The convenience of email comes with ethical dilemmas and security vulnerabilities. How to navigate client communication while protecting confidentiality and sensitive information.
Table of contents
QUESTION: I’ve been practicing law long enough to remember the era before email when fax machines were an office staple for efficient communication. Of course, today email is essential to share quick updates or important documents with clients. What precautions should I take when communicating with clients or sending sensitive information? Should everything work-related be encrypted these days?
ANSWER: Email has become an indispensable tool for lawyers seeking convenience and efficiency in client communication. However, this convenience comes hand-in-hand with ethical dilemmas and security vulnerabilities. Not to mention that there may be a better way (we’ll get to that).
Your question raises several important issues about how and when to better control the security of information, particularly when sent by email or other means of electronic communication.
For example, what crucial discussions should lawyers have with their clients regarding the sharing of information and documents? Also, are there alternatives to email that might offer enhanced privacy and security, surpassing the limitations of traditional email exchanges?
The below explores these issues to assist lawyers in navigating client communication while upholding confidentiality and safeguarding sensitive information.
Background on Email Communications Rules
I’ve previously detailed the long history of ethics opinions focused on email communication by lawyers. It started in 1999 with ABA Formal Opinion 99-413 allowing email use as affording “a reasonable expectation of privacy from a technological and legal standpoint.”
Nearly 20 years later, ABA Formal Opinion 477R reiterated the general acceptance of email communications with clients. According to this opinion, lawyers must be diligent in analyzing (on a case-by-case basis) the sensitivity of the transmitted information and other factors to determine what security efforts are reasonable.
Most recently, the Pennsylvania Bar Association’s Formal Opinion 2022-400 comes short of mandating that lawyers use encrypted email but provides guidance on what lawyers may and must do when transmitting client information, discusses the applicable Rules of Professional Conduct, and offers various practice tips on the topic. Also, it includes a helpful appendix of related opinions from other states.
The current posture in the legal profession on email security, consistent with the ethical rules discussed below, can be generally viewed in two parts:
- An analysis of the sensitivity of the information transmitted.
- An expectation-setting discussion with the client about the benefits and risks of unencrypted communication.
Relevant Ethical Rules
Several of the ABA Model Rules of Professional Conduct are relevant to email encryption for lawyers as they can be applied to safeguarding client information, including Competence (Rule 1.1, Comment 8), Communications (Rule 1.4), Confidentiality of Information (Rule 1.6) and Supervision (Rules 5.1 and 5.3).
The duty of competency (Rule 1.1, Comment 8)
Forty states (as of publication) have adopted Comment 8 to Model Rule 1.1 stating that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of technology.”
The comment emphasizes that lawyers should make reasonable efforts to understand technology’s impact on the legal profession and utilize appropriate technology to provide quality legal services.
Services and tools for storing and sharing client information can advance rapidly, demanding lawyers and related legal professionals stay informed and trained.
The duty to communicate (Rule 1.4)
Lawyers have a duty to keep their clients reasonably informed about the status of their matters, as stated in Rule 1.4.
Lawyers must communicate with their clients in a timely, clear, and courteous manner, and respond promptly to client inquiries and requests.
Lawyers should have an expectation-setting discussion with clients as to their preferred method of communication and the degree of sensitivity of the information related to their representation, including the use of email and text messages.
The duty of confidentiality (Rule 1.6)
Lawyers must protect the confidentiality of information relating to the representation of a client, as stated in Rule 1.6. This duty applies to email and other forms of communication.
Lawyers must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, client information. This may require using encryption, passwords, or other security measures when sending or storing email messages or attachments.
Lawyers must also be aware of the risks of sending emails to or from public or shared computers, networks, or devices, and take appropriate precautions to avoid unauthorized access or interception.
The duty to supervise (Rules 5.1 and 5.3)
Lawyers must supervise the work of their subordinates, associates, staff, and others, as stated in Rules 5.1 and 5.3.
Lawyers must ensure that the people under their supervision comply with the ethical rules and standards when using email as a means of communication.
Lawyers should establish and enforce policies and procedures for the proper use of email and other tools for transmitting information related to client matters.
Best Practices for Securing Attorney Emails Through Encryption
Encrypted email works by using cryptographic algorithms to scramble the content of the email, making it unreadable to anyone without the corresponding decryption key.
Encryption tools may be included in the software you already use, like Google G Suite and Microsoft Office 365. These tools can automatically ensure that an encrypted email remains secure and confidential, even if it is intercepted or accessed by unauthorized individuals.
While some assistance may be needed in selecting and setting up encryption, it is generally easy to use thereafter.
The Pennsylvania Bar’s Formal Opinion 2022-400 also recommends the following practices for email security:
- Before using email, consider whether it is the best method for the particular communication, including attachments.
- Avoid transmitting files containing information relating to the representation of a client as email attachments when possible. Also, consider whether to enable the “Encrypt & Prevent Forwarding” feature when available.
- Advise clients not to forward your email or memos to third parties.
- When possible, encrypt communications or use passwords for attachments containing information relating to the representation of a client rather than attaching unprotected information to unencrypted communications.
- Use a central file-sharing portal, cloud storage provider, or similar service to eliminate the need to attach files to an email and eliminate or reduce the likelihood of unauthorized access to confidential or sensitive information. Examples include Citrix ShareFile, Microsoft Encrypt, Microsoft Message Encryption, Dropbox Business, Google Workspace Drive, OneDrive for Business, Box Business Box, and G Suite.
However, the easiest way to protect confidential client information when communicating electronically is through a secure client portal, like the ones built into law practice management software.
By doing so, you avoid the hassle of assessing security risks on a case-by-case basis and can maintain your emails, documents and even text messages under the same secure protection.
You might already use a secure portal to send messages and share documents with your medical provider or financial advisor. Likewise, secure client portals provide an encrypted dashboard for lawyers and clients to communicate and access materials in a central location.
As I have written before, client portals have benefits beyond improved security such as better communication and convenient billing. And all messages and documents are connected to the appropriate case file, creating a win-win for information management and security for lawyers and clients.
Elevating Customer Service While Managing Liability Risks
Law firms have gained a reputation for being highly vulnerable to breaches of sensitive information, which is hardly surprising. As custodians of client data, lawyers bear the responsibility of safeguarding this information, and the continuous flow of emails poses one of the most significant threats to unauthorized disclosures.
To address this issue, lawyers must be cognizant of the ethical implications of communicating with clients via email. They should carefully adhere to best practices and guidelines governing email use, including the implementation of encryption protocols designed specifically for legal professionals.
By taking these proactive measures, you can enhance the quality of your client service, uphold the utmost confidentiality of clients’ information, and effectively steer clear of potential pitfalls and liabilities.
Related Posts:
- “Can Lawyers Ethically Store and Transmit Client Info in the Cloud?“
- “Ethics Reminders for Lawyers Texting Clients“
- “Can Client Portals Reshape the Practice of Law? An Ethical Perspective“
- “10 Habits for Successful Email Communication“
- “How to Avoid Getting Hooked by Phishing Scams“
- “Does Email Tracking Violate the Rules of Professional Conduct?“
About the Illinois Supreme Court Commission on Professionalism
The Illinois Supreme Court Commission on Professionalism was established by the Illinois Supreme Court in 2005 under Supreme Court Rule 799(c) to foster increased civility, professionalism, and inclusiveness among lawyers and judges in Illinois. By advancing the highest standards of conduct among lawyers and judges, the Commission works to better serve clients and society alike. For more information, please visit 2Civility.org and follow us on Twitter @2CivilityOrg.
Image © iStockPhoto.com.
Don’t miss out on our daily practice management tips. Subscribe to Attorney at Work’s free newsletter here >
