Vermont Bar Journal, Vol. 40, No. 2 - Page 16

by Michael Kennedy , Esq ., Vermont Bar Counsel

TECH TIPS To Encrypt or Not to Encrypt

What follows is an excerpt from our Vermont Bar Counsel ’ s Blog , Ethical Grounds , on the subject of email encryption . Recently our real property list-serve members shared some tips on email encryption , including usage of providers like sharefile and virtru ( which is free ). There are many other options available like Zixcorp and Mimecast . Members are encouraged to use the VBA list-serves ( soon to be searchable , archiveable and more user-friendly “ on-line communities ”) to share their recommendations and warnings about available providers .
The Vermont lawyers ’ collective conscience drives the bar to do the right thing .
Lately , lawyers seem particularly driven to learn how to protect client information that is stored and transmitted electronically , in particular whether there is a duty to encrypt email . This proves timely and coincides with my ongoing discussion of Model Rule of Professional Conduct 1.6 and information relating to the representation . This post could easily include a discussion of cloud storage , but it ’ s already too long , so I ’ ll try to stick to email and electronic communications .
The beginning is a good place to start . If you haven ’ t read Rule 1.6 recently , you might want to start there . With respect to encrypting email , let ’ s move to Comment 16 of the Rule . It says :
• “ A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer ’ supervision .” ( emphasis added ).
So , that ’ s step 1 – Rules 1.1 and 1.6 work together to require lawyers to act competently to safeguard client information .
Next , Comment 17 informs us that :
• “[ w ] hen transmitting a communication that includes information relating to the representation , the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients .”
I ’ d add this suggestion : be as cognizant of the eyes and ears of unintended recipients as you are of their hands .
Moving on , here ’ s where encryption starts to come into play . Comment 17 continues :
• “ This duty , however , does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy .”
Of course , no self-respecting lawyer would draft a statute , rule , or comment without hedging , so remember that :
• “ Special circumstances , however , may warrant special precautions . Factors to be consider determining the reasonableness of the lawyer ’ s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement .” V . R . Pr . C . 1.6 , Comment [ 17 ].
One might conclude that encryption is a “ special security measure ” and , therefore , is not required . Maybe , but that ’ s not the standard . The Comment 17 makes it clear that special security measures are not required “ if the method of communication affords a reasonable expectation of privacy .”
Does communicating via email afford a reasonable expectation of privacy ?
In Advisory Opinion 97-05 , the Vermont Bar Association ’ s Professional Responsibility Committee concluded that an attorney does not violate the ethics rules by communicating with clients via unencrypted email because :
1 . there is no less of an expectation of privacy in e-mail than with an ordinary phone call ; and ,
2 . Intercepting an email is against the law .
The ABA and many other State bars agreed .
Does the VBA opinion ’ s rationale still hold up today ?
I ’ m not going to get into an academic , legal discussion of whether there ’ s a reasonable expectation of privacy in e-mail . If such a discussion interests you , you can find plenty of articles online . I ’ ll say this , though , if you ’ re a family practitioner , do you e-mail your clients ? If so , and before you hit “ send ”, do you ask a client whether her spouse has access to her email account ?
To wit : I don ’ t practice family law but I have a family . My dad and his wife share an email account . So , when I need birthday advice , I don ’ t e-mail my dad ’ s wife for her take on the things I ’ m thinking about getting my dad for his birthday . I call her .
I submit that if spouses share an email account , there ’ s a significant risk that one will gain access to a substantive communication intended for the other .
Or , what about clients who email you from work ? Have you reviewed their employee handbooks and discussed the pros and cons of communicating via email from an employer provided computer , tablet , or mobile devices ?
These questions are fleshed out in ABA Formal Advisory Opinion 11-459 . Here ’ s an excerpt from the summary :
• “ A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device , or e-mail account , where there is a significant risk that a third party may gain access .”
Recognizing a growing awareness that email is inherently unsecure , the ABA opinion stated that :
• “ Whenever a lawyer communicates with a client by e-mail , the lawyer must first consider whether , given the client ’ s situation , there is a significant risk that third parties will have access to the communications . If so , the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tai-
16 THE VERMONT BAR JOURNAL • SUMMER 2016 www . vtbar . org
by Michael Kennedy, Esq., Vermont Bar Counsel TECH TIPS To Encrypt or Not to Encrypt What follows is an excerpt from our Vermont Bar Counsel’s Blog, Ethical Grounds, on the subject of email encryption. Recently our real property list-serve members shared some tips on email encryption, including usage of providers like sharefile and virtru (which is free). There are many other options available like Zixcorp and Mimecast. Members are encouraged to use the VBA list-serves (soon to be searchable, archiveable and more user-friendly “on-line communities”) to share their recommendations and warnings about available providers. The Vermont lawyers’ collective conscience drives the bar to do the right thing. Lately, lawyers seem particularly driven to learn how to protect client information that is stored and transmitted electronically, in particular whether there is a duty to encrypt email. This proves timely and coincides with my ongoing discussion of Model Rule of Professional Conduct 1.6 and information relating to the representation. This post could easily include a discussion of cloud storage, but it’s already too long, so I’ll try to stick to email and electronic communications. The beginning is a good place to start. If you haven’t read Rule 1.6 recently, you might want to start there. With respect to encrypting email, let’s move to Comment 16 of the Rule. It says: • “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’ supervision.” (emphasis added). So, that’s step 1 – Rules 1.1 and 1.6 work together to require lawyers to act competently to safeguard client information. Next, Comment 17 informs us that: • “[w]hen transmitting a communication that includes information relating to the representation, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” I’d add this suggestion: be as cognizant of the eyes and ears of unintended recipients as you are of their hands. Moving on, here’s where encryption starts to come into play. Comment 17 continues: • “This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.” Of course, no self-respecting lawyer would draft a statute, rule, or comment 16 without hedging, so remember that: • “Special circumstances, however, may warrant special precautions. Factors to be consider determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.” V.R.Pr.C. 1.6, Comment [17]. One might conclude that encryption is a “special security measure” and, therefore, is not required. Maybe, but that’s not the standard. The Comment 17 makes it clear that special security measures are not required “if the method of communication affords a reasonable expectation of privacy.” Does communicating via email afford a reasonable expectation of privacy? In Advisory Opinion 97-05, the Vermont Bar Association’s Professional Responsibility Committee concluded that an attorney does not violate the ethics rules by communicating with clients via unencrypted email because: 1. there is no less of an expectation of privacy in e-mail than with an ordinary phone call; and, 2. Intercepting an email is against the law. The ABA and many other State bars agreed. Does the VBA opinion’s rationale [\^O’x&[H[][[XY[ZXY[\\[ۈو]\\x&\HX\ۘXH^X][ۈو]XH[K[XZ[ YXH\\[ۈ[\\[K[B[[[Hو\X\ۛ[Kx&[^B\Y Y[x&\HH[Z[HX][ۙ\[HK[XZ[[\Y[Y[HTSӕTTS8(SSQT MYܙH[H]8'[8'K[H\HY[]\\\H\X\\[XZ[X[•]H۸&]XXH[Z[H]]B]HH[Z[K^HY[\YH\B[[XZ[X[ [HYY\^HYXKH۸&]K[XZ[^HY8&\YH܂\ZHۈH[x&[H[[X]][^HY܈\\^KH[\HXZ]]Y\\\H[[XZ[X[ \x&\HYۚYX[\]ۙB[Z[X\HX[]H[][X][ۈ[[Y܈H\܋]X]Y[[XZ[[BHܚ]H[H]Y]YZ\[\YYH[[\\YH˜[ۜو[][X][XH[XZ[B[[\Y\ݚYY\]\X] ܂[ؚ[H]X\•\H]Y\[ۜ\H\Y][PBܛX[Y\ܞH[[ۈ LKM NK\x&\˜[^\HH[[X\N(8'H]Y\[[܈XZ][X[]H[][X][ۜ]HY[XHK[XZ[܈\[XۚXYX[›ܙ[\[H]\\HY[X]H\و[[܈XZ][[XۚX[][X][ۜ\[H\]\܈\]XK܈K[XZ[X[ \H\H\HYۚYX[\]H\\HX^HZ[X\˸'BXۚ^[Hܛ[]\[\][XZ[\[\[H[X\KHPH[[ۈ]Y](8'[]\H]Y\[][X]\]HY[HK[XZ[ H]Y\]\\ۜY\]\][BY[8&\]X][ۋ\H\HYۚYX[\]\\Y\[]HX\H[][X][ۜˈYH]Y\]\ZHX\ۘXH\HXHۙY[X[]HوH[][X][ۜH][\X][HZKB˝\ܙ‚