By Jim Brashear
A Practice Smart(TM) Feature
Jim Brashear is General Counsel for Zix Corporation, a
leading provider of email encryption services. He earned
his JD, magna cum laude, from the University of San Diego
School of Law. He is a member of the Bar of the United
State Supreme Court, the State Bar of Texas and the
California Bar Association.
Recent State Bar ethics guidance allows lawyers to use Cloud services, so long as the lawyer takes reasonable steps to protect client information. Oddly, though, that guidance excludes the Cloud service most used by lawyers to transmit and store client information – email. Lawyers send vast numbers of emails with sensitive content and attachments. Unlike other Cloud services, once email leaves your firm’s network, lawyers cannot know or control: the locations of the multiple servers through which the data might be routed, whether and for how long the data is stored on those servers, how the data is secured by the various service providers, the ability of third parties to access the data, or the terms and conditions of all of the relevant email service participants. There is a higher risk that email may be intercepted or accessed without authorization.
Unreasonable Expectations
Many State Bar ethics opinions from the 1990s said lawyers could use unencrypted email in most circumstances – although some lawyers mistakenly believe the opinions allow unencrypted email in every circumstance. Those opinions were premised largely on the notion that lawyers might expect confidentiality because of laws that criminalize intercepting email or accessing it without authorization. Because of how people use Web email today, that expectation is misplaced for three reasons:
- Laws that were written decades ago may not still adequately protect email as it is used today. For example, the South Carolina Supreme Court recently considered in Jennings v. Jennings, a domestic dispute in which a party’s Yahoo! email account was accessed without authorization. The Court rejected the account holder’s assertion that the access violated the Stored Communications Act (SCA). The Court concluded that the SCA protects emails when they are stored on the Web for the purposes of backup protection but not when the only copies of the emails were those saved on the Webmail provider’s server. Many individuals today use email in the same way the account holder did in Jennings, and the confidentiality of that email is not guaranteed by the SCA.
- The limits of the expectation of privacy in electronic communications are evolving. The United States Supreme Court in City of Ontario v. Quon declined to conclude that employees are entitled to any expectation of privacy in electronic communications using employer-provided systems. The Court said “rapid changes in the dynamics of communication and information transmission are evident not just in the technology itself but in what society accepts as proper behavior” and that “the Court would have difficulty predicting how employees’ privacy expectations will be shaped by those changes or the degree to which society will be prepared to recognize those expectations as reasonable.” Last century’s expectation of privacy in email may no longer be appropriate.
- Those ethics opinions rely on the logical fallacy that criminalizing a particular behavior allows us to deem that it does not occur at all. Based on that fiction, the opinions conclude there is no need to take reasonable steps to protect against the criminal act of email interception. That reasoning is a convenient rationalization, but the reality is that email is frequently intercepted and read without authorization. The reasoning is like concluding that lawyers need not bother to lock up client files in their offices, because criminal law prohibits trespass and burglary. No lawyer would assert that it is reasonable to leave confidential client papers unsecured. Likewise, it is not reasonable to leave confidential electronic files unprotected and accessible to third parties.
Duty to Warn Clients about Email Risks
ABA Formal Opinion 11-495 advised that lawyers must warn their clients about the risk of using electronic communications (including email) whenever circumstances present a “significant risk” that a third party may gain access to the content of unencrypted electronic communications. That could include, for example, situations in which the attorney should reasonably be aware that the client is using a shared computer (hotel, library, family), is using an unsecured device (e.g., the attorney should be aware that the client’s computer or mobile device is not password protected) or is transmitting data via insecure WiFi.
However, merely warning the client about the risks inherent in using unencrypted email may not completely fulfill the lawyer’s ethical and legal obligations. The American Bar Association recently revised Rule 1.6 (Confidentiality of Information) of the Model Rule of Professional Conduct, and new Rule 1.6(c) requires that “a lawyer shall make reasonable efforts to prevent … unauthorized access to … information relating to the representation of a client.” Comment 16 to Model Rule 1.6 says that “Paragraph (c) requires a lawyer to act competently to safeguard information related to the representation of the client against unauthorized access by third parties ….” The comment goes on to say that unauthorized access does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. This is not a new requirement but rather a clarification of pre-existing standards that lawyers have an ethical duty to use measures that actually protect the client’s confidential information.
Ethics Obligations When Using Email
The latest ethics guidance demonstrates that lawyers should:
- implement reasonable security measures to protect electronically transmitted client information in all circumstances, and
- warn clients about the risk of using electronic communications (including unencrypted email) whenever circumstances present a “significant risk” that a third party may gain access to the content.
The latest ethics guidance also indicates two circumstances in which lawyers may be required to take additional steps to protect client data:
- when a client requires the lawyer to implement special security measures, and
- when required in order to comply with law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information.
Lawyers should consider describing in engagement letters:
- lawyer’s duty of confidentiality
- risks of inadvertent disclosure, interception or unauthorized access of electronic information by third parties (some clients or matters may present a heightened risk)
- potential adverse consequences to the client (e.g., loss of attorney-client privilege, loss of trade secret status, exposure to identity theft)
- lawyer’s use of cloud services – including email – to transmit and store information related to the representation of the client
- a summary of relevant data security practices (e.g., reference to written procedures)
- that signing the engagement letter constitutes the client’s informed consent to use email and other cloud services
Beyond Ethics – Privacy Laws
Clients, lawyers and law firms also are subject to a variety of federal and state data protection and privacy laws, and to industry data security and privacy standards. If you represent clients who are subject to privacy laws, your firm may be subject to the same data security and privacy requirements. For example, when clients are subject to HIPAA and the HITECH Act, their lawyers may be “business associates” with privacy and security obligations to meet. Similar issues apply for clients in the financial services industry and those who work with government entities. In addition, laws in almost every state require that businesses – including law firms – take reasonable steps to protect sensitive personal information. Texas Business and Commerce Code section 521.052, for example, requires businesses to “implement and maintain reasonable procedures” to protect sensitive personal information. These state laws often provide a safe harbor from data breach notification requirements if the information was encrypted. You also may be subject to long-arm privacy laws. Massachusetts 201 CMR 17.00 and Nevada S.B. No. 227 require that personal information of their states’ residents be encrypted when it is transmitted in email, no matter who sends or receives the email or where they’re located.
Beyond Ethics – Industry Standards
Some of your clients’ key regulators very likely are communicating using encrypted email. This means public company lawyers get encrypted email from the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA). Financial services clients get encrypted email from federal and state financial regulators. If your clients’ key regulators think encrypted email is reasonable and necessary, that’s a hint that you and your clients should too.
The Federal Trade Commission published Protecting Personal Information – A Guide for Business. The guide contains advice for businesses that collect and store personally identifying information, including physical and electronic security. The guide notes that “regular email is not a secure method for sending sensitive data.” The FTC guide directs businesses to “encrypt sensitive information that you send to third parties over public networks (like the Internet)” and to “consider also encrypting email transmissions within your business if they contain personally identifying information.” In June, the FTC sued global hospitality company Wyndham Worldwide Corporation for alleged data security failures that led to three data breaches at Wyndham hotels in less than two years. The FTC’s guide and lawsuit demonstrate that today’s standard of care for privacy and data security is higher than it was in the 1990s.
Encryption is the Legal Industry Benchmark for Reasonable Data Security Practices
Lawyers may be required in an ethics investigation, enforcement action, risk assessment or malpractice claim to demonstrate that their data security practices conform to a reasonable standard of care and are not negligent. Some lawyers may think that the legal industry is subject to its own standard of care for data security. That does not seem to be true. In fact, lawyers may not be acting reasonably when they send or store unencrypted confidential client information using email or other Cloud services. The Attorneys’ Liability Assurance Society recommended that law firms “encrypt all protected information sent from or stored on any electronic device” in its 2011 ALAS Loss Prevention Journal article titled Data and Privacy Protection in a Regulated World. The International Legal Technical Standards Organization proposed in its 2011 Guidelines for Legal Professionals that “whenever client data is transmitted across the Internet, it must be encrypted at every point.” The State Bar of California, in Formal Opinion 2010-179, said that “encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.” Using encrypted email is clearly a best practice to protect the security of client confidences.
What to Consider Before Hitting Send
Email is a crucial communication tool – but one with a significant security gap. Fortunately, solving the email security problem can be both simple and cost effective. Email encryption is no longer a complicated and costly technology. Today’s email encryption solutions are simple to install, maintain and use. Email encryption can easily be added to your firm’s existing email system – whether it’s on-premise or managed in the Cloud, like Google Apps or Microsoft Office 365. Some solutions automatically encrypt emails and attachments based on their content and automatically decrypt inbound messages. They make the process transparent to users and integrate seamlessly with your existing email archiving and management processes. You and your clients can conveniently access encrypted email from mobile devices, like smartphones and tablet computers. You don’t need to worry about exchanging encryption keys and managing digital identity certificates; the vendor can manage those for you as part of a Software-as-a-Service (SaaS) Cloud solution. At a monthly expense of $12 or less per user, email encryption is not expensive – it’s cheap insurance. In fact, it would be difficult for lawyers to justify why they did not implement automated email encryption for all substantive client communication. Under developing standards, lawyers simply may be acting unreasonably when they don’t first encrypt confidential client information sent or stored using email or other Cloud services.
The information in this article is provided for informational purposes only and with the understanding that the author is not engaged in rendering legal, accounting, tax or other professional advice or services. The discussion is not intended to be relied on for any purpose and no warranties of any kind, either express or implied, are made. For help with a particular situation, you should seek the services of a qualified professional.
Practice SmartTM Features are a service of Michael Blum and Appeal Funding Partners, LLC. The Features are thoughts from a variety of sources on our practices, on being trial lawyers and things of importance to trial lawyers and their clients.
Michael Blum is a trial attorney and CEO of Appeal Funding Partners, LLC with over 17 years experience providing appeal finance risk mitigation services and non-recourse appeal funding to attorneys and plaintiffs with money judgments on appeal. He has served on the Board of Directors of the Consumer Attorneys of California and of the Marin Trial Lawyers Association and regularly speaks to trial-lawyer groups and has written for TLA magazines on the financial management of a contingency-fee law firm. He may be contacted at 415-729-4214 or mgblum@appealfundingpartners.com.
http://www.appealfundingpartners.com, or call 1-866-667-1237.
If you would like to be informed of these Articles, please CLICK HERE to fill in your details.