The Risk Manager, Spring 2018
Back in the 1990s, when email and the Internet were becoming a major method of lawyer communications, there was considerable concern whether professional responsibility rules would work with this new technology. After some reflection, ethics authorities realized that the principles of the rules were equally applicable to modern communication systems, needing only amendments to emphasize the requirement that lawyers protect client confidences and maintain competence in communication technology.
This resulted in ABA and KBA opinions approving the use of email with cautionary advice on client confidentiality. ABA Ethics Committee Formal Opinion 477R (5/22/17) updated prior opinions with a fresh look at advances in technology and concluded that:
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
The Committee cited the factors in paragraph 18 of the Comment to Model Rule 1.6, Confidentiality of Information, to evaluate when special security precautions are required:
- the sensitivity of the information;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost of employing additional safeguards;
- the difficulty of implementing the safeguards; and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Next, the Committee offered this guidance for guarding against disclosures:
- Understand the nature of the threat. Consider the sensitivity of the client’s information and whether it poses a greater risk of cyber theft. If there is a higher risk, greater protections may be warranted.
- Understand how client confidential information is transmitted and where it is stored. Have a basic understanding of how your firm manages and accesses client data. Be aware of the multiple devices such as smartphones, laptops and tablets that are used to access client data, as each device is an access point and should be evaluated for security compliance.
- Understand and use reasonable electronic security measures. Have an understanding of the security measures that are available to provide reasonable protections for client data. What is reasonable may depend on the facts of each case, and may include security procedures such as using secure Wi-Fi, firewalls and anti-spyware/anti-virus software and encryption.
- Determine how electronic communications about clients’ matters should be protected. Discuss with the client the level of security that is appropriate when communicating electronically. If the information is sensitive or warrants extra security, consider safeguards such as encryption or password protection for attachments. Take into account the client’s level of sophistication with electronic communications. If the client is unsophisticated or has limited access to appropriate technology protections, alternative nonelectronic communication may be warranted.
- Label client confidential information. Mark communications as privileged and confidential to put any unintended lawyer recipient on notice that the information is privileged and confidential. Under Model Rule 4.4(b), Respect for Rights of Third Persons, the inadvertent recipient then would be on notice to promptly notify the sender.
- Train lawyers and nonlawyer assistants in technology and information security. Under Model Rules 5.1 and 5.3, take steps to ensure that lawyers and support personnel in the firm understand how to use reasonably secure methods of communication with clients. Also, follow up with law firm personnel to ensure that security procedures are adhered to, and periodically reassess and update security procedures.
- Conduct due diligence on vendors providing communication technology. Take steps to ensure that any outside vendor’s conduct comports with the professional obligations of the lawyer.
Kentucky is in line with the ABA Model Rule standards on the use of email by lawyers. KBA Ethics Opinion E-403 (3/1998) included the following guidance for use of email by Kentucky lawyers:
[B]ecause (1) the expectation of privacy for electronic mail is no less reasonable than the expectation of privacy for ordinary telephone calls, and (2) the unauthorized interception of an electronic message subject to the ECPA is illegal, a lawyer does not violate Rule 1.6 by communicating with a client using electronic mail services, including the Internet, without encryption. …. The Committee recognizes that there may be unusual circumstances involving an extraordinarily sensitive matter that might require enhanced security measures like encryption.
To emphasize that Kentucky lawyers must keep up with computer technology, the Kentucky Supreme Court promulgated a change, effective January 1, 2018, to paragraph (6), Maintaining Competence, of SCR 3.130(1.1), Competence:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (emphasis added)
Make no mistake – it may be an ethics violation or malpractice not to know what you are doing when sending email or any other e-document. The remainder of this newsletter is a review of the variety of ways email raises risk management issues.