New: American Bar Association Formal Opinion 477

This is an extremely important opinion that every lawyer should stop and read today.
Bob Ambrogi,

On May 11, 2017, the American Bar Association issued Formal Opinion 477 regarding secure communication between lawyers and clients. This new recommendation, which weaves in the delicacies of internet and email security, replaces Formal Opinion 99-413 written in 1999 (obviously issued before a world that ran on email).

A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

What constitutes “reasonable efforts?”

  • Understanding the nature of the threat
  • Understand how client confidential information is transmitted and where it is stored
    • A lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information
  • Understand and use reasonable electronic security measures
  • Determine how electronic communications about client matters should be protected
    • Different communications require different levels of protection, routine documents do not need protection, but with communications of sufficient sensitivity password protection and/or encryption may be required
    • Lawyer should analyze documents/communications to determine what degree of protection is warranted
    • Lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents
  • Label client confidential information
  • Train Lawyer and non-lawyer Assistants in technology and information security
  • Conduct due diligence on vendors providing communication technology
    • Choose a solution with a spotless security record and easy-to-understand Terms of Service

What this means for lawyers today

The amendment puts a great focus on technology in the legal field. While ABA findings are advisory (rather than controlling), they do represent current thoughts on a given subject and will likely influence state bar Ethics opinions on encryption. As Jeff Krause pointed out at both LegalTech and ABA TECHSHOW this year, lawyers have an ethical responsibility to protect client communication and data.

This opinion sends a clear signal that law firms have to pay attention to security of email and other client communication. Most law firms have already determined that is the correct policy. I still suggest lawyers also read Texas Legal Ethics Opinion 648 in addition to this opinion.
Jim Calloway,

Additional suggested reading

Client Portals: Meeting your ethical obligations by Jeff Krause

The high cost of free stuff: Document management edition by Craig Bayer

Cloud 101 for legal professionals

How Citrix ShareFile Helps Law Firms Deliver Encrypted Files in 3 Easy Steps