Risk Update

Email Risk & Data Security (Today and Tomorrow) — New Lawyer Commentary on Email Encryption

It’s Friday, so I’ll start with a personal anecdote and a bit of thought on the subject of lawyer email. (Don’t worry, we’ll have plenty on meat and potatoes conflicts news next week, I’m sure.)

Last year, out of the blue, a lawyer emailed me, at my personal address, draft trust documents meant for a client. I wrote back noting the error, and deleted the documents — which contained obviously sensitive client financial and family information. The lawyer didn’t respond…

A few weeks later, I received another round of documents, now ready for execution. I called the local Bar in his state to understand what I should do here about this lawyer. I ended up writing back to him, suggesting he acknowledge the error and promise to fix it, before creating further risk for his client and himself. (I might have mentioned that I asked the Bar what to do… That got his attention and quick response. Teachable moment accomplished.)

Questions of email diligence and issues like encryption often touch on inadvertent disclosure to someone like me (or, in the case below, opposing counsel). And the article linked below covers the basics, ABA rules, and latest thinking.

But one element I have yet to see really considered is the extent to which our email providers may be indexing data, storing information and building profiles — and how that might or should factor into this equation.

In my situation above, did Google scan the trust document in question? And does it now know that user X with social security and identifying information Y has net worth Z? Or even that a particular lawyer or firm is representing a particular client on a matter? (We all know it’s scanning and analyzing files; it tells you as much when you click that attachment download button.)

If a lawyer sends documents via Gmail or the like, do or will recipients start seeing more “relevant” ads based on the content — perhaps in this case more exacting detail on their net worth, assets and personal relationships? Or based on other factors we mortals don’t understand but the algorithms do?

In sending unencrypted email and attachments, did the lawyer just disclose/reveal confidential information to Google? I guess the rules don’t think so, at least not today. Will they one day? Or am I still reading too much sci-fi?

(Interestingly, it’s my layperson’s understanding that you can’t do this sort of thing with health information. Per HIPAA and related rules, if a medical provider sends an email that says: “Your test results show X” over Gmail, that’s a no-no. Providers set up encrypted portals with logins and whatnot for communication beyond generic scheduling and such. I’m sure no reader will be shocked to hear I have a similar story to share about an exchange with one provider’s lawyer in this regard. Perhaps for another day…)

Okay, back to the article. Here, Lawyer Irwin Kramer summarizes the rules and developments: “Encryption Ethics” —

  • “After emailing several documents to opposing counsel, she slammed me for failing to encrypt the message and exposing records on her client’s medical history. Must I encrypt these emails?”
  • “There are no rules which expressly require an attorney to encrypt email messages. But you must still make reasonable efforts to protect the privacy of sensitive data and communications.”
  • “Where attorney-client communications are concerned, the Rules of Professional Conduct provide that an ‘attorney shall not reveal information relating to representation of a client.’ In response to the increasing threat of data breaches among law firms, many states have begun to implement a rule requiring lawyers to ‘make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.’ Modifying its Model Rules to account for technological change, the American Bar Association has commented that ‘competent’ lawyers ‘should keep abreast of … the benefits and risks associated with relevant technology.’”
  • “But what about information pertaining to adversaries and other third parties? To date, most of the literature focuses on attorney-client communications. But the rules recognize an attorney’s duty to respect the rights of third persons. Just as Rule 4.4(b) requires a lawyer to notify the sender of ‘electronically stored information … relating to the representation of the attorney’s client’ that may have been ‘inadvertently sent,’ the same degree of professionalism should apply to sensitive information on these individuals.”