The ABA Standing Committee on Ethics and Professional Responsibility has published a new ethics opinion, Formal Opinion 11-459, “Duty to Protect the Confidentiality of E-mail Communications with One’s Client.” I didn’t see this one coming, but I think it’s a move in the right direction.
The situation described in the opinion arises when an attorney has reason to believe that his or her client is sending the attorney or anyone else confidential information via email, and the client’s employer has keystroke logging on their system or some other way of monitoring the employee’s activities, so that there is a risk that the employer could access that confidential information.
However, the opinion is worded broadly and might expand to more than just email and to more than just these workplace situations. Check out the last paragraph of the opinion:
As noted at the outset, the employment scenario is not the only one in which attorney-client electronic communications may be accessed by third parties. A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary. Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client. (emphasis added)
So this is going to extend beyond the risk that a client’s employer has keystroke logging on the system or is reading their email. “Any third party” gaining access could be anything from using an unencrypted cloud-based app to a risk of clicking on a link in a SM application that puts malware on their system, whether it’s on the work computer, laptop or other mobile device.
Then there is the footnote to the opinion, which provides that if the attorney finds out that the client is receiving their personal email on a workplace machine, the attorney needs to caution the client against it, and if the client does not stop, the attorney should discontinue emailing them at both the personal and any other email address.
Here are my thoughts. I don’t think this opinion requires us to investigate our clients’ tech savvy or their own computer set-up before communicating with them. Obviously I can’t hop over to my client’s workplace or home and make sure they are minimizing the risks from their end. Think about the use of mobile devices by employees that end up being used for both personal and business matters simply because no one wants to carry around two devices.
However, it is within our control to initiate the digital communication with the client by using a method that does protect them more regardless of their situation. Instead of inviting clients to use unencrypted email to send communications about their legal matter, use encrypted email or a system that requires you both to log into a secure, encrypted area to communicate. (If you haven’t already, check out the ILTSO legal tech standards, which strongly recommend more secure use of technology such as this.) By my interpretation of this opinion, doing so would meet the reasonable care standard as well as minimize the risk for both the attorney and the clients.
In addition to inviting clients to communicate using more secure methods, the attorney might simply add a line or two in their engagement agreement about the use of technology to communicate, regardless of the technology they use, and how there is some risk of third-party access in almost any method of communication whether it’s snail mail or a cloud-based solution. Educating clients on the safest use of technology to communicate with their attorneys is not a bad best practice, and frankly, I don’t think it takes that much effort on the attorney’s part to do this.
And again, if we are initiating the communication, we should choose the most secure method based on the current technology available to us. We pay thousands a year for malpractice insurance; we can add less than $50/month for safer communications to our list of things we have to have to fulfill our professional responsibilities.
What I really hope doesn’t happen as a result of this opinion: more pointless, unread disclaimer messages tacked on to the end of attorney emails. Come on. Your clients wouldn’t read it and even if they did they wouldn’t know how to react. You just emailed them. They’re going to respond to your initiation of using unencrypted email to communicate. In the time it would take you to add that to your email, you could have put it in your engagement agreement or posted it on your website and invested a minimal amount in an encrypted form of protecting your clients’ confidential information.
Is this opinion a move in the direction of the ABA saying that unencrypted emails can no longer be viewed as fulfilling the duty to protect clients’ confidential information under Rule 1.6(a)? For years I’ve gotten tons of push-back from attorneys about how email is totally safe and here to stay and how their clients wouldn’t/couldn’t possibly use anything else. I still think the tide is turning, however slowly, toward more secure systems for legal transactions, and this opinion and how it questions the “reasonable care” standard in the use of unencrypted email is a big nudge forward.
Eric G. Young
Stephanie, I agree with you wholeheartedly about the pointless disclaimers. Those have become so ubiquitous that many – if not most – clients don’t read them. Maybe skim, at best. Back in 2008, as a first step, I went the route of making modifications/additions to my engagement agreement that spoke to these issues and did so in a way that reasonably brought the client’s attention to the issues. I am glad you mentioned that as one possible, initial way of meeting the obligations this opinion imposes in a way that imposes very little burden on the attorney.
There is a big difference between using encrypted email where there is a known threat to privilege and requiring encrypted email at all times. There is ample case law that provides that employees have no expectation of privacy even when using a web-based email system (e.g., Gmail, Yahoo) on a work machine and for that reason, I would simply advise a client in an employment case to refrain from communicating with the attorney while at work. However, there’s no reason to prohibit unencrypted email based on a situation that can be avoided. After all, we don’t ban criminal defense lawyers from using the phone simply because jailhouse phone calls may be recorded.
Where the risk of transmitting information by email is high – e.g., sending social security numbers or personally identifiable information – I can understand that encryption of email is justified. But other than that, it makes more sense to simply refrain from using email in certain situations (e.g., emailing a client at work).
Otherwise, I see no problem with unencrypted emails. If we put up more barriers to communicating with clients so that we can’t get information from them, that is a worse result than the tiny possibility that a client may forward the email to someone else. Also, when clients become frustrated with having to go into a portal, download information and then circulate it, they may very well simply give their portal password to someone else, which is also problematic. I work with relatively sophisticated clients and have been using portals for 3 years now, but it is still nearly impossible to get them to retrieve documents from the portal, let alone leave comments up at the portal as opposed to email. In the press of a deadline, no one wants to be logging in and out of a portal, or going through an added layer to open an email.
Finally, though the ILTSO requirements have some merit, I do not agree with the encryption requirements. I do not believe that encryption is standard practice in any industry except perhaps where required by law (e.g., HIPAA or state/federal data protection) and I don’t think it makes sense to impose it on lawyers.
I respect your opinion, Carolyn, and maybe the best way that the ABA and state bars could address the issue of security and confidentiality would be to keep it as a recommendation – a practice decision that the attorney must make on a case by case basis depending on his or her clients and their unique situations. That would be preferable to a requirement of encryption locked into an ethics opinion because of the instances that you mention. I don’t think this opinion goes quite that far as to make it a requirement. It does seem to leave it to the attorney’s judgment of the client’s situation. But I think it’s a good thing to raise awareness of the risk with attorneys and for it to constitute reasonable care to take this risk into consideration.
I’ve had a different experience working with my clients. Some of them are not so computer-savvy, but they do not find it a hassle to log into a secure client space to work with me. It’s not any more complicated than logging into web-based email or clicking to open an email attachment and does not take any longer to do. The problem I have is trying to get the client to make the distinction between what communication should be handled through email and which needed to be sent more securely because they shared their email address with a family member or used a public or work computer. Once I respond to a client by email, they turn to this for everything and it’s not possible to prevent them from attaching sensitive information, like an older version of their Will or account information when I handled estate administration. I could tell them to communicate that information through a portal, but they would forget or just understand when it was necessary. So in my case, I’ve found it more beneficial to my clients to just start out with encrypted communication. But I can see how a more sophisticated client base might be able to make this distinction for themselves.
The special case of communicating with an individual client while using the client’s employer’s email merits special attention, but that shouldn’t be driving the rest of this discussion that has leaked into every-day emailing.
If I had a sense that they’d impose this same logic and rigor on all possible means of communicating with clients, I might have more respect for the added barriers being placed on email communications (if this is in fact a new barrier — it is vague). But, FedEx can freely open my packages as they wish (for ‘good purposes’ maybe, but they still have the right), bicycle messengers could easily rifle through my goods as they do their duties (Law of the Biker notwithstanding, do we know they don’t?), and essentially every form of communication poses some risk of unwanted disclosure (I’ve yet to see a fully functional Cone of Silence, although I’d love to have one) — Yet we still manage to go about our business as lawyers, safe in the knowledge that good enough might be good enough to meet our duties.
Admittedly each of those situations does pose moments when the lawyer should take additional precautions (move out of the elevator before continuing the chat). We’ve not really needed to formalize common sense in that line of thought, and probably do not need to formalize common sense in the email situation.
If this new opinion is essentially saying, “Don’t talk in the elevator”, then I can support it, although I question if it’s really necessary. If it’s imposing levels of concerns that are materially more than I’m forced to do for any other means of communicating, and we’re not simultaneously saying we have to clean up everything else, I cannot support the notion of yet another Internet Exceptionalism instance.
Great article! You have to assume that anything transmitted through the Internet can be available to just about anyone. But taking the steps to make the system more secure and keeping clients informed is the responsible thing for every law office to do.
Good perspective Stephanie. I interpret the ABA’s new opinion as requiring lawyers to:
Be reasonably aware of how and where their clients are accessing attorney-client communications. The opinion focused particularly on access in a workplace or using employer-provided devices, but it was not limited to that scenario.
To make a practical risk assessment about whether the circumstances present a significant risk that third parties might access or seek to intercept the communications. For example, if the client is traveling and accessing communications using a hotel business center computer, or if the engagement is a high profile matter or the communication includes especially sensitive content.
To warn the client about the risks and the need to maintain confidentiality, as well as to protect the attorney-client privilege.
To obtain informed consent from the client before using a particular mode of electronic communications that presents a significant risk of access or interception. This would require the lawyer to suggest other, more secure, modes of communication.
ABA Proposed Model Rule 1.6(c) would clarify that a lawyer has an ethical duty to take reasonable measures to protect a client’s confidential information from inadvertent disclosure and unauthorized access. What constitutes “reasonable measures to protect a client’s confidential information” depends on the client’s perception of what measures are reasonable in light of the client’s belief about the sensitivity of the information. It also depends upon the circumstances – and the circumstances are varied and constantly evolving.
Among other changed circumstances, how clients access their email has changed in the 10+ years since the ABA and state bars decided that lawyers can freely use unencrypted email. Email is increasingly stored in the cloud and accessed via mobile devices. The risk of interception has changed in recent years. According to the Attorneys’ Liability Assurance Society (ALAS), which provides malpractice coverage to major U.S. law firms, law firms are being specifically targeted by hackers seeking confidential and proprietary client data. ALAS recently recommended that law firms “encrypt all protected information sent from or stored on any electronic device” in a 2011 ALAS Loss Prevention Journal article titled “Data and Privacy Protection in a Regulated World.”
See part 2 of my series on this topic over at the ZixCorp Insight blog.
[Disclaimer: I represent ZixCorp, the leading provider of email encryption services.]