Most of the headlines surrounding new ABA Formal Opinion
477R (19 May 2017) will focus on the Standing Committee on Ethics and
Professional Responsibility’s conclusion that, in some instances, an attorney
may be required to use encrypted e-mail,
a conclusion it resisted making in its 1999 opinion: Formal Opinion
99-413.
I’m not interested in summarizing the new ABA opinion –
other blogs,
including the ABA Journal, have already done that, and
more are sure to follow. (You can read revised
Opinion 477R here. It’s short and
time well spent.) Instead, I would
rather use the issuance of ABA 477R as an excuse opportunity riff on the
central theme embodied in it.
First, a little review:
A Trip Down Memory Lane
It’s mid-1990. Few lawyers were eager and early adapters of e-mail. The Bar only “warmed” to electronic communications only because clients demanded it:
 |
| Microsoft Founder Bill Gates |
It’s mid-1990. Few lawyers were eager and early adapters of e-mail. The Bar only “warmed” to electronic communications only because clients demanded it:
In Microsoft’s case, we insist that all of our lawyers have electronic mail. We won’t deal with them unless we have that kind of access.
Christie and Aarons, Bill Gates Tells Law Firms: No
E-mail, No Deal, Colorado Journal,
May 23, 1997, p. 2.
Almost immediately the question arose whether there was an
ethical duty to encrypt confidential Internet communications. Public and private key encryption then was
kludgy; clients hated it, and so did lawyers.
The thought that lawyers might have to encrypt e-mail was a bummer.
Fortunately, throughout the 1990s, and with surprisingly few
exceptions, one bar after another reached the conclusion that Internet e-mail
is reasonably safe, even without encryption.
See Delaware State Bar Ass’n Committee on Professional Ethics Op.
2001-2 (communications by e-mail and cell phones do not violate Delaware Rule
1.6 absent exceptional circumstances, such as where an attorney should
reasonably anticipate the possibility of disclosure or interception); Supreme
Court of Ohio Board of Commissioners on Grievances and Disputes Opinion 99-2
(April 9, 1999) (encryption of e-mail not required). Accord N.Y. State Bar Ass’n Committee
on Professional Ethics, Opinion 709 (Sept. 16, 1998); D.C. Bar Opinion No. 281
(Feb. 18, 1998); Alaska Bar Ass’n Opinion 98-2 (Jan. 8, 1998);
Pennsylvania Bar Ass’n Committee on Legal Ethics and Professional
Responsibility Informal Opinion 97-130 (Sept. 26, 1997); Vermont Bar Ass’n
Committee on Professional Responsibility Opinion 97-5; Illinois State Bar Ass’n
Committee on Professional Ethics Opinion 96-10 (May 16, 1997); South Carolina
Bar Ethics Advisory Opinion 97-08 (June 1997); Arizona State Bar Committee on
Rules of Professional Conduct Opinion 97-04 (April 7, 1997).
Near the end of this long line, on 10 March 1999, the ABA issued
Formal Opinion 99-413. Coming so late,
Opinion 99-413 was not significant for its conclusion, but rather for its
weight as the opinion of the author of the Model Rules. The opinion, however, did a nice job of
synthesizing the work that went before it, and in focusing on the overriding
issue of the reasonableness of the expectation of confidentiality, instead of
Internet as the technology de jour:
The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of the law.
ABA Opinion 99-413 concluded that Internet e-mail was no
less secure than “U.S. and commercial mail, land-line telephonic transmissions,
and facsimiles,” and should not be singled out for separate treatment.
Earlier ethics opinions had suggested that the same general
precautions and guidelines regarding client communications over cellular
telephones and fax machines should apply to Internet e-mail. See, e.g., Alaska Bar Ass’n Opinion
98-2; Iowa Ethics Opinion 96-1 (1996); North Carolina Ethics Opinion 215 (1995);
Colorado
Bar Ass’n Opinion 90.
Surely, consideration of the sensitivity of the
communication, and providing cautionary warnings to clients who may not
appreciate the potential vulnerability of interception, is good practice in all
transmissions over evolving technologies.
However, a pronouncement that the failure to encrypt could subject an
attorney to professional discipline in the event of interception – at least absent
a clear and convincing showing that the communication was so sensitive that any
risk of possible interception is was too great – would have imposed an
unacceptable burden on then-burgeoning e-commerce.
ABA 99-413’s ultimate conclusion that, e-mail encryption was
generally not required, was correct for its time. However, as I wrote in 2003:
[T]he only constant in technology is change. While the law currently concludes that encryption is not required to protect the confidentiality of routine attorney-client communications sent via e-mail, should SMTP become more vulnerable to interception and/or encryption become easier for clients and lawyers to use, this conclusion should change. Lawyers everywhere are well advised to . . . focus not on the medium of the communication, but rather on the exercise of reasonable care.
Charles F. Luce, Jr., Legal Ethics on the Internet, 7 J.
of Internet Law 1 (Oct. 2003). This admonition
is also one of the principle precepts of new ABA 477R.
Back the Future: Communication,
Confidentiality, & Competence
 |
| The First iPhone - 2007 |
Rule
1.4 requires lawyers that communicate regularly with clients to keep them
informed, so they are able to make informed decisions regarding their legal
matters. These days those communications
occur primarily or exclusively by e-mail.
Cobwebs gather on lawyer’s in-boxes, which now serve mainly as compost
collection centers for interoffice and other junk mail.
Rule
1.6(c) prescribes that client communications must be, and remain,
confidential. Specifically lawyers must “make
reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or
unauthorized access to, information relating to the representation of a client.”
Combined, Rules 1.4 and 1.6 compel that attorneys be
competent in the technology they use. If
some lawyers were unable to connect these dots themselves, revisions to the ABA
Model Rules since 1999 have made the duty of technological competence explicit. Comment [6] to Model Rule of Professional
Conduct 1.1 states:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
(Emphasis added.) Comment
[8] to Colo. RPC 1.1 is substantially identical:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, and changes in communications and other relevant technologies, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.
(Emphasis added.) See
also Comments
[18] and [19] to Colo. RPC 1.6 (discussing at length the duty to “make
reasonable efforts to safeguard information relating to the representation of a
client against unauthorized access by third parties and against inadvertent or
unauthorized disclosure”)
No kidding. Last June
I recorded a webinar for National Business Institute called Legal
Ethics: Smart Phones and Tablets in Legal Practice. To prepare for this program I immersed myself
in the latest means of intercepting communications and protecting
communications against unauthorized access.
Moving faster than Moore’s Law, just
twelve months later the state of the Spy vs. Spy has already moved on, and will
continue to do so.
As just one example, in June 2016 WhatsApp was considered
state-of-the-art for end-to-end encrypted technology. By March 2017, fresh revelations regarding
CIA hacking tools made by WikiLeaks had cast
some doubt on that assumption, though encrypted chat apps remain a solidly
secure communications link provided
the proper protocols are observed
by users.
Guiberson’s Law
At one of the first ABA TECHSHOWs
I attended I was fortunate enough to take in a presentation by Houston attorney
Sam Guiberson. PowerPoint presentations were all the rage that year – the more glittering
graphics and animations the better. But
not Sam’s. Other than having his notes
on a laptop discretely shielded by the lectern there was not a slide.
Sam is not merely a pioneer in the use of technology in law,
but also a spell-binding orator. His
deliberate eschewal of technology underscored his presentation’s central
theme: The only skill worth cultivating is adaptability.
The ABA made audio tapes of every presentation at this TECHSHOW
available for $5. I bought Sam’s and
gave it to our firm’s management committee, telling it, “You need to listen to
this.” I wish I had kept the tape
myself, but the lesson of Sam’s sermon has stuck with me without the need for
auditory reinforcement.
This understanding is what led the authors of Opinion 477R
to prudently adopt the philosophy of the ABA
Cybersecurity Handbook, which:
rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.
 |
| Don't Fly, or Wi-Fi, Without Proper Training |
Some Wisdom Endures
For several months the Colorado Bar Association has been
working to update its Opinion
90, originally published in 1992 – the year after the World Wide Web was
launched by CERN and Pretty Good Privacy (PGP) encryption was released by Philip
Zimmerman – and long before most lawyers were online. Today, Opinion 90’s reference to cordless
phones and modems is downright quaint.
However, the subcommittee revising the opinion wisely decided to keep
its conclusion:
It is impossible to predict how technological advances will alter the means by which communications can be conveyed or intercepted. However, regardless of technological developments, the attorney must exercise reasonable care to guard against the risk that the medium of the communication may somehow compromise the confidential nature of the information being communicated.
Nothing written before or since so succinctly summarizes the
guiding principal for at the dawn of the third millennium.
