To Encrypt or not to Encrypt

As bar counsel, it has not been my experience that conscience makes cowards of us all as lawyers.  Au contraire, mon frere.  Rather, I’ve found that Vermont lawyers’ collective conscience drives the bar to do the right thing.

Lately, lawyers seem particularly driven to protect client information that is stored and transmitted electronically, in particular whether there is a duty to encrypt email.  This proves timely and coincides with my ongoing discussion of Rule 1.6 and information relating to the representation. This post could easily include a discussion of cloud storage, but it’s already too long, so I’ll try to stick to email and electronic communications.

As Maria said, the beginning is a very good place to start.  My discussion of Rule 1.6 began last week and is HERE.  If you haven’t read it, you might want to start there.

With respect to encrypting email, let’s move to Comment 16.  It says

• “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’ supervision.” (emphasis added).

So, that’s step 1 – Rules 1.1 and 1.6 work together to require lawyers to act competently to safeguard client information.

Next, Comment 17 informs us that

• “[w]hen transmitting a communication that includes information relating to the representation, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”

I’d add this suggestion:  be as cognizant of the eyes and ears of unintended recipients as you are of their hands.

Moving on, here’s where encryption starts to come into play.  Comment 17 continues:

• “This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.”

Of course, no self-respecting lawyer would draft a statute, rule, or comment without hedging, so remember that:

• “Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”  V.R.Pr.C. 1.6, Comment [17].

One might conclude that encryption is a “special security measure” and, therefore, is not required. Maybe, but that’s not the standard.  The Comment 17 makes it clear that special security measures are not required “if the method of communication affords a reasonable expectation of privacy.”

Does communicating via email afford a reasonable expectation of privacy?

In Advisory Opinion 97-05, the Vermont Bar Association’s Professional Responsibility Committee concluded that an attorney does not violate the ethics rules by communicating with clients via unencrypted email because:

1. there is no less of an expectation of privacy in e-mail than with an ordinary phone call; and,
2. Intercepting an email is against the law.

About a year later, the ABA’s Standing Committee on Ethics & Professional Responsibility issued formal opinion 99-413 in which it reached essentially the same conclusion as the VBA advisory opinion.

Does the VBA opinion’s rationale still hold up?

I’m not going to get into an academic, legal discussion of whether there’s a reasonable expectation of privacy in e-mail.  If such a discussion interests you, you can find plenty of articles online.

I’ll say this, though, if you’re a family practitioner, do you e-mail your clients?  If so, and before you hit “send”, do you ask a client whether her spouse has access to her email account?

To wit: I don’t practice family law but I have a family.  My dad and his wife share an email account.  So, when I need birthday advice, I don’t e-mail my dad’s wife for her take on the things I’m thinking about getting my dad for his birthday.  I call her.

I submit that if spouses share an email account, there’s a significant risk that one will gain access to a substantive communication intended for the other.

Or, what about clients who email you from work?   Have you reviewed their  employee handbooks and discussed the pros and cons of communicating via email from an employer provided computer, tablet, or mobile devices?

These questions are fleshed out in ABA Formal Advisory Opinion 11-459.  Here’s an excerpt from the summary:

• “A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access.”

Recognizing a growing awareness that email is inherently unsecure, the ABA opinion stated that:

• “Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.”

Well, Mike, that’s great, but what about encryption?

I don’t know.  At the turn of the century, few considered encryption to be a requirement.  It was burdensome, expensive, and there was a reasonable expectation of privacy in unencrypted email.  Encryption is no longer burdensome or expensive, and there is significant debate as to the reasonableness of an expectation of privacy in email.

Here’s an excerpt from the California State Bar’s Formal Opinion 2010-179:

• “encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstances call for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”

The full text of the opinion is HERE.

As this article from the State Bar of Wisconsin points out:

• “Encryption is increasingly required in areas like banking and health care and by state data-protection laws. As these requirements continue to increase, it will become more and more difficult for attorneys to justify not using encryption.”

So, let me turn the question back to you: what’s your answer going to be when someone, perhaps a disciplinary prosecutor, asks “why didn’t you think that encrypting that email would be a reasonable precaution?”

(as an aside, if you have clients in the banking and health care industries, are you able to give the competent advice on encrypting data?)

Indeed, some commentators are suggesting that lawyers move away from email and towards systems in which clients use portals to access information relating to the representation.  One of the most helpful posts that I’ve seen on email vs. client portals is this article from Law Technology Today, a publication of the ABA Legal Technology Resource Center.

I’m not trying to keep you up at night. I want you to be able to sleep and even, perchance, dream.  But, as I mentioned above, Rule 1.6 requires lawyers to act competently to safeguard client information, including information that is transmitted electronically.  Rule 1.1’s duty of competence includes a duty to stay “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”  ABA Model Rule 1.1, Comment 8.  At least one bar association has put the onus of assessing the risks of communicating via electronic means squarely on the lawyer.

In the opinion that I referenced above, the Cal State Bar concluded that the question of whether an attorney violates duty of confidentiality will depend on the particular circumstances, including the lawyer’s ability to assess and advise upon the “level of security attendant to” the particular device or technology.  The opinion went on to state that the attorney should be able to understand:

1. how each technology differs from others;
2. what precautions can, or cannot, be taken with each technology;
3. the likelihood of third parties accessing information stored or transmitted using a particular technology.

This suggests to me that “but how I was supposed to know it wasn’t safe to communicate this way” might not a defense to an allegation that you violated Rule 1.6.  Again, competence includes tech competence.

So there you have it.  My sense is that we will soon reach, if we haven’t already reached, a day upon which it will not be considered reasonable to transmit client information via unencrypted email.  Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available.

At the very least, lawyers have a duty to warn clients about the risks associated with unencrypted email.  But let’s end on this – the final sentence of Comment 17, heretofore not revealed in this post:

• “A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule.” (emphasis added).

Maybe that’s your hook – if you’re not going encrypt email, get informed consent from the client.  If you go that route, remember that “informed consent” is defined as “an agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.”  V.R.Pr.C 1.0(e).  

So, even if informed consent to unencrypted email is your answer, and I’m not certain that it is, it still requires you to provide an adequate explanation about the risks of unencrypted email and the reasonable alternatives thereto.  Again, it always comes back to the fact that the duty of competence includes a duty to understand technology.

Please come back tomorrow for Five For Friday!