A New Ethics Standard for Client Email?

A long time ago, in a galaxy far, far away the ABA issued Formal Ethics Opinion 99-413, the gist of which was to give law firms a free pass when it came to email encryption. Since 1999, technology has evolved by leaps and bounds, the ABA has updated its model rules, and cybersecurity is a national concern.  Therefore, it should be no surprise the ABA chose to revisit its 18 year-old position on email and electronic communications.

The New ABA Standard

Is email encryption required by the new ABA opinion?  Yes and no.

As Bob Ambrogi reports in his blog:

In this new opinion, the committee declined to draw a bright line as to when encryption is required or as to the other security measures lawyers should take. Instead, the committee recommended that lawyers undergo a “fact-based analysis” that includes evaluating factors such as:

  • The sensitivity of the information.
  • The likelihood of disclosure if additional safeguards are not employed.
  • The cost of employing additional safeguards.
  • The difficulty of implementing the safeguards.
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

However, special security precautions may be required “to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.” ABA Formal Opinion 477.

The Oregon Standard

The last bit of ABA Formal Opinion 477 may sound familiar to Oregon lawyers.  In this article written by Helen Hierschbiel in 2010, the bar gave us some insight on the topic of electronic communications, including email:

Although use of electronic communications is not a per se violation of the duty of confidentiality, special precautions may be necessary in particular circumstances. For example, if information is particularly sensitive or subject to a confidentiality agreement, a lawyer may need to implement special security measures. Also, if a client requests it, a lawyer may be required to avoid, or be allowed to use, a particular type of electronic communication notwithstanding expectations of privacy in the communication method.

While the article cites to a model rule that was later amended, the parallels between Hierschbiel’s language and that of the new opinion are hard to miss.  Bottom line? Email encryption is required if the circumstances warrant it.

Choosing an Email Encryption App

Fortunately, Bob Ambrogi has come to our rescue yet again.  In his article, Encryption so Easy a Lawyer Can Do It, Bob discusses three incredibly simple solutions that allow lawyers to send encrypted messages.  No more clunky interface requiring the sender to transmit keys before the recipient decrypts the message.  No more need for both parties to use the same software.  (Although a simple plug-in may be needed, depending on the software you choose.)

With secure cloud-based solutions Enlocked, Virtru, or Delivery Trust, Ambrogi concludes:

What all three programs have in common is that they make encryption as easy as the push of a button.  If you use email to communicate with clients or colleagues about sensitive matters – and what lawyer does not? – you have no excuse not to encrypt.

What To Do Next

  • Encrypt all client email, not some client email.  Why?  Mainly to eliminate guesswork, reduce risk, and preserve your sanity.  Not convinced?  Consider how clients might view on again/off again encryption: some messages are worth protecting and other’s aren’t?  Hmmm….
  • Put sensitive content behind a secure client portal.  Many practice management programs have this functionality, but if yours doesn’t, consider Slack.
  • Discuss electronic communication policies with clients and reiterate them in your fee agreement or engagement letter.

All Rights Reserved Beverly Michaelis 2017

The Standard for Email Communications

What is the standard for electronic client communications?  Can lawyers freely use email, without a worry or care about encryption?

In “Odds & Ends – Safeguarding Client Information in a Digital World,” Oregon State Bar General Counsel Helen Hierschbiel sets us straight:

The first ethics opinions that addressed the use of electronic communications prohibited lawyers from using cell phones and unencrypted e-mail…. More recently, ethics authorities condone the practice, recognizing that the expectation of privacy in these modern methods of communication is comparable to and as reasonable as that of older methods of communication. For example, ABA Formal Ethics Op 99-413 (1999) states:

E-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy… The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of [the law].

Does this mean lawyers get a free pass to use unencrypted email?

The answer is no, as Helen points out.  Special precautions need to be taken if:

  • The information to be transmitted is particularly sensitive
  • The contents of the email are subject to a confidentiality agreement
  • The client instructs the lawyer to avoid using email

Can a client waive the security risks associated with unencrypted email?

Yes.  “If a client requests it, a lawyer may … be allowed to use … a particular type of electronic communication notwithstanding expectations of privacy in the communication method.”

What role does metadata play?

As Helen notes, metadata may be a bigger danger than unauthorized interception of email  messages:

[C]ompetent representation requires that lawyers understand what information may be hidden in documents that they plan to send by e-mail so that appropriate steps can be taken to protect against inadvertent disclosure of what could be confidential or sensitive information. See, e.g., Arizona Ethics Op 07-03(2007) (lawyer must take “reasonable precautions” to prevent communication of metadata containing client information) and ABA Formal Op 06-442.

Since Helen’s article was published, Oregon has issued its own metadata opinion: Competency: Disclosure of Metadata, OSB Formal Opinion 2011-187.

Where does this leave us with encryption?

If your clients have consented to use of unencrypted email (or don’t care) and your messages are not particularly sensitive or subject to a confidentiality agreement, why should you give a whit about encryption?  In a phrase: ease of use.

What used to be difficult is no longer.

In the article “Encryption So Easy a Lawyer Can Do It,” Bob Ambrogi discusses three incredibly simple solutions that allow lawyers to send encrypted messages.  No more clunky interface requiring the sender to transmit keys before the recipient decrypts the message.  No more need for both parties to use the same software.  (Although a simple plug-in may be needed, depending on the software you choose.)

With secure cloud-based solutions like Enlocked, Virtru, or Delivery Trust from Identillect, Ambrogi concludes:

What all three programs have in common is that they make encryption as easy as the push of a button.  If you use email to communicate with clients or colleagues about sensitive matters – and what lawyer does not? – you have no excuse not to encrypt.”

 [All Rights Reserved 2015 Beverly Michaelis]

The State of Law Firm Security

Viruses are More Common at Law Firms than Encryption, ABA Survey Shows

Firms-with-virus

“Nearly half of law firms were infected with viruses, spyware or malware last year, according to the latest ABA Legal Technology Survey Report. At the same time, only a quarter of law firms had any kind of email encryption available for their lawyers to use, the survey found.

Also, 14% of law firms experienced a security breach last year in the form of a lost or stolen computer or smartphone, a hacker, a break-in or a website exploit.”

Bob Ambrogi

Read the full post here.

Crowdsourcing Legal Research with Casetext and Mootus

One of the more interesting ideas discussed at ABA TECHSHOW was the concept of crowdsourcing legal research using Casetext or Mootus:

“On Casetext, judicial opinions and statutes are annotated with analysis by prominent law professors and attorneys at leading firms, giving you unique insight. And everything is 100% free.”

Mootus “…helps law students and lawyers at all levels build reputation and knowledge through competitive, collaborative legal argument.

Okay … but what is it exactly?

Here are three quick answers curated from the 2014 ABA TECHSHOW:

  • Crowdsourcing: people contribute to a common project. Social curation: filtering info for others – e.g. Twitter. @lisasolomon
  • Mootus: crowdsourcing (offers) answers to legal questions. Users vote up/down contributions (also a Casetext feature). @lisasolomon
  • Crowdsourced annotations, links to blog posts and commentary big benefit of @casetext approach to legal research. @RealSheree

It turns out that crowdsourcing isn’t exactly new.  Bob Ambrogi first wrote about it in 2010 for the Oregon State Bar Bulletin.  See “Crowdsourcing the Law: Trends and Other Innovations.”  

Here is Bob’s more recent take on Casetext, which I recommend you read if you are at all interested in this approach to research. In a very rudimentary way, think of it as Fastcase + Wikipedia together in one place.  Here is a snippet from Bob’s post:

“But what makes the site unique is the ability of its users to add descriptions and annotations to the cases. When you view a case, the screen is divided in half. On the left side, what you first see is a section of “Quick Facts” about the case — its holding, citation, court, judges, docket number and the like. After that comes a section called “Case Wiki” with a more narrative description of the case. Following those two sections comes the case itself.

Both of those first two sections — Quick Facts and Case Wiki — are fully editable by registered users. Simply click the “edit” button and revise or supplement any of the text. Click the “revisions” button to see the full history of edits by all users.

Similarly, the right side of the screen contains sections for “tags,” “cases,” “sources,” “analysis,” and “record.” Users can create and edit any of these items.”

Thank you Bob Ambrogi!