The Ethics of Secure Communication During the Pandemic and Beyond
By Nicole Black
This article is republished with permission from Nicole Black and was originally posted on AboveTheLaw.com.
Like most lawyers, you’ve likely worked remotely on more than one occasion since March, when quarantines were put in place due to COVID-19. Since then, lawyers across the country continue to work remotely from different locations at least part-time, while others continue working remotely full-time. Of course, when lawyers work remotely, ethical and security issues relating to how confidential data is handled and shared may be triggered. This is especially so now that the ethical standards regarding electronic communication are changing.
It used to be that unencrypted email was sufficient when communicating with clients electronically, but in recent years the tide has begun to turn. Technology has improved significantly, and more secure electronic communication methods have emerged, rendering unencrypted email insufficient for certain types of client communication, as the ABA concluded 2017 in Formal Opinion 477R.
In this opinion, the Ethics Committee determined that unencrypted email may not always be sufficient for client communication. Instead the Committee advised that lawyers need to assess the sensitivity of the information that they’re sharing on a case-by-case basis, and in many cases, may want to consider using more secure, encrypted methods of communicating and collaborating with clients, including a “secure internet portal.”
In April of this year, the Pennsylvania Bar Association followed suit when it issued a much-needed opinion addressing the ethics of practicing law virtually. In Formal Opinion 2020-300, the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility provided guidance on how lawyers and their staffs can ethically provide legal services while working remotely.
Notably, the committee adopted the ABA’s rationale regarding secure communication and concluded that because of improved technology, unencrypted email is insufficient for particularly sensitive information:
(L)awyers must exercise reasonable efforts when using technology in communicating about client matters … (and use) a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments…A fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.
I recently discovered that the Michigan State Bar Association joined the fray earlier this year when it issued Ethics Opinion RI-381. In this opinion, the committee adopted the analysis set forth in ABA Formal Opinion 477R and concluded that because of improved technology, unencrypted email is insufficient for discussing particularly sensitive information, and in those cases more secure communication methods such as encrypted email or secure online client portals will be required:
“What constitutes ‘reasonable measures’ in fulfilling the duty to exercise reasonable care regarding client (electronically stored information) depends on the circumstances, including the degree of sensitivity of the information to the client, potential threats, the risk of harm to the client in the event of unauthorized disclosure … and the availability of protective technology … . As noted in ABA Formal Opinion 477R … ‘the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication,’ but ‘particularly strong protective measures, like encryption, are warranted in some circumstances.’”
For many lawyers, the idea of conducting a case-by-case analysis regarding the sensitivity of data and then choosing an appropriately secure communication method for each matter may seem to be an overly burdensome and time-consuming process. The good news is that there’s an easy way to avoid having to make an ad hoc determination regarding the type of law firm communication required for each case. Rather than using an array of communications methods in your firm that may vary from case to case, simply choose one form of encrypted communication for all matters and require that law firm employees use it routinely.
That’s where secure client portals come in. If your firm doesn’t already have a secure communication method set up, then the secure client portals built into most law practice management software programs are a great option to choose. For starters, they are easy to adopt. And the best part about client portals is that once you start using them for all law firm client communications, you’ll have effectively ensured that all communications are sufficiently protected.
The bottom line: In 2020 secure communication is a necessity, and encrypted communication may be required when sharing certain types of confidential information electronically. Is your firm ready? If not, what are you waiting for? There’s no better time than the present to invest in a more secure way to communicate with clients both during the pandemic and beyond.
Nicole Black is a Rochester, New York, attorney and Director of Business and Community Relations at MyCase, web-based law practice management software. She’s been blogging since 2005, has written a weekly column for the Daily Record since 2007, is the author of Cloud Computing for Lawyers, co-authors Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York. She’s easily distracted by the potential of bright and shiny tech gadgets, along with good food and wine. You can follow her on Twitter at @nikiblack and she can be reached at [email protected].