Legal Industry Series, Part 1: Are Lawyers Required to Encrypt Client Email?


Thought Leadership

Legal Industry Series, Part 1: Are Lawyers Required to Encrypt Client Email?

Steve Irons

On August 4, 2011, the ABA issued Formal Opinion 11-459, describing a lawyer's “Duty to Protect the Confidentiality of Email Communications with One's Client.” The Formal Opinion addresses what steps lawyers must take to address the risk that third parties may obtain access to a lawyer's email communications with a client.

Duty to Warn the Client About Email Risks
ABA Formal Opinion 11-495 notes that a lawyer has an obligation to warn the client about the risk of using electronic communications (including email) whenever circumstances present a “significant risk” that a third party may gain access to the content of unencrypted electronic communications. The opinion says that the obligation to warn the client arises, at a minimum, whenever the lawyer reasonably should know that the client is likely to send or receive substantive attorney-client electronic communications (including email) in those circumstances.

The duty to warn arises whenever the attorney should reasonably know from the circumstances that any third party has the ability to access the email communications. That could include, for example, situations in which the attorney should reasonably be aware that the client is using a shared computer (hotel, library, family), is using an unsecured device (e.g., the attorney should be aware that the client’s computer or mobile device is not password protected) or is transmitting data via insecure WiFi.

Email Communications in the Workplace
ABA Formal Opinion 11-495 notes that lawyers should ordinarily assume that an employer’s email policy allows it to access employee email on a workplace device or system. Thus, the duty to warn the client arises as soon as the attorney should reasonably know that the client is likely to communicate electronically (including via email) using a device or system to which the client’s employer may have access. The opinion advises attorneys to address this workplace risk by warning the client to communicate with the lawyer in a manner that protects the confidentiality of the email communications.

A Warning Alone May Not Protect Client Information
Lawyers have an ethical duty to use measures that protect the client’s confidential information. Merely warning the client about the risks of using unencrypted email may not completely fulfill the lawyer’s ethical and legal obligations. It may require the lawyer to recommend to the client methods of ensuring that electronic communications remain confidential.

ABA Formal Opinion 11-459 notes that Rule 1.6 (Confidentiality of Information) of the Model Rules of Professional Conduct requires a lawyer to refrain from revealing “information relating to the representation of a client unless the client gives informed consent.” Informed consent for the use of unencrypted email may require more than a warning that email might be intercepted or accessed by unauthorized persons. It may additionally require that the client be advised about the availability of more secure modes of communication – such as encrypted email.

Earlier this year, however, the ABA Commission on Ethics 20/20 issued proposed changes to Model Rule 1.6, which would add the following wording to the existing model rule:

“A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”

ABA Proposed Model Rule 1.6(c) would, therefore, make explicit that a lawyer has an ethical duty to take reasonable measures to protect a client’s confidential information from inadvertent disclosure and unauthorized access.

[Update 9/9/2011: The ABA Commission on Ethics 20/20 today posted a new version of Proposed Model Rule 1.6 that adds clause 1.6(b)(7) but omits clause (c). It is not clear whether the omission was deliberate. In any case, that duty is explicit in the comments to the current Model Rule 1.6. Comment 17 to Model Rule 1.6 states that when transmitting information related to the representation of a client “the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” Comment 16 to Model Rule 1.6 says that “a lawyer must act competently to safeguard information related to the representation of the client .”] [Update 9/14/2011: The ABA advises that "The Commission has two proposals relating to Rule 1.6 (one is technology related and a revised version of that will be circulated for comment soon). The Commission has, thus far, been circulating proposals categorized by subject matter (e.g. technology and confidentiality, outsourcing, etc.) instead of by Rule."]

See Part 2 of the ZixCorp Legal Industry Series to gain an understanding of changing circumstances and what is becoming the benchmark ethical practice.