Welcome to Module 4-K.
Lawyer’s Duty of Confidentiality.
This module focuses on a lawyer’s ethical duty of confidentiality. It consists of a video by Ralph Losey in two parts lecturing on this important subject, followed by an essay on ABA Formal Opinion 477. This new Opinion is covered in detail after the videos.
Rule 1.6 – Confidentiality of Information
This class is based on the ABA Model Ethics Rule 1.6 – Confidentiality of Information:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
See, e.g.: NY Bar Opinion 749, 2/21/17 (“Duty to protect a client’s confidential information from cybersecurity risk and handling e-discovery when representing clients in a litigation or government investigation.”)
See: ABA Formal Op. 99-413 (Mar. 10, 1999):
A lawyer may transmit information relating to the representation of a client by unencrypted e-mail… because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.
Also see: Cal. Op. 2010-179
Encrypting email may be a reasonable step for an attorney to take … when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.
May 11th 2017 ABA Opinion: Securing Communication of Protected Client Information
After we created the above video the ABA published a new opinion on lawyer confidentiality, Formal Opinion 477 (May 11, 2017) (hereinafter “Opinion”). It was published by the American Bar Association Standing Committee on Ethics and Professional Responsibility and is entitled Securing Communication of Protected Client Information.
The Opinion addresses the reasonable efforts that lawyers and law firms must take to ensure that communications with clients are secure and not subject to inadvertent or unauthorized security breaches. It updates Formal Opinion 99-413 quoted above and discussed in the video. This update was sorely needed and very well done. Here is the ABA introductory synopsis:
Securing Communication of Protected Client Information
The Standing Committee on Ethics and Professional Responsibility goes on to explain in the Opinion how much things have changed since the 1999 opinion on the use of unencrypted email.
[T]he term “cybersecurity” has come into existence to encompass the broad range of issues relating to preserving individual privacy from intrusion by nefarious actors throughout the Internet. Cybersecurity recognizes a post-Opinion 99-413 world where law enforcement discusses hacking and data loss in terms of “when,” and not “if.” Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.
Opinion pg. 2.
The Standing Committee again “rejects requirements for specific security measures (such as firewalls, passwords, and the like)” and stays with the “reasonable efforts” standard. This somewhat controversial position is made in reliance on the ABA Cybersecurity Handbook (ABA 2013) which, instead of mandating specific security measures such as encryption:
… adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.
Opinion quoting Cybersecurity Handbook at pg. 4. You see the Committee is moving slowly and cautiously. That is prudent here because so much training is required to bring the Bar up to speed on the many arcane technicalities involved in cybersecurity and encryption. This is fast becoming The Hot Specialty in the legal profession. Electronic Discovery is so yesterday. If I were not so involved in the AI aspects of searching for evidence in near-infinite haystacks of information, I would try to include this specialty too. But for now at least it is too challenging to try to do both at once.
The Opinion points out that a fact-based analysis means that strong protective measures, like encryption, are necessary in some circumstances. Encryption software and use-procedures are becoming easier. Now any intelligent person can understand the processes and use them effectively, not just cryptologists. All lawyers should either learn this or associate with an attorney who does. We all need more training in this area, myself included, to stay competent in the fast moving information explosion era. All of the illegal hacking going on today is outrageous.
In other circumstances involving certain highly sensitive information (such as, in my opinion, classified military information, or certain trade secrets sought by Chinese corporations, as well as certain personal and corporate divorce investigations or political) it may be reasonable to avoid electronic communications altogether. Opinion at pgs. 4-5.
But in most circumstances,
… for matters of normal or low sensitivity, standard security methods with low to reasonable costs to implement, may be sufficient to meet the reasonable efforts standard to protect client information from inadvertent and unauthorized disclosure.
Opinion at pg. 5.
The Committee does not specify the reasonable efforts required in such matters, but does say that “unencrypted routine email generally remains an acceptable method of lawyer-client communication.” Opinion pg. 5. The Opinion at pgs. 5-10 then provides a list of considerations as guidance:
Well done by the Committee. An update on this topic was sorely needed. Now a wide-spread education program to explain the seven guidance points is in order. Time will tell how long this complex technical guidance will suffice. How long will it be before encryption of some level becomes a per se rule? How long before encryption is required in all attorney communications? It will be required some day, of that I am sure. Just not today. Still, if I were the Committee I would be working on a draft. My prediction is we have five years to prepare, at the most.
Analysis and Projections
Confidentiality is a critical problem facing all lawyers today. We all need to stay proficient in this area, including especially concerning the power and importance of encryption. The smooth operation of our system of justice depends on the confidentiality of the attorney client relationship. Lawyers must be able to maintain the secrecy of their clients’ ESI. They must also protect their own work-product, including investigations, strategies, mental impressions and communications. The ABA Formal Opinion 477 (May 11, 2017) is a helpful addition to this literature.
The Opinion is the last word for now, but we predict that sometime within the next five years the American Bar Association Standing Committee on Ethics and Professional Responsibility will agree on a new Formal Ethics Opinion. The next opinion will require encryption in all electronic communications and all Electronic Information, whether in transit or in storage. The “it depends” exceptions in the current Opinion will be eliminated.
This will be a very difficult, disruptive change to the profession. But we predict the Bar will have no choice because of accelerating advances in technology. These advances will further empower criminal and state hacking. See, e.g.: Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool (NYT, 5/12/17); Keren Elazari, We must act now to prevent future malware epidemics (Financial Times, 5/14/17). We are unsure what will happen when quantum computing develops further, but some think it could defeat encryption. The development of Bitcoin and other anonymous currencies adds to our problem because they facilitate untraceable extortion payments. Unprotected email will be an invitation to blackmail. Nothing will be safe without encryption, including attorney client communications. Even mundane communications may have metadata value. As a result we will be required to use encryption and other confidentiality tools in all communications, including the mundane. It will be automatic. There will be no ifs, ands, or buts.
In view of what seems to be an inevitable requirement of full encryption, all lawyers and law firms should start preparing now. Your CISOs and attorneys should start working together on this requirement as soon as possible. It never hurts to stay ahead of the curve. You will succeed if you work together as a team for the common good. Neither technologists nor lawyers should dominate. Natural leader(s) of the team can emerge from both sides and change over time.
SUPPLEMENTAL READING: You must carefully read the 2017 Opinion in full. You should also become familiar with these information resources.
EXERCISE: Learn about encryption by doing. Encrypt your hard drive, if you have not already done so. Research and take the steps necessary to send an encrypted email, an encrypted text. The more you know about encryption, the better. There are many articles on the subject, but start by looking at the blogs and other information on GoldenFrog.com, ProtonMail.com and elsewhere.
Also study the state of cybersecurity today and consider what facts and circumstances might occur to force the Standing Committee on Ethics and Professional Responsibility to amend the ethics code as predicted within five years. What might happen to delay the implementation of full encryption?
Students are invited to leave a public comment below. Insights that might help other students are especially welcome. Let’s collaborate!
Copyright Ralph Losey 2017