Sunday, June 25, 2017

ABA Issues Updated E-mail Guidance

I’ve been writing and lecturing about Internet and e-mail ethics issues since 1998 – there is no shortage of ethics opinions or scholarship on the subject.  This did not dissuade the American Bar Association from issuing its own updated guidance, entitled Securing Communication of Protected Client Information, on 11 May, or from revising it eight days later.  And because it’s an ABA opinion, it’s newsworthy.

Most of the headlines surrounding new ABA Formal Opinion 477R (19 May 2017) will focus on the Standing Committee on Ethics and Professional Responsibility’s conclusion that, in some instances, an attorney may be required to use encrypted e-mail, a conclusion it resisted making in its 1999 opinion: Formal Opinion 99-413. 

I’m not interested in summarizing the new ABA opinion – other blogs, including the ABA Journal, have already done that, and more are sure to follow.  (You can read revised Opinion 477R here.  It’s short and time well spent.)  Instead, I would rather use the issuance of ABA 477R as an opportunity to riff on the central theme embodied in it.

First, a little review:

A Trip Down Memory Lane

It’s mid-1990.  Few lawyers were eager and early adopters of e-mail.  The Bar “warmed” to electronic communications only because clients demanded it:
In Microsoft’s case, we insist that all of our lawyers have electronic mail.  We won’t deal with them unless we have that kind of access.
Christie and Aarons, Bill Gates Tells Law Firms: No E-mail, No Deal, Colorado Journal, May 23, 1997, p. 2. 

Almost immediately the question arose whether there was an ethical duty to encrypt confidential Internet communications.  Public and private key encryption then was kludgy; clients hated it, and so did lawyers.  The thought that lawyers might have to encrypt e-mail was a bummer.

Fortunately, throughout the 1990s, and with surprisingly few exceptions, one bar after another reached the conclusion that Internet e-mail is reasonably safe, even without encryption.  See Delaware State Bar Ass’n Committee on Professional Ethics Op. 2001-2 (communications by e-mail and cell phones do not violate Delaware Rule 1.6 absent exceptional circumstances, such as where an attorney should reasonably anticipate the possibility of disclosure or interception); Supreme Court of Ohio Board of Commissioners on Grievances and Disputes Opinion 99-2 (April 9, 1999) (encryption of e-mail not required).  Accord N.Y. State Bar Ass’n Committee on Professional Ethics, Opinion 709 (Sept. 16, 1998); D.C. Bar Opinion No. 281 (Feb. 18, 1998); Alaska Bar Ass’n Opinion 98-2 (Jan. 8, 1998); Pennsylvania Bar Ass’n Committee on Legal Ethics and Professional Responsibility Informal Opinion 97-130 (Sept. 26, 1997); Vermont Bar Ass’n Committee on Professional Responsibility Opinion 97-5; Illinois State Bar Ass’n Committee on Professional Ethics Opinion 96-10 (May 16, 1997); South Carolina Bar Ethics Advisory Opinion 97-08 (June 1997); Arizona State Bar Committee on Rules of Professional Conduct Opinion 97-04 (April 7, 1997).

Near the end of this long line, on 10 March 1999, the ABA issued Formal Opinion 99-413.  Coming so late, Opinion 99-413 was not significant for its conclusion, but rather for its weight as the opinion of the author of the Model Rules.  The opinion, however, did a nice job of synthesizing the work that went before it, and of focusing on the overriding issue of the reasonableness of the expectation of confidentiality, instead of the Internet as the technology du jour:
The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail.  It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of the law.
ABA Opinion 99-413 concluded that Internet e-mail was no less secure than “U.S. and commercial mail, land-line telephonic transmissions, and facsimiles,” and should not be singled out for separate treatment.

Earlier ethics opinions had suggested that the same general precautions and guidelines regarding client communications over cellular telephones and fax machines should apply to Internet e-mail.  See, e.g., Alaska Bar Ass’n Opinion 98-2; Iowa Ethics Opinion 96-1 (1996); North Carolina Ethics Opinion 215 (1995); Colorado Bar Ass’n Opinion 90. 

Surely, consideration of the sensitivity of the communication, and providing cautionary warnings to clients who may not appreciate the potential vulnerability of interception, is good practice in all transmissions over evolving technologies.  However, a pronouncement that the failure to encrypt could subject an attorney to professional discipline in the event of interception – at least absent a clear and convincing showing that the communication was so sensitive that any risk of possible interception was too great – would have imposed an unacceptable burden on then-burgeoning e-commerce.

ABA 99-413’s ultimate conclusion that e-mail encryption was generally not required was correct for its time.  However, as I wrote in 2003:
[T]he only constant in technology is change.  While the law currently concludes that encryption is not required to protect the confidentiality of routine attorney-client communications sent via e-mail, should SMTP become more vulnerable to interception and/or encryption become easier for clients and lawyers to use, this conclusion should change.  Lawyers everywhere are well advised to . . .  focus not on the medium of the communication, but rather on the exercise of reasonable care.
Charles F. Luce, Jr., Legal Ethics on the Internet, 7 J. of Internet Law 1 (Oct. 2003).  This admonition is also one of the principal precepts of new ABA 477R.

Back to the Future: Communication, Confidentiality, & Competence

Much has happened since 1999.  This year the iPhone celebrates its tenth anniversary.  The iPad is only three years younger.  We’ve moved from slow dial-up and slightly faster DSL, to blistering broadband and mobile data speeds that match it.  Our work now follows us everywhere – on our commute, to our homes, on vacation, even into the loo.  So do the bad guys, in increasing numbers and with greater ability to hack and intercept our communications. 

Rule 1.4 requires that lawyers communicate regularly with clients to keep them informed, so they are able to make informed decisions regarding their legal matters.  These days those communications occur primarily or exclusively by e-mail.  Cobwebs gather on lawyers’ in-boxes, which now serve mainly as compost collection centers for interoffice and other junk mail.

Rule 1.6(c) prescribes that client communications must be, and remain, confidential.  Specifically, lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Combined, Rules 1.4 and 1.6 compel that attorneys be competent in the technology they use.  If some lawyers were unable to connect these dots themselves, revisions to the ABA Model Rules since 1999 have made the duty of technological competence explicit.  Comment [6] to Model Rule of Professional Conduct 1.1 states:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
(Emphasis added.)  Comment [8] to Colo. RPC 1.1 is substantially identical:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, and changes in communications and other relevant technologies, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.
(Emphasis added.)  See also Comments [18] and [19] to Colo. RPC 1.6 (discussing at length the duty to “make reasonable efforts to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure”).

ABA 477R recognizes the evolution of “the role and risks of technology” since 1999, and that “today, many lawyers primarily use electronic means to communicate and exchange documents with clients.”  These communications “now regularly use a variety of devices to create, transmit and store confidential communications” which “offer an opportunity for the inadvertent or unauthorized disclosure of information relating to the representation . . . .”

No kidding.  Last June I recorded a webinar for National Business Institute called Legal Ethics: Smart Phones and Tablets in Legal Practice.  To prepare for this program I immersed myself in the latest means of intercepting communications and protecting communications against unauthorized access.  Moving faster than Moore’s Law, just twelve months later the state of the Spy vs. Spy has already moved on, and will continue to do so. 

As just one example, in June 2016 WhatsApp was considered state-of-the-art for end-to-end encrypted technology.  By March 2017, fresh revelations by WikiLeaks regarding CIA hacking tools had cast some doubt on that assumption, though encrypted chat apps remain a solidly secure communications link provided the proper protocols are observed by users.

Guiberson’s Law

At one of the first ABA TECHSHOWs I attended I was fortunate enough to take in a presentation by Houston attorney Sam Guiberson.  PowerPoint presentations were all the rage that year – the more glittering graphics and animations the better.  But not Sam’s.  Other than having his notes on a laptop discreetly shielded by the lectern, there was not a slide.

Sam is not merely a pioneer in the use of technology in law, but also a spell-binding orator.  His deliberate eschewal of technology underscored his presentation’s central theme:  The only skill worth cultivating is adaptability. 

The ABA made audio tapes of every presentation at this TECHSHOW available for $5.  I bought Sam’s and gave it to our firm’s management committee, telling it, “You need to listen to this.”  I wish I had kept the tape myself, but the lesson of Sam’s sermon has stuck with me without the need for auditory reinforcement.

Do you remember MousePerfect? (Heck, do you remember WordPerfect?).  How about QEMM for managing computer memory?  Discovery ZX for DOS?  386 chips?  None of these survive.  My collection of computer antiquities is truly impressive.  They illustrate Guiberson’s Law that the only skill worth cultivating is adaptability – together with the mindset that one must always be alert to change and adapt to it.

This understanding is what led the authors of Opinion 477R to prudently adopt the philosophy of the ABA Cybersecurity Handbook, which:
rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.
How does a busy lawyer find time to keep abreast of the latest developments in communications technology?  She makes time.  She attends technology CLEs, or she hires the expertise to make reasonably certain that client confidential information is appropriately protected.  There is no “pass,” no excuse, for an attorney who uses modern technology to fail to learn how it works, what its vulnerabilities are, and to actively safeguard against the risk of inadvertent or unauthorized disclosure.  It is no more acceptable for an attorney who is not a multiengine turbo rated pilot to offer to fly a client to a business meeting in a Beechcraft King Air, than it is for the same attorney to send the client’s confidential information over unsecured public Wi-Fi without encryption. 

Thus, Revised Opinion 477R spends the bulk of its text focusing not on the technology du jour, but rather on the enduring human factors, and suggesting a process by which attorneys can identify and assess communications risks, and “implement appropriate security measures responsive to those risks.”

Some Wisdom Endures

For several months the Colorado Bar Association has been working to update its Opinion 90, originally published in 1992 – the year after the World Wide Web was launched by CERN and Pretty Good Privacy (PGP) encryption was released by Philip Zimmermann – and long before most lawyers were online.  Today, Opinion 90’s reference to cordless phones and modems is downright quaint.  However, the subcommittee revising the opinion wisely decided to keep its conclusion:
It is impossible to predict how technological advances will alter the means by which communications can be conveyed or intercepted.  However, regardless of technological developments, the attorney must exercise reasonable care to guard against the risk that the medium of the communication may somehow compromise the confidential nature of the information being communicated.
Nothing written before or since so succinctly summarizes the guiding principle at the dawn of the third millennium.