Lawyers and Email: Ethical & Security Considerations

By Scott Aurnou

The specter of attorney-client privilege has a long and well-respected history in litigation… but means nothing at all to a hacker. “Delete this email if you are not the intended recipient” or similar language theoretically sounds imposing, but essentially does nothing to protect firm or client data from any nefarious actors who view it (though they may get a good chuckle before reading the “forbidden” email).

In May 2014, LexisNexis published a study pertaining to law firm security awareness versus actual practices with respect to communications and file sharing with clients. Almost 90% of those surveyed used email to communicate with clients and privileged third parties. The vast majority of attorneys surveyed also acknowledged the increasingly important role of various file sharing services and the inherent risk of someone other than a client or privileged third party gaining access to shared documents. Yet only 22% used encrypted email and 13% used secure file sharing sites, while 77% of firms relied upon the effectively worthless “confidentiality statements” within the body of emails to secure them.

Relevant Ethical Standards

The effect of changes to the Model Rules: The ABA Model Rules of Professional Conduct were updated in 2012 specifically to address the effect of technology upon the legal profession and a number of those changes directly pertain to the need for confidential communications.

The language in Comment 8 to Rule 1.1 (Competence) was amended to emphasize a duty for attorneys to stay up-to-date on technical matters pertaining to the practice of law, generally speaking: “[A] lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”

Paragraph (c) of Rule 1.6 (Confidentiality of Information) states:

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

Model Rules of Professional Conduct rule 1.6 (2014).

Comment 18 to Rule 1.6 relates to the need for a lawyer to “act competently” to prevent the disclosure of “information relating to the representation of a client.” It offers a safe harbor provision and factors to determine the reasonableness of an attorney’s conduct in protecting the information at issue:

Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Model Rules of Professional Conduct rule 1.6, cmt. 18 (2014).

In addition, Comment 19 to Rule 1.6 specifically relates to electronic communications with clients, stating, “When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” It also offers a safe harbor provision: “This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.”

Therein lies the rub. What is reasonable, given the state of modern snooping technology? Moreover, from whom do the communications need to be kept private? Commercial competitors? Cyber criminals? Government actors? Other interested parties? Comment 19 specifically notes a pair of factors to consider when determining the reasonableness of the expectation of privacy. They are: 1) the sensitivity of the data itself and 2) the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may also give informed consent to a method not otherwise permitted, though that approach may be asking for trouble if a client changes his or her mind later or disputes whether he or she was properly apprised of the relevant risks.

In addition to the Model Rules, failure to reasonably secure communications with clients can run afoul of state privacy laws (see, e.g., Mass. Gen. Laws, ch. 93H, § 2(a) (regulations at 201 CMR 17.00 et seq.) (2014); Nev. Rev. Stat. 603A.215 (2014)) and potentially provide an effective basis for a colorable legal malpractice claim.

Pertinent Technology Basics

How does email actually work? By its nature, email is not a terribly secure way to share information. When you send out an email, it goes through a more powerful, centralized computer called a server on its way to a corresponding email server associated with the recipient’s computer or mobile device. It passes through any number of servers along the way from sender to recipient, like a flat stone skipping along the top of a pond. And if that email isn’t encrypted, anyone with access to any one of those servers can read it.
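The hop-by-hop path described above is recorded in a message's `Received:` headers, which each server prepends as it accepts the message. The following is an added example, not part of the original article: it parses a constructed message (all hosts and addresses are made up) and reports which links used transport encryption (TLS) and which servers held a readable copy regardless.

```python
import re
from email import message_from_string

# Constructed sample message: every host, address and ID here is made up.
SAMPLE = """\
Received: from mx.client-corp.example (mx.client-corp.example [203.0.113.9])
\tby mail.recipient.example with ESMTPS id c3; Tue, 03 Jun 2014 10:00:05 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.client-corp.example with ESMTP id b2; Tue, 03 Jun 2014 10:00:03 -0400
Received: from laptop.lawfirm.example (laptop.lawfirm.example [192.0.2.10])
\tby relay.isp.example with ESMTPSA id a1; Tue, 03 Jun 2014 10:00:01 -0400
From: attorney@lawfirm.example
To: client@client-corp.example
Subject: Draft settlement terms

Privileged and confidential.
"""

# "with" keywords registered by RFC 3848; the S variants mean STARTTLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def trace_hops(raw_message):
    """Return the hops in delivery order (servers prepend, so reverse)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if m is None:
            continue  # free-form or malformed header: skip rather than guess
        proto = m.group(3).upper()
        hops.append({"from": m.group(1), "by": m.group(2),
                     "protocol": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def cleartext_links(raw_message):
    """Links where the message crossed the network with no transport encryption."""
    return [(h["from"], h["by"]) for h in trace_hops(raw_message) if not h["tls"]]

def servers_holding_readable_copy(raw_message):
    """TLS protects only the wire; each receiving server still sees the body."""
    return [h["by"] for h in trace_hops(raw_message)]

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(f'{hop["from"]} -> {hop["by"]}  {hop["protocol"]}  tls={hop["tls"]}')
    print("cleartext links:", cleartext_links(SAMPLE))
```

`Received:` headers are self-reported by each server and lines added before the first server you trust can be forged, so treat the result as an indication of the path rather than proof.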

What is encryption? Encryption is the use of an algorithm to scramble normal data into an indecipherable mishmash of letters, numbers and symbols (referred to as “ciphertext”). An encryption key (essentially a long string of characters) is used to scramble the text, pictures, videos, etc. into the ciphertext. Depending on how the encryption is set up, either the same key (symmetrical encryption) or a different key (asymmetrical encryption) is used to decrypt the data back into its original state (called “plaintext”). Under most privacy and data breach notification laws, encrypted data is considered secure and typically doesn’t have to be reported as a data breach if it’s lost or stolen (so long as the decryption key isn’t taken, as well).

A Few Methods to Secure Email

1) Encrypted email. Properly encrypted email messages should be converted to ciphertext before leaving the sender’s computer or mobile device and stay encrypted until they are delivered to the recipient (remaining indecipherable as they pass through each server along the way). This is referred to as end-to-end encryption.

Until fairly recently, email encryption has been a somewhat technical and cumbersome process often requiring both sender and recipient to use matching encryption programs and carefully manage their own encryption keys. Now there are plenty of encrypted email offerings from larger commercial companies, as well as a number of new and interesting email encryption services that have become available in the wake of disclosures made by Edward Snowden.

When choosing one, be mindful of where the service you use is located (including where the servers handling the emails on the system actually are). Mr. Snowden used a well-regarded U.S.-based encrypted email provider called Lavabit. Not long after Mr. Snowden’s revelations came to light, Federal law enforcement forced Lavabit to secretly turn over the encryption keys safeguarding its users’ private communications. Lavabit’s founder tried to resist, but was overwhelmed in Federal court. As a result, he shut down the service. Another well-regarded service called Silent Mail followed suit shortly thereafter as it felt it could no longer ensure its customers’ privacy. Both have since relocated to Switzerland and are planning to introduce a new encrypted email service called Dark Mail.

Larger companies offering encrypted email services typically control the encryption keys and will decrypt data before turning it over in response to a warrant or subpoena (including one coupled with a gag order). In addition, email service providers can legally read any email using their systems under Title II of the Electronic Communications Privacy Act, referred to as the Stored Communications Act (18 U.S.C. § 2701(c)(1)). Moreover, emails remaining on a third party server for over 180 days are considered abandoned (18 U.S.C. §§ 2701(c)(3), 2703). Any American law enforcement agency can gain access to them with a simple subpoena (18 U.S.C. § 2703(b)).

Accordingly, if you choose to use a service based in the United States or another jurisdiction with similar privacy protections, be mindful of who controls the encryption keys.

2) Secure cloud storage. Another way to securely communicate or share files with a client or privileged third party is to place the communication and/or files in encrypted cloud storage and allow the client or third party to have password-protected access to them. Rather than a direct email with possible attachments, the client or third party would receive a link to the securely stored data. The cloud service you select should be designed for security. Before you ask, DropBox and Google Drive would not be suitable options. There are a number of services offering well protected cloud storage and it’s important to do your due diligence before selecting one. If it all seems a bit much to figure out, two services I would recommend looking into are Cubby and Porticor.

3) Secure Web portal. A third approach is to place the communications and/or files in a secure portion of your firm’s network that selected clients and/or privileged third parties can access. As with the secure cloud storage option noted above, the email sent to the client or third party would have a link back to the secure Web portal’s login page. An advantage to this approach is that the communications and files do not actually leave your computer network and should be easier to protect.

An additional consideration. A government snoop or competent hacker doesn’t necessarily have to target a message while it’s encrypted. A message that is protected by strong encryption when it’s sent or held in secure cloud storage can still be intercepted and read once it has been opened or accessed using a mobile device or computer that has been compromised. The same holds true for intercepting a message before it’s encrypted initially. What steps can you take to protect your messages? The software on any computer or other device that can potentially access confidential data should be kept as up-to-date as possible, the devices should be protected against possible data loss if they are lost or stolen, and all firm personnel should have regular security awareness training with respect to social engineering and other threats.

At the end of the day, there is no single silver bullet to provide “perfect security.” But there are genuinely helpful steps (including those noted above) that you can take to comply with pertinent ethical standards and better protect your electronic communications with clients and privileged third parties.

This article originally appeared in Law360 as Lawyers And Email: Ethical And Security Considerations.

2 comments on “Lawyers and Email: Ethical & Security Considerations”
  1. Once sensitive files are shared or checked out of secure locations – how are you protecting the data found within the files? If the file can be checked out of a file storage platform and emailed... is the data protected? Can the recipient copy/paste the content of the file into a new location? What if they chose to save it in their private Dropbox or Google Drive account? It is time for the legal industry (and others) to focus on protecting the actual sensitive data that resides in files – so that no matter where the data travels, it stays protected against prying eyes. It is crucial to own the source data and be able to revoke access to the original file (and any new files containing copied/pasted content) when business relationships change.

  2. Lewis Jaffe says:

    This week’s posting on my bookplate blog may interest you.
