Are Lawyers Required to Encrypt Email Exchanges with Clients? The ABA’s Latest Guidance
It’s hard to imagine practicing law without email. Whether it’s coordinating lunch with a colleague, exchanging draft proposed orders with opposing counsel, sharing a confidential settlement agreement with a client, or arranging hearing details with the court, email is the lawyer’s ever-present companion and business communication tool.
And yet all of us are aware that – in 2018 – email can be inherently insecure. Targeted “spear-fishing” email attacks continue to inundate our inboxes because, unfortunately, they work despite our best efforts at education and training. All manner of spyware and malware can be delivered through email. And with enough effort, the plain text of entire emails – and their attachments – can be intercepted and reviewed.
So it’s no surprise that the American Bar Association’s Standing Committee on Ethics and Professional Responsibility felt the need to weigh in regarding whether an attorney breaches their duty of confidentiality by using email. They did so for the first time back in 1999 when the Committee issued Formal Opinion 99-413 (available here). At the time, the Committee held that “[l]awyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client’s representation.” Formal Op. 99-413, at 11.
Fast forward some 18 years and the Committee has updated its prior holding by publishing Formal Opinion 477R (available here, with an ABA Section of Litigation article discussing same available here). The updated Opinion recommends that attorneys use a fact-based analysis to determine what constitutes reasonable efforts in protecting client information, including what efforts might be reasonably required to secure email communications. Non-exclusive factors to consider when making a reasonable efforts determination include:
- The sensitivity of the information
- The likelihood of disclosure if additional safeguards are not employed
- The cost of employing additional safeguards
- The difficulty of implementing the safeguards
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Formal Op. 477R, at 4-5.
Many commentators, myself included, believe it is only a matter of time before the ABA recommends – and controlling state bar regulators require – that attorneys at least use encrypted email when communicating or discussing information related to a client’s representation. (See, for example, Ralph Losey and the eDiscovery Team’s excellent commentary, available here.) Law firms wishing to be proactive in their service and protection of clients should begin the dialogue with clients now, involving IT and cybersecurity professionals as appropriate. And clients should likewise be proactive in asking their outside counsel and other advisors about their plans to ensure that email remains a convenient – but secure – way to share attorney-client privileged and work product-protected material.