Vermont Bar Journal, Vol. 40, No. 2 | Page 16

by Michael Kennedy , Esq ., Vermont Bar Counsel

TECH TIPS To Encrypt or Not to Encrypt

What follows is an excerpt from our Vermont Bar Counsel ’ s Blog , Ethical Grounds , on the subject of email encryption . Recently our real property list-serve members shared some tips on email encryption , including usage of providers like sharefile and virtru ( which is free ). There are many other options available like Zixcorp and Mimecast . Members are encouraged to use the VBA list-serves ( soon to be searchable , archiveable and more user-friendly “ on-line communities ”) to share their recommendations and warnings about available providers .
The Vermont lawyers ’ collective conscience drives the bar to do the right thing .
Lately , lawyers seem particularly driven to learn how to protect client information that is stored and transmitted electronically , in particular whether there is a duty to encrypt email . This proves timely and coincides with my ongoing discussion of Model Rule of Professional Conduct 1.6 and information relating to the representation . This post could easily include a discussion of cloud storage , but it ’ s already too long , so I ’ ll try to stick to email and electronic communications .
The beginning is a good place to start . If you haven ’ t read Rule 1.6 recently , you might want to start there . With respect to encrypting email , let ’ s move to Comment 16 of the Rule . It says :
• “ A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer ’ supervision .” ( emphasis added ).
So , that ’ s step 1 – Rules 1.1 and 1.6 work together to require lawyers to act competently to safeguard client information .
Next , Comment 17 informs us that :
• “[ w ] hen transmitting a communication that includes information relating to the representation , the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients .”
I ’ d add this suggestion : be as cognizant of the eyes and ears of unintended recipients as you are of their hands .
Moving on , here ’ s where encryption starts to come into play . Comment 17 continues :
• “ This duty , however , does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy .”
Of course , no self-respecting lawyer would draft a statute , rule , or comment without hedging , so remember that :
• “ Special circumstances , however , may warrant special precautions . Factors to be consider determining the reasonableness of the lawyer ’ s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement .” V . R . Pr . C . 1.6 , Comment [ 17 ].
One might conclude that encryption is a “ special security measure ” and , therefore , is not required . Maybe , but that ’ s not the standard . The Comment 17 makes it clear that special security measures are not required “ if the method of communication affords a reasonable expectation of privacy .”
Does communicating via email afford a reasonable expectation of privacy ?
In Advisory Opinion 97-05 , the Vermont Bar Association ’ s Professional Responsibility Committee concluded that an attorney does not violate the ethics rules by communicating with clients via unencrypted email because :
1 . there is no less of an expectation of privacy in e-mail than with an ordinary phone call ; and ,
2 . Intercepting an email is against the law .
The ABA and many other State bars agreed .
Does the VBA opinion ’ s rationale still hold up today ?
I ’ m not going to get into an academic , legal discussion of whether there ’ s a reasonable expectation of privacy in e-mail . If such a discussion interests you , you can find plenty of articles online . I ’ ll say this , though , if you ’ re a family practitioner , do you e-mail your clients ? If so , and before you hit “ send ”, do you ask a client whether her spouse has access to her email account ?
To wit : I don ’ t practice family law but I have a family . My dad and his wife share an email account . So , when I need birthday advice , I don ’ t e-mail my dad ’ s wife for her take on the things I ’ m thinking about getting my dad for his birthday . I call her .
I submit that if spouses share an email account , there ’ s a significant risk that one will gain access to a substantive communication intended for the other .
Or , what about clients who email you from work ? Have you reviewed their employee handbooks and discussed the pros and cons of communicating via email from an employer provided computer , tablet , or mobile devices ?
These questions are fleshed out in ABA Formal Advisory Opinion 11-459 . Here ’ s an excerpt from the summary :
• “ A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device , or e-mail account , where there is a significant risk that a third party may gain access .”
Recognizing a growing awareness that email is inherently unsecure , the ABA opinion stated that :
• “ Whenever a lawyer communicates with a client by e-mail , the lawyer must first consider whether , given the client ’ s situation , there is a significant risk that third parties will have access to the communications . If so , the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tai-
16 THE VERMONT BAR JOURNAL • SUMMER 2016 www . vtbar . org