Attorneys owe their clients a duty of confidentiality and competence. But when an attorney uses wireless Internet to communicate or access files, such as in an airport or other public location, is that communication over an unencrypted wireless network confidential? And is an attorney competent if he or she broadcasts client confidences, including employer confidences for in-house counsel, over an unencrypted network?
On January 20, 2011, the State Bar of California issued formal opinion no. 2010-179, addressing these questions. The opinion provides six factors that attorneys should consider when determining whether a particular technology is appropriate for their communication.
- The level of security afforded by that technology, including whether reasonable precautions may be taken to increase that level of security by, for example, encrypting email.
- The legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information—that is, whether the form of communication is protected by law, like telephones and information stored on computers.
- The degree of sensitivity of the information—the more sensitive the information, the more security is appropriate.
- The possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product—again, the more severe the consequences, the more security is appropriate.
- The urgency of the situation—if a message absolutely must be delivered immediately, security is a secondary consideration.
- The client’s instructions and circumstances, such as access by others to the client’s devices and communications—if, for example, a client has specified that email is not confidential enough, or that a particular kind of communication must be encrypted, the attorney must comply with those instructions.
The opinion also gives specific guidance on the use of public, unencrypted wireless connections. Communicating over a public, unencrypted connection “risks violating [an attorney’s] duties of confidentiality and competence in using the wireless connection to work on [the client’s] matter.” These risks can be reduced by “using a combination of file encryption, encryption of wireless transmissions, and a personal firewall.” Also, if the subject matter of the communication is sensitive, or the potential impact particularly grave, such as waiver of attorney-client privilege, the attorney may need to avoid public, unencrypted connections entirely or disclose their use to the client. Use of VPN software, a “virtual private network” that creates an encrypted “tunnel” within an unencrypted connection, seems likely to reduce the risk of disclosure.
Finally, the opinion creates a safe harbor for communications over encrypted wireless connections, providing that “if [the] Attorney’s personal wireless system has been configured with appropriate security features, the Committee does not believe that Attorney violates his duties of confidentiality and competence by working on Client’s matter at home.” Encryption features, such as Wi-Fi Protected Access (“WPA” or “WPA2”) are generally available on wireless access points for home use. In light of the opinion, attorneys who use their home wireless connections to do work for clients, including in-house counsel who work at home or on the road, would be well advised to activate WPA or WPA2 encryption to prevent potential exposure.