In this legal series, we reviewed the new ABA opinion describing a lawyer's “Duty to Protect the Confidentiality of Email Communications with One's Client” and how email encryption is becoming a legal benchmark for secure client communication. With this foundation in place, let’s move into the factors that lawyers should consider in determining what data security measures are reasonable in the circumstances in order to prevent inadvertent disclosure or interception of client information.
Federal Trade Commission Guidance on Reasonable Data Security
In November 2011, the United States Federal Trade Commission ("FTC") issued the document Protecting Personal Information - A Guide for Business. The FTC cited that guide in its March 2012 report on Protecting Consumer Privacy in an Era of Rapid Change in the section discussing the obligation of businesses to provide "reasonable" data security for consumer information. The guide states: "regular email is not a secure method for sending sensitive data." It directs businesses to "encrypt sensitive information that you send to third parties over public networks (like the Internet)" and to "consider also encrypting email transmissions within your business if they contain personally identifying information." The FTC guidance strongly suggests that lawyers may not be acting reasonably when they send confidential client information via unencrypted email.
Unencrypted Transmission of Electronic Information is Not Universally Permitted
It is common for attorneys to upload documents to cloud file storage without first applying content encryption and to transmit confidential email and attachments “in the clear” without encryption or even password protecting attachments. Many lawyers are under the impression that ethics rules and opinions permit lawyers to use unencrypted email or cloud storage in all circumstances. That is a misconception.
Ethical Duty to Prevent Inadvertent Disclosure and Interception
The ABA Model Rules do not limit an attorney’s ethical obligation to merely warning the client about the risks of using electronic communications. Merely adding a Confidentiality Notice to lawyer emails is not a sufficient measure to protect client information.
ABA Model Rule 1.6 currently requires attorneys to obtain the client’s “informed consent” before exposing client information to interception or unauthorized access. Informed consent is defined by Model Rule 1.0(e) to require an agreement by the client after the lawyer has explained the material risks and reasonable alternative means of communicating. This may require lawyers to recommend to the client reasonable methods to enhance data security and confidentiality.
ABA Model Rule 1.6 also currently includes an affirmative duty to take reasonable steps to prevent disclosure. Although that duty is implicit in the existing version of Model Rule 1.6, it is explicit in the comments to that rule. Comment 17 to Model Rule 1.6 states that when transmitting information related to the representation of a client “the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” Comment 16 to Model Rule 1.6 says that “a lawyer must act competently to safeguard information related to the representation of the client.” The changes in proposed Model Rule 1.6(c), which were described in the first installment of this series, serve only to emphasize these existing duties.
Moreover, Model Rule 1.15 requires an attorney to appropriately safeguard the property of the client – and property includes electronic information. Comment 1 to Model Rule 1.15 says that a lawyer should hold the client’s property with the care required of a professional fiduciary. In other words, lawyers are required to protect client electronic information with the highest level of care. This further emphasizes the need to take reasonable steps to protect a client’s electronically transmitted or stored information from inadvertent disclosure or interception.
Lawyers May Sometimes Use Unencrypted Email
In Formal Opinion 99-413 (Protecting the Confidentiality of Unencrypted Email), the ABA concluded that, in general, a lawyer may transmit information relating to the representation of a client by unencrypted email. ABA Formal Opinion 99-413 also said that particularly strong protective measures are warranted to protect highly sensitive information and that the lawyer should consult with the client and follow the client’s instructions about the mode of transmitting highly sensitive information. Similarly, the consensus among state bar associations is that lawyers may communicate with clients using unencrypted email – but that approval is conditioned by words such as “under ordinary circumstances,” “in most instances” and “generally.”
Factors in Determining the Care Required
The degree of care, and level of data security, should be reasonable in the circumstances. Digital security is not binary. It is not simply “on” or “off.” Additional levels of protection may be warranted in some situations. In the draft of comment 16 to proposed ABA Model Rule 1.6, the ABA Commission on Ethics 20/20 describes five factors to consider in determining the reasonableness of the lawyer’s efforts to affirmatively protect a client's information, in addition to the client's instructions. The State Bar of California, in Formal Opinion 2010-179, listed six factors that attorneys should consider before using a particular technology (such as cloud document storage or unencrypted email) to store or transmit confidential client information. The checklist below includes relevant factors.
- Degree of sensitivity of the information
- Possible client impact from disclosure
- Data breach laws
- Likelihood of disclosure
- Inherent level of security
- Reasonable steps to increase security
- Cost of additional safeguards
- Urgency of the situation
- Legal ramifications of unauthorized interception, access or use
Encrypt When Information is Highly Sensitive
Lawyers should not send highly sensitive client information via unencrypted email or place that information in electronic storage unless the content is encrypted in a manner unique to the lawyer or client. Lawyers should consult with the client about the level of security the client requires for electronic information being stored remotely or transmitted over the internet. It is the client, not the lawyer, who should decide about the sensitivity of the information.
Encrypt When There Is a Heightened Risk of Interception
Similarly, lawyers should not use unencrypted email where there is a particularly high risk that it may be accessed by unauthorized third parties. The New York Bar Association in Opinion 709 (1998) stated that “a lawyer may not transmit client confidences by email where there is a heightened risk of interception.” This includes some of the situations described in ABA Formal Opinion 11-459, such as transmission to a workplace email address or a shared computer. It may also include instances where the client or the lawyer has been the target of hacking attempts or other cyber security incidents.
Encrypt Where It is Legally Directed
Lawyers and law firms are subject to a variety of data protection and privacy laws. The ABA 20/20 Commission declined to address whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with those other laws. It does, however, seem that the potential applicability of those laws to client information would bear on the reasonableness of the lawyer’s decision whether to encrypt email.
Lawyers representing clients who are subject to privacy laws may need to protect information just as the client is required to. If the client is a HIPAA/HITECH covered entity or business associate, for example, the lawyer may also be treated as a business associate with respect to any personal health information, and therefore subject to the privacy and security requirements issued under those laws.
The laws in almost every state require that all businesses – including law firms – take reasonable steps to protect sensitive personal information. Texas Business and Commerce Code section 521.052, for example, requires businesses to “implement and maintain reasonable procedures” to protect sensitive personal information, and it provides a safe harbor from data breach notification requirements if the information was encrypted. Lawyers dealing with information about individuals in Massachusetts or Nevada may be subject to the laws in those states that require personally identifiable information to be encrypted.
The Office of the Privacy Commissioner of Canada recently released A Privacy Handbook for Lawyers titled “PIPEDA and Your Practice.” The handbook notes that client information may be vulnerable in email transmission and recommends that attorneys adopt technological protection measures such as encryption in order to comply with Canada’s Personal Information Protection and Electronic Documents Act.