Reflections on Client Confidentiality

In 2017 and 2018, I wrote a four-part series titled “How Much Info Is Too Much?” to challenge an uncomfortable norm: professionals, especially in IT and information security, are routinely expected to share confidential client details as proof of credibility. Whether in procurement discussions or during recruitment, the pressure to disclose private information to secure the next opportunity became standard practice.

Seven years later, this article recaps the original series, ties in a follow-up article on recruitment ethics, and considers whether we have changed our professional culture or whether client confidentiality is still treated as expendable when careers or contracts are on the line.

The Ethics of Disclosure

The series began with a direct comparison that exposed the double standards applied to confidentiality in IT and other professions.

“Imagine asking a solicitor about their past divorces to prove they can handle yours – it would never happen.”

Part 1 (4th December 2017) challenged the assumption that sharing previous client information demonstrates trustworthiness. It used everyday examples like taxi drivers, alarm installers, and lawyers to make a key point. In nearly every other industry, discussing former clients would be considered unprofessional, if not a breach of duty. Why should IT and information security be any different?

Even now, procurement teams and hiring managers sometimes equate name-dropping past clients with credibility. Sharing details about past clients to win future work may signal cooperation, but it also demonstrates a lack of discretion and professionalism.

During my years running a small business, I often found myself pressured to list previous clients. This expectation not only contradicted the NDAs I had signed, but also reflected a fundamental misunderstanding of professional discretion. This isn’t to say that referencing clients is always wrong, but it must be:

  • Done with clear consent
  • Aligned with contractual terms
  • Handled with the client’s reputation and privacy in mind.

Anything less risks crossing the line from credibility to compromise. In my case, I relied on client-provided testimonials, which offered a transparent and ethical way to demonstrate value without breaching confidentiality.

  • Red flags in procurement – Requests for client names during early-stage procurement discussions could mask poor information governance practices.
  • Professional codes of conduct – While IT lacks formal licensing, many adjacent fields, including law, healthcare, and finance, would consider such disclosure a breach of conduct. Expectations in tech are starting to catch up.
  • Trust is built, not bought – Professional trust is earned through process, integrity, and insight, not by exposing others’ confidential work.
  • Cognitive dissonance – Clients who ask you to sign a Non-Disclosure Agreement (NDA) while requesting information about your past clients fail to see the contradiction.
  • Alternative marketing – Referencing industries served or challenges solved is usually sufficient; naming clients is rarely necessary.
  • Protect client reputations – Professionalism includes protecting client reputations long after the contract ends, reinforcing trust and encouraging future referrals.

Spotting Red Flags in Early Conversations

The second article shifted from theory to practice, warning about misleading early-stage discussions.

“A 15-minute call that’s all about your past clients and nothing about current needs? This is not a sales lead; it is a red flag.”

Part 2 (12th December 2017) moved from principle to practice, focusing on identifying conversations that veer into information mining rather than genuine engagement. If a potential client spends more time asking about previous engagements than outlining their own needs, it’s likely not a real opportunity.

With AI-powered voice impersonation, deepfakes, and corporate espionage now part of the landscape, the original advice has only grown in relevance.

  • AI-enhanced phishing – Voice cloning, spoofed job interviews, and fake procurement exercises are becoming advanced tools for corporate surveillance.
  • Context matters – If the caller avoids basic discovery questions like “What are your current pain points?” it’s likely not a real opportunity.
  • Pretexting attacks – Attackers now use believable personas (recruiters, clients, journalists) to harvest sensitive business intelligence.
  • Mutual due diligence – Ethical conversations involve reciprocal openness. You shouldn’t share anything confidential if they are unwilling to share anything about their needs.
  • Training needed – Professionals don’t always know how to identify social engineering that happens before the obvious red flags appear; this needs to change.
  • Process, not paranoia – Having a clear discovery script or intake process can help deflect and detect bad actors while remaining professional.

When Disclosure Becomes Expected

Part three took a more candid tone, acknowledging that indiscretion is sometimes rewarded, even incentivised, in the workplace.

“Those who break confidentiality are often rewarded with a contract opportunity, not because they are professional, but because they cooperate in breaching confidentiality.”

Part 3 (18th December 2017) took a sharper tone, acknowledging the grim reality that disclosing confidential information helps people win work. This behaviour has become normalised in sectors like IT and information security, where there is no professional licence to revoke and no external body enforcing ethical standards.

We still see this today, especially in competitive bids where clients and employers reward name-dropping and logo slides. ISO standards, frameworks, and organisational codes of conduct are slowly shifting this culture by embedding expectations of privacy, discretion, and ethical information handling.

  • Reward structures misaligned – Selection teams often reward evidence of previous client activities over ethics, perpetuating indiscretion as a competitive advantage.
  • Governance maturity gaps – Many organisations still treat confidentiality as optional unless regulated, a sign of weak internal controls.
  • Contractual ambiguity – Vague NDA terms or lack of policy enforcement can open confidentiality to interpretation.
  • Culture shift in motion – Society is slowly reframing discretion as a strength, especially in vendor risk assessments.
  • Risk of litigation – In regulated sectors, disclosing client details without authorisation now carries legal risk, not just reputational damage.

A Professional Alternative

To counter the trend of oversharing, the fourth article offered a proactive solution: shifting the focus to structured, client-first engagement.

“Credibility should come from solving real problems, not showcasing someone else’s private history.”

Part 4 (4th January 2018), the final article in this series, offered a way forward: a professional five-step process for engaging with clients. It helps avoid off-topic digressions about past work and puts the focus where it belongs, on solving the client’s current problems through a structured, ethical dialogue.

As procurement and supplier due diligence processes become more rigorous, driven by regulatory scrutiny, AI governance, and Environmental, Social, and Governance (ESG), structured professional processes are no longer a luxury. They’re essential for resilience, trust, and legal protection.

  • Credibility through repeatable processes – A professional engagement process builds more trust than any client list ever could.
  • Focus on expertise, not exposure – Clients want insights into their problems, not a retrospective on someone else’s problems.
  • Structured onboarding protects both sides – When done well, it guards against phishing and reputational risk for both parties.
  • Modern due diligence expectations – Clients are increasingly judged by what they ask and by how ethically they conduct vendor selection.
  • Buyers expect maturity – Especially in regulated or AI-governed environments, buyer organisations are now penalised for lax supplier onboarding.
  • Resilience through process – Repeatable processes ensure you maintain credibility through moments of pressure, ambiguity, or inconsistency.

Recruitment: A Parallel Problem

The follow-up article expanded the issue into recruitment, highlighting the ethical risks of sharing confidential information when changing jobs.

“If you’re willing to use your current employer’s clients now to get a new job, you’ll likely do the same to your next employer.”

In this follow-up article, Avoid Revealing Employer’s Clients (12th April 2018), I explored how the same confidentiality breaches play out during recruitment. Candidates sometimes list their employer’s clients on public profiles and CVs or refer to them in interviews, thinking it shows breadth of experience. However, the ethical problem is the same: those clients aren’t theirs to share.

Today, these disclosures can end careers before they start. Many firms now treat unauthorised disclosure of client identities as a breach of NDA, contract, or even data protection law, and rightly so. Confidentiality applies just as much when leaving a company as when engaging with a new one.

  • CV red flags – Listing employer clients without authorisation can violate contracts and raise character concerns, even before the interview stage.
  • Reputation risk in hiring – Employers increasingly filter out candidates who appear to treat sensitive data as a personal asset.
  • Due diligence extends to applicants – Some roles now include applicant-level risk profiling, where client name-dropping is seen as a security weakness.
  • Confidentiality clauses apply post-exit – NDAs, employment contracts, and professional ethics don’t expire when you change jobs.
  • Professionalism – The best candidates increasingly demonstrate judgement, not just experience.
  • Culture fit matters – Organisations with strong governance cultures actively avoid hiring people who treat discretion as optional.
  • Recruiters need clarity – Some recruitment agents still encourage “name-dropping” for profile strength, but this can backfire for both candidates and the agency.

Additional Thoughts

Whether in recruitment or procurement, the heart of this matter remains unchanged. Professionalism in this context is about discretion, not disclosure. We can’t gain trust and establish credibility by revealing what we did for others; we can only demonstrate what we can do for future clients or employers.

That said, one fact remains the same: when people and businesses are forced to choose between disclosing client names (along with what was done and when) and risking an abrupt end to the conversation about future work, they often choose the opportunity first.

Unfortunately, many professional cultures still reward indiscretion while overlooking integrity, especially when disclosure offers a short-term advantage. This isn’t just a question of professionalism; it’s a systemic problem.

It reminds me of the UK smoking ban in pubs. Many landlords wanted to implement a smoke-free policy years before it became law, not just for the health benefits but also to create a better environment for their customers and staff. They couldn’t because if one pub acted alone, the smokers would go next door, taking away a significant portion of their revenue. There were a few exceptions, but it wasn’t until the ban became a legal standard that everyone could act without fear of competitive loss.

Confidentiality suffers from a similar imbalance. Clients, employers, and recruiters are legally entitled to ask questions. Employees, consultants, and small business owners often feel compelled to respond, as not answering might mean losing the opportunity.

Change will remain slow until our professional culture matures to reward discretion and due process rather than indiscretion and shortcut credibility. Until then, no one can afford to lead alone, and the cycle will continue.