The Lawyer's Lawyer
Encryption Ethics
Q. After emailing several documents to opposing counsel, she slammed me for failing to encrypt the message and exposing records on her client's medical history. Must I encrypt these emails?
A. There are no rules which expressly require an attorney to encrypt email messages. But you must still make reasonable efforts to protect the privacy of sensitive data and communications.
Where attorney-client communications are concerned, the Rules of Professional Conduct provide that an "attorney shall not reveal information relating to representation of a client." In response to the increasing threat of data breaches among law firms, many states have begun to implement a rule requiring lawyers to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Modifying its Model Rules to account for technological change, the American Bar Association has commented that "competent" lawyers "should keep abreast of ... the benefits and risks associated with relevant technology."
Though the ABA has yet to require that attorney-client communications be encrypted, its Cybersecurity Handbook "adopts a fact-specific approach to business security obligations that requires a 'process' to assess risks, identify and implement appropriate security measures." Recognizing that " particularly strong protective measures, like encryption, are warranted in some circumstances," the ABA advises law firms to consider the sensitivity of the information, the danger of unauthorized disclosure, the cost of implementing security, and whether the safeguards will render communications "excessively difficult."
Even in states that have not modified their ethics rules to account for technological challenges, the need to conduct such an assessment remains an important step in protecting the privacy of clients.
But what about information pertaining to adversaries and other third parties? To date, most of the literature focuses on attorney-client communications. But the rules recognize an attorney's duty to respect the rights of third persons. Just as Rule 4.4(b) requires a lawyer to notify the sender of "electronically stored information ... relating to the representation of the attorney's client" that may have been "inadvertently sent," the same degree of professionalism should apply to sensitive information on these individuals.
Like technology, our ethics rules continue to evolve. But as encryption and other safeguards get less expensive and cumbersome, your duty to implement these measures will undoubtedly increase.