The ABA Standing Committee on Ethics and Professional Responsibility has issued an opinion providing guidance for securing electronic communication of protected client information. ABA Formal Opinion 477R, "Securing Communication of Protected Client Information," cautions practitioners to undertake reasonable efforts to prevent inadvertent or unauthorized access to information. In some circumstances, attorneys may be required to implement special security measures like encryption.
Reassessing Communication Standards
Formal Opinion 477R updates Formal Opinion 99-413, "Protecting the Confidentiality of Unencrypted E-Mail," and is based on Model Rules of Professional Conduct 1.1 and 1.6. Model Rule 1.6 mandates that, with limited exceptions, a "lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent" or "the disclosure is impliedly authorized in order to carry out the representation." When a lawyer transmits a communication that includes protected information, "the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients." Model Rule 1.1 similarly requires an attorney to keep abreast of the benefits and risks associated with relevant technology.
What is considered "reasonable" when it comes to electronic communication has changed over time. In 1999, when multiple methods of communication were prevalent, the ABA concluded that lawyers had "a reasonable expectation of privacy in communications made by all forms of email, including unencrypted email sent on the Internet, despite some risk of interception and disclosure." Formal Opinion 99-413 therefore found unencrypted emails to be "consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client's representation."
Much has changed since then. Today, email is the primary method of communication. Attorneys regularly use desktop, laptop, and notebook computers; tablet devices; smartphones; and cloud resource and storage locations to create, transmit, and store confidential communications. In this "post-Opinion 99-413 world," hacking and data loss are matters of "when," and not "if." The Standing Committee on Ethics and Professional Responsibility issued its conclusions on the core duty of confidentiality in this new "ever-changing technological world" in Formal Opinion 477R.
"Reasonable Efforts" to Prevent Inadvertent or Unauthorized Access
Formal Opinion 477R requires that attorneys undertake reasonable efforts, based on a case-by-case analysis, to prevent inadvertent or unauthorized access when sending protected information via email. In determining what is reasonable, the opinion suggests that attorneys consider (1) the sensitivity of a client's information and the client's risk level for cyber intrusion, (2) the location and transmission routes of firm and client data, (3) available security measures for a firm's technology system and transmissions, (4) a client's input on the necessary levels of security for electronic communications, (5) adequate labeling of confidential information, (6) training for lawyers and staff in technology and information security, and (7) due diligence on communication technology vendors.
Use of unencrypted routine email generally remains an acceptable method of lawyer-client communication, according to Formal Opinion 477R. However, given the proliferation of cyber-threats and the fact-sensitive requirements of the Model Rules, "particularly strong protective measures, like encryption, are warranted in some circumstances."
Security Measures Require Technical Knowledge and Human Oversight
"The ABA struck the right balance with encryption," states Aaron Krauss, Philadelphia, PA, cochair of the ABA Section of Litigation's Health Law Litigation Committee. "For information that is truly confidential, it makes all the sense in the world." But if encryption is used as a default, "it slows communication down and creates a practical problem in recording and accessing email," adds Krauss.
It is also "important to recognize the difference between encrypting a transmission and encrypting a message," counsels Sean W. Fernandes, Raleigh, NC, member of the Section of Litigation's Privacy & Data Security Committee. "Encrypting a transmission protects the contents from interception, but can leave the message exposed if the sender or recipient is hacked. Encrypting the message protects the delivered messages as well."
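The distinction Fernandes draws can be shown concretely. The following Python script is an added illustration, not code from the article or from Fernandes: it models a message travelling through two mail servers, once with only hop-by-hop transport protection (what TLS between mail servers gives you) and once with the body encrypted to the recipient before it leaves the sender's client (what S/MIME or OpenPGP give you), and then checks which stored copies would reveal the text to someone who gains access to a server. The server names, the sample message and the hash-based cipher are constructed for the example; the cipher is a stand-in for the AES-GCM or ChaCha20 a real mail stack uses, chosen only so the example runs on the standard library.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed demonstration primitive: HMAC-SHA256 keystream in counter mode
# plus an HMAC tag over nonce and ciphertext. It stands in for the AEAD
# (AES-GCM, ChaCha20-Poly1305) that TLS, S/MIME and OpenPGP actually use.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


@dataclass
class MailServer:
    name: str
    stored: list  # every copy this server wrote to disk (queue, mailbox, backup)


def relay(current: bytes, hops: list) -> bytes:
    """Transport protection only: each link gets its own session key (as TLS
    does), but every server terminates the link, sees the payload as it was
    handed to it, and stores that payload before forwarding."""
    for server in hops:
        link_key = os.urandom(32)                # per-link session key
        on_the_wire = encrypt(link_key, current)  # protected against interception
        current = decrypt(link_key, on_the_wire)  # server ends the link here...
        server.stored.append(current)             # ...and keeps whatever it got
    return current


def send_transport_encrypted(message: bytes, hops: list) -> bytes:
    """Plain email over TLS hops: servers store the readable message."""
    return relay(message, hops)


def send_message_encrypted(message: bytes, recipient_key: bytes, hops: list) -> bytes:
    """End-to-end protection: the body is encrypted to the recipient before it
    enters the mail system, so the servers only ever hold ciphertext."""
    sealed = encrypt(recipient_key, message)
    delivered = relay(sealed, hops)
    return decrypt(recipient_key, delivered)  # only the recipient's key opens it


def exposed_at(server: MailServer, secret: bytes) -> bool:
    """Would the secret be readable from this server's stored copies?"""
    return any(secret in copy for copy in server.stored)


def run_demo() -> dict:
    secret = b"Settlement authority up to $2.5M"  # constructed sample content
    recipient_key = os.urandom(32)               # recipient's message key (hypothetical)
    transport_hops = [MailServer("firm-mx", []), MailServer("client-mx", [])]
    e2e_hops = [MailServer("firm-mx", []), MailServer("client-mx", [])]
    via_transport = send_transport_encrypted(secret, transport_hops)
    via_message = send_message_encrypted(secret, recipient_key, e2e_hops)
    return {
        "transport_delivered": via_transport == secret,
        "message_delivered": via_message == secret,
        "transport_exposed_on_server": exposed_at(transport_hops[1], secret),
        "message_exposed_on_server": exposed_at(e2e_hops[1], secret),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Both paths deliver the message intact and both keep it unreadable on the wire; the difference is entirely in what sits on the servers afterwards, which is exactly the exposure Fernandes describes when "the sender or recipient is hacked". The trade-off Krauss raises also shows up here: with message encryption, the firm's own server cannot index, search or archive the body either, because it holds only ciphertext.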
Aside from considering whether and what type of encryption is appropriate, lawyers should establish common electronic security measures, advises Fernandes. Firms should acquire "desktops, laptops, and portable storage devices that enable full disk encryption; create and enforce a policy of frequently changing passwords and require passwords that are not used elsewhere; and ensure wireless networks used by the firm are at least WPA2 and utilize long and complex passwords," according to Fernandes.
Fernandes recommends that attorneys consider pursuing an ISO/IEC 27001:2013 certification, which is useful for establishing, implementing, maintaining, and continually improving an information security management system. "Many corporate clients will require this, and fulfilling the certification will force you to develop best practices," notes Fernandes.
Although keeping up with technological developments is critical, cybersecurity is also a human resources issue, cautions Krauss. "If a password is written on a post-it note under your keyboard, it is not worth much. Common sense is not too common," he observes. Formal Opinion 477R notes that Model Rule 5.1 requires lawyers with supervising authority to take reasonable steps to assure that the conduct of other attorneys and assistants in the firm complies with the ethical duties of the supervising lawyer. By balancing technical knowledge with continual oversight of how that technology is used in practice, firms can ensure that they are meeting the requirements of the Model Rules.
Matthew S. Mulqueen is an associate editor of Litigation News.
Keywords: cybersecurity, data breach, encryption, Model Rules
- ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R (2017).
- ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 99-413 (1999).
- Model Rule of Professional Conduct 1.1: Competence.
- Model Rule of Professional Conduct 5.1: Responsibilities of a Partner or Supervisory Lawyer.
- ABA Commission on Ethics 20/20 Report 105A (Aug. 2012).
- ABA Cybersecurity Handbook.