Recently, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, which aims to provide guidance and clarity to lawyers as they consider what level of security to give communications with clients. (I was recently interviewed by Massachusetts Lawyers Weekly on this topic, and you can read the full article here; please note that the article is behind a paywall.)
The bottom line? There is no bright-line rule other than, be careful! The Opinion spends a good deal of time reminding lawyers what obligations attach in the era of email and technology — for example, lawyers must be knowledgeable about current technology, since it is the stock-and-trade of communication between lawyers and clients, opposing counsel, and lawyers and the court. But the Opinion does not demand that lawyers encrypt all of their communications; doing so would not only be practically unworkable, but would also be unnecessarily time consuming and, for some, expensive.
Strikingly, the Opinion gives lawyers much of the same advice that lawyers would give to their clients concerning best practices with regard to securing personal confidential information:
- Understand the nature of the threat.
- Understand how client confidential information is transmitted and where that information is stored.
- Understand and use reasonable electronic security measures.
- Determine how electronic communications about client matters should be protected.
- Label client confidential information.
- Train lawyers and nonlawyer assistants in technology and information security.
- Conduct due diligence on vendors providing communication technology.
While the ABA’s Opinion delves into principles that are specific to an attorney’s fiduciary obligations to her client, nevertheless much of this guidance — know what your data is and where it is located, train your employees — is no different than the best practices of any organization that receives, sends, and maintains personal confidential information.
Depending on the evolution of the threat environment, it is possible that ethics rules could change to impose greater obligations on attorneys; but the Opinion provides well-conceived guidance in allowing lawyers to determine, on a case-by-case basis, what level of security any particular communication should have. The balance seems an appropriate one. Nevertheless, a lawyer’s judgment must be guided by her duties to maintain client confidentiality and to understand the technological tools at her disposal. In this sense, the Opinion should function as a useful reminder of best practices, consistent with advice lawyers in this space are already providing to their clients.