Vermont Bar Journal, Vol. 40, No. 2 - Page 17

lored advice to the client .” Well , Mike , that ’ s great , but what about encryption ?
I don ’ t know . At the turn of the century , few considered encryption to be a requirement . It was burdensome , expensive , and there was a reasonable expectation of privacy in unencrypted email . Encryption is no longer burdensome or expensive , and there is significant debate as to the reasonableness of an expectation of privacy in email .
Here ’ s an excerpt from the California
State Bar ’ s Formal Opinion 2010-179 :
• “ encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstances call for it , particularly if the information at issue is highly sensitive and the use of encryption is not onerous .”
As an article in the Wisconsin Lawyer publication points out :
• “ Encryption is increasingly required in areas like banking and health care and by state data-protection laws . As these requirements continue to increase , it will become more and more difficult for attorneys to justify not using encryption .” 101 : Encryption Made Simple for Lawyers , WISCON- SIN LAWYER , Vol . 86 , NO . 10 ( 2013 ).
So , let me turn the question back to you : what ’ s your answer going to be when someone , perhaps a disciplinary prosecutor , asks “ why didn ’ t you think that encrypting that email would be a reasonable precaution ?” If you have clients in the banking and health care industries , are you able to give them competent advice on encrypting data ?
Indeed , some commentators are suggesting that lawyers move away from email and towards systems in which clients use portals to access information relating to the representation . One of the most helpful posts that I ’ ve seen on email vs . client portals was in Law Technology Today , a publication of the ABA Legal Technology Resource Center . Client Portals : The Solution to the Email Security Problem , LAW TECH- NOLOGY TODAY , December 23 , 2014 .
I ’ m not trying to keep you up at night . I want you to be able to sleep and even , perchance , dream . But , as I mentioned above , Rule 1.6 requires lawyers to act competently to safeguard client information , including information that is transmitted electronically . Rule 1.1 ’ s duty of competence includes a duty to stay “ abreast of changes in the law and its practice , including the benefits and risks associated with relevant technology .” ABA Model Rule 1.1 , Comment 8 . At least one bar association has put the onus of assessing the risks of communicating via electronic means squarely on the lawyer .
In the opinion that I referenced above , the Cal State Bar concluded that the question of whether an attorney violates duty of confidentiality will depend on the particular circumstances , including the lawyer ’ s ability to assess and advise upon the “ level of security attendant to ” the particular device or technology . The opinion went on to state that the attorney should be able to understand :
• how each technology differs from others ;
• what precautions can , or cannot , be taken with each technology ;
• the likelihood of third parties accessing information stored or transmitted using a particular technology .
This suggests to me that “ but how I was supposed to know it wasn ’ t safe to communicate this way ” might not be a defense to an allegation that you violated Rule 1.6 . Again , competence includes tech competence .
So there you have it . My sense is that we will soon reach , if we haven ’ t already reached , a day upon which it will not be considered reasonable to transmit client information via unencrypted email . Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available .
At the very least , lawyers have a duty to warn clients about the risks associated with unencrypted email . But let ’ s end on this – the final sentence of Comment 17 , heretofore not revealed in this article :
• “ A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule .” ( emphasis added ).
Maybe that ’ s your hook – if you ’ re not going to encrypt email , get informed consent from the client . If you go that route , remember that “ informed consent ” is defined as “ an agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct .” V . R . Pr . C 1.0 ( e ).
So , even if informed consent to unencrypted email is your answer , and I ’ m not certain that it is , it still requires you to provide an adequate explanation about the risks of unencrypted email and the reasonable alternatives thereto . Again , it always comes back to the fact that the duty of competence includes a duty to understand technology .
Tech Tips : To Encrypt or Not to Encrypt www . vtbar . org THE VERMONT BAR JOURNAL • SUMMER 2016 17
www.vtbar.org on the lawyer. In the opinion that I referenced above, the Cal State Bar concluded that the question of whether an attorney violates duty of confidentiality will depend on the particular circumstances, including the lawyer’s ability to assess and advise upon the “level of security attendant to” the particular device or technology. The opinion went on to state that the attorney should be able to understand: • how each technology differs from others; • what precautions can, or cannot, be taken with each technology; • the likelihood of third parties accessing information stored or transmitted using a particular technology. This suggests to me that “but how I was supposed to know it wasn’t safe to communicate this way” might not be a defense to an allegation that you violated Rule 1.6. Again, competence includes tech competence. So there you have it. My sense is that we will soon reach, if we haven’t already reached, a day upon which it will not be considered reasonable to transmit client information via unencrypted email. Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available. At the very least, lawyers have a duty to warn clients about the risks associated with unencrypted email. But let’s end on this – the final sentence of Comment 17, heretofore not revealed in this article: • “A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule.” (emphasis added). Maybe that’s your hook – if you’re not going to encrypt email, get informed consent from the client. If you go that route, remember that “informed consent” is defined as “an agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.” V.R.Pr.C 1.0(e). So, even if informed consent to unencrypted email is your answer, and I’m not certain that it is, it still requires you to provide an adequate explanation about the risks of unencrypted email and the reasonable alternatives thereto. Again, it always comes back to the fact that the duty of competence includes a duty to understand technology. THE VERMONT BAR JOURNAL • SUMMER 2016 Tech Tips: To Encrypt or Not to Encrypt lored advice to the client.” Well, Mike, that’s great, but what about encryption? I don’t know. At the turn of the century, few considered encryption to be a requirement. It was burdensome, expensive, and there was a reasonable expectation of privacy in unencrypted email. Encryption is no longer burdensome or expensive, and there is significant debate as to the reasonableness of an expectation of privacy in email. Here’s an excerpt from the California State Bar’s Formal Opinion 2010-179: • “encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstances call for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.” As an article in the Wisconsin Lawyer publication points out: • “Encryption is increasingly required in areas like banking and health care and by state data-protection laws. As these requirements continue to increase, it will become more and more difficult for attorneys to justify not using encryption.” 101: Encryption Made Simple for Lawyers, WISCONSIN LAWYER, Vol. 86, NO. 10 (2013). So, let me turn the question back to you: what’s your answer going to be when someone, perhaps a disciplinary prosecutor, asks “why didn’t you think that encrypting that email would be a reasonable precaution?” If you have clients in the banking and health c \H[\Y\\H[HXH™]H[H\][YXHۈ[ܞ\[™]O’[YY YH[Y[]ܜ\HY\[]]Y\[ݙH]^HH[XZ[[\\[\[XY[\Bܝ[X\[ܛX][ۈ[][B\\[][ۋۙHوH[[[]x&]HY[ۈ[XZ[ˈY[ܝ[\[]XH^KHXX][ۈوHPHY[XH\\H[\Y[ܝ[ΈH][ۂH[XZ[X\]H؛[KUPHVKX[X\  M x&[HZ[Y\[H\]Y B[[HHXHY\[][\[KX[K] \HY[[ۙYXݙK[H K\]Z\\]Y\X\][HYYX\Y[[ܛX][ۋ[Y[[ܛX][ۈ]\[Z]Y[XۚX[K[H Kx&\]Hو\][B[Y\H]H^H8'XX\و[\[H][]XXK[Y[B[Y][\\X]Y][][XK'HPH[[[H KK[Y[ ]X\ۙH\\X][ۈ\œ]H۝\و\\[H\و[][X][XH[XۚXYX[]X\[BM‚