ABA issues new opinion on secure online communication with clients

In 1999, the American Bar Association issued Formal Opinion 99-413, which permitted lawyers to use email to communicate with clients. In that opinion, the ABA Committee on Ethics and Professional Responsibility concluded: "Lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client's representation." Times have most certainly changed since 1999. So, too, has technology. While email used to be the best method available for electronic communication with legal clients, technology has advanced such that the security issues inherent in email make it a less desirable way to communicate with clients compared to alternative and far more secure online communication tools. That's why the ABA issued Formal Opinion 477 on May 11 (www.americanbar.org/content/dam/aba/images/abanews/FormalOpinion477.pdf). In this opinion, the committee concluded that because there are more secure electronic communication methods available in 2017, lawyers may want to consider avoiding email for many client communications and use other, more secure electronic methods instead. At the outset, the committee acknowledged that today most lawyers "primarily use electronic means to communicate and exchange documents with clients, other lawyers, and even with other persons who are assisting a lawyer in delivering legal services to clients" including "desktop, laptop and notebook computers, tablet devices, smartphones, and cloud resource and storage locations." Next, the committee noted that pursuant to an amendment to the Model Rules adopted by the ABA in 2012, lawyers now have a continuing duty to stay abreast of changes in technology. As part of that duty, lawyers must take reasonable efforts to protect confidential client information from disclosure and in doing so must assess "the methods of electronic communications employed, and the types of available security measures for each method." Furthermore, when dealing with highly sensitive confidential client information, lawyers must "inform the client of the risks involved" and advise that either extra measures should be taken to protect email transmissions or that email should be avoided altogether. Factors to be considered when determining the appropriate way to communicate with clients in each case include: -the sensitivity of the information, -the likelihood of disclosure if additional safeguards are not employed, -the cost of employing additional safeguards, -the difficulty of implementing the safeguards, and -the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). The obligation to evaluate and choose appropriate technology to protect client data may be outsourced "through association with another lawyer or expert, or by education." Importantly, the committee emphasized that "(a) fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances." The committee explained that as long as lawyers have implemented basic and reasonably available methods of common electronic security measures, using unencrypted email may be appropriate for routine or low-sensitivity communications, but that due to "cyber-threats and (the fact that) the proliferation of electronic communications devices have changed the landscape . it is not always reasonable to rely on the use of unencrypted email." As such, lawyers must assess how to communicate about client matters on a case-by case basis. The committee recommended that lawyers take certain steps when making this assessment for each case: 1) understand the nature of the threat, 2) understand how client confidential information is transmitted and where it is stored, 3) understand and use reasonable electronic security measures, 4) determine how electronic communications about client matters should be protected, 5) label client confidential information, 6) train lawyers and non-lawyer assistants in technology and information security, and 7) conduct due diligence on vendors providing communication technology. The committee concluded that the duty to vet the security measures taken by each third-party provider that stores a law firm's confidential client data is a continuing one and lawyers must "periodically reassess these factors to confirm that the lawyer's actions continue to comply with the ethical obligations and have not been rendered inadequate by changes in circumstances or technology." Of note, the committee explained that client matters involving proprietary information such as "industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft" and as such reasonable efforts in those in higher-risk scenarios generally requires that greater effort be taken to protect client data than simply using unsecure email to communicate. The committee suggested a number of more secure alternatives including using secure Wi-Fi, a Virtual Private Network, and a secure Internet portal such as those routinely included with law practice management software. The committee clarified that cloud-based online collaboration portals are a viable option to ensure secure communication: "(I)f client information is of sufficient sensitivity, a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments. Alternatively, lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails." ----- Nicole Black is a director at MyCase.com, a cloud-based law practice management platform. She is also of counsel to Fiandach & Fiandach in Rochester and is a GigaOM Pro analyst. She is the author of the ABA book "Cloud Computing for Lawyers," coauthors the ABA book "Social Media for Lawyers: the Next Frontier," and co-authors "Criminal Law in New York," a West-Thomson treatise. She speaks regularly at conferences regarding the intersection of law and technology. She publishes three legal blogs and can be reached at niki@ mycase.com. Published: Fri, May 19, 2017