A Parable

In a small Indiana town, up until a few years ago, the residents felt safe. They trusted one another.  They left their homes unlocked, when they were gone; often, even when they were away on vacation.  One day people began to discover that things were missing from their homes.  At first it was small things.  Maybe they hadn’t even recognized that things had been taken.  It soon became too obvious to ignore.  People who had things stolen started locking their doors.  As word got around the town, most people began locking their doors even if they hadn’t had anything stolen.  Not Harry Harkin.  He was troubled about losing a way of life built on trust.  Plus, it was inconvenient to be always locking and unlocking his  house.  Sure enough, one day Harry came home and his television set was gone.  He went town to the police station to complain.  He made his complaint directly to Chief Merit.  “Chief, someone stole my TV.”  Chief Merit told Harry that they recommended that people lock their houses when they weren’t home and wanted to know if Harry’s house had been locked at the time.  “No,” said Harry.  “It’s not illegal for me to leave my house unlocked, but it is illegal for someone to come in and steal my things.”  Chief Merit stroked his chin for a bit and said, “You’re right, of course, Mr. Harkin, we’ll try to catch the culprit.  But your TV’s still missing, isn’t it?”

Of course, it was Harry’s right to choose trust over security. The TV was his to lose as the price to be paid for his willingness to trust others. Lawyers aren’t like that when it comes to client information.  Client information isn’t theirs to lose.  It belongs to the client.

Introduction

This is a column about protecting client confidences in a world of high tech communications. I want to welcome my guest co-columnist, Jeff Goens.  Jeff is an Indiana lawyer and the founding executive director of the International Legal Technical Standards Organization (ILTSO), a non-profit organization whose mission is to develop and promote secure and ethically-conscious technology standards within the legal profession.  My contribution to this column will be the legal ethics discussion, and Jeff’s will be the technology part.  With that general guidance, we will not further distinguish between our respective contributions.

Risks of Unauthorized Third-Party Access to Electronic Communications

Email as a means of communication between lawyers and clients has become ubiquitous. Like most things that are so efficient, we tend to take it for granted.  But let’s pause to think about it.  Part of our discussion is framed by a recent ABA ethics opinion: Formal Op. 11-459 (2011).  The context for that opinion is the risks presented when clients communicate with their lawyers using electronic communications resources the clients either don’t own or exclusively control.  The particular example featured in the opinion is when a lawyer represents a client in an employment dispute and the client uses employer technology resources to communicate with the employee’s lawyer.

In the recent opinion, the ABA Ethics Committee urged lawyers to be mindful of the fact that most employers consider their technology resources to belong to the employer, not the employee. Substantive law on employers’ rights to access data about their employees’ private communications varies from state-to-state and is an issue that is very much in flux.  Even in states that are protective of the privacy of employee personal communications, when an employee uses those resources to communicate with his lawyer in a personal matter, in particular a matter in which the employee and employer are at odds, normal expectations about the privacy of email communications no longer hold up.  The opinion went on to urge lawyers (especially, but not only, when a client is adverse to his employer) to “instruct the employee-client to avoid using a workplace device or system for sensitive or substantive communications, and perhaps for any attorney-client communications….”  Keep in mind that just because the client gives you a non-employer email address does not mean the client will not access a Gmail, Hotmail or other Internet email account from work.  That act alone will place those communications on the employer’s technology resources where they can be accessed later.

Digital Data As Client Property

Even lawyer-client email communications that have nothing to do with client-employer adversity are still client confidences that lawyers must protected and should not be exposed to non-clients without informed client consent. See Rule of Professional Conduct 1.6, Comments [16] and [17].  Email communications are more than just client “information” that lawyers must protect under Rule 1.6.  Those communications have been reduced to series of binary digits that are as “real” as a letter from a client that comes in the U.S. mail.  They are, if you will, a species of client property.  Even if you have a hard time thinking of a communication from a client as the client’s property, you should have no difficulty thinking of the client’s PDF file attachment of company or personal records as client property.  Under Rule 1.15(a), lawyers are charged with appropriately safeguarding all client property, even property that not in the form of client funds that must be kept in trust.

The Ethics Committee’s concluding advice was:

A lawyer sending or receiving substantive electronic communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, to which a third party may gain access. The risk may vary.  Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a signficant risk that third parties will have access to the communications.  If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.

Assessing Risk

The real rub is identifying what is a significant risk. Lawyers are … well, lawyers.  Most of us aren’t tech geeks, nor should we have to be.  On the other hand, technology moves fast—faster than all but the most tech savvy can comprehend.  If technological change creates significant risks to the security of our client communications, we have to know about it and adapt.  We don’t have the choice, like Harry in our parable, to pine for the good old days at the cost of jeopardizing our client’s confidences.   The evolution of electronic communications technology brings both opportunities (efficiency, speed) and risks.  Let’s examine some of the risks that are present here and now in this brave new world.

In an earlier opinion, now twelve years old, the ABA Ethics Committee stated that in all but highly sensitive cases, email communications are sufficiently secure as to not require routine encryption of email between lawyers and clients. In the case of communications about very sensitive matters, lawyers were urged, at a minimum, to consult with their clients about the risks associated with using unencrypted email.  ABA Formal Op. 99-413 (1999).

A lot has changed in twelve years. You rarely check the news without finding at least one scary story featuring the breach of a large corporation’s computer network, a Western government’s intelligence service, or the operating system of a major smartphone manufacturer.  Even more frightening is the realization that law firms provide easy targets for the most sensitive data entrusted to them by their individual and corporate clients, as indicated by the FBI’s direct warning to American attorneys almost two years ago.  To be certain, digital security is an arms race, and as practitioners focused on the day-to-day operations of our law practices, it may seem difficult (if not impossible) to stay abreast of the changes occurring in the world of technology.

Nevertheless, as advisors to our clients with ethical obligations to maintain representation at or above competent levels, it is important for us to meet certain minimum thresholds for the protection of client data. Just as we wouldn’t leave our clients’ bank routing numbers or trade secrets on a piece of paper laying around in a shared office space, we should take the proper safeguards to protect important data from third parties who would use it to our clients’ detriment.  There are few vehicles for losing client data that are as ubiquitous or potentially harmful as email, due in part to common user errors—such as when senders attach the wrong files or include the wrong recipients—and the flaws inherent in the technology behind traditional email (the latter of which we will explore further).

Communicating with Clients via Postcard

At first blush, email may seem like the digital equivalent mailing a letter: you simply place everything inside an envelope, address it, and drop it in the mailbox—and everything arrives as intended. But sending an email is more analogous to sending a postcard, where third parties may easily access the content displayed in fairly plain view.  Encryption, or digital obfuscation of the data, is the security envelope that shields the contents of the communication from easy access by those who are merely handling the information as it travels along to its destination.

Hitting “send” is a fairly innocuous part of just about every modern attorney’s professional life; however, many of us have been conditioned to check (and recheck) the “to” line, for fear of misdirecting important information to a newspaper or opposing counsel, when we simply meant to send it to our client. But when you hit “send” on your computer or smartphone an important series of events occurs that typically involves many more parties than is commonly understood.  With unencrypted (plain text) email, all the data—including the body text and any attachments in the message—leaves your device and heads through your internet service provider (“ISP”) toward an outbound email gateway.  This gateway may be operated by your ISP or another third party.

This process may seem secure enough at first glance, especially where protected by Secure Socket Layer technology, or “SSL,” which is a kind of encryption designed to protect data while in transit on the Internet. However, encryption is only as valuable as the weakest link in the chain.  This means that even if the data is protected all the way through to the outbound gateway, it is not useful if unprotected from that point forward—when the intended recipient of an email is, as is often the case, on a different server or mail delivery service.  The process of handing off the data from the outbound gateway to other “handlers” across the Internet is usually unpredictable and insecure, because the information is broken into smaller packets of information and then passed through several intermediate handlers typically in unencrypted (or “raw”) form.  While the risk of interception of the entire message by a third party at most of these intermediaries is relatively low since these handlers do not obtain copies of the entire message, important digit sequences, sentence fragments, and other small yet important raw data strings may be available to the operators who serve as partial email handlers.

Passing Through Unfriendly Hands

The more troubling intermediaries are not the partial message handlers previously discussed, but rather the email aggregators that usually lie beyond the control of the outbound gateway. At these points, the entire message contents are re-aggregated before being passed along to the next point.  This facilitates rapid distribution of data across the highly redundant network we know as the Internet, but also invites an obvious question: who has access to all of these different computers, or “nodes,” though which our unencrypted data passes whenever we send a traditional email?  The answer is quite simple: we usually don’t know before we send the message.  Worse yet, at any point through which data is transmitted without SSL (or its cousin, “TLS”), additional third parties may be able to view the data while it is in transit on the Web.

If we could rest assured that only trusted parties operated these nodes and thereby basically controlled the Internet, we might feel a bit more comfortable with the notion that several third party intermediaries have access to our data. But as attorneys, the question has never been whether we feel comfortable with the delivery process, but whether our clients have given us approval to work with their data—their property—in this manner. To that end, a short email footer (or even a quick sentence in an engagement letter) may prove to be inadequate to properly inform the client that email will be considered appropriate to serve as the preferred method of communication during the course of the representation.

There are a few things many of these email nodes have in common: (1) they often are outside of the United States; (2) they usually are operated by third parties with whom we have no privity of contract; and (3) as the data moves from node to node, it often is stored and transmitted without encryption without our knowledge or consent. Therefore, if we have no contractual control or certainty about how and where the data may be used by downstream third-party intermediaries (either in compliance with lawful requests or otherwise), can we presume it is reasonable to transmit or store client data in or through these locations?

Here’s a chilling illustration: Don and Jeff were recently having meeting at a downtown Indianapolis coffee shop. Jeff sent an email to Don who was sitting three feet away.  Neither of us had any idea how it would get from Jeff to Don.  After the fact, using some nifty software, Jeff was able to trace the path of that message.  It turns out that the message literally traveled all over the world, including through a server located somewhere in or near Sierra Leone, before Don’s Blackberry buzzed a few seconds later. How many hands did that message pass through in its multi-thousand mile trip to travel three feet?  It is impossible to say, just as it is impossible to know how many of those hands were malicious or how many had set up software filters to detect information potentially harmful to the sender or receiver.  One suspects that typical lawyer-client email communications will be far more sensitive than, “Hi, Don.  Just testing.  Jeff.”

To Encrypt or Not Encrypt, That Is the Question

One way to approach reasonableness would be to only send and receive encrypted email communications with clients to prevent third party access at the intermediate nodes. However, this requires both the sender and the receiver to exchange digital “keys” for the purpose of locking and unlocking contents, or for the sender to provide the receiver with a password to unlock the email contents separately.  It is often a cumbersome process that detracts from the efficiency of email communications.  Other less cumbersome solutions are available to help facilitate this process (or provide alternative means of transmission and storage).  However it is accomplished, the need to shield client data from unintended third parties should be taken seriously.

What is the significance of this? Does it call for a wholesale re-examination of Opinion 99-413’s view that there are reasonably adequate expectations of privacy in unencrypted email communications such that encryption is not routinely required?  Perhaps not, but it certainly reinforces the importance of lawyers candidly discussing the implications of email communications with their clients and even shifts the line between when encryption or similarly robust security in email communications is required toward the need for greater security.

Other Forms of Regulation

While an attorney’s ethical obligation to safeguard client data from loss or disclosure as if it were any other kind of client property is enshrined in Indiana Rules of Professional Conduct 1.6 and 1.15, we must also be mindful of the numerous applicable statutory obligations (e.g., most state breach notification laws) many of which, unlike the federal Fair and Accurate Credit Transactions Act (as recently interpreted), do not necessarily exempt attorneys. With nearly every state now maintaining such data breach notification laws, and with over a dozen federal laws related to data privacy currently pending in Congress, further regulation of attorneys’ data practices is inevitable.

As we alluded to earlier, this can be a daunting task for the typical lawyer who may not have the skills or time to stay current with technological change—including ever-changing threats to the security of electronic communications. One solution is to rely on standards established by trustworthy experts as a point of reference.

Getting Help

Fortunately, several resources are available to help practitioners navigate the data protection quagmire today, including the ILTSO Standards issued by the International Legal Technical Standards Organization, which are updated annually to help attorneys and clients understand many of the latest developments in computing security as they apply to the practice to law in the United States and abroad. The Standards are available at www.iltso.org, and are freely available. Many bar associations also provide vendor contact lists and other guidelines.  In any event, appropriate professional assistance should be obtained to help provide preventative solutions, rather than focusing on loss mitigation strategies after an avoidable breach has occurred.  Attorneys and clients both will be better served in the process.

As to our duty to protect client confidences, ignorance is not bliss. If we were to walk along a crowded sidewalk engaged in a loud and highly sensitive conversation with a client, it would come as no surprise to any of us to be accused of violating that client’s confidences.  That is obvious.  But there are many other forms of far less obvious risk to client confidentiality that are very much under our control if we are sensitive to them.  Where we draw the line between needing to protect against risks that we should know about and risks that are so remote as to escape our responsibility is ever changing—especially when they are linked to technological change.  We cannot afford to be oblivious to emerging risks.  Our clients will rightfully demand our attention.