You may have heard of Edward Snowden—the infamously labeled “NSA whistleblower.” Regardless of your personal opinion on Snowden’s actions, the fact remains: Professionals, particularly those in fields where confidentiality is paramount (such as the medical or legal professions) must take additional steps to ensure data privacy.
A brief history of opinions on encryption
No matter how steeped in tradition the field of law remains, it doesn’t exist in a vacuum. Times are changing rapidly, and technology’s impact on law enforcement and legal practice is transforming the face of the industry. But still, certain things don’t change. Consider ABA Rule 1.6: Confidentiality of Information
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
For accountants, doctors, lawyers, and any other profession that has a duty to protect clients’ confidentiality, this creates a bit of a problem. Why? By default, the emails between you and your clients are not encrypted. That means that they can be read by anyone who intercepts them—and unfortunately, interception is actually not that difficult.
Currently, there is no blanket obligation to encrypt email communications. Up until recently, this method was presumed to have the same reasonable expectation of privacy that you would have with mailing a letter or sending a fax. However, some ethics opinions have considered the need for lawyers to consider the risk of emails being intercepted.
For example, California’s Formal Ethics Opinion No. 2010-179 suggests that encrypting email may be a reasonable step when the circumstance calls for it, particularly if the information is highly sensitive and the use of encryption is not onerous.
In 2011, the American Bar Association (ABA) issued Formal Ethics Opinion 11-459 – Duty to Protect the Confidentiality of Email Communications with One’s Client. Where there is a ‘significant risk’ that a third party may gain access to an electronic communication, lawyers must warn their clients about that risk. They must also take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to clients. This opinion distinguishes itself from the ABA’s earlier stance in ABA Op. 99-413 (1999) (“Protecting the Confidentiality of Unencrypted E-Mail”). In the earlier opinion, the ABA considered email to offer a reasonable expectation of privacy, and merely cautioned lawyers to follow clients’ instructions when transmitting highly sensitive information.
The ABA’s recent ethics opinion is different, in that it requires lawyers to look beyond the type of data being sent and to also consider the client’s situation when transmitting electronic data.
In the opinion, an example was given that a lawyer should not email a client if they know, in an employment dispute, that there is a risk of the client’s employer having access to the email. The opinion goes on to state that an employment dispute is not the only situation where third parties may have access to confidential email communications.
Most recently, the ABA issued a new ethics opinion, Formal Opinion 477, which further stresses the need to take additional security precautions (e.g., encryption) in certain situations. It states:
[C]yber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email … Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the Comment  factors to determine what effort is reasonable.
The opinion notes that the factors from Comment  to Model Rule 1.6(c) include:
- The sensitivity of the information,
- The likelihood of disclosure if additional safeguards are not employed,
- The cost of employing additional safeguards,
- The difficulty of implementing the safeguards, and
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Opinion 477 also offers additional guidance on how to protect client information. It suggests that lawyers take time to understand how electronic communications should be protected, and consider the need to train lawyers and nonlawyer assistants in technology and cybersecurity, as well as conduct due diligence on vendors who provide technology services.
Put simply, if lawyers believe there’s a significant risk that an email may be intercepted, they must take reasonable care to protect the client’s confidentiality.
How to protect your client communications
One tool that a lawyer can turn towards in such situations? Email encryption.
There are two options for encrypting communications between you and your client. You can install encryption software to encode your email or you can use a client portal. The problem with installing encryption software is that it requires both you and your client to be security experts. You’ll both need to purchase and install the software on your devices, and you both need to use them perfectly to avoid a chance of inadvertent disclosure. This may be too onerous, referring back to the California ethics opinion.
Client portals, on the other hand, use state-of-the-art, bank-grade security to protect your and your clients’ data (at least, they should). For example, if you’re using Clio Connect, Clio’s client portal, your clients can access and collaborate with you on documents, see their invoices, and communicate with you using the portal’s secure messaging feature. You can even add your own logo and look to what your clients’ see when they log in. Best of all, this information is instantly and seamlessly encrypted, without any extra effort on the part of you or your client.
In addition to using tools like client portals to protect client communications, it’s worth educating yourself more broadly on why encryption is needed and how to protect your clients online. For example, look for information from organizations like the Electronic Frontier Foundation (EFF) that are working to protect lawyers’ and their clients’ privacy. The EFF is currently active in dozens of cases involving freedom of speech, privacy, and security, and offers a guide to communicating securely online.
In short, think very carefully before emailing confidential information to your clients. Look for your state to start adopting the ABA’s guidance on encryption, especially given the rapid adoption of technology competency rules by most states. Get ahead of this potential risk by employing tools that are already secure when communicating with your clients.