The Risk Manager, Fall 2015

KBA Ethics Opinion E-403 (1998) provided a general rule for answering this question when responding to the issue: May a lawyer use electronic mail services including the Internet to communicate with clients without encryption? The opinion held that Kentucky lawyers may use electronic mail services to communicate with clients without encryption unless unusual circumstances require enhanced security measures.

Now ethics experts are raising the question whether this general rule is still valid with all the changes in technology and massive computer hacking going on today. Are these unusual circumstances that a competent lawyer concerned with protecting client confidentiality should heed by using special security measures such as encryption when using the Internet?

The Professional Ethics Committee for the State Bar of Texas Opinion No. 648 (2015) is one of the first ethics opinions addressing this new concern. The opinion responded to this inquiry from a firm:

When they started practicing law, the lawyers typically delivered written communication by facsimile or the U.S. Postal Service. Now, most of their written communication is delivered by web-based email, such as unencrypted Gmail.

Having read reports about email accounts being hacked and the National Security Agency obtaining email communications without a search warrant, the lawyers are concerned about whether it is proper for them to continue using email to communicate confidential information.

The Committee concluded after a careful review of numerous ethics opinions dealing with email communications that:

In general, considering the present state of technology and email usage, a lawyer may communicate confidential information by email. In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication. Examples of such circumstances are:

1. communicating highly sensitive or confidential information via email or unencrypted email connections;
2. sending an email to or from an account that the email sender or recipient shares with others;
3. sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the email account, or to an individual client at that client’s work email account, especially if the email relates to a client’s employment dispute with his employer (see ABA Comm. on Ethics and Prof ’l Responsibility, Formal Op. 11-459 (2011));
4. sending an email from a public computer or a borrowed computer or where the lawyer knows that the emails the lawyer sends are being read on a public or borrowed computer or on an unsecure network;
5. sending an email if the lawyer knows that the email recipient is accessing the email on devices that are potentially accessible to third persons or are not protected by a password; or
6. sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.

Editor’s note: One of the best risk management procedures for dealing with the use of electronic mail services is to obtain client consent in a letter of engagement for use of email, smart phones, cloud computing, and any other electronic device the firm uses to send client confidential information.