This blog previously looked at both the ethical implications of cloud computing and state-level initiatives addressing cloud privacy concerns. Another area of concern is the lax ethical requirements of attorneys to encrypt electronic communication (i.e., e-mail) that contains confidential client information.
Even lawyers, who have historically lagged when it comes to emerging technologies, now rely almost exclusively on e-mail when communicating with clients. While e-mail has obvious benefits (it’s inexpensive, quick, and efficient), there are also inherent risks associated with sending unencrypted electronic communication. These risks can include the potential for unauthorized third-party access to unencrypted e-mails sent by attorneys containing confidential client information.
To address these threats, the ABA requires that attorneys take “reasonable precautions” to safeguard confidential client information communicated electronically. However, this duty does not extend to using special security measures, such as encryption, if the communication method affords a “reasonable expectation of privacy”. Alarmingly, many attorneys believe that unencrypted internet e-mail is a communication method that affords a “reasonable expectation of privacy”, thus not requiring additional encryption. This is due in part to the antiquated belief that sending an e-mail is analogous to sending a sealed envelope in the mail: it is closed to the public while in transit. On the contrary, security experts liken sending an unencrypted e-mail to sending a postcard in the mail: easily intercepted and read by an unintended recipient.
Does the ABA standard, which largely leaves the decision of whether to encrypt e-mail with confidential client information up to the attorney, do enough to protect clients’ personally identifiable information? Some state ethics opinions, such as those issued by New Jersey and California, have gone further than the ABA by recommending that attorneys should: (1) password protect all confidential client documents sent electronically, and (2) encrypt e-mails with confidential client information, particularly if the information is highly sensitive.
Other professions tasked with protecting confidential client information, such as healthcare, already universally require e-mail encryption. Given that using encryption is increasingly considered the “bare-minimum” to satisfy privacy concerns, the legal profession should not lag in adopting this technology.