Part one of our discussion of the evolving ethics rules about lawyers’ use of Cloud services covered Massachusetts State Bar Opinion 12-03 (May 2012). In part two, I’d like to explore steps lawyers should consider in light of the Massachusetts Bar Association Opinion.
Risk of Interception and Reasonable Preventative Measures
The Massachusetts Bar Association acknowledges in Opinion 12-03 that the use of Cloud services involves "a small, but genuine risk of unauthorized access or interception." It cites Opinion 00-1 (1998), which notes that email also carries some risk of interception. Opinion 00-1 asserts, however, that lawyers and clients are entitled to a reasonable expectation of privacy in email based principally on the fact that interception of email is a crime under the federal Electronic Communications Privacy Act. Accordingly, the 1998 opinion concludes that lawyers generally have no duty to protect their email communications against interception. Although the opinion is consistent with others issued around the same time, the reasoning seems more like rationalization. It is like concluding that lawyers need not bother to secure client files in their offices, because Massachusetts criminal law prohibits stealing property in a building. No lawyer would assert that it is reasonable to leave confidential client files lying out in an unlocked office. So why would anyone conclude it is reasonable to leave confidential electronic files unprotected and accessible to third parties?
Cloudy Privacy Expectations
A generalized expectation of privacy in electronic communications may no longer be reasonable. The ABA said in Formal Opinion 11-459 that a lawyer has an obligation to warn the client about the risk of using electronic communications (including email) whenever circumstances present a “significant risk” that a third party may gain access to the content of unencrypted electronic communications. The opinion says the duty to warn arises whenever the attorney should reasonably know from the circumstances that any third party has the ability to access the email communications. Clearly, in those contexts, a lawyer is not entitled to rely on an expectation of privacy. I discussed the ABA opinion at length in an earlier post.
In the employment context, the United States Supreme Court in City of Ontario v. Quon declined in 2010 to conclude that employees are entitled to any expectation of privacy in electronic communications using employer-provided systems. The Court said “rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior” and that “the Court would have difficulty predicting how employees' privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable.”
Particularly Sensitive Data
Opinion 12-03 says that Massachusetts lawyers "should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent to do so." Similarly, the earlier Opinion 00-1 states that “lawyers would be well-advised to refrain from transmitting particularly sensitive confidential information via unencrypted Internet e-mail without first obtaining the client's express consent.”
Neither opinion provides any guidance about what constitutes particularly sensitive information that would prompt the need for express consent from the client. Trade secrets come to mind, as well as information that might embarrass the client, cause it financial harm, result in law enforcement action, etc. Information that is subject to state or federal privacy law is very likely to be considered particularly sensitive. It is likely, however, that clients will assert with 20/20 hindsight in a malpractice action or ethics complaint that leaked information is "particularly sensitive" and was exposed without client consent due to the lawyer’s inadequate data security. Thus, it makes sense for lawyers to be conservative in treating client information as if it were particularly sensitive.
Client Permission and Instructions
The need for advance consent before potentially revealing confidential client information via the Cloud is not a new ethics requirement. Rule 1.6 of the Massachusetts Rules of Professional Conduct prohibits lawyers from revealing confidential information relating to the representation of a client unless the client “consents after consultation.” The rules define "consultation" to mean the communication of information reasonably sufficient to permit the client to appreciate the significance of the matter in question. In other words, the rules require the client’s informed consent before confidential information can be revealed – and regardless of the sensitivity of the information. Similar ethics guidance applies to lawyers in other states.
Lawyers should, therefore, consider describing in engagement letters:
• lawyer’s duty of confidentiality;
• risks of inadvertent disclosure, interception or unauthorized access of electronic information by third parties (some clients or matters may present a heightened risk);
• potential adverse consequences to the client (e.g., loss of attorney-client privilege, loss of trade secret status, exposure to identity theft);
• lawyer’s use of cloud services – including email – to transmit and store information related to the representation of the client;
• a summary of relevant data security practices (e.g., reference to written procedures); and
• that signing the engagement letter constitutes the client’s consent to use cloud services.
Evolving Standard of Care
Lawyers may be required in an ethics investigation, enforcement action, risk assessment or malpractice claim to demonstrate that their data security practices conform to a reasonable standard of care and are not negligent. Lawyers may not be acting reasonably when they send or store unencrypted confidential client information using email or other cloud services. The reasoning of ethics opinions from the 1990s doesn’t reflect how technology is used today. It doesn’t reflect up-to-date data security standards of care. The standard of care has already changed.
The Federal Trade Commission published Protecting Personal Information – A Guide for Business. The guide contains advice for businesses that collect and store personally identifying information, including physical and electronic security. The FTC guide directs businesses to “encrypt sensitive information that you send to third parties over public networks (like the Internet)” and to “consider also encrypting email transmissions within your business if they contain personally identifying information.” The guide notes that “regular email is not a secure method for sending sensitive data.” This guide reflects that the expectation of privacy and standard of care are not what they were in the late 1990s. Today, the expectation of privacy is lower, and the standard of care is higher.
Some lawyers may think that the legal industry may be subject to its own, lower data security standard of care for electronic communications. That does not seem to be true. The American Legal Assurance Society in a 2011 ALAS Loss Prevention Journal article titled “Data and Privacy Protection in a Regulated World” recommends that law firms “encrypt all protected information sent from or stored on any electronic device.” The International Legal Technical Standards Organization proposed in its 2011 Guidelines for Legal Professionals that “whenever client data is transmitted across the Internet, it must be encrypted at every point.”
Make Data Security the Rule, Not an Exception
In a recent article on the media Web site GovInfoSecurity.com, Gartner analyst Anton Chuvakin notes that Cloud service customers tend to focus on the convenience of storing less sensitive information via the Cloud without considering the implications of using the same technology for more sensitive information. The post notes that a potential for disaster exists when critical information is hosted using the same technology. Therefore, it may be better to use the same data security procedures to protect all client information stored or transmitted via the Cloud – as if all of the information were particularly sensitive. That necessitates choosing automated solutions that make those procedures reasonably convenient.
Don’t Expect Privacy – Take Reasonable Steps to Protect It
Rather than simply relying on misplaced expectations of privacy when storing or transmitting client data using Cloud services, Opinion 12-03 requires that lawyers take a practical, proactive approach. The opinion instructs Massachusetts lawyers to use reasonable efforts to ensure that the Cloud service provider's terms, policies, practices and procedures are compatible with the lawyer's ethical obligations. This approach is consistent with the guidance provided by The State Bar of California in Formal Opinion 2010-179 (2010). A California attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that use of technology (such as WiFi or unencrypted email) does not subject confidential client information to an undue risk of unauthorized disclosure. This approach also reflects proposed ABA Model Rule 1.6(c), which would clarify lawyers’ responsibilities to take reasonable steps to protect electronic information related to the representation of a client.
Opinion 12-03 provides lawyers with a non-exclusive list of vendor diligence steps. I described those steps in an earlier post. Diligence of the Cloud vendor is a good first step, but lawyers also should use measures to prevent unauthorized access or interception that are reasonable in the circumstances. In another earlier post, I listed ten considerations that influence whether additional security measures may be warranted.
Steps beyond Vendor Diligence
Massachusetts has one of the most rigorous state privacy laws in the United States. 201 CMR 17.00 mandates a broad set of requirements for the protection of personal information of the state’s residents. Opinion 12-03 said that lawyers’ reasonable efforts “would include” conducting Cloud vendor diligence. That is consistent with the requirement in 201 CMR 17.03 that law firms and other covered entities take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal information consistent with the state’s regulations and federal regulations. That rule also requires that covered entities require third-party service providers by contract to implement and maintain those appropriate security measures. Nevertheless, conducting vendor diligence is not sufficient, by itself, to meet the developing standard of care for information security and assurance. Other steps are typically required of businesses that handle sensitive information. For example:
Written Procedures: Most states require businesses, including law firms, to have reasonable procedures to protect personal information collected in the regular course of business. See, for example, Texas Business and Commerce Code section 521.052. The privacy law in Massachusetts goes much farther. 201 CMR 17.03 requires every person (including a lawyer) that owns or licenses personal information about Massachusetts residents to develop, implement and maintain a comprehensive, written information security program. It also requires those persons to contractually require third-party service providers (including law firms) to implement and maintain appropriate security measures to protect that personal information. Massachusetts lawyers should refer to A Small Business Guide: Formulating A Comprehensive Written Information Security Program and the 201 CMR 17.00 Compliance Checklist.
Training: 201 CMR 17.03 requires that every person (including a lawyer) that owns or licenses personal information about Massachusetts residents conduct ongoing employee (including temporary and contract employee) training in appropriate data security.
Monitoring and Audits: 201 CMR 17.03 requires regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information.
Encryption: In Massachusetts, it is not enough to assert a reasonable expectation of privacy in unencrypted data being transmitted over public networks such as the Internet. Massachusetts lawyers cannot use unencrypted email to transmit protected personal information of a Massachusetts resident. Subsection 17.04(3) requires "[e]ncryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly." The rule applies to all lawyers handling personal information of Massachusetts residents, regardless of whether the lawyer is practicing in Massachusetts. Federal privacy laws, including HIPAA and Gramm-Leach-Bliley, or other states’ long-arm privacy laws, may also apply to lawyers’ files and communications.
Automated Encryption before Transmission
Opinion 00-1 implies that there are some instances (although not "most instances") in which lawyers must encrypt email before it is transmitted. The opinion does not, however, specify when it is appropriate for Massachusetts lawyers to use encrypted email. Similarly, Opinion 12-03 does not address issues such as when or whether lawyers should use client-side encryption before storing particularly sensitive documents with a Cloud vendor, or whether it is reasonable to simply rely on the Cloud vendor's data security.
It is relatively easy and inexpensive to use automated applications, such as BoxCryptor, Cloudfogger, SecretSync or SugarSync, to encrypt files at your desktop before they are transmitted to Cloud storage. You simply save the files in the automated encryption folder on your computer, rather than the normal cloud storage synchronization folder. The local software encrypts the files using your encryption key and then sends the documents to your Cloud storage folder, such as Dropbox. At present, these solutions have limited ability to share encrypted folders or documents with third parties. Cloudfogger says its protected files can be shared with other Cloudfogger users. BoxCryptor and SugarSync enable users to share encrypted folders but not individual documents. Users cannot currently share SecretSync encrypted folders or documents, although the company hinted in May 2012 that it would have news to “share.” Lawyers could use a local file encryption application (e.g., using the Encrypt with Password function in Microsoft Office 2010) and then save the resulting encrypted file to Cloud storage. If you are sharing the files, these solutions require sharing the decryption password with the recipient separately. It can be administratively burdensome to manage different decryption passwords for various clients or matters.
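The encrypt-before-sync flow described above, shown as an added Go example that is not part of this post and is not the code of BoxCryptor, Cloudfogger, SecretSync, SugarSync or any other product named here. It assumes a randomly generated 256-bit key that stays on the lawyer's machine, AES-256-GCM as the cipher, a constructed envelope format tag, and that the document's path relative to the sync folder is bound to the ciphertext as additional authenticated data (so a file renamed or moved in the cloud copy no longer opens under its original name). The sample document and folder names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// envelopeMagic is a constructed format tag for this example, so the opener
// can reject files that were never produced by this tool.
const envelopeMagic = "LAWENC-v1:"

// newKey generates the 256-bit key that stays on the lawyer's machine.
// The cloud provider only ever receives ciphertext produced under it.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealDocument encrypts a document with AES-256-GCM. relPath (the path inside
// the sync folder) is bound as additional authenticated data: a ciphertext
// renamed or moved by whoever holds the cloud copy fails to open.
func sealDocument(key []byte, relPath string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Envelope layout: magic || nonce || ciphertext+tag.
	out := append([]byte(envelopeMagic), nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(relPath)), nil
}

// openDocument reverses sealDocument. Any change to the envelope, the key or
// the path makes GCM's tag check fail, so tampering is reported as an error
// instead of silently yielding garbage.
func openDocument(key []byte, relPath string, envelope []byte) ([]byte, error) {
	if !bytes.HasPrefix(envelope, []byte(envelopeMagic)) {
		return nil, errors.New("not an encrypted envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body := envelope[len(envelopeMagic):]
	if len(body) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ciphertext := body[:gcm.NonceSize()], body[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, []byte(relPath))
}

// protectIntoSyncFolder mimics "save in the encryption folder, the tool writes
// ciphertext to the sync folder": plaintext is read from localDir and only the
// sealed envelope is written under syncDir.
func protectIntoSyncFolder(key []byte, localDir, syncDir, relPath string) error {
	plaintext, err := os.ReadFile(filepath.Join(localDir, relPath))
	if err != nil {
		return err
	}
	envelope, err := sealDocument(key, relPath, plaintext)
	if err != nil {
		return err
	}
	dst := filepath.Join(syncDir, relPath+".enc")
	if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
		return err
	}
	return os.WriteFile(dst, envelope, 0o600)
}

func main() {
	key, _ := newKey()
	local, _ := os.MkdirTemp("", "local")
	sync, _ := os.MkdirTemp("", "sync")
	defer os.RemoveAll(local)
	defer os.RemoveAll(sync)

	// Constructed sample document standing in for a client file.
	rel := filepath.Join("ClientABC", "settlement-draft.txt")
	os.MkdirAll(filepath.Join(local, "ClientABC"), 0o700)
	os.WriteFile(filepath.Join(local, rel), []byte("privileged: settlement terms"), 0o600)

	if err := protectIntoSyncFolder(key, local, sync, rel); err != nil {
		fmt.Println("error:", err)
		return
	}
	cloudCopy, _ := os.ReadFile(filepath.Join(sync, rel+".enc"))
	fmt.Println("plaintext visible to provider:", bytes.Contains(cloudCopy, []byte("privileged")))
	doc, err := openDocument(key, rel, cloudCopy)
	fmt.Printf("decrypted: %q, err=%v\n", doc, err)
}
```

The point of the design is that the vendor holds only the envelope; diligence on the vendor's own security still matters for availability and access control, but a breach of the storage side exposes ciphertext, not client documents. The key never leaves the machine, which is also why sharing is the hard part the paragraph describes: a recipient needs the key delivered by some separate channel, and a key per client or matter multiplies that burden. Random 96-bit nonces are safe for the number of files a practice would encrypt under one key; rotate the key rather than reuse it across a very large archive.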
It is much easier to share confidential information using automated email encryption, like that provided by ZixCorp. Users can simply attach a file to an email and select “send encrypted.” ZixGateway can even be configured to automatically encrypt emails and attachments based on parameters defined by the law firm or customer (e.g., automatically encrypt all email to Client ABC or containing personally identifying information). Inbound messages from ZixCorp customers are automatically decrypted and delivered to the lawyer’s normal email inbox. And ZixCorp handles the encryption key management for more than 32 million email addresses, so lawyers don’t have to deal with sending decryption keys to the recipients. That makes it easy for lawyers to share confidential information securely and satisfy the latest ethics guidance.