In May, the American Bar Association (ABA) updated a rule concerning the ethics of email and electronic communications between lawyers and their clients.
There is some concern that the rule may not be entirely workable in the field where attorneys deal with various cases at once.
The ABA’s Standing Committee on Ethics and Professional Responsibility recently issued its opinion, Formal Opinion 477, to address changes in the way communications are handled in the digital world. Formal Opinion 477 updates Formal Opinion 99-413 from 1999. The newest opinion also amends the ABA’s Model Rules of Professional Conduct in relation to an attorney’s duty of technological competence and client communications (Model Rules 1.1 and 1.6, respectively). Avoidance of the new legal landscape when dealing with safe and secure client communications is not an option.
The opinion states, in summary, “A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
One notable change in the new opinion concerns encryption. The opinion goes on to state that in some cases, a lawyer must use a “particularly strong protective measure,” such as encryption, when communicating with clients, a significant change in point of view from 1999, when the ABA indicated unencrypted emails were acceptable. Formerly, the ABA’s reasoning held that lawyers had a reasonable expectation of privacy in all forms of email media.
The recent spate of highly publicized hacks and security breaches worldwide has made it impossible to expect privacy in online communication.
Ever since records have gone primarily digital, the difficulty in determining how to handle them has been a contentious point in many courtrooms. This became clear in 2004 in the landmark case, Zubulake v. UBS Warburg. In it, Judge Shira Scheindlin issued a series of rulings that are some of the most often cited opinions regarding e-discovery issues.
Judge Scheindlin issued five distinct rulings in an attempt to clarify what e-evidence could be discoverable, how the cost of retrieving and converting the records should be shared, and whether or not sanctions could be ordered for not producing electronic evidence. In Zubulake v. UBS, the opinion stated that UBS did not take all necessary steps to guarantee the preservation of relevant data. As a result, sanctions were issued. This helped set a new standard for electronic data storage obligations.
The question then became what basis there is for deciding which electronic information is okay to use and which is not.
U.S. judges are still tweaking the law in this area as it relates to e-discovery, largely because the Federal Rules of Civil Procedure and Federal Rules of Evidence are merely guidelines. It is up to judges to determine whether or not digital evidence is reasonably accessible. Thus, it is not simply a matter of labelling something as e-evidence, since what qualifies as discoverable is tied in some respect to how the attorney of record for a client handles communications with that individual.
As technology grows and develops, attorneys add gadgets to their firms to make their communication more instant and files more accessible. Lawyers and judges are in the position of having to figure out whether the devices being used, and the information sent and received on them, are usable for trial.
The ABA has not set down hard rules and has failed to outline when encryption of communications is required or what other security measures attorneys should take. Instead, it offers guidelines that urge lawyers to use a “fact-based analysis” on a case-by-case basis to determine what they need to use to communicate safely and securely. For some cases, encryption is necessary; for others, standard security measures are sufficient.
The Factors Attorneys Should Consider
Cyber-threats, ransomware, phishing attempts, malware, mobile applications and different e-communications devices have changed the online communication landscape. It is not always reasonable to use unencrypted email.
Here are the guidelines laid out by the ABA on what to consider when sending emails dealing with possibly sensitive legal matters:
- How sensitive is the information being communicated?
- How likely is disclosure if additional safety features to communicate are not used?
- How much would it cost to put additional safety features in place?
- How difficult would it be to implement the safeguards (e.g., encryption, cloud storage)?
- How would the use of such safeguards impair the ability of an attorney to represent clients?
The Seven Considerations
In addition to the questions the ABA laid out for attorneys, seven considerations are provided for lawyers regarding sensitive materials:
- The nature of the potential threat. How sensitive is the data? Does the information deal with highly critical industries such as defense, healthcare, financial matters or trade secrets?
- How the information is sent and where it is stored. The attorney handling sensitive material needs to know where data is held and all avenues that may be used to access it. Being aware of potential data breaches helps manage the risk of unauthorized disclosure of a client’s confidential material.
- Understanding of reasonable security measures. There are a number of ways to breach data, ranging from hacking into a law firm’s system to intercepting it during transmission. An attorney needs to understand the process and use appropriate security, like complex, frequently changing passwords; VPNs; strong firewalls; security patches and anti-virus applications.
- Pin down how e-communications relating to client material should be protected. Determine how to securely transmit sensitive material with the client from the beginning. Highly sensitive material should likely use encryption, with password protection for documents. Alternatively, documents could be stored and exchanged through a third-party cloud-based storage system. Clients should not use work or public computers to reply to attorney emails.
- Appropriately label confidential client information. Marking e-mails as privileged and confidential alerts those who receive an email in error. This may not change the outcome of having sent a sensitive email to the wrong person who chooses to disclose it.
- Train all staff and attorneys in information technology and information security. Attorneys are mandated to supervise law firm staff to ensure ethical rules are followed.
- Perform due diligence when hiring IT communication professionals. Check credentials, references, company hiring practices, security policies, use of confidentiality agreements, availability of legal relief for vendors violating the agreement and the company’s conflict of interest check system.
One troubling question remains in light of these recent changes in the ABA rules: What is the definition of “reasonable efforts” to ensure the security of client information? In most instances, the answer to the question would rest in the circumstances of the case. The difficulty is that not only does technology change frequently, but case circumstances may also change, necessitating a quick change in the way material is communicated to a client.
Ensuring safe, ethical and secure e-communications when needed has become increasingly complex and technical for lawyers. To adequately assess security concerns, experts may be necessary to assist in determining what would work for the law firm and its clients.