Standard email is inherently unsecure and, surprisingly, many lawyers are unaware of this disconcerting fact. As each email travels to its intended destination, it traverses an untold number of servers and can be intercepted and viewed by virtually anyone with the proper technological know-how and desire. This is because emails are unencrypted and thus no more than mere postcards, their contents readily viewable by anyone who cares to look. This inherent security flaw in email as it now exists arguably places confidential client data at risk.
The WSJ Law Blog recently acknowledged this troubling reality in a post about the security issues presented by new technologies:
Lawyers sling millions of gigabytes of confidential information daily through cyberspace, conducting much of their business via email or smartphones and other mobile devices that provide ready access to documents. But the new tools also offer tempting targets for hackers, who experts say regard law firms as “soft targets” in their hunt for insider scoops on mergers, patents and other deals, as WSJ detailed in this Monday’s Law Journal.
Now lawyers are being asked to encrypt emails, lock up their smartphones and iPads with bust-proof passwords, and think twice before shooting off a reply to that corporate client who’s traveling in a country where internet communications are routinely monitored.
Of course, concerns regarding new technologies are nothing new; lawyers have always been suspicious of emerging technologies, and rightly so, since we have an obligation to ensure that confidential client information remains just that: confidential. But we also have an obligation to learn about and acclimate to new technologies, including new forms of communicating with clients.
As a profession, we first grappled with the issue of electronic communications in the mid-1990s. Back then, email was a fairly new phenomenon and a number of state bar associations wanted nothing to do with it. For example, ethics committees in both South Carolina (Opinion 94-27 1995)) and Iowa (Iowa Ethics Opinion 96-1 1996) concluded that the use of email by lawyers to communicate with clients breached confidentiality unless precautions were taken to prevent interception or client consent acknowledging the risks of using of email was obtained.
A few years later, in 1999, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility helped to reverse the email backlash trend when it issued ABA Formal Opinion No. 99-413. In this opinion, the Committee concluded that client consent regarding the use of email was unnecessary: “Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers’ greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent.”
The ABA Committee on Ethics and Personal Responsibility wasn’t alone in this conclusion. In fact, ethics committees in multiple jurisdictions have reached the same conclusion, holding that, in most cases, attorneys may use unencrypted e-mail to communicate with clients without violating their ethical obligations to maintain client confidentiality. See, for example, N.Y. State 709 (1998), State of Maine Ethics Opinion #195 (2008), Ohio Ethics Opinion No. 99-2 (April 9, 1999), Hawaii Ethics Opinion No. 40 (April 26, 2001), Utah Ethics Opinion No. 00-01 (March 9, 2000), Florida Ethics Opinion No. 00-4 (July 15, 2000), Delaware Ethics Opinion No. 2001-2 (2001), and Virginia Ethics Opinion No. 1791 (December 22, 2003).
In doing so, these ethics committees gave their blessing to the use of email for communications with clients and implicitly condoned attorneys’ use of unencrypted electronic communications with their clients.
Recently, however, because of the rapidly changing technological landscape and the availability of newfound means to encrypt and protect electronic communications, the issue of an attorney’s obligations to protect confidential attorney/client communications is being revisited.
In fact, the American Bar Association’s Committee on Ethics 20/20 is in the process of tackling this issue. If you’re not familiar with this committee, it was established in 2009 with the goal of performing “a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments.”
As part of its efforts, the Committee has proposed the revision of Model Rule 1.6, which addresses a lawyer’s duty to maintain confidential information, to add the following section to the rule: “(c) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”
The Committee has proposed that the following be added to the comments to this section, in order to further clarify an attorney’s obligations (emphasis added):
Acting Competently to Preserve Confidentiality…
 When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
By setting forth specific factors to consider, including the sensitivity of the data, the Committee is attempting to offer lawyers an elastic standard while at the same time providing guidance in implementing any form of client communication, including email, while still protecting client confidentiality.
But risks of disclosing confidential information and security issues aren’t the only problems with email. Email is already becoming an antiquated, and arguably dysfunctional, form of comunication. As detailed in this recent NYT Bits blog post, between spam, untold numbers of mailing lists and marketing ploys, people are simply inundated with unwanted and unnecessary emails and some believe that this outmoded form of communication is on its last legs:
Last year, Royal Pingdom, which monitors Internet usage,said that in 2010, 107 trillion e-mails were sent. A report this year from the Radicati Group, a market research firm, found that in 2011, there were 3.1 billion active e-mail accounts in the world. The report noted that, on average, corporate employees sent and received 105 e-mails a day.
Sure, some of those e-mails are important. But 105 a day?
All of this has led me to believe that something is terribly wrong with e-mail. What’s more, I don’t believe it can be fixed.
Accordingly, because email is outmoded, inherently unsecure, and there are now more secure forms of electronic communication available, I predict that within two years or so, lawyers in most jurisdictions will choose to, or be required to, communicate and collaborate with clients using encrypted communications. And, the platform of choice will be encrypted communication via cloud computing systems. In fact, switching to secure communication via cloud computing platforms will be one of the keys to putting attorneys’ (and ethics’ committees) minds at ease regarding the risks of communicating via unsecured electronic means.
Many cloud computing platforms, including MyCase, already incorporate some form of encrypted client communication into their platforms, thus providing a ready-made solution to the problem of unencrypted, unsecure email. For many lawyers, this may well be the primary factor that convinces them to accept cloud computing services as a legitimate law practice management alternative to traditional software packages. Of course, I may be wrong. Only time will tell. So, tune in tomorrow and see.