This week's Daily Record column is entitled "Emails between lawyer and client and the risk of third party access."
My past Daily Record articles can be accessed here.
Emails between lawyer and client and the risk of third party access
Do lawyers have an ethical obligation to warn clients of the risk of third party access to all types of electronic communication between attorney and client? This question was addressed last month in an ethics decision, Formal Opinion No. 11-459, issued by the American Bar Association’s Standing Committee on Ethics and Professional Responsibility.
It’s an interesting question given that lawyers have been sending confidential client documents and data via unencrypted email for over a decade and yet this specific question is just now being raised. That this issue is suddenly coming to light in 2011 is particularly surprising given that ethics committees in multiple jurisdictions concluded many years ago that, in most cases, attorneys may use unencrypted e-mail to communicate with clients without violating their ethical obligations to maintain client confidentiality. See, for example, American Bar Association Formal Opinion No. 99-413, N.Y. State 709 (1998), State of Maine Ethics Opinion #195 (2008), Ohio Ethics Opinion No. 99-2 (April 9, 1999), Hawaii Ethics Opinion No. 40 (April 26, 2001), Utah Ethics Opinion No. 00-01 (March 9, 2000), Florida Ethics Opinion No. 00-4 (July 15, 2000), Delaware Ethics Opinion No. 2001-2 (2001), and Virginia Ethics Opinion No. 1791 (December 22, 2003).
In last month’s decision, the Committee analyzed the issue of third party access to email within the context of a hypothetical employment claim wherein the employer accessed an employee’s arguably privileged emails with counsel, which were sent using either a work email account or company-owned devices.
After reaching the narrow conclusion that, in employment cases, lawyers have an obligation to warn clients of the risk of discussing the case using employer-owned devices or accounts, the Committee then offered the following very broadly-worded proposition, applicable to all type of cases, not just employment matters: “A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary. Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.”
After re-reading this language and the entire decision multiple times, I still can’t decide if this is a step forward or a step back. Is the Committee implicitly supporting cloud computing platforms that offer encrypted communication, as some of my colleagues have suggested, or is it actually suggesting that any time an attorney uses a form of electronic communication to converse with a client, the client must be warned of the risk of third party interception? If the latter interpretation is correct, then I find this decision to be particularly problematic since the Committee appears to be treating electronic communications differently than other types of communication, even though, regardless of the form of communication, there is always a risk of third party interception. No form of communication is 100% secure.
In fact, in 1999, in ABA Formal Opinion No. 99-413, cited above and referenced in last month’s decision, the Committee acknowledged as much, concluding that client consent regarding the use of email was unnecessary: “Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers' greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent.”
However, in Op. 99-413, lawyers were cautioned to exercise extreme care and consider taking extra precautions when transmitting highly sensitive information: “The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail. A lawyer should consult with the client and follow her instructions, however, as to the mode of transmitting highly sensitive information relating to the client's representation.” In other words, an attorney’s obligation centered around the type of information being discussed, not the mode of transmission. The more sensitive the content of the discussion, the more care needed to be taken to reduce unintended disclosure to third parties.
Returning to last month’s decision, it makes sense when limited the hypothetical employment litigation scenario and the risks posed when attorney-client discussions occur via employer accounts or devices. But I am alarmed by the (perhaps unintended) consequences of the Committee’s broadly worded conclusion and its implication--that any type of electronic communication poses a risk simply by virtue of the method of dissemination of information. The shift of focus from the type of information being discussed to the method of communication is troubling and will arguably discourage attorneys from utilizing emerging technologies such as cloud computing.
Whether that was the Committee’s intent remains to be seen, but, in my opinion, that seems to be the natural, and troubling, consequence of its secondary holding.