In May, the American Bar Association (“ABA”) released Formal Opinion 477, providing guidance on attorney use of emails in communication with clients. In doing so, the ABA has promulgated a new standard when considering the level of protections necessary while using technology to converse about a legal representation. According to the ABA, a lawyer generally may transmit information relating to the representation of a client over the Internet when the lawyer has undertaken “reasonable efforts” to prevent inadvertent or unauthorized access to information relating to the representation. Under this reasonable-efforts standard, however, the ABA explicitly warns that a lawyer may be required to take special security precautions, like the use of encrypted emails, when the information warrants a higher degree of security.
This Formal Opinion comes at a time when data hacks and breaches are placing greater scrutiny on Internet privacy and security, and as such, the ABA felt the need to update its rules in light of the current technological landscape. In its 1999 Formal Opinion addressing a lawyer’s obligations when communicating with clients via e-mail (Opinion 99-413), the ABA concluded: “Lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risks of interception and disclosure.” Currently, however, the ABA views the state of Internet security far differently – one where “law enforcement discusses hacking and data loss in terms of ‘when,’ not ‘if.’” The ABA now recognizes that “[e]ach device and each storage location offer an opportunity for the inadvertent or unauthorized disclosure of information relating to [a lawyer’s] representation, and thus implicate a lawyer’s ethical duties.”
With its new Formal Opinion, the ABA now requires lawyers to “exercise reasonable efforts when using technology in communicating about client matters.” Citing the ABA Cybersecurity Handbook, the Opinion acknowledges that the determination as to what constitutes reasonable efforts is a fact-specific inquiry. With this in mind, the ABA lists five nonexclusive factors meant to aid lawyers in making the reasonable-efforts determination:
- The sensitivity of the information;
- The likelihood of disclosure if additional safeguards are not employed;
- The cost of employing additional safeguards;
- The difficulty of implementing the safeguards; and
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
In fleshing out these factors, the ABA maintains its basic premise that unencrypted emails are sufficient for routine client communications of “normal or low sensitivity,” assuming the lawyer has implemented basic and reasonably available security methods. The ABA suggests a variety of standard security methods that a lawyer can use to ensure the security of communications of normal to low sensitivity: (i) secure Internet access methods to communicate and store client information, such as secure Wi-Fi, the use of a Virtual Private Network, or another secure Internet portal; (ii) unique complex passwords that are changed periodically; (iii) firewalls and programs protecting against Malware, Spyware, or viruses; and (iv) regularly applying all necessary security patches and updates. The ABA notes that each of these measures is routinely accessible and often affordable or free.
Under the reasonable-efforts standard, however, stronger protective measures are required for client communications of higher sensitivity. The lawyer may have to encrypt such information or avoid using technology altogether. In line with the recommendations of the ABA Commission on Ethics 20/20, the Formal Opinion does not address in greater specificity any stronger protective measures under the reasonable-efforts standard. The ABA Commission on Ethics concluded that technology is changing too rapidly to offer much particular guidance, simply noting that lawyers should change their measures as technology evolves and new risks emerge. Therefore, conversations between lawyer and client as to the strength and cost of enhanced security measures, like encryption, are particularly important. The ABA notes that a lawyer may need to explain to the client the costs involved in using enhanced security measures and obtain informed consent before using those measures.
As advised by ABA Formal Opinion 477, lawyers should not be lulled into complacency by the speed and convenience of communicating with clients by e-mail. They should instead always be cognizant of the type of client information they are communicating, whether it is of low, normal, or high sensitivity, and weigh whether the circumstances call for the encryption of sensitive data.