Using unencrypted email in client communications not always enough, ethics opinion indicates
Lawyers must take reasonable efforts to ensure that communications with clients are secure and not subject to inadvertent or unauthorized security breaches, reads a recently released formal ethics opinion from the ABA Standing Committee on Ethics and Professional Responsibility.
Formal Ethics Opinion 477 (PDF) updates Formal Ethics Opinion 99-413, which was issued in 1999 before the widespread use of tablet devices, smartphones, and cloud storage. As the new opinion explains: “Each device and each storage location offer an opportunity for the inadvertent or unauthorized disclosure of information relating to the representation, and thus implicate a lawyer’s ethical duties.”
These ethical duties include competency, confidentiality, and communication. Rule 1.1 of the ABA Model Rules of Professional Conduct covers the duty of competency and includes a technology clause. Comment 8 to the rule says lawyers must stay abreast of “the benefits and risks associated with relevant technology.”
The bulk of the ethics opinion addresses lawyers’ obligations to ensure the confidentiality of client information. Lawyers must use “reasonable efforts” to ensure the security of client information. Citing the ABA Cybersecurity Handbook, the opinion explains that the reasonable efforts standard is a fact-specific inquiry that requires examining the sensitivity of the information, the risk of disclosure without additional precautions, the cost of additional measures, the difficulty of adding more safeguards, and whether additional safeguards adversely impact the lawyer’s ability to represent the client.
The opinion notes that generally lawyers may use unencrypted email when communicating routinely with clients. However, the phenomenon of cyberthreats, particularly in “highly sensitive industries such as industrial designs, mergers and acquisitions of trade secrets and industries like healthcare, banking, defense or education, may present a higher risk of data theft.” Lawyers in these fields may need to take “greater effort” to ensure secure communication.
The opinion offers seven considerations for guidance, including understanding:
1. The nature of the threat.
2. How client confidential info is transmitted and stored.
3. The use of reasonable electronic security measures.
4. How electronic communications should be protected.
5. The need to label client information as privileged and confidential.
6. The need to train lawyers and nonlawyer assistants in technology and cybersecurity.
7. The need to conduct due diligence on vendors who provide technology services.
The opinion also briefly addresses the duty of communication, noting that lawyers should inform clients about the risks inherent in transmitting “highly sensitive confidential client information.”
Updated May 22 to attach revised ethics opinion.