ABA Model Rule Supports Email Encryption

ABA Model Rule Supports Email Encryption

May 09, 2016 / in General / by Zafar Khan, RPost CEO

Lawyers have always had a duty to be competent in technology, but the ABA Model Rule put this duty in writing, impacting cybersecurity practices. Twenty states have followed the ABA’s lead and adopted a duty of technological competence, all but requiring encryption.

In 2012, the American Bar Association approved a number of changes to the Model Rules of Professional Conduct. Of particular interest is the comment to Model Rule 1.1:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Of course, the Model Rules are merely a model. But many states do take guidance from them. Twenty states have now adopted a duty of technological competence (see list of states at the end of this article).

In conjunction with the change to Rule 1.1 is the change to Rule 1.6 regarding confidentiality of client information. Rule 1.6 states that a lawyer must make “reasonable efforts” to prevent access or disclosure of client information. It lists five factors in its determination of reasonableness:

    1. the sensitivity of the information;
    2. the likelihood of disclosure if additional safeguards are not employed;
    3. the cost of employing additional safeguards;
    4. the difficulty of implementing the safeguards; and
    5. the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

In an era in which almost all client information is traveling across the Internet and into computers and smartphones, maintaining client confidentiality means encryption.

Learn More:

Email Encryption

Attorney-Client Privilege

Lawyers are of course familiar with the concept of duty, especially towards clients. Lawyers have a fiduciary duty. They must be zealous advocates. They need to have an informed opinion of legal rights.

But perhaps the most important duty or obligation, is to strictly maintain the sanctity of information shared under the protection of attorney-client privilege. Attorney-client privilege is what enables the attorney-client relationships to even exist. Without it, clients could not rely on their lawyers for accurate advice for fear of incriminating or disadvantaging themselves in some way.

All lawyers learn of this privilege in their first year of law school. Just as they learn that if any attorney-client communication is disclosed to a third party, then privilege is lost. Yet, most lawyers continue to essentially send postcards back and forth from their firm to their clients, potentially letting dozens of people access their “privileged” communications. It’s called email.

Ignorantia juris non excusat

Lawyers are either completely ignorant of the postcard nature of email, or they’re pretending that they don’t need to bother with secure communications. Either way, they are potentially exposing their communication with clients to third parties, negating privilege.

And lawyers increasingly cannot rely on the technological ignorance for this lack of oversight. 20 states have now adopted a duty of technological competence in their rules of professional conduct. If you’re in one of these states and sending “plain text” (unencrypted) emails back and forth with a client, it’s likely that you are in violation of one of your basic duties as a lawyer.

Encryption has become accessible and easy to use for even the most technology-averse people (see: lawyers). With barely a small change to your workflow, and a few communications with clients, you can be sending secure, encrypted email messages with ease. If you’re a lawyer, you need to be using encryption to communicate with your clients.

These twenty states have adopted a duty of technological competence: Arizona, Arkansas, Connecticut, Delaware, Idaho, Illinois, Iowa, Kansas, Massachusetts, Minnesota, New Hampshire, New Mexico, New York, North Carolina, Ohio, Pennsylvania, Utah, Virginia, West Virginia and Wyoming.

  • Contributed by Keith Lee. Lee writes about professional development, the law, the universe, and everything at Associate’s Mind. You can reach him at lee@hamerlawgroup.com. He practices Law in Birmingham, AL.