Last week during a guest lecture on virtual law practice at the University of Dayton School of Law, the subject of protecting client property and confidentiality of client data in electronic communications came up again. My prediction (perhaps overly optimistic) is that in the next few years the state bars will recognize that unencrypted email communication between attorney and client is not the highest standard. The state bars will look at the newer data privacy laws in Nevada and Massachusetts and reconsider why attorneys should be using unencrypted email in our profession while other business professionals are required to encrypt personal client data.
The standard that the ABA Model Rules of Professional Conduct and most state bars take is encapsulated in Rule 1.6 (a) of the ABA’s Model Rules of Professional Conduct. This rule states “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation.…” Specifically comment 17 to this rule provides that lawyers must take “reasonable precautions” to safeguard confidential information and prevent it from going to unintended recipients during the transmission. The ABA Formal Opinion No. 99-413 added in March 10, 1999 specifically allows for the use of unencrypted email.
“Reasonable precautions.” What qualifies as “reasonable” should change as technology to communicate with our clients and other professionals develops and security risks in those electronic methods are exposed. Encrypt your email (although this may not help your client if he or she does not have the resources to do the same from the other end), use a web-based system of delivery with end to end encryption, set up a secure client portal or open a virtual law office that forces clients to use a secure method of transmitting information to the attorney. There are ways to take updated “reasonable precautions.” No excuses.
The professor who was kind enough to allow me to speak with his LLM students last week raised the issue that requiring a higher standard for attorney electronic communication in the form of encryption would be difficult to get into place. Law firms and attorneys who rely on email or other unencypted methods of storing or gathering prospective and existing client data would fight any such atttempt at regulation tooth and nail. I’m sure he is correct about that. I can hear the massive uproar now.
Yet, the ABA is investigating cloud computing in law practice with full-force. By the way, most web-based practice management systems created for legal professionals are encrypted, and SaaS providers are a firm’s 24/7, 365 automatic security watch and update, maintenance and backup systems. But unencrypted email is still a “reasonable” standard in the rules.
During presentations I find it slightly amusing when I’m questioned about my ability to protect my clients’ confidentiality and client property using a virtual law office that has end to end encryption. Almost always the person asking is relying on email in his or her firm to transfer sensitive information to clients, co-counsel and opposing counsel without a thought for the security of the system used. Some of them are not only using unencypted email but a public email service like gmail or yahoo for firm correspondence.
Technology standards change even if rules do not. To protect our clients we need to recognize this and change our practices as well by going beyond the bare minimum and out of date standards in a rule or ethics opinion. It may cost a firm and its attorneys time and resources and a painful transition from a much-loved and comfortable system of communication. This is why most cloud computing apps are focused on compatibility and transferrablity of data in standard file formats; they recognize that a firm may need to make this process less painful in the future.
The rule-writers need to keep technology-related rules and regulations broad recognizing that any specific standards will be quickly out-dated. It may even be dangerous to have specifics in rules and opinions because for years it permits firms and attorneys to be slow and apathetic to keeping up to date with technology and security issues. Keeping rules and opinions broad and focused on guidance to resources and education instead would be a better alternative than setting up additional road blocks for those attorneys who are up to date on the technology and security and privacy issues and who are doing their best to make sure the systems they are using are in their clients’ best interests as well as their own.