Email is a convenient and efficient way for lawyers to communicate with clients, but it also poses ethical challenges and security risks.
For example: When should lawyers use encryption to secure emails or other electronic communications with clients? What discussions should lawyers have with their clients about sharing communications and files? And are there better alternatives to emailing clients when privacy and security are paramount?
I’ve previously detailed the long history of ethical opinions focused on email communication by lawyers. It started in 1999 with ABA Formal Opinion 99-413 allowing email use as affording “a reasonable expectation of privacy from a technological and legal standpoint.”
Nearly 20 years later, ABA Formal Opinion 477R reiterated the general acceptance of email communications with clients. According to this opinion, lawyers must be diligent in analyzing, on a case-by-case basis, the sensitivity of the transmitted information and other factors to determine what security efforts are reasonable.
Most recently, the Pennsylvania Bar Association’s Formal Opinion 2022-400 comes short of mandating that lawyers use encrypted email, but provides guidance on what lawyers may and must do when transmitting client information, discusses the applicable Rules of Professional Conduct, and offers various practice tips on the topic. Also, it includes a helpful appendix of related opinions from other states.
The current posture in the legal profession on email security, consistent with the ethical rules discussed below, can be generally viewed in two parts: (1) an analysis of the sensitivity of the information transmitted and (2) an expectation-setting discussion with the client about the benefits and risks of unencrypted communication.
Below I discuss how several ethical rules relate to email encryption and provide some advice for lawyers to help safeguard sensitive information.
Relevant ethical rules in Illinois
Several of the Illinois Rules of Professional Conduct are relevant to email encryption for lawyers as they can be applied to safeguarding client information, including Competence (Rule 1.1, Comment 8), Communication (Rule 1.4), Confidentiality of Information (Rule 1.6), and Supervision (Rules 5.1 and 5.3).
The duty of competency (Rule 1.1, Comment 8): Illinois and 39 other states (as of publication) have adopted Comment 8 to Rule 1.1 stating that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of technology…”
The comment emphasizes that lawyers should make reasonable efforts to understand technology’s impact on the legal profession and utilize appropriate technology to provide quality legal services.
Services and tools for storing and sharing client information can advance rapidly, demanding lawyers and related legal professionals stay informed and trained.
The duty of confidentiality (Rule 1.6): Lawyers must protect the confidentiality of information relating to the representation of a client, as stated in Rule 1.6. This duty applies to email and other forms of communication.
Lawyers must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, client information. This may require using encryption, passwords, or other security measures when sending or storing email messages or attachments.
Lawyers must also be aware of the risks of sending emails to or from public or shared computers, networks, or devices, and take appropriate precautions to avoid unauthorized access or interception.
The duty to communicate (Rule 1.4): Lawyers have a duty to keep their clients reasonably informed about the status of their matters, as stated in Rule 1.4.
Lawyers must communicate with their clients in a timely, clear, and courteous manner, and respond promptly to client inquiries and requests.
Lawyers should have an expectation-setting discussion with clients as to their preferred method of communication and the degree of sensitivity of the information related to their representation, including the use of email and text messages.
The duty to supervise (Rules 5.1 & 5.3): Lawyers must supervise the work of their subordinates, associates, staff, and others, as stated in Rules 5.1 and 5.3.
Lawyers must ensure that the people under their supervision comply with the ethical rules and standards when using email as a means of communication.
Lawyers should establish and enforce policies and procedures for the proper use of email and other tools for transmitting information related to client matters.
Suggested email encryption practices for lawyers
Encrypted email works by using cryptographic algorithms to scramble the content of the email, making it unreadable to anyone without the corresponding decryption key.
Encryption tools may be included in the software you already use, like Google G Suite and Microsoft Office 365. These tools can automatically ensure that an encrypted email remains secure and confidential, even if it is intercepted or accessed by unauthorized individuals.
While some assistance may be needed in selecting and setting up encryption, it is then generally easy to use thereafter.
The Pennsylvania Bar’s Formal Opinion 2022-400 also recommends the following practices for email security:
- Before using email, consider whether it is the best method for the particular communication, including attachments.
- Avoid transmitting files containing information relating to the representation of a client as email attachments, when possible. Also, consider whether to enable the “Encrypt & Prevent Forwarding” feature when available.
- Advise clients not to forward your email or memos to third parties.
- When possible, encrypt communications or use passwords for attachments containing information relating to the representation of a client rather than attaching unprotected information to unencrypted communications.
- Use a central file-sharing portal, cloud storage provider, or similar service to eliminate the need to attach files to an email and eliminate or reduce the likelihood of unauthorized access to confidential or sensitive information. Examples include Citrix ShareFile, Microsoft Encrypt, Microsoft Message Encryption, Dropbox Business, Google Workspace Drive, OneDrive for Business, Box Business Box, and G Suite.
However, the easiest way to protect confidential client information when communicating electronically is through a secure client portal, like the ones built into law practice management software.
By doing so, you avoid the hassle of assessing security risks on a case-by-case basis and can maintain your emails, documents, and even text messages under the same secure protection.
You might already use a secure portal to send messages and share documents with your medical provider or financial advisor. Likewise, secure client portals provide an encrypted dashboard for lawyers and clients to communicate and access materials in a central location.
As I have written before, client portals have benefits beyond improved security such as better communication and convenient billing. And all messages and documents are connected to the appropriate case file, creating a win-win for information management and security for lawyers and clients.
Enhance client service while avoiding liability
It is not surprising that law firms have been described as the most accessible target for the most sensitive information. Lawyers are responsible for protecting client information and a constant stream of emails is one of the greatest risks for unauthorized disclosure.
Lawyers must be aware of these ethical considerations for emailing clients and consider the best practices and guidelines for using email as a means of communication. This may include email encryption for lawyers.
By doing so, lawyers can enhance their client service, protect their client confidentiality, and avoid potential pitfalls and liabilities.