Originally published in the Oklahoma Bar Journal — September 10, 2016 — Vol. 87, No. 24
Syndicated with permission from www.okbar.org
Jim Calloway also blogs at Jim Calloway’s Law Practice Tips Blog
Let me start by noting this particular column is focused on tools to use in a law practice.
As the title suggests, this month I am going to discuss the differences between providing clients documents by sending them as email attachments versus providing the documents through a client portal. Some readers may be surprised at how easy and affordable providing a client portal is today. You may have already used similar portals for your HIPAA-protected medical information provided by a health care provider.
This will not be a detailed treatment of the ethical requirements under the Oklahoma Rules of Professional Conduct for a lawyer using email. I’ll leave a detailed analysis of that subject for another day and perhaps another author. However, one cannot really discuss email for lawyers today without briefly discussing encryption and a lawyer’s ethical duty to safeguard client confidentiality.
Generally, advisory ethics opinions from other jurisdictions still provide a lawyer may communicate with a client via unencrypted email based on the theory that a person who uses email has a reasonable expectation of privacy. That nonbinding ethics opinion and others, also state that encryption and other methods of securing client communications could be preferred depending on the circumstances.
As we have seen more email-related security breaches and other incursions, commentators have noted “a pendulum-swinging trend among ethics committees that are revisiting the question of whether lawyers should be required to use encryption when emailing clients.” ABA Formal Opinion 11-459 (2011) cautioned that a lawyer must “ordinarily” warn the client about the risk of sending or receiving electronic communication where there is a significant risk of compromise.
In particular, this applied to communicating with a client using an email account or device owned by the client’s employer.
In 2011, Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility issued Formal Opinion 2011-200, a frequently cited opinion that discusses (and approves) lawyers using cloud computing for client information, but also discusses concerns with email, particularly web-based email. The opinion I most encourage lawyers to read today is Opinion 648, a 2015 opinion from the Texas Center for Legal Ethics, which discusses several situations where encryption of client email should be considered.
The truth is that email was not intended to be, nor is it currently, a secure method to transmit confidential information. Even so, it is used to send confidential or private information many times a day. If all of the email dumps from data stolen by hackers and all of the recent disclosures of embarrassing emails now in the public’s hands haven’t made the reader appreciate the nature of email by now, I’m not sure I have words that will do so. I will repeat a witticism that has been circling the internet recently: “Dance like no one is watching, email like you’ll be reading it in a deposition someday.”
Encryption of email is not widely used by the public today. I do not really foresee a day when it will be believed that every electronic attorney-client communication should be encrypted. An unencrypted text or email is the best choice when the message is “Court is starting in three minutes. Where are you?” An unencrypted email to a client asking “Can we change tomorrow’s appointment from 3:30 p.m. to 4 p.m.?” doesn’t trouble me, although some lawyer somewhere might disagree. If that client you are texting about the appointment time change also wants to discuss all aspects of their pending criminal charges or the possible merger of their publicly traded company with you via text message, you might want to read (or reread) my prior column “You Are Not Paranoid If They Really Are Watching You: Attorney-Client Privilege, Confidentiality and Cybersecurity in the 21st Century” to see if you both need a more secure texting app (of course texting is more secure than unencrypted email.)
My thought is that today at a minimum you need to be able to encrypt an electronic message or email attachment when needed and you should make sure every client understands what things should not be discussed via unsecured email. An email and electronic communication discussion should be a part of every initial client engagement.
One tool that provides email “encryption when you need it, but not when you don’t” is OBA member benefit Citrix ShareFile. The Outlook plug-in provided is simple and easy. There is another method for other types of email clients, such as Gmail. Instead of an attachment to the email, the file is encrypted and stored in ShareFile, and a link is provided for the email recipient. Different levels of security can be set for the recipient to unlock the message. If a client needs to send a lawyer confidential information, ShareFile can be used by the lawyer to generate an upload link the client can use to encrypt files before they are uploaded and sent to the lawyer. It has similar tools that other cloud services like Dropbox and Box have to share files or folders with a client, but without the security concerns that some associate with Dropbox.
Our 2016 OBA Solo & Small Firm Conference, as I have previously noted in this space, had 10 sponsors featuring practice management solutions. Many of these provided, as a part of their basic services, secure messaging to clients and online client document repositories or portals. You can find these vendors, as well as our other great conference vendors, online at www.okbar.net/solo/#sponsors, including links to their company pages.
Having your client portal automatically provided through your practice management solution is a simple and easy way to provide better and more secure document sharing with your clients. Suppose you need to discuss an important matter with a client or client representative who is traveling. You will both appreciate the convenience of the client being able to login to their portal to look at documents in their file via a laptop or other mobile device. Some of these tools even notify the lawyer when a client has opened and reviewed a particular document.
Day-to-day emails which are not secure could then be relegated to communications advising that another document has been uploaded to the portal which should be reviewed by the client and perhaps that “Where are you?” email from the courthouse.
The great thing about attorney-client portals is the providers are coming up with other great innovative ideas. One portal provides the client’s balance of fees currently owed while another might provide real-time information on the ongoing tasks on the client’s matter. One major practice management solution has recently added document storage capability. One thing that is certain about all of the practice management solutions is that the company’s founders understood from the beginning that these had to be secure methods that were built to protect the confidences of the law firm’s clients. The majority of these providers, at least in the small to medium-sized law firm market, are cloud-based, which makes developing the secure client portals relatively simple and gives the lawyer working from home or a hotel room the same interface and information they would have while working in the office.
We are all likely emailing too much sensitive personal information these days. Another state bar association once needed some tax information from me. Their email said to fill out the attached blank form and email it back to them. I did, but used an encryption method. Later I asked the person responsible for receiving the information if lawyers actually emailed back this information to her as a plain attachment without encryption. She said a lot of lawyers do, but then she smiled and added “but none of our technology speakers do.” That’s probably all you need to know about the security of email, isn’t it?
One of the tips I frequently give to groups of lawyers is if you don’t have an encryption tool yet and need to encrypt a document, you can password protect a PDF file or Microsoft Word document. Then email it and call the recipient via telephone to give them the password to unlock the document. That works well if you only need to encrypt an attachment a few times a year. But if it is a daily task, you probably need a more practical solution. Today the way business is done continues to change, and the legal profession must also change to keep up with this changing environment. The OBA Management Assistance Program urges lawyers in private practice to use practice management software tools to keep all client documents in secure digital client files.