The ABA Standing Committee on Ethics and Prof. Responsibility has published a new ethics opinion, Formal Opinion 11-459 “Duty to Protect the Confidentiality of E-mail Communications with One’s Client”. I didn’t see this one coming, but I think it’s a move in the right direction.
The situation described in the opinion relates to when an attorney has reason to believe that his or her client is sending the attorney or anyone else confidential information via email and the client’s employer has keystroke logging on their system or some other way of monitoring the employee’s activities where there is a risk that the employer could access that confidential information.
However, the opinion is worded broadly and might expand to more than just email and to more than just these workplace situations. Check out the last paragraph of the opinion:
As noted at the outset, the employment scenario is not the only one in which attorney-client electronic communications may be accessed by third parties. A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary. Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client. (emphasis added)
So this is going to extend beyond the risk that a client’s employer has keystroke logging on the system or is reading their email. “Any third party” gaining access could be anything from using an unencrypted cloud-based app to a risk of clicking on a link in a SM application that puts malware on their system, whether it’s on the work computer, laptop or other mobile device.
Then there is the footnote to the opinion that provides that if the attorney finds out that the client is receiving their personal email on a workplace machine they need to caution them against it and if the client does not stop, the attorney should discontinue emailing them at both the personal and any other email address.
Here are my thoughts. I don’t think this opinion requires us to investigate our clients’ tech savvy or their own computer set-up before communicating with them. Obviously I can’t hop over to my client’s workplace or home and make sure they are minimizing the risks from their end. Think about the use of mobile devices by employees that end up being used for both personal and business matters simply because no one wants to carry around two devices.
However, it is within our control to initiate the digital communication with the client by using a method that does protect them more regardless of their situation. Instead of inviting clients to use unencrypted email to send communications about their legal matter, use encrypted email or a system that requires you both to log into a secure, encrypted area to communicate. (If you haven’t already, check out the ILTSO legal tech standards which strongly recommend more secure use of technology such as this.) By my interpretation of this opinion, doing so would meet the reasonable care standard as well as minimize the risk for both the attorney and the clients.
In addition to inviting clients to communicate using more secure methods, the attorney might simply add a line or two in their engagement agreement about the use of technology to communicate, regardless of the technology they use, and how there is some risk of third-party access in almost any method of communication whether it’s snail mail or a cloud-based solution. Educating clients on the safest use of technology to communicate with their attorneys is not a bad best practice, and frankly, I don’t think it takes that much effort on the attorney’s part to do this.
And again, if we are initiating the communication, we should choose the most secure method based on the current technology available to us. We pay thousands a year for malpractice insurance; we can add less than $50/month for safer communications to our list of things we have to have to fulfill our professional responsibilities.
What I really hope doesn’t happen as a result of this opinion: more pointless, unread disclaimer messages tacked on to the end of attorney emails. Come on. Your clients wouldn’t read it and even if they did they wouldn’t know how to react. You just emailed them. They’re going to respond to your initiation of using unencrypted email to communicate. In the time it would take you to add that to your email, you could have put it in your engagement agreement or posted it on your website and invested a minimal amount in an encrypted form of protecting your clients’ confidential information.
Is this opinion a move in the direction of the ABA saying that unencrypted emails can no longer be viewed as fulfilling the duty to protect clients’ confidential information under Rule 1.6(a)? For years I’ve gotten tons of push-back from attorneys about how email is totally safe and here to stay and how their clients wouldn’t/couldn’t possibly use anything else. I still think the tide is turning, however slowly, toward more secure systems for legal transactions, and this opinion and how it questions the “reasonable care” standard in the use of unencrypted email is a big nudge forward.