On Aug 4, 2011, the ABA published Formal Opinion 11-459 with the topic heading “Duty to Protect the Confidentiality of E-mail Communications with One’s Client.” This new Ethics Opinion is one that all attorneys should read and be aware of due to its potential future implications. In summary:
“A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access. In the context of representing an employee, this obligation arises, at the very least, when the lawyer knows or reasonably should know that the client is likely to send or receive substantive client-lawyer communications via e-mail or other electronic means, using a business device o system under circumstances where there is a significant risk that the communications will be read by the employer or another third party.”
Pursuant to many internal policies of private companies, employers may be able to obtain an employee’s communications from the employer’s e-mail server if the employee uses a business e-mail address, or from a workplace computer or other employer owned telecommunications device that stores email information. Employers may institute their internal policy and access the information if there is an employee dispute, when monitoring an employee’s compliance responsibilities or when they conduct an internal investigation relating to client’s work.
External third parties might be able to obtain access to an employee’s electronic communications by issuing a subpoena to the employer. The risk that third parties may obtain access to a lawyer’s email communications with a client raises the question of what, if any, steps a lawyer should consider to prevent third party access.
The fairly limited circumstances described in the hypothetical circumstances and the broadly worded opinion focus on the limited issue when a client’s employer has keystroke logging on their system or some other way of monitoring an employee’s activities where there is a risk that the employer could access the information. So while the hypothetical is fairly narrow in scope, there is reason for everyone to consider other circumstances in which information may be compromised. The last paragraph of the opinion reads:
“As noted at the outset, the employment scenario is not the only one in which attorney-client electronic communications may be accessed by third parties. A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary. Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.”
This leads us to believe that this opinion is likely to extend beyond the limited risk of keystroke logging or employers reading of emails. The phrase “third party” is virtually limitless in its potential definition and may result in very broad interpretation. Additionally, the opinion includes a footnote that states that if an attorney finds out that a client is receiving personal email on a work computer that the attorney should first caution the client to halt that activity and if that the client persists in using that system, the lawyer should than cease sending messages to that personal account.
What is the Take Away?
My reading of this opinion posits a number of possible scenarios for lawyers to consider. At one end would be the implementation of a complicated process whereby a lawyer needs to investigate and verify each client’s technology communications system before sending the first email. The opposite end of the spectrum is to stop using all forms of electronic communication with clients to avoid encountering the problems. Neither of these options is practical. The first because lawyers generally don’t have the time to conduct full scale client audits to consider all possible communication options. The latter because commerce would grind to a halt if the option of electronic communications was removed from the marketplace.
As usual, there are a couple of reasonable steps between the two ends of the spectrum that should not overtax any lawyer’s abilities. Additionally, these steps should help satisfy the definition of “reasonable”, which has become the de facto standard that most courts employ when making a ruling or determination.
• Institute a policy of demanding that encrypted email systems be used when communicating both ways with a client and insist that clients use it. The cost to add encrypted options to a firm’s communications system is very inexpensive and shows the court that steps have been taken to protect client data.
• You can remind your clients that any information might be at risk of third party access regardless of all safeguards employed, and therefore caution should always be used when writing down information and digitally transmitting it.
• Educating both the members of your firm and your clients can easily be achieved through the use of an internal firm communication and a statement that becomes part of your engagement letter to each client. Don’t just add the language (its called legalese for a reason, most clients don’t read it or understand it when they do) Be proactive and discuss your email policy with your client so that they understand the potential implications and why it is needed.
Comments