Although bar associations gave lawyers the green light to use email to communicate with clients in the late 1990s, the fact remains that standard email is inherently unsecure. Surprisingly, many lawyers are unaware of this disconcerting fact.
The truth is that most emails are unencrypted and thus are the online equivalent to a postcard written in pencil. As each email travels to its intended destination, it traverses an untold number of servers and can be intercepted and viewed by virtually anyone with the proper technological know-how. This inherent security flaw in email as it now exists arguably places confidential client data at risk.
The legal procession first addressed the issue of email security in the mid-1990s. At the time, email was a fairly new phenomenon and was frowned upon by most bar associations. For example, ethics committees in South Carolina (Opinion 94-27 1995) and Iowa (Iowa Ethics Opinion 96-1 1996) both concluded that the use of email by lawyers to communicate with clients breached confidentiality unless precautions were taken to prevent interception, or client consent was obtained acknowledging the risks of using of email.
The tide turned in 1999 when the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued ABA Formal Opinion No. 99-413, wherein the Committee concluded that client consent regarding the use of email was unnecessary. The Committee explained:
“Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers’ greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent.”
The ABA Committee on Ethics and Personal Responsibility wasn’t alone in this conclusion. In fact, ethics committees in multiple jurisdictions eventually reached the same conclusion, holding that, in most cases, attorneys may use unencrypted email to communicate with clients without violating their ethical obligations to maintain client confidentiality. See, for example, N.Y. State 709 (1998), State of Maine Ethics Opinion #195 (2008), Ohio Ethics Opinion No. 99-2 (April 9, 1999), Hawaii Ethics Opinion No. 40 (April 26, 2001), Utah Ethics Opinion No. 00-01 (March 9, 2000), Florida Ethics Opinion No. 00-4 (July 15, 2000), Delaware Ethics Opinion No. 2001-2 (2001), and Virginia Ethics Opinion No. 1791 (December 22, 2003).
In doing so, these ethics committees gave their blessing to the use of email for communications with clients and implicitly condoned attorneys’ use of unencrypted electronic communications with their clients.
Due to the rapidly changing technological landscape and the availability of newfound means to encrypt and protect electronic communications, the issue of an attorney’s obligations to protect confidential attorney/client communications is being revisited. For example, in 2011 in ABA Formal Opinion 11-459, the Committee concluded that lawyers must warn clients about the risks of sending confidential communications when using email:
“Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.”
The rationale behind this holding is based on the fact that email is inherently unsecure. Fortunately, as will be discussed next month in Part 2 of this series, there are now more secure forms of electronic communication available to lawyers. For example, many law practice management software platforms, including MyCase, already incorporate some form of encrypted client communication into their platforms, thus providing a ready-made solution to the problem of unencrypted, unsecure email.
Tune in next month to learn how communication tools like client portals can help to solve the security and confidentiality problems presented by email.