ABA Issues Major Ruling on Ethics of Email and Electronic Communications

The American Bar Association’s Standing Committee on Ethics and Professional Responsibility has issued a major new opinion providing guidance on the steps lawyers should take to protect client confidentiality in electronic communications.

The new opinion, Formal Opinion 477 (embedded copy below), updates Formal Opinion 99-413, issued in 1999, to reflect changes in the digital landscape as well as 2012 changes to the ABA’s Model Rules of Professional Conduct, particularly the addition of the duty of technology competence in Model Rule 1.1 and changes to Rule 1.6 regarding client confidences.

Most notably, the opinion says that some circumstances warrant lawyers using “particularly strong protective measures” such as encryption. In the 1999 opinion, the committee concluded that unencrypted email was acceptable because lawyers have a reasonable expectation of privacy in all forms of email communications.

In this new opinion, the committee declined to draw a bright line as to when encryption is required or as to the other security measures lawyers should take. Instead, the committee recommended that lawyers undergo a “fact-based analysis” that includes evaluating factors such as:

  • The sensitivity of the information.
  • The likelihood of disclosure if additional safeguards are not employed.
  • The cost of employing additional safeguards.
  • The difficulty of implementing the safeguards.
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent
    clients (e.g., by making a device or important piece of software excessively difficult
    to use).

In some cases that will require encryption, the committee said, while for matters of “normal or low sensitivity,” standard security measures will suffice.

In the technological landscape of Opinion 99-413, and due to the reasonable expectations of privacy available to email communications at the time, unencrypted email posed no greater risk of interception or disclosure than other non-electronic forms of communication. This basic premise remains true today for routine communication with clients, presuming the lawyer has implemented basic and reasonably available methods of common electronic security measures. Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication.

However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email. For example, electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the [above] factors to determine what effort is reasonable.

While the opinion urged lawyers to take reasonable steps to protect client communications, it said that it was beyond its scope to specify the steps for any given set of facts. Instead, the opinion listed seven considerations that should guide lawyers:

1. Understand the Nature of the Threat.

This includes consideration of the sensitivity of a client’s information and whether the client’s matter is a higher risk for cyber intrusion. “Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.”

2. Understand How Client Confidential Information is Transmitted and Where It Is Stored.

A lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information, so that the lawyer can better manage the risk of inadvertent or unauthorized disclosure of client-related information.

3. Understand and Use Reasonable Electronic Security Measures.

Because access to client communications can occur in different forms, ranging from a direct intrusion into a law firm’s systems to theft or interception of information during the transmission process, a lawyer’s reasonable efforts include analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions. Further, a lawyer should understand and use electronic security measures such as VPNs or other secure internet portals, use unique complex passwords that are changed periodically, implement firewalls, use anti-malware/anti-spyware/anti-virus software, and apply all necessary security patches.

4. Determine How Electronic Communications About Clients Matters Should Be Protected.

The opinion urges that, at the beginning of the client-lawyer relationship, the lawyer and client should discuss what levels of security will be necessary for client communications. For sensitive communications, a lawyer should use encryption and should consider the use of password protection for any attachments. “Alternatively, lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails.” The opinion further notes that a client’s lack of technological sophistication or lack of available technology “may require alternative non-electronic forms of communication altogether.” Finally, the opinion notes that extra caution is required when a client uses computers subject to the access or control of a third party (such as a work computer).

5. Label Client Confidential Information.

Lawyers should mark privileged and confidential client communications as such in order to alert anyone to whom the communication was inadvertently disclosed that the communication is intended to be privileged and confidential. “This can also consist of something as simple as appending a message or “disclaimer” to client emails, where such a disclaimer is accurate and appropriate for the communication.”

6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security.

Lawyers are ethically obligated to supervise their employees and subordinates to ensure compliance with ethical rules, and that obligation extends to electronic communications, the opinion says. For this reason, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients, as well as on reasonable measures for access to and storage of those communications.

7. Conduct Due Diligence on Vendors Providing Communication Technology.

The opinion reaffirms the principle that lawyers must perform due diligence when selecting an outside vendor. Factors to consider include:

  • Reference checks and vendor credentials.
  • Vendor’s security policies and protocols.
  • Vendor’s hiring practices.
  • The use of confidentiality agreements.
  • Vendor’s conflicts check system to screen for adversity.
  • The availability and accessibility of a legal forum for legal relief for violations of the vendor agreement.

If the lawyer lacks the competence to evaluate the vendor, the lawyer may perform the evaluation by associating with another lawyer or expert, or may educate him or herself.

The opinion also says that, when retaining a nonlawyer from outside the firm, the lawyer has further obligations to ensure that the nonlawyer’s services are provided in a manner that is compatible with the lawyer’s professional obligations.

Duty to Communicate

In addition to the seven factors summarized above, the opinion emphasizes that a lawyer has a duty to communicate with a client about the nature and method of electronic communications.

When the lawyer reasonably believes that highly sensitive confidential client information is being transmitted so that extra measures to protect the email transmission are warranted, the lawyer should inform the client about the risks involved. The lawyer and client then should decide whether another mode of transmission, such as high level encryption or personal delivery is warranted. Similarly, a lawyer should consult with the client as to how to appropriately and safely use technology in their communication, in compliance with other laws that might be applicable to the client.

Changes to Model Rules

The opinion relies heavily on two 2012 changes to the Model Rules. I’ve written frequently here about the duty of technology competence and I’ve been maintaining a tally of the states that have adopted the duty. This opinion expressly refers to that duty as one of the reasons for issuing an update to its 1999 opinion on email communications.

It also references the 2012 change to Rule 1.6 on confidentiality, which added a new duty in paragraph (c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The committee concludes its opinion with this summary:

A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

This is an extremely important opinion that every lawyer should stop and read today.

For your convenience, the opinion is embedded below.

Posted in:
Tagged:
Updated:
  • Excellent summary of ABA Formal Opinion 477. Thank you.

    Jeffrey A. Franklin, Esq.
    Principal Consultant
    BrightLine Tech Solutions, LLC
    610-314-7130 (o)
    JFranklin@BrightLineTechSolutions.com
    http://www.BrightLineTechSolutions.com
    Twitter | LinkedIn | Clio

    • Bob Ambrogi

      Thanks Jeffrey.

  • Pingback: Securing Client Communications: ABA Issues New Ethics Opinion on Attorney-Client Email | @ComplexD()

  • David John O’Connell

    After having experienced major difficulties in attempting to implement encrypted email for client matters, I do not look forward to a second attempt. The market for encryption has not caught up to the need, for one very simple reason: the user cannot enforce compliance by recipients, either to use the necessary protocols to decrypt the mails, or to use the same system to reply. Frequently the addressee simply ignores the incoming encrypted mail, and claims not to have received anything, or deletes it as suspected SPAM. Worse, the addressee, either client, opposing counsel, or simply bypasses the protocols altogether, sending mails with confidential materials included in the clear. I have tried Azure Blue, Hushmail, and a Microsoft Exchange implementation in which a simple addition to the subject line encrypts the mail. Each has its difficulties and advantages, but the problem is how to get the other guy to protect himself or his client by using the simple process that is offered.

    I have been on the other end of this equation, usually in dealing with health care providers administration about financial matters, and strangely not with physicians or staff in discussions of my health. Those organizations force use of clunky third-party service like ZipMail, with which I admit my own resistance. But, as those administrators are impossible to contact by telephone, and will completely ignore you unless you comply with their communication rules, one grinds one’s teeth in the steps to comply.

    Will this become the new seat belt? Intrusive, clunky, for your own good, but still a pain in the butt.

  • Gary Singer

    I have to concur with Mr. O’Connell’s comments below. We have been trying to implement encryption for a couple of years and have hit major resistance from recipients, from people demanding that we just email it “the normal way” to ignoring anything we sent encrypted. We have also dealt with several major law firms that seem to have an automated policy to quarantine and not deliver encrypted emails to their recipients, causing us to get a receipt that the email was delivered but not delivering the emails to the actual recipients within that firm. We have had more than one client threaten to find another law firm that does not make communication “so difficult”. We have tried several major providers with similar results. I won’t even go down the road of trying to get people to use a secure portal! We will keep trying to use encrypted communication since it is the “right” and responsible thing to do, but until recipients start accepting it, it will not get any sort of widespread traction. Personally, I think that the solution is not to make the individual email users use add-on services, but rather for the major email providers fix the way that email works. If the big technology companies, such as Microsoft, Google, Apple, Comcast, etc., got together and said “This is the new SAFE email standard going forward” all other providers would quickly jump on the bandwagon. Until something like that happens, the small minority of us that are actually trying to protect our clients private information are fighting a losing battle.

    • Bob Ambrogi

      Interesting, but not surprising, that clients and other firms become the obstacles to using encryption. One workaround is to encrypt only the attachment and keep the body of the email generic — something like, “Please review the attached.” I written before about a service such as Citrix Sharefile that makes it easy to encrypt attachments while leaving the message itself unencrypted.

      The ABA’s opinion seems to suggest that if the client doesn’t want to use encryption and gives you informed consent to communicate without encryption, then you’re OK.

    • Jake Kiser

      Hi Gary,

      Thanks for sharing your perspective. It’s valuable to hear how people are living this out on the ground, as I have the perspective of someone from the cybersecurity industry trying to design solutions for people like you. I may have some good news for you! You rightfully say that companies like Microsoft and other big players need to get on board a standard protocol. This is happening through a group called the FIDO Alliance (http://fidoalliance.org). This standard is quickly becoming more popular — you can currently log into your Gmail, Salesforce, Facebook, and many other places using various means of authentication (USB, Bluetooth, biometrics, etc.)

      Do you think such a standard would still be met with resistance from your clients, if it was more useful across the web, and not just a one-off?

      Thanks,
      Jake

      • Gary Singer

        Jake, that is good news! I think that if the standard was universal, my clients would be fine with it. Most people (mostly) want to do the safe and correct thing, but are confused and frustrated by the difficulty of it all. We all want things bright and shiny and are mad that our cars don’t fly yet. The underlying problem is that we have ALL been promised things that the tech companies have yet to deliver. I love me my tech toys, but my iphone still crashes (not nearly as much as MS Outlook), and in 2017 EVERYONE I know is still worried about cyber-crime. Just like in society, this is really a choice between freedom and security. The underlying problem is that most people’s lawyers are not important enough in their lives to warrant logging into a secure system. And now, even if they were willing to do so, it would probably be a phishing scam anyway…. With some universal security in place, we (the lawyers) would be just a small part of the same solution and so our clients would accept it. For example, if the solution is 2FA and you also needed the same dongle to communicate with your attorney that you needed to check on your prescription with Walgreens and you Amazon order, everyone would be happy to do it.

        • Jake Kiser

          Thanks, Gary. I think your comments are spot on. Universal is a significant reach 🙂 but we hope to get there! At the current moment, the same FIDO dongle could log you into many different websites and applications, but certainly not all. The good news would be that you would not need a different physical key for all the different sites — the same one would do. So as long as you have your car keys with you, you’re all set. I really appreciate your insights into individual behavior — thanks for sharing.

          If you’re interested, we’re rolling out a beta test of this new product. I’d be happy to chat with you and see if you’d like to participate, seeing as you’re interested in the topic. My email is jkiser@gmail.com. (Forum moderates – please feel free to delete / edit this comment if it’s not in good taste with the site to exchange personal emails).

          Thanks!
          Jake

  • Pingback: When It Comes To Cybersecurity, Solos Need Best Practices, Not Ethics – SideExit()

  • Pingback: When It Comes To Cybersecurity, Solos Need Best Practices, Not Ethics | ATL Small Firm Center / presented by Smokeball()

  • Pingback: Three Considerations for Attorneys after Major ABA Ethics Ruling - This Business of Law()

  • Blake Duncan

    In this day in age, privacy is a thing of the past. Different forms of electronic communication have led to many different circumstances involving exploitation. I’m currently enrolled in an ethics and communication course at Drury University and we’re learning the fundamentals of this type of ethical and unethical behavior. Social media has led to many problems over the previous years and as technology advances, the privacy and safety of each individual is diminishing. I really like how the article goes into detail about certain evaluation factors to consider when dealing with electronic communication problems. The authors of Ethics in Human Communication (2008) state that “the ethical demand of veracity, or truthfulness, is crucial. Through communication we not only transmit established knowledge, but we also create or construct knowledge” (Johannesen pg. 44). As the article states, electronic communication through certain mobile applications or via unsecured networks may lack the basic expectation of privacy afforded to email communications. This is so important to consider when lawyers are working on their specific cases. Hillary Clinton is a good example of what happens when you don’t constantly analyze your email records or protect your online communication. Once it’s out there in the enormous network of online messages, there’s really no taking it back. People need to be more cautious and smart when it comes to what they’re saying through electronic communication platforms, whether it’s lawyers, presidents, etc. “Hiding the truth, falsifying evidence, or using faulty reasoning are among the tactics condemned as unethical” (Johannesen pg. 44).
    Blake Duncan
    Drury University
    Johannesen, R. L., Valde, K. S., & Whedbee, K. E. (2008). Ethics in human communication (6th ed.). Long Grove, IL: Waveland Press.