In Part 1 of this series, we discussed recently issued American Bar Association (ABA) Formal Opinion 11-459, describing a lawyer's “Duty to Protect the Confidentiality of Email Communications with One's Client.” We examined ethical guidelines about steps lawyers must take to address the risk that third parties may obtain access to attorney-client email communications. We concluded by noting that ABA Proposed Model Rule 1.6(c) would clarify that a lawyer has an ethical duty to take reasonable measures to protect a client’s confidential information from inadvertent disclosure and unauthorized access.
Ethical Standards in a Changing Environment
What constitutes “reasonable measures to protect a client’s confidential information” depends on the client’s perception of what measures are reasonable in light of the client’s belief about the sensitivity of the information. It also depends upon the circumstances – and the circumstances are varied and constantly evolving. Email-related technology is changing, how clients use the technology is changing, the ethical rules are changing and the risk of interception of email or access to stored email is changing. Lawyers should not assume they can keep sending unencrypted email as they’ve done for decades.
In Opinion 709 (1998), the New York State Bar Association pointed out that “[a] lawyer who uses internet email must also stay abreast of this evolving technology to assess any changes in the likelihood of interception as well as the availability of improved technologies that may reduce such risks at reasonable cost.” Similarly, Comment 6 to ABA Proposed Model Rule 1.1 says that “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology.”
Email: In the Cloud and Everywhere
Current and proposed Model Rule 1.6 apply to, among other things, confidential client data in the cloud. Lawyers are increasingly focused on ensuring the security of client data stored in the cloud. What many lawyers fail to recognize is that internet-based email is data that is transmitted and stored in the cloud. Cloud-based email presents risks that are different from, and additional to, those of other cloud data services. With internet email, the lawyer does not control the locations of the multiple servers through which the data might be routed, whether and for how long the data is stored on those servers, the ability of third parties to access the data, or the terms and conditions of all of the relevant email service participants. In other words, there is a heightened risk that data in unencrypted email could be intercepted and accessed by third parties.
Increasing Risks of Unsecured Internet Email
Many lawyers believe they can rely on HTTPS browser sessions for secure transmission of client email over the web. That protocol relies on the validity of SSL certificates, which vouch for the identity of the email Web site. An HTTPS session creates an encrypted “pipeline” or “channel” between the user’s computer and the Webmail server, and nothing more: it protects only that one hop, only while the data is moving, and only as long as the certificate is genuine. The problem is that HTTP sessions carry the message in the clear, and HTTPS sessions can be intercepted whenever that certificate trust is subverted.
Courts in the Netherlands recently advised lawyers to stop using email. In July 2011, a hacker infiltrated DigiNotar, the digital certificate authority used by the Dutch government, and issued false SSL certificates. That allowed the hacker to imitate the official government Web sites. According to the Wall Street Journal, Dutch lawyers were urged in September to use fax machines and old-fashioned paper mail instead of email. One lawyer described the situation as “an administrative nightmare.” In April 2010, a huge amount of Internet traffic was diverted by hackers traced to China. Diverted email messages could easily have been copied and methodically searched. According to the Attorneys’ Liability Assurance Society (ALAS), law firms are being specifically targeted by hackers.
How Email Encryption Better Protects Information
Content encryption is different from channel encryption. It does not rely on the validity of SSL certificates, unlike an HTTPS connection, and it stays with the message wherever the message is routed or stored rather than ending at the first server. Encrypting email secures the message and its attachments even if they are intercepted. Content encryption makes the contents, both the message text and attachments, indecipherable to anyone other than the addressee. Encryption uses a mathematical algorithm and a key to convert the original email content into an information package that cannot be read until the addressee unlocks the message with a key that only the addressee holds.
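To make the difference concrete, here is an added example (not code from the original article or from ZixCorp) of content encryption in Go's standard library: the message is sealed under a fresh AES-256-GCM key, and that key is wrapped to the addressee's RSA public key, so a copy taken from any server along the way is opaque and cannot be searched, and only the addressee's private key opens it. The RSA key pair generated in `main`, the hybrid AES-GCM/RSA-OAEP construction, and the sample message are all assumptions for illustration; the body and attachment are assumed to be already serialized into one byte string.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is all a relaying or storing mail server holds: opaque bytes, nothing to read or search.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: callers always pass a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// Seal is content encryption: the message is encrypted under a fresh AES-256-GCM key, and that key
// is wrapped to the addressee's RSA public key with OAEP. No TLS channel or certificate is involved.
func Seal(pub *rsa.PublicKey, message []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh content key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcmFor(key).Seal(nil, nonce, message, nil)}, nil
}

// Open recovers the message for the addressee only; any other private key, or any envelope
// altered in transit, yields an error rather than plaintext because GCM authenticates the data.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("envelope was not sealed to this key")
	}
	return gcmFor(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	addressee, _ := rsa.GenerateKey(rand.Reader, 2048) // assumed: stands in for the client's real key pair
	env, _ := Seal(&addressee.PublicKey, []byte("Privileged: our settlement floor is $2.4M")) // constructed sample
	plain, err := Open(addressee, env)
	fmt.Printf("in transit: %x...\nat addressee: %s (err=%v)\n", env.Ciphertext[:8], plain, err)
}
```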
Email Encryption as a Benchmark Ethical Practice
ALAS recently recommended that law firms “encrypt all protected information sent from or stored on any electronic device” in a 2011 ALAS Loss Prevention Journal article titled “Data and Privacy Protection in a Regulated World.”
The International Legal Technical Standards Organization proposed in its 2011 Guidelines for Legal Professionals that “whenever client data is transmitted across the Internet, it must be encrypted at every point.”
The State Bar of California, in Formal Opinion 2010-179, said that “encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”
The Office of the Privacy Commissioner of Canada recently released a privacy handbook for lawyers titled “PIPEDA and Your Practice.” The handbook notes that client information may be vulnerable in email transmission and recommends that attorneys adopt technological protection measures such as encryption in order to comply with Canada’s Personal Information Protection and Electronic Documents Act.
The Law Society of England and Wales in its November 2005 Email Guidelines for Solicitors recommended that law firms adopt systems that “automatically encrypt all outgoing e-mail to those offering similar facilities.” The guidelines note that “most unencrypted e-mail is vulnerable to unauthorized access and alteration as it passes over the Internet.” The Law Society recommended that “firms should not include confidential information in non-encrypted email without the informed consent of clients.” The Law Society also advised solicitors to ensure that their individual clients fully appreciate all of the risks inherent in using non-encrypted email.
Lawyers and law firms also are subject to a variety of data protection and privacy laws. The ABA 20/20 Commission declined to address whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with those other laws. It does, however, seem that the potential applicability of those laws to client information would bear on the reasonableness of the lawyer’s decision whether to encrypt email.
Email Encryption is Simple and Inexpensive
Email encryption is inexpensive “insurance” for a privacy data breach or a malpractice claim arising from disclosure of unencrypted client data. Today, encrypted email can be simple to install, maintain and use. A monthly expense of $12 or less per user for email encryption does not present an unreasonable cost barrier to adoption, regardless of the sensitivity of the data or likelihood of its disclosure. In fact, at that price, it would be difficult for attorneys to justify not implementing automated email encryption for all substantive client communication.
Read Part 3 of the ZixCorp Legal Industry Series to learn the factors that lawyers should consider in assessing the reasonableness of their efforts to protect client information and the circumstances in which lawyers should use email encryption.