The ABA has released Ethics Opinion 477 (May 11, 2017) on encryption of attorney-client email.
Those who do not want any rule requiring email encryption will rejoice if they skip down to the opinion’s conclusion and read:
- “A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
They would be rejoicing prematurely at the absence of the words “email encryption required.” The opinion notes that a hard and fast rule cannot be crafted to apply to all situations, and therefore:
- “A fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances. Model Rule 1.4 may require a lawyer to discuss security safeguards with clients. Under certain circumstances, the lawyer may need to obtain informed consent from the client regarding whether to the use enhanced security measures …”
- “In contrast, for matters of normal or low sensitivity, standard security methods with low to reasonable costs to implement, may be sufficient to meet the reasonable-efforts standard to protect client information from inadvertent and unauthorized disclosure.”
My first reading is that this is along the lines of my suggestion that a text to a client asking “Court starts in 5 minutes. Where are you?” is not a problem even if you are using unencrypted SMS texting, because the low sensitivity of the information, the relative security of texting and the urgency overrule the extremely slight risk. See my article Email Attachments vs. Client Portals.
Among the things that lawyers should understand is how confidential client information is transmitted and stored. The opinion also suggests that every device and access point “should be evaluated for security compliance.” The law firm must have appropriate policies and procedures. They must train staff and supervise them on reasonably secure methods of communications.
Only then can the lawyer make the decision that a particular electronic client communication need not be encrypted.
I have just read this today and may have additional thoughts upon reflection. But there is some language to quibble with:
“In the technological landscape of Opinion 99-413, and due to the reasonable expectations of privacy available to email communications at the time, unencrypted email posed no greater risk of interception or disclosure than other non-electronic forms of communication. This basic premise remains true today for routine communication with clients, presuming the lawyer has implemented basic and reasonably available methods of common electronic security measures. Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication.”
To say that there is no greater risk of email interception and/or disclosure today than there was in 1999 is just nonfactual.
But overall, this opinion sends a clear signal that law firms have to pay attention to security of email and other client communication. Most law firms have already determined that is the correct policy. I still suggest lawyers also read Texas Legal Ethics Opinion 648 in addition to this opinion.