ABA Issues Major Ruling on Ethics of Email and Electronic Communications

The American Bar Association’s Standing Committee on Ethics and Professional Responsibility has issued a major new opinion providing guidance on the steps lawyers should take to protect client confidentiality in electronic communications.

The new opinion, Formal Opinion 477 (embedded copy below), updates Formal Opinion 99-413, issued in 1999, to reflect changes in the digital landscape as well as 2012 changes to the ABA’s Model Rules of Professional Conduct, particularly the addition of the duty of technology competence in Model Rule 1.1 and changes to Rule 1.6 regarding client confidences.

Most notably, the opinion says that some circumstances warrant lawyers using “particularly strong protective measures” such as encryption. In the 1999 opinion, the committee concluded that unencrypted email was acceptable because lawyers have a reasonable expectation of privacy in all forms of email communications.

In this new opinion, the committee declined to draw a bright line as to when encryption is required or as to the other security measures lawyers should take. Instead, the committee recommended that lawyers undergo a “fact-based analysis” that includes evaluating factors such as:

  • The sensitivity of the information.
  • The likelihood of disclosure if additional safeguards are not employed.
  • The cost of employing additional safeguards.
  • The difficulty of implementing the safeguards.
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent
    clients (e.g., by making a device or important piece of software excessively difficult
    to use).

In some cases that will require encryption, the committee said, while for matters of “normal or low sensitivity,” standard security measures will suffice.

In the technological landscape of Opinion 99-413, and due to the reasonable expectations of privacy available to email communications at the time, unencrypted email posed no greater risk of interception or disclosure than other non-electronic forms of communication. This basic premise remains true today for routine communication with clients, presuming the lawyer has implemented basic and reasonably available methods of common electronic security measures. Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication.

However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email. For example, electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the [above] factors to determine what effort is reasonable.

While the opinion urged lawyers to take reasonable steps to protect client communications, it said that it was beyond its scope to specify the steps for any given set of facts. Instead, the opinion listed seven considerations that should guide lawyers:

1. Understand the Nature of the Threat.

This includes consideration of the sensitivity of a client’s information and whether the client’s matter is a higher risk for cyber intrusion. “Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.”

2. Understand How Client Confidential Information is Transmitted and Where It Is Stored.

A lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information, so that the lawyer can better manage the risk of inadvertent or unauthorized disclosure of client-related information.

3. Understand and Use Reasonable Electronic Security Measures.

Because access to client communications can occur in different forms, ranging from a direct intrusion into a law firm’s systems to theft or interception of information during the transmission process, a lawyer’s reasonable efforts include analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions. Further, a lawyer should understand and use electronic security measures such as VPNs or other secure internet portals, use unique complex passwords that are changed periodically, implement firewalls, use anti-malware/anti-spyware/anti-virus software, and apply all necessary security patches.

4. Determine How Electronic Communications About Client Matters Should Be Protected.

The opinion urges that, at the beginning of the client-lawyer relationship, the lawyer and client should discuss what levels of security will be necessary for client communications. For sensitive communications, a lawyer should use encryption and should consider the use of password protection for any attachments. “Alternatively, lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails.” The opinion further notes that a client’s lack of technological sophistication or lack of available technology “may require alternative non-electronic forms of communication altogether.” Finally, the opinion notes that extra caution is required when a client uses computers subject to the access or control of a third party (such as a work computer).

5. Label Client Confidential Information.

Lawyers should mark privileged and confidential client communications as such in order to alert anyone to whom the communication was inadvertently disclosed that the communication is intended to be privileged and confidential. “This can also consist of something as simple as appending a message or ‘disclaimer’ to client emails, where such a disclaimer is accurate and appropriate for the communication.”

6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security.

Lawyers are ethically obligated to supervise their employees and subordinates to ensure compliance with ethical rules, and that obligation extends to electronic communications, the opinion says. For this reason, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients, as well as on reasonable measures for access to and storage of those communications.

7. Conduct Due Diligence on Vendors Providing Communication Technology.

The opinion reaffirms the principle that lawyers must perform due diligence when selecting an outside vendor. Factors to consider include:

  • Reference checks and vendor credentials.
  • Vendor’s security policies and protocols.
  • Vendor’s hiring practices.
  • The use of confidentiality agreements.
  • Vendor’s conflicts check system to screen for adversity.
  • The availability and accessibility of a legal forum for legal relief for violations of the vendor agreement.

If the lawyer lacks the competence to evaluate the vendor, the lawyer may perform the evaluation by associating with another lawyer or expert, or may educate him or herself.

The opinion also says that, when retaining a nonlawyer from outside the firm, the lawyer has further obligations to ensure that the nonlawyer’s services are provided in a manner that is compatible with the lawyer’s professional obligations.

Duty to Communicate

In addition to the seven factors summarized above, the opinion emphasizes that a lawyer has a duty to communicate with a client about the nature and method of electronic communications.

When the lawyer reasonably believes that highly sensitive confidential client information is being transmitted, so that extra measures to protect the email transmission are warranted, the lawyer should inform the client about the risks involved. The lawyer and client then should decide whether another mode of transmission, such as high-level encryption or personal delivery, is warranted. Similarly, a lawyer should consult with the client as to how to appropriately and safely use technology in their communication, in compliance with other laws that might be applicable to the client.

Changes to Model Rules

The opinion relies heavily on two 2012 changes to the Model Rules. I’ve written frequently here about the duty of technology competence and I’ve been maintaining a tally of the states that have adopted the duty. This opinion expressly refers to that duty as one of the reasons for issuing an update to its 1999 opinion on email communications.

It also references the 2012 change to Rule 1.6 on confidentiality, which added a new duty in paragraph (c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The committee concludes its opinion with this summary:

A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

This is an extremely important opinion that every lawyer should stop and read today.

For your convenience, the opinion is embedded below.

  • Excellent summary of ABA Formal Opinion 477. Thank you.

    Jeffrey A. Franklin, Esq.
    Principal Consultant
    BrightLine Tech Solutions, LLC
    610-314-7130 (o)
    JFranklin@BrightLineTechSolutions.com
    http://www.BrightLineTechSolutions.com

    • Bob Ambrogi

      Thanks Jeffrey.

  • David John O’Connell

    After having experienced major difficulties in attempting to implement encrypted email for client matters, I do not look forward to a second attempt. The market for encryption has not caught up to the need, for one very simple reason: the user cannot enforce compliance by recipients, either to use the necessary protocols to decrypt the mails, or to use the same system to reply. Frequently the addressee simply ignores the incoming encrypted mail, and claims not to have received anything, or deletes it as suspected SPAM. Worse, the addressee, whether client or opposing counsel, simply bypasses the protocols altogether, sending mails with confidential materials included in the clear. I have tried Azure Blue, Hushmail, and a Microsoft Exchange implementation in which a simple addition to the subject line encrypts the mail. Each has its difficulties and advantages, but the problem is how to get the other guy to protect himself or his client by using the simple process that is offered.

    I have been on the other end of this equation, usually in dealing with health care providers’ administration about financial matters, and strangely not with physicians or staff in discussions of my health. Those organizations force use of a clunky third-party service like ZipMail, to which I admit my own resistance. But, as those administrators are impossible to contact by telephone, and will completely ignore you unless you comply with their communication rules, one grinds one’s teeth in the steps to comply.

    Will this become the new seat belt? Intrusive, clunky, for your own good, but still a pain in the butt.

  • Gary Singer

    I have to concur with Mr. O’Connell’s comments below. We have been trying to implement encryption for a couple of years and have hit major resistance from recipients, from people demanding that we just email it “the normal way” to ignoring anything we sent encrypted. We have also dealt with several major law firms that seem to have an automated policy to quarantine and not deliver encrypted emails to their recipients, causing us to get a receipt that the email was delivered but not delivering the emails to the actual recipients within that firm. We have had more than one client threaten to find another law firm that does not make communication “so difficult”. We have tried several major providers with similar results. I won’t even go down the road of trying to get people to use a secure portal! We will keep trying to use encrypted communication since it is the “right” and responsible thing to do, but until recipients start accepting it, it will not get any sort of widespread traction. Personally, I think that the solution is not to make the individual email users use add-on services, but rather for the major email providers to fix the way that email works. If the big technology companies, such as Microsoft, Google, Apple, Comcast, etc., got together and said “This is the new SAFE email standard going forward,” all other providers would quickly jump on the bandwagon. Until something like that happens, the small minority of us that are actually trying to protect our clients’ private information are fighting a losing battle.

    • Bob Ambrogi

      Interesting, but not surprising, that clients and other firms become the obstacles to using encryption. One workaround is to encrypt only the attachment and keep the body of the email generic — something like, “Please review the attached.” I have written before about a service such as Citrix ShareFile that makes it easy to encrypt attachments while leaving the message itself unencrypted.

      The ABA’s opinion seems to suggest that if the client doesn’t want to use encryption and gives you informed consent to communicate without encryption, then you’re OK.
