Do lawyers have to use encryption when communicating with a client? It depends on the circumstances, the ABA’s Ethics Committee said in a recent opinion.
The committee’s opinion updates the guidance it released back in 1999, when it concluded that, because “lawyers have a reasonable expectation of privacy in communications made by all forms of email… sent on the internet,” the use of unencrypted email was consistent with a lawyer’s duty “to use reasonable means to maintain the confidentiality” of the client’s information (under Rule 1.6).
Electronic information at risk
A lot has changed since 1999. Now, most business communication is electronic, and information is not just transmitted over the internet, but actually stored on the internet—or, at least, stored in a way to make it accessible through the internet. Plus, as the Ethics Committee noted in the updated opinion, “each device and each storage location offer an opportunity for the inadvertent or unauthorized disclosure … and thus implicate a lawyer’s ethical duties.” Hackers and cyber criminals have also become more skilled and have sophisticated tools for intercepting information in transit or breaking into data storage systems.
Law firm cybersecurity
Law firms are especially attractive targets. The information clients share with their lawyer is likely to be sensitive and of high value. The hacker doesn’t have to do the work of culling the valuable data—because the client has already done it. Also, the measures that a typical lawyer takes to protect the information may not be as strong as those taken by the client’s own systems, where the information was created and housed, possibly with particular attention to security.
The Ethics Committee’s newly articulated position on cybersecurity is based on the interplay of various duties under the Model Rules of Professional Conduct (MRPC), such as the duty of competence (Rule 1.1), the duty of confidentiality (Rule 1.6), and the duty to communicate (Rule 1.4). The practical application of these rules has been transformed by technology since they were promulgated. The ABA tried to address that transformation in 2012, when it adopted the “technology amendments”:
- The duty to communicate and respond promptly now applies to the myriad ways that lawyers connect to their clients
- The duty of competency now includes technological competency, including the requirement to stay current on technologies affecting the lawyer’s practice and understanding both the benefits and the risks.
- The duty of confidentiality now requires a lawyer “to take reasonable measures to prevent inadvertent or unauthorized disclosure of information relating to the representation of a client,” taking into account growing cybersecurity concerns.
What “reasonable measures” entails can depend on various factors. The committee declined to mandate particular measures such as “firewalls, passwords, and the like,” recommending, instead, that lawyers put in place a “process” to identify the risks on a “case-by-case” basis and respond with specifically tailored security procedures, taking into account such factors as:
- the level of sensitivity involved
- the likelihood of inadvertent or unauthorized disclosure
- the costs and difficulties of implementing additional safeguards
- whether the safeguards adversely affect the lawyer’s ability to effectively represent the client (by deliberately making some information harder to use)
Law firm cybersecurity guidelines
The opinion pointed to the ABA’s Cybersecurity Handbook (published in 2013) for some general guidelines to consider:
- Understand the threat and the client’s security needs. Some clients and some communications (such as financial or proprietary information) may be of greater risk and may require special security measures.
- Discuss security issues with the client at the start of the engagement and develop a cybersecurity strategy together.
- Certain communications may need to be encrypted and/or password-protected, or, rather than emailed, stored in a secure cloud location that only authorized persons can access after passing extra layers of authentication.
- The lawyer or firm should also have standard policies and procedures to protect their own information and communication systems. This might include standard security measures such as firewalls and anti-malware software. Employees and others who access the system using their own devices should be required to meet the same security standards as firm-issued devices. The committee suggested that “lawyers may consider refusing access to firm systems to devices failing to comply.”
- Train lawyers and nonlawyer assistants in technology and information security.
- Consider labeling client communication as “privileged and confidential” and including disclaimers, as appropriate.
- Thoroughly vet vendors of IT products and services. Check references, credentials, security policies and hiring practices.
The opinion advised that lawyers ensure they have the knowledge and skills necessary to protect client confidences and keep pace with the changing technological landscape. Lawyers who lack the necessary expertise must either educate themselves or associate with another lawyer or expert who has the necessary knowledge and skills, the committee said.