Article

Did that email breach legal ethics? 

Why the ABA issued formal opinion 477 and how to respond
Legal Insights from Thomson Reuters

If you communicate with clients electronically - including email, file-exchange services like Dropbox or Google Drive, and text messaging - you need to exercise reasonable effort to make sure this information isn't hacked. If you don't, you're breaching legal ethics.

That's the new mandate in Formal Opinion 477 issued this May by the American Bar Association's Committee on Ethics and Legal Responsibility. It states that “cyber-threats and the proliferation of electronic communication devices have changed the landscape and it is not always reliable to rely on the use of unencrypted email...Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters...”

Statistics Show Small Law Firms are at Risk

Reasonable effort is far more than merely a stern disclaimer added to the footer of an electronic communication. But that may be the extent to which too many firms are protecting themselves and their clients. This is because, according to the ABA 2016 Legal Technology Study Report, most small law firms aren't using any email or file encryption:

  • On average, only 23% of law firms encrypt emails and 37.2% encrypt files
  • Only 19.7% of solo firms encrypt emails and only 32.1% encrypt files
  • 20.9% of firms with two to nine attorneys encrypt emails and 32.2% encrypt files

These findings are underscored by a report earlier this year by Logicforce, an IT consulting company. They compiled findings from a survey of more than 200 law firms, anonymous system monitoring data, and results from their on-site assessments. These revealed:

  • Small firms have the same risk of being hacked as large firms
  • 95% were not compliant with their own data security policies and none were compliant with those of their client
  • 40% of firms were breached without knowing it in 2016
  • An average of 10,000 intrusions happen daily

“Many (law firms) aren't doing enough when it comes to protecting themselves,” the report said. “It is truly not a question of if, but when, an incident will occur.”

Encryption Mitigates Risk

If it's only a matter of time until your firm is breached, no matter what your size, it would be wise to make sure hackers walk away empty handed. Encryption is the solution.

Unencrypted information is readable to anyone who accesses the communication and, in the wrong hands, this can prove disastrous. Encryption protects you, your firm and your clients because it makes data unreadable. This is accomplished through a cipher - an algorithm which makes it impossible to understand data without a decryption key. In essence, using a cipher is like locking a door. Only someone with a key just like yours can unlock it. Encryption provides one secure key to “lock” and “unlock” your information.

Adhering to Formal Opinion 477

While the ABA doesn't specifically say you should encrypt every communication, it does advise making a reasonable effort to secure client communication and analyzing communication on a case-by-case basis. Instead of offering hard-and-fast rules, they say reasonable effort is based upon the:

  • Sensitivity of the information
  • Likelihood of disclosure if additional safeguards are not employed
  • Cost of employing additional safeguards
  • Difficulty of implementing the safeguards
  • Extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g. by making a device or important piece of software excessively difficult to use)

The opinion, did, however, outline the steps firms should take to execute a reasonable effort:

  1. Understand the nature of the threat
  2. Understand how client confidential information is transmitted and where it is stored
  3. Understand and use reasonable electronic security measures
  4. Determine how electronic communications about client matters should be protected
  5. Label client confidential information
  6. Train lawyers and non-lawyer assistants in technology and information security
  7. Conduct due diligence on vendors providing communication technology

The Easiest Way to Respond

Of course, no one has the time to take these steps with each and every communication. That's why savvy small law firms aren't; they're just making sure all of their communications have the same stringent security as global financial institutions.

They’re cost effectively achieving this with a secure client portal provided by cloud-based legal practice management software. Instead of sending a document or update to a client’s Gmail account, for instance, lawyers use a secure client portal to communicate. Clients and attorneys can review, upload and complete documents or forms, and communicate with the highest level of protection.

The cost of this protection is miniscule compared to how much you would pay a dedicated cyber security expert to monitor and protect your electronic communications.

However, it's critical to keep in mind that not all practice management providers are created equal – especially when it comes to cyber security. Make sure you adhere to Formal Opinion 477 by thoughtfully vetting cloud-based legal practice management software providers.