
Business Law Section


ABA Issues Formal Ethics Opinion on Securing Communication of Protected Client Information

By Brett R. Harris, Esq posted 05-11-2017 05:17 PM

  

Today the ABA Standing Committee on Ethics and Professional Responsibility issued ABA Formal Ethics Opinion 477 - Securing Communication of Protected Client Information (May 11, 2017), which revisits ABA Formal Opinion 99-413 in which the Committee addressed a lawyer’s confidentiality obligations for e-mail communications with clients.  The Committee deemed it appropriate to update the 1999 Opinion, given that while the basic obligations of confidentiality remain applicable today, the role and risks of technology have substantially evolved.

The Formal Opinion synopsis provides as follows: “A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”  

ABA Formal Ethics Opinion 477 explains “technology amendments” adopted by the ABA to the Model Rules in 2012, notes the inception of the term “cybersecurity” and describes “a post-Opinion 99-413 world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if’”.   

In 1999, the ABA formal opinion authorized the transmission of information relating to representation of a client by unencrypted e-mail sent over the Internet.  The Committee indicated that such use is not in violation of the Model Rules “because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.”  However, before transmitting highly sensitive information, the lawyer should consult with the client and follow his or her instructions.  

Today’s opinion reaffirms the past analysis for routine client communications, “presuming the lawyer has implemented basic and reasonably available methods of common electronic security measures”. But Formal Ethics Opinion 477 goes on to state that it may not always be reasonable to rely on unencrypted email given the cyber-threats and proliferation of electronic communications devices. Thus, a fact-specific analysis is called for to determine what is reasonable. While the Opinion does not enumerate the steps of this analysis, it outlines the following considerations as guidance: understand the nature of the threat; understand how client confidential information is transmitted and where it is stored; understand and use reasonable electronic security measures; determine how electronic communications about client matters should be protected; label client confidential information; train lawyers and nonlawyer assistants in technology and information security; and conduct due diligence on vendors providing communications technology.

From my point of view, practicing law in today's society, the new ABA Opinion is a reaffirmation that we should embrace the opportunities afforded by technology to serve our clients better but cannot afford to ignore the risks posed.  
