lored advice to the client .” Well , Mike , that ’ s great , but what about encryption ?
I don ’ t know . At the turn of the century , few considered encryption to be a requirement . It was burdensome , expensive , and there was a reasonable expectation of privacy in unencrypted email . Encryption is no longer burdensome or expensive , and there is significant debate as to the reasonableness of an expectation of privacy in email .
Here ’ s an excerpt from the California
State Bar ’ s Formal Opinion 2010-179 :
• “ encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstances call for it , particularly if the information at issue is highly sensitive and the use of encryption is not onerous .”
As an article in the Wisconsin Lawyer publication points out :
• “ Encryption is increasingly required in areas like banking and health care and by state data-protection laws . As these requirements continue to increase , it will become more and more difficult for attorneys to justify not using encryption .” 101 : Encryption Made Simple for Lawyers , WISCON- SIN LAWYER , Vol . 86 , NO . 10 ( 2013 ).
So , let me turn the question back to you : what ’ s your answer going to be when someone , perhaps a disciplinary prosecutor , asks “ why didn ’ t you think that encrypting that email would be a reasonable precaution ?” If you have clients in the banking and health care industries , are you able to give them competent advice on encrypting data ?
Indeed , some commentators are suggesting that lawyers move away from email and towards systems in which clients use portals to access information relating to the representation . One of the most helpful posts that I ’ ve seen on email vs . client portals was in Law Technology Today , a publication of the ABA Legal Technology Resource Center . Client Portals : The Solution to the Email Security Problem , LAW TECH- NOLOGY TODAY , December 23 , 2014 .
I ’ m not trying to keep you up at night . I want you to be able to sleep and even , perchance , dream . But , as I mentioned above , Rule 1.6 requires lawyers to act competently to safeguard client information , including information that is transmitted electronically . Rule 1.1 ’ s duty of competence includes a duty to stay “ abreast of changes in the law and its practice , including the benefits and risks associated with relevant technology .” ABA Model Rule 1.1 , Comment 8 . At least one bar association has put the onus of assessing the risks of communicating via electronic means squarely on the lawyer .
In the opinion that I referenced above , the Cal State Bar concluded that the question of whether an attorney violates duty of confidentiality will depend on the particular circumstances , including the lawyer ’ s ability to assess and advise upon the “ level of security attendant to ” the particular device or technology . The opinion went on to state that the attorney should be able to understand :
• how each technology differs from others ;
• what precautions can , or cannot , be taken with each technology ;
• the likelihood of third parties accessing information stored or transmitted using a particular technology .
This suggests to me that “ but how I was supposed to know it wasn ’ t safe to communicate this way ” might not be a defense to an allegation that you violated Rule 1.6 . Again , competence includes tech competence .
So there you have it . My sense is that we will soon reach , if we haven ’ t already reached , a day upon which it will not be considered reasonable to transmit client information via unencrypted email . Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available .
At the very least , lawyers have a duty to warn clients about the risks associated with unencrypted email . But let ’ s end on this – the final sentence of Comment 17 , heretofore not revealed in this article :
• “ A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule .” ( emphasis added ).
Maybe that ’ s your hook – if you ’ re not going to encrypt email , get informed consent from the client . If you go that route , remember that “ informed consent ” is defined as “ an agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct .” V . R . Pr . C 1.0 ( e ).
So , even if informed consent to unencrypted email is your answer , and I ’ m not certain that it is , it still requires you to provide an adequate explanation about the risks of unencrypted email and the reasonable alternatives thereto . Again , it always comes back to the fact that the duty of competence includes a duty to understand technology .
Tech Tips : To Encrypt or Not to Encrypt www . vtbar . org THE VERMONT BAR JOURNAL • SUMMER 2016 17