Illinois Bar Journal, October 2015, Volume 103, Number 10, Page 46


Rethinking Email Encryption

Evolving ethics standards make it more important than ever for lawyers to know when and how to encrypt email with clients.

I admit it - I've avoided reading articles on encryption. It's a big word, a big concept, and likely a big time commitment to figure out how to do it.

But it seems email encryption just won't go away. In fact, it may be more important than ever. A shift is taking place in a lawyer's ethical duty when it comes to encryption. Today's lawyer must know what it is, how to use it, and when to use it. We can't afford to avoid it any longer.

Tightening standards

Simply put, encryption protects email from bad guys (insert whatever "bad guys" you fear most - hackers, the government, agents of unscrupulous opposing counsel) when it is in transit between you and your client.

You can encrypt your email in many ways. You can use a cloud-based service (see "Feeling Secure in the Cloud" in the January 2015 Illinois Bar Journal). There are numerous encryption products on the market that require you to share an encryption key with your client.

Many basic software programs such as Outlook have encryption capabilities. There is a learning curve for these programs, but take it from an encryption neophyte, it can be done. (By all means practice on yourself. Encrypt messages from your office email to your personal email just to get the hang of it.) See this month's Biz&Tek column for more about the available tools.

The core ethical requirement behind email encryption is client confidentiality. Illinois Rule of Professional Conduct 1.6(a) provides that a "lawyer shall not reveal information relating to the representation of a client…." All lawyer communications are covered by this Rule, whether email, text, telephone, or just being loud with a client in a public space.

ISBA Advisory Opinion 96-10 (reaffirmed in 2010) concluded, as have many other authorities, that sending unencrypted emails is acceptable unless unusual circumstances require enhanced security measures. That conclusion was based on two assumptions: 1) lawyers and clients have a reasonable expectation of privacy in email communications, and 2) intercepting those private communications was illegal.

Today, the ethics standards are tightening. A lawyer cannot rely on an expectation of privacy or the illegality of a hack to justify inattention to electronic communication security. The ethical obligation is now being defined by affirmative conduct: what reasonable steps did the lawyer take to protect the information?

Revisions to ABA Model Rule 1.6, currently being considered by the Illinois Supreme Court (and widely supported by the bar) provide that "[a] lawyer shall make reasonable efforts to prevent the…unauthorized access to…" client information. Efforts are required. The old presumption that electronic communication is secure enough is being rebutted by reality. A lawyer can no longer simply assume that his or her electronic communications are safe from unauthorized access.

What you need to do now about encryption

Learn how to use it. First, the sky is not falling. In most instances and for most clients in most law practices, email encryption is probably not necessary. But you must understand encryption options and how to use them. Not only is understanding encryption necessary to meet your obligations under RPC 1.6, it is required as a measure of competence under ABA revisions to Model RPC 1.1 (under review by the Illinois Supreme Court) that require lawyers to keep current with relevant technology.

Talk to your client. An older ABA Ethics Opinion (11-459), and also more recent ones from Texas (Professional Ethics Committee, State Bar of Texas No. 648) and Iowa (Iowa Ethics Op. 15-01), conclude that you must "advise and caution" or "warn" your client about the risks of unencrypted email.

Have that important discussion about encryption with your client. Even if the risks are minor and you conclude no encryption is necessary, a sentence or two in your engagement letter to that effect is a good idea. It's also good client relations. It shows you understand and respect the confidentiality of the client's matter, and you might actually learn something new and useful about your client or the case.

Learn when to use it. Finally, know when it's especially important to use encryption. Ethics authorities have noted a few areas. They include sending emails to an account the client shares with others, sending to a client's work email (because the employer probably has authority to access it), sending when a third party may know the client's passwords (such as a spouse in a divorce case), and sending from public (e.g., hotel) computers.

In addition, the ABA Model Rules, specifically Comment [18] (again, currently under consideration by the Illinois Supreme Court), identify several factors to help you determine whether you meet the electronic-communications "reasonable efforts" test. For example, how sensitive is the information? How likely is it to be disclosed if safeguards are not employed? How costly and difficult are the safeguards to implement? Would implementing them make it harder to represent the client?

In short, don't avoid those articles about protecting your electronic communications with clients. If your client's information is disclosed, particularly sensitive information, claiming you didn't know about encryption options is not an argument you'll want to make.

Charles J. Northrup
Charles J. Northrup is the ISBA general counsel.
