and the geographical distance between offices on different continents will be of little consequence if a few keystrokes could bridge that distance and allow the quarantined information to be viewed by someone in the shielded team. Once the barrier is in place this is unlikely, but can the firm swear to the fact that nobody from office A has ever accessed embargoed information held by office B? Is the fact that they had no real reason to enough ? How about someone from office C that was seconded to B and is now in A ? Did they access the data ? How long will it take to check ?

Good logging and an efficient way of viewing and mapping who has accessed what and can go a long way, but the judicial concern for the proverbial grape vine growing over the Chinese wall will take a lot to allay. The best approach: Lock access to client data to those on a need to know basis as default.

As an aside, good user access controls are a critical part of any cybersecurity program as well, so efforts in this regard come with a double dividend.

Information barrier guidelines here:

[1]  Farrow Mortgage Services Pty Ltd (In liq) v Mendall Properties Pty Ltd [1995] 1 VR 1 at 5; Carindale Country Club Estate Pty Ltd v Astill (1993) 42 FCR 307 (“real, as opposed to a theoretical possibility”); Mallesons Stephen Jaques v KPMG Peat Marwick (1990) 4 WAR 357, 371 per Ipp J, Prince Jefri Bolkiah v KPMG (a firm) [1999] 2 AC 222, 236-237 per Lord Millett.