This essay focuses on a lawyer’s ethical duty of confidentiality. It consists of a video of my lecture on this subject discussing the main ethics opinions on electronic communications and encryption. Just a few days after the video was made, the American Bar Association Standing Committee on Ethics and Professional Responsibility published an important new Formal Opinion 477 (May 11, 2017) entitled Securing Communication of Protected Client Information. This new Opinion is covered in some detail after the videos.
The duty to protect a client’s secrets is so important that I have also added these videos to the eighty-five class e-Discovery Team Training course in Module 4-K. I have also added the written discussion on the new Formal Opinion 477.
Rule 1.6 – Confidentiality of Information
The following Duty of Confidentiality lecture is based on the ABA Model Ethics Rule 1.6 – Confidentiality of Information:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
See eg: NY Bar Opinion 749, 2/21/17 (“Duty to protect a client’s confidential information from cybersecurity risk and handling e-discovery when representing clients in a litigation or government investigation.”)
See: ABA Formal Op. 99-413 (Mar. 10, 1999):
A lawyer may transmit information relating to the representation of a client by unencrypted e-mail… because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.
Also see: Cal. Op. 2010-179
Encrypting email may be a reasonable step for an attorney to take … when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.
- communicating highly sensitive or confidential information via email;
- sending an email to or from an account that the email sender or recipient shares;
- sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the email account, or to an individual client at that client’s work email account, especially if the email relates to a client’s employment dispute with his employer (see ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 11-459 (2011));
- sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.
May 11th 2017 ABA Opinion: Securing Communication of Protected Client Information
After I created the above video the ABA published a new opinion on lawyer confidentiality, Formal Opinion 477 (May 11, 2017) (hereinafter “Opinion“). The Opinion was written by the American Bar Association Standing Committee on Ethics and Professional Responsibility. It addresses the reasonable efforts lawyers and law firms must take to ensure that communications with clients are secure and not subject to inadvertent or unauthorized security breaches. It updates Formal Opinion 99-413 quoted above and discussed in the video. This update was sorely needed and very well done. My congratulations to the Committee. I expect many state Bars to follow and adopt this ABA recommendation. I urge you to carefully read this new Opinion in full. Here is the ABA introductory synopsis:
Securing Communication of Protected Client Information
The Standing Committee on Ethics and Professional Responsibility goes on to explain in the Opinion how much things have changed since the 1999 opinion on the use of unencrypted email.
[T]he term “cybersecurity” has come into existence to encompass the broad range of issues relating to preserving individual privacy from intrusion by nefarious actors throughout the Internet. Cybersecurity recognizes a post-Opinion 99-413 world where law enforcement discusses hacking and data loss in terms of “when,” and not “if.”4 Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.5
Opinion pg. 2.
The Standing Committee again “rejects requirements for specific security measures (such as firewalls, passwords, and the like)” and stays with the “reasonable efforts” standard. This somewhat controversial position is made in reliance of the ABA Cybersecurity Handbook (ABA 2013) which, instead of mandating specific security measures such as encryption:
… adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement 101 appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.12
Opinion quoting Cybersecurity Handbook at pg. 4. You see the Committee is moving slowly and cautiously. That is prudent here because so much training is required to bring the Bar up to speed on the many arcane technicalities involved in cybersecurity and encryption. This is fast becoming The Hot Specialty in the legal profession. Electronic Discovery is so yesterday. If I were not so involved in the AI aspects of searching for evidence in near-infinite haystacks of information, I would try to include this specialty too. But for now at least it is too challenging to try to do both at once.
The Opinion points out that a fact-based analysis means that strong protective measures, like encryption, are necessary in some circumstances. Encryption software and use-procedures are becoming easier. Now any intelligent person can understand the processes and use them effectively, not just cryptologists. All lawyers should either learn this or associate with an attorney who does. We all need more training in this area, myself included, to stay competent in the fast-moving information explosion era. All of the illegal hacking going on today is outrageous.
In other circumstances involving certain highly sensitive information (such as, in my opinion, classified military information, or certain trade secrets sought by Chinese corporations, as well as certain personal and corporate divorce investigations or political) it may be reasonable to avoid electronic communications altogether. Opinion at pgs. 4-5.
But in most circumstances,
… for matters of normal or low sensitivity, standard security methods with low to reasonable costs to implement, may be sufficient to meet the reasonable efforts standard to protect client information from inadvertent and unauthorized disclosure.
Opinion at pg. 5.
The Committee does not specify the reasonable efforts required in such matters, but does say that “unencrypted routine email generally remains an acceptable method of lawyer-client communication.” Opinion pg. 5. The Opinion at pgs. 5-10 then provides a list of considerations as guidance:
- Understand the Nature of the Threat.
- Understand How Client Confidential Information is Transmitted and Where It Is Stored.
- Understand and Use Reasonable Electronic Security Measures.
- Determine How Electronic Communications About Clients Matters Should Be Protected.
- Label Client Confidential Information.
- Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
- Conduct Due Diligence on Vendors Providing Communication Technology.
Well done by the Committee. An update on this topic was sorely needed. Now a wide-spread education program to explain the seven guidance points is in order. Time will tell how long this complex technical guidance will suffice. How long will it be before encryption of some level becomes a per se rule. How long before encryption is required in all attorney communications. It will be required some day, of that I am sure. Just not today. Still, if I were the Committee I would be working on a draft.
My Prediction of Future Tightening of Attorney Ethics Due to Increased Cybersecurity Concerns
The Opinion is the last word for now, but I predict that sometime within the next five years the American Bar Association Standing Committee on Ethics and Professional Responsibility will agree on a new Formal Ethics Opinion. The next opinion will, I predict, require encryption in all electronic communications and all Electronic Information, whether in transit or in storage. The “it depends” exceptions in the current Opinion will be eliminated. The predicted opinion will likely impose additional duties on attorneys and law firms to protect client data.
The expected expanded duties will cause disruptive change to the profession. It will be difficult for many lawyers and law firms to keep up. But I predict the Bar will have no choice but to do so because of accelerating advances in hacker technology. These advances will further empower criminal and state hacking. We are already seeing these developments now. See eg.: Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool (NYT, 5/12/17); Keren Elazari, We must act now to prevent future malware epidemics (Financial Times, 5/14/17).,
The development of Bitcoin and other anonymous currencies adds to our problem because they facilitate untraceable extortion payment schemes, one form of which is known as ransomware. We are seeing this now in the WannaCry exploit. Damian Global Cyberattack Exploits Known Vulnerabilities (Jackson Lewis, 5/15/17); What is WannaCry and how does ransomware work? (The Telegraph, 5/13/17); WannaCry cyber attack (wikipedia); Scott & Wingfield, Hacking Attack Has Security Experts Scrambling to Contain Fallout (NYT 5/13/17).
Unprotected email, websites and other ESI repositories are an invitation to blackmail. Illegal hacking tools are already easily available to any criminal or script kiddie with rudimentary computer skills. It is no longer the exclusive area of the hacker elite. Nothing is safe without back-ups, encryption and other protections, including attorney client communications and law firm ESI. Even mundane communications have metadata value that may help hackers. The situation grows worse every year. As a result, lawyers will, in five years or so, likely be required to use encryption and other confidentiality tools in all communications, include the mundane. It will be automatic. There will be no if and or buts.
In view of what seems to be an inevitable requirement of full encryption, all lawyers and law firms should start preparing now. Your CISOs and attorneys should start working together on this requirement as soon as possible. See eg., Lazzarotti, et al, Ransomware Attacks: Prevention and Preparedness (Jackson Lewis, 5/14/17). It never hurts to stay ahead of the curve. You will succeed if you work together as a team for the common good. Neither technologists nor lawyers should dominate. Natural leader(s) of the team can emerge from both sides and change over time. The use of outside specialists is, as always, a key ingredient for success, not only for the expertise, but also for the objective perspective.
Confidentiality is a critical problem facing all lawyers today. We all need to stay proficient in this area, including especially the uses of encryption. The smooth operation of our system of justice depends on the confidentiality of the attorney client relationship. Lawyers must be able to maintain the secrecy of their clients’ ESI. They must also protect their own work-product, including investigations, strategies, mental impressions and communications. The ABA Formal Opinion 477 (May 11, 2017) is a helpful addition to this literature. But it is, I think, just a harbinger of even more stringent ethical requirements to come. The increasing cyber dangers and failures of security will force the ABA to go much further than this. We all need to spend more time increasing our knowledge in this important area.
For further reading I suggest the following articles and information resources.
R. Losey, eDiscoverySecurity – Addresses cybersecurity issues from an e-discovery perspective.
- Joseph J. Lazzarotti, Damon W. Silver (Jackson Lewis), Data Privacy Primer for Law Firms (April, 2017). Excellent resource of all lawyers.
- Lazzarotti and Silver, Cybersecurity Risk Management for Law Firms (April 5, 2017) (requires registration, but is free). Jackson Lewis CLE Webinar.
- Jackson Lewis blog, Workplace Privacy, Data Management & Security Report.
- Lazzarotti, Law Firms: Updated Cybersecurity Primer and Other Resources (Jackson Lewis, 5/15/17).
- Lazzarotti, et al, Ransomware Attacks: Prevention and Preparedness (5/14/17).
- Ethics Opinions Related To Technology (Calif. Bar).
- ABA Legal Technology Resource Center.
- ProtonMail.com – Free Encrypted Email.
- GoldenFrog.com – Internet Security, Encryption.
- Confide – Confidential Text Messages, Encryption Plus.