Are E-Mail’s Days Numbered?

E-mail’s days as a communication medium that offers a “reasonable expectation of privacy” may be numbered.

The ABA’s newly issued Formal Opinion 11-459 revisits the topic of e-mail security, and offers the following concluding paragraph:

A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary. Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.

While Formal Opinion 11-459 correctly identifies the wide variety of security- and privacy-related issues with e-mail, this most recent opinion represents a major departure from the ABA’s previous position on e-mail security as outlined in Formal Opinion 99-143, which states:

The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy

For years lawyers have felt e-mail offered a “reasonable expectation of privacy” due to Formal Opinion 99-143, but Formal Opinion 11-459 seems to indicate the ABA is advocating a shift away from e-mail as a communication method.

This shift in thinking is a pragmatic one: in the last decade there has been an explosion in tools available for secure attorney-client messaging. Cloud-based collaboration and communication services offer a much higher degree of security and, in light of more secure alternatives being available, why should lawyers and their clients accept the additional risk of using unencrypted e-mail?

Read more perspectives on Formal Opinion 11-459 from Niki Black and Steph Kimbro.

Comments

  1. As I recently blogged on this topic (except from 3 part blog):

    What constitutes “reasonable measures to protect a client’s confidential information” depends on the circumstances – and the circumstances are constantly evolving. Email-related technology is changing, how clients use the technology is changing, the ethical rules are changing and the risk of interception of email or access to stored email is changing. Lawyers should not assume they can keep sending unencrypted email as they’ve done for decades.

    One key change is that today’s encrypted email can be simple to install, maintain and use.
    Email encryption is inexpensive “insurance” for a privacy data breach or a malpractice claim arising from disclosure of unencrypted client data. A monthly expense of $12 or less per user for email encryption does not present an unreasonable cost barrier to adoption, regardless of the sensitivity of the data or likelihood of its disclosure. In fact, at that price, it would be difficult for attorneys to justify not implementing automated email encryption for all substantive client communication.

    Automated encrypted email is becoming a benchmark best practice. Canada’s Office of the Privacy Commissioner recently issued A Privacy Handbook for Lawyers, which recommends that attorneys adopt technological protection measures such as encryption in order to comply with PIPEDA.

    See my blog posts for more information.

  2. Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications.

    This might be better stated more simply: “Whenever a lawyer communicates with a client, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications.”

    There’s nothing essentially-email-specific about the guidance.

    Most, perhaps all, of the substantive limitations of unencrypted electronic communications (email, telephone, fax, web-based) apply just as well to communications by other means (postal mail, courier). Many of the same issues arise in direct person-to-person interactions too, of course.

    People rarely (if ever) encrypt routine paper-based correspondence, but we could—and presumably should—where appropriate, to mitigate the same sorts of risks as arise with electronic communications.

  3. See this New York Bar Ethics Opinion which permits lawyers to use hosted email services that scan emails (unless there are specific concerns over confidentiality). It goes as far as saying automated reviews for advertising purposes are fine, but it is not OK if people are reading the content. It also provides that the confidentiality of email communications should be addressed with the client and that the lawyer needs understand the issue and ask questions of the service provider.