On May 11 of this year, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, “Securing Communication of Protected Client Information.” The Opinion revisits attorneys’ duty to use encryption and other safeguards to protect e-mail and electronic communications in light of evolving threats, developing technology, and available safeguards. It suggests a fact-based analysis and concludes “the use of un-encrypted routine email generally remains an acceptable method of lawyer-client communication,” but “particularly strong protective measures, like encryption, are warranted in some circumstances.” It has now reached the point where all attorneys should generally understand encryption and have encryption available for use in appropriate circumstances.
Background
E-mail and electronic communications have become everyday communications forms for attorneys. They are fast, convenient, and inexpensive, but also present serious risks, particularly in the area of confidentiality. It is important for attorneys to understand and address these risks.
ABA Formal Opinion No. 99-413, “Protecting the Confidentiality of Un-encrypted E-Mail” (March 10, 1999) concluded that attorneys are not generally required to employ “special security measures,” like encryption, to protect e-mail. Its conclusions included “based upon current technology and law as we are informed of it …a lawyer sending confidential client information by un-encrypted e-mail does not violate Model Rule 1.6(a)…” and “…this opinion does not, however, diminish a lawyer’s obligation to consider with her client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive matters.”
Several state ethics opinions in the same time-frame also concluded that special security measures, like encryption, are not generally required for confidential attorney e-mail. Like the ABA opinion, they included exceptions to the general rule for more sensitive information.
The Ethics 2000 Amendments
The Ethics 2000 revisions to the ABA Model Rules, over 15 years ago, added Comment 17 [now 19] to Model Rule 1.6. This comment requires reasonable precautions to safeguard confidential information during electronic transmission. As later amended in accordance with the Ethics 20/20 recommendations (underlined), it provides:
[19] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
This Comment requires attorneys to take “reasonable precautions” to protect the confidentiality of electronic communications. Its language about “special security measures” has often been viewed by attorneys as providing that attorneys never need to use encryption. While it does state that “special security measures” are not generally required, it contains qualifications and notes that “special circumstances” may warrant “special precautions.” It includes the important qualification – “if the method of communication affords a reasonable expectation of privacy.” There are, however, questions about whether today’s Internet e-mail affords a reasonable expectation of privacy.
A Reasonable Expectation of Privacy?
Respected security professionals for years have compared un-encrypted e-mail to postcards or postcards written in pencil. A June 2014 post by Google on the Google Official Blog and a July 2014 New York Times article use the same analogy – comparing the security of un-encrypted e-mails to postcards.
The Ethics 20/20 Amendments
The ABA Commission on Ethics 20/20 conducted a review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments. One of its core areas of focus was technology and confidentiality. Its Revised Draft Resolutions in this area were adopted by the ABA at its Annual Meeting in August of 2012.
The 2012 amendments include the addition of the following underlined language to the Comment to Model Rule 1.1 Competence:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…
As of March 2017, 27 states have adopted the new comment to Model Rule 1.1, some with variations from the ABA language.
The Ethics 20/20 amendments also added the following new subsection (underlined) to Model Rule 1.6 Confidentiality of Information:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
This requirement covers two areas – inadvertent disclosure and unauthorized access. Inadvertent disclosure includes threats like leaving a briefcase, laptop, or smartphone in a taxi or restaurant, sending a confidential e-mail to the wrong recipient, producing privileged documents or data in litigation, or exposing confidential metadata. Unauthorized access includes threats like hackers, criminals, malware, and insider threats.
The amendments also revised Comment [18] to this rule to provide more detail on what are “reasonable efforts,” including a risk-based analysis.
Later Ethics Opinions
Consistent with the questions raised by security experts about the security of un-encrypted e-mail, some later ethics opinions (postdating the 1999 ABA opinion) express a stronger view that encryption may be required. For example, New Jersey Opinion 701 (April 2006) notes at the end: “where a document is transmitted to [the attorney] … by email over the Internet, the lawyer should password a confidential document (as is now possible in all common electronic formats, including PDF), since it is not possible to secure the Internet itself against third party access.” This opinion actually called for encryption, because file password protection in some software, like current versions of Microsoft Office, Adobe Acrobat, and WinZip, uses encryption to protect the file. This was over ten years ago. (It is often easier to use than encryption of e-mail and attachments. However, the protection can be limited by the use of weak passwords that are easy to break or “crack.”)
California Formal Opinion No. 2010-179 notes that “encrypting email may be a reasonable step for an attorney in an effort to ensure the confidentiality of such communications remain so when circumstances call for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”
A Pennsylvania ethics opinion on cloud computing concludes that “attorneys may use email but must, under appropriate circumstances, take additional precautions to assure client confidentiality.” It discusses encryption as an additional precaution that may be required when using services like web mail. Pennsylvania Formal Opinion 2011-200.
Texas Ethics Opinion 648 (2015) takes the same approach:
In general, considering the present state of technology and email usage, a lawyer may communicate confidential information by email. In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication.
Summarizing these more recent opinions, a July 2015 ABA article notes:
The potential for unauthorized receipt of electronic data has caused some experts to revisit the topic and issue [ethics] opinions suggesting that in some circumstances, encryption or other safeguards for certain email communications may be required.
Formal Opinion 477
The new ABA Opinion is consistent with these newer opinions and the article, concluding that special security measures may sometimes be required. The Opinion concludes:
Rule 1.1 requires a lawyer to provide competent representation to a client. Comment [8] to Rule 1.1 advises lawyers that to maintain the requisite knowledge and skill for competent representation, a lawyer should keep abreast of the benefits and risks associated with relevant technology. Rule 1.6(c) requires a lawyer to make “reasonable efforts” to prevent the inadvertent or unauthorized disclosure of or access to information relating to the representation.
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
The Opinion lists seven factors for the fact-based consideration of necessary safeguards:
- Understand the Nature of the Threat.
- Understand How Client Confidential Information is Transmitted and Where It Is Stored.
- Understand and Use Reasonable Electronic Security Measures.
- Determine How Electronic Communications About Clients Matters Should Be Protected.
- Label Client Confidential Information.
- Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
- Conduct Due Diligence on Vendors Providing Communication Technology.
It references the Ethics 20/20 amendments to Comment 18 to Rule 1.6, which lists the following factors for determining competent and reasonable efforts:
Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
The Opinion includes observations that:
- “What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”
- “A fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.”
- “Thus, the use of un-encrypted routine email generally remains an acceptable method of lawyer-client communication.”
- “However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email.”
- “Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the Comment [18] factors to determine what effort is reasonable.”
Options for Encryption
As noted in Opinion 477, Comment 18 to ABA Model Rule 1.6 provides for a risk-based analysis to determine reasonable safeguards, including availability of safeguards, their cost, difficulty of implementation, and effect on usability of the technology. There are multiple options available today for protection of electronic communications, which are inexpensive, easy to implement and easy to use. While some attorneys will need assistance in selecting and setting up encryption, it is then generally easy – either automatic or point and click.
There are multiple secure e-mail service providers that offer inexpensive and easy-to-use options. Examples include AppRiver, Citrix ShareFile, DataMotion, HP SecureMail, Mimecast, Proton Mail and ZixCorp. Google G Suite (GAME encryption) and Microsoft Office 365 also offer optional e-mail encryption.
Another option is Transport Layer Security (TLS) that provides encryption from e-mail gateway to e-mail gateway. For example, if a law firm and client both have e-mail servers that support TLS encryption, all traffic between them will be encrypted after they are set up. It protects traffic between the servers (e.g., over the Internet), but may not protect traffic within the sender’s and recipient’s networks. Protection can also be lost if e-mails are copied to or forwarded to recipients in systems that do not support TLS.
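As an added illustration of the gateway-to-gateway limitation described above (this is example code written for this discussion, not code from the article or from any product it names), the following Python script reads the Received: headers of a delivered message and reports which hops were carried over TLS and which in the clear. It assumes the Postfix/Sendmail Received: header conventions (an ESMTPS protocol token for a TLS hop, ESMTP for a clear-text hop, and a “using TLSv1.x with cipher …” note on TLS hops), and the sample message, host names and addresses are constructed placeholders.

```python
"""Audit the Received: chain of an e-mail message for TLS-protected hops.

Added example, not code from the article or from any product it names.
Assumptions: the Postfix/Sendmail style of Received: header, where the
protocol token ESMTPS (or ESMTPSA) marks a hop that arrived over TLS and a
plain ESMTP/SMTP token marks a clear-text hop; TLS hops are also assumed to
carry a "(using TLSv1.x with cipher ...)" note.  Host names and addresses in
the sample are constructed placeholders.
"""
import re
from email import message_from_string
from typing import Dict, List

# Constructed sample: an internal hop inside the client's network in the
# clear, then the Internet hop to the law firm's gateway over TLS.
SAMPLE_MESSAGE = """\
Received: from mail.client.example (mail.client.example [198.51.100.7])
 by mx.lawfirm.example (Postfix) with ESMTPS id 4AB12CD
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 for <partner@lawfirm.example>; Mon, 15 May 2017 10:02:11 -0400
Received: from workstation.client.example (workstation.client.example [10.0.0.5])
 by mail.client.example (Postfix) with ESMTP id 98F7E6D
 for <partner@lawfirm.example>; Mon, 15 May 2017 10:02:09 -0400
From: counsel@client.example
To: partner@lawfirm.example
Subject: Draft settlement terms

Body omitted.
"""

# "from <host> ... by <host> ... with <protocol>"
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.IGNORECASE)
TLS_RE = re.compile(r"using\s+(TLSv[\d.]+)\s+with\s+cipher\s+(\S+)", re.IGNORECASE)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "SMTPS"}


def parse_hops(raw_message: str) -> List[Dict]:
    """Return one record per Received: header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received: line, so the list is newest-first.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold the header
        match = HOP_RE.search(flat)
        if not match:
            continue                             # unparseable header: skip it
        sender, receiver, protocol = match.groups()
        protocol = protocol.strip(";,").upper()
        tls = TLS_RE.search(flat)
        hops.append({
            "from": sender,
            "by": receiver,
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS or tls is not None,
            "tls_version": tls.group(1) if tls else None,
            "cipher": tls.group(2) if tls else None,
        })
    return hops


def audit(raw_message: str) -> Dict:
    """Summarise which hops were protected by TLS and which were not."""
    hops = parse_hops(raw_message)
    clear = [(h["from"], h["by"]) for h in hops if not h["tls"]]
    return {
        "hops": len(hops),
        "cleartext": clear,
        "all_tls": bool(hops) and not clear,
    }


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = f"TLS {hop['tls_version']} ({hop['cipher']})" if hop["tls"] else "CLEAR TEXT"
        print(f"{hop['from']} -> {hop['by']}: {hop['protocol']} {status}")
    print(audit(SAMPLE_MESSAGE))
```

Run against the sample, the Internet hop from the client's gateway to the firm's gateway shows as TLS-protected while the hop from the client's workstation to its own mail server shows as clear text, which is exactly the gap the paragraph describes. The same check applied to a message that was later forwarded through a relay without TLS would flag that hop too.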
As discussed above, file password protection in some software, like current versions of Microsoft Office, Adobe Acrobat, and WinZip, uses encryption to protect the file. It is often easier to use than full encryption of e-mail and attachments. However, the protection can be limited by the use of weak passwords that are easy to break or “crack.” The confidential information can be included in a password-protected (encrypted) attachment rather than in the body of the e-mail. The password should be transmitted securely to the recipient (e.g., in a phone call or text message) and certainly not in the same e-mail as the attachment.
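Because a password-protected attachment is only as strong as its password, a firm can screen the password before the file is sent. The following Python script is an added example written for this discussion, not code from the article or from Microsoft Office, Adobe Acrobat or WinZip: it rejects weak attachment passwords and generates a strong one with a cryptographically secure random source. The common-password list is a constructed stand-in for a real breach-derived list, and the 12-character and 60-bit thresholds and the 10^10 guesses-per-second rate are assumed figures for illustration.

```python
"""Check and generate passwords for password-protected (encrypted) attachments.

Added example, not code from the article or from Microsoft Office, Adobe
Acrobat or WinZip.  The entropy estimate assumes the password was drawn
uniformly from the character classes it uses, which is an upper bound for
human-chosen passwords; the guess rate used for the crack-time estimate is
an assumed figure, not a measurement of any product.  The common-password
list is a constructed stand-in for a real breach-derived list.
"""
import math
import secrets
import string
from typing import List

COMMON_PASSWORDS = {"password", "123456", "letmein", "welcome1", "qwerty", "lawfirm2017"}
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]


def used_classes(password: str) -> List[str]:
    """Character classes that appear in the password."""
    return [cls for cls in CLASSES if any(c in cls for c in password)]


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(size of the combined character set)."""
    size = sum(len(cls) for cls in used_classes(password))
    return len(password) * math.log2(size) if size else 0.0


def expected_crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to guess the password at the assumed offline guess rate
    (on average half the key space must be searched)."""
    return 2 ** (entropy_bits(password) - 1) / guesses_per_second


def check_attachment_password(password: str, min_len: int = 12, min_bits: int = 60) -> List[str]:
    """Return the reasons the password is unacceptable (empty list means acceptable)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(used_classes(password)) < 3:
        problems.append("uses fewer than three character classes")
    if entropy_bits(password) < min_bits:
        problems.append(f"estimated entropy below {min_bits} bits")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_attachment_password(password)


def generate_password(length: int = 16) -> str:
    """Random password with at least one character from every class, from a CSPRNG."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "correct-horse-battery-Staple-42", generate_password()]:
        verdict = check_attachment_password(candidate) or ["acceptable"]
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"~{expected_crack_seconds(candidate):.3g} s at 1e10 guesses/s -> {'; '.join(verdict)}")
```

The generated password is what should be set on the attachment and then read to the recipient over the phone or sent by text message, never in the e-mail that carries the file. The crack-time figure is deliberately pessimistic (it assumes an attacker with the encrypted file and a fast offline guessing rig) because that is the scenario password-protected attachments must withstand.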
For additional information on encryption options, see Encryption Made Simple for Lawyers (American Bar Association 2015) and the Law Practice Division resources (Law Practice magazine, Law Technology Today, Law Practice Today, webinars, and the Legal Technology Resource Center).
The Electronic Information Privacy Center maintains a website with information on encryption and other tools to protect privacy. It includes encryption options for e-mail and messaging.
Conclusion
The new Opinion reflects an evolution of attorneys’ duty to safeguard electronic communications in light of evolving threats, developing technology, and available safeguards. In addition to complying with any applicable contractual and legal requirements, the most prudent approach to protecting confidentiality is to have an express understanding with clients (preferably in an engagement letter or other writing) about the nature of communications that will be (and will not be) sent electronically and whether or not encryption and other security measures will be utilized. It has now reached the point where all attorneys should generally understand encryption and have encryption available for use in appropriate circumstances.