In December 2015, I posted “To Encrypt or not to Encrypt?”
The post began with an analysis of how Rules 1.1 and 1.6 work together to impose a duty to act competently to safeguard client information, including information that is stored and transmitted by electronic means.
From there, I walked readers through a series of advisory ethics opinions. Over time, the opinions moved from concluding that the duty to act competently to safeguard client information did not include a duty to encrypt to concluding that it might.
I stated that, at the very least, lawyers had a duty to warn clients about the risks associated with unencrypted electronic communications. Then, I wrote:
- “My sense is that we will soon reach, if we haven’t already reached, a day upon which it will not be considered reasonable to transmit client information via unencrypted email. Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available.”
Last week, that day drew closer.
On May 11, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 477: Securing Communication of Protected Client Information. The opinion analyzes the duties imposed by Rules 1.1 and 1.6. It reviews a series of advisory ethics opinions and discusses the trend towards requiring lawyers to encrypt electronic client communications.
Opinion 477 concludes that lawyers must make reasonable efforts to safeguard client information. It states that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.” That is, lawyers must employ a “fact-based analysis” when transmitting & storing client information. Factors in the analysis include:
- the sensitivity of the information,
- the likelihood of disclosure if special safeguards are not used,
- the cost of using special safeguards, and
- the difficulty of using special safeguards.
With respect to these factors, the opinion concludes that lawyers “must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters . . . to determine what effort is reasonable.”
The opinion makes clear that lawyers must remain cognizant that the analysis will change as technology evolves. In other words, what’s reasonable today might not be reasonable in 2020.
More importantly, what was unreasonable in 1997 might be reasonable today. For example, as the opinion notes, “a fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.”
The opinion suggests that the duty to safeguard client communications likely requires lawyers to:
- Understand the nature of the threat,
- Understand how information is transmitted & where it is stored,
- Understand & use reasonable electronic security measures,
- Determine how electronic communications should be protected,
- Label communications as “privileged & confidential,”
- Train partners, associates, and nonlawyer assistants in information security, and
- Exercise due diligence when choosing a vendor.
For more on each, see pages 5-9 of Formal Opinion 477.
In my view, the opinion sends a strong signal that the failure to use basic and widely available tools violates the duties imposed by Rules 1.1 and 1.6. Those tools include:
- Within an office, using adequate login passwords
- Changing those passwords on a regular basis
- Password-protecting email attachments
- Using secure WiFi (as in, not the coffee shop’s WiFi)
- Installing & updating firewalls, anti-malware, anti-spyware, and anti-virus software
- Using client portals instead of email
- Using established & secure cloud-based file storage vendors to send, exchange, and view documents
- Remembering that client information is on, or has been accessed from, multiple devices: cell phones, tablets, remote log-ins
If you take anything away from this, as usual, let it be my refrain that “competence includes tech competence.” For, if you find yourself in times of trouble, it will not be acceptable to respond “but that tech stuff is too complicated!”
As technology evolves, so evolves the standard of “reasonable efforts to safeguard client information.”
Have you evolved?