Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

When Must Lawyers Ethically Encrypt Data? Texas Answers.

July 7, 2015

The times they are a-changing when it comes to the transmission of confidential data by lawyers. In 1999, ABA Formal Opinion 99-413 approved the use of unencrypted e-mail for the transmission of confidential information with the caveat that under circumstances where the information to be communicated is highly sensitive the lawyer should forgo e-mail, just as he or she would from making a phone call or sending a fax, and consult with the client about the best way to transmit the information.

Most of the opinions from those "early days" took the view that e-mail is appropriate for lawyer/client communication, since it is just as illegal to intercept an email as it is to tap a phone call. A couple of states, including Arizona and Missouri, were a little more cautious.

Then both the ABA Ethics 2000 Commission (E2K) and the Ethics 20/20 Commission expanded the caution, advising in paragraphs 18 and 19 of the Comment to Rule 1.6 Confidentiality of Information that, in effect, the more sensitive the nature of the information that is to be transmitted, the more the lawyer should consider whether it is appropriate to consult with the client about the extent to which additional safeguards should be employed.

An Ethics 20/20 inspired amendment to Rule 1.1 Competence requires lawyers to have a basic understanding of the technology that they use so that they can advise their clients as to the risks and advantages of different means of communication.

Few people think of e-mail as private anymore, given the ease with which it can be monitored by employers and intercepted by hackers and law enforcement.

The pendulum began to swing toward considering encryption with opinions issued by the State Bar of California and the Pennsylvania Bar Association's Committee on Ethics and professional Responsibility.

Most recently, the State Bar of Texas addressed the issue squarely and provided specific guidance. Opinion 648 (2015) identified several instances where encryption or some other method of security may be appropriate, including:

  • communicating highly sensitive or confidential information via e-mail or unencrypted e-mail connections;
  • sending an e-mail to or from an account that the e-mail sender or recipient shares with others;
  • sending an e-mail to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the e-mail account, or to an individual client at that client’s work e-mail account, especially if the e-mail relates to a client’s employment dispute with his employer;
  • sending an e-mail from a public computer or a borrowed computer or where the lawyer knows that the e-mails the lawyer sends are being read on a public or borrowed computer or on an unsecure network;
  • sending an e-mail if the lawyer knows that the e-mail recipient is accessing the e-mail on devices that are potentially accessible to third persons or are not protected by a password; or
  • sending an e-mail if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s e-mail communication, with or without a warrant.

Texas is now at the forefront of a swelling movement that lawyers should heed – encrypting e-mail is now so simple and inexpensive that it may be unethical NOT to use it in many instances. If you are not encrypting your e-mail where appropriate, you certainly are not managing risk well – and you may find yourself in ethical hot water sooner rather than later. The current Rules 1.1 and Rule 1.6, which have been adopted in many states, are enough to potentially sustain a finding of unethical conduct where encryption should have been used and was not. And as state bars begin to issue opinions essentially mirroring the Texas opinion, and they will likely do so, adoption of encryption where appropriate will become an ethical necessity.

Hat tip to Dave Ries.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson