January 29, 2015

Doing Deals: Be Careful How You Send Confidential Information

I recently asked my good friend Jim Brashear of Zix Corporation this question: “are lawyers still sending confidential deal documents via unencrypted email?” I asked Jim since he’s an expert in that area (Zix is an email encryption service provider). Here is Jim’s response:

Do I think deal lawyers are still sending confidential docs via email? Yes. It happens all the time. State bar opinions from the 1990s that allow the use of email are misinterpreted by lawyers who think they allowed carte blanche use of unencrypted email. The law firms try to strike the appropriate balance between data security when transmitting files and personal convenience. However, convenience – for the lawyer – almost universally wins (most lawyers don’t even bother to ask the client). Cost is a factor. There are other considerations too, such as what happens if multiple clients insist the lawyer use client-specified secure communications methods.

A related topic is the indefensible distinction that the state bar opinions make about the use of Cloud services versus email. I’ve blogged about this on our company website: “Lawyer Use of Cloud Services Versus Email – An Ethical Distinction Without a Practical Difference.” Recent ethics opinions ask lawyers to jump through diligence hoops before using Cloud services. No similar mandates exist for email, even though email is a Cloud service and provides essentially the same functionality as file transfer services (internet transmission, remote file storage). Moreover, remember that email is insecure.

Some lawyers misidentify the issue as whether attorney-client privilege is maintained if data security is breached. They justify lax data security by noting that inadvertent disclosure is not necessarily a waiver of privilege. That is, however, a separate issue from the ethical obligation to maintain client confidentiality. The privilege question is essentially limited to a litigation context. A judge can decide, as a matter of evidentiary law, whether or not the privilege is preserved in a particular case where data security was compromised. Confidentiality, on the other hand, is lost once client data is disclosed; and a judge cannot unring that bell.

The ethics opinions actually require lawyers making data security decisions to examine the circumstances and assess the risks. The ethics guidance is that lawyers must take data security measures that are reasonable in the circumstances. Below is a checklist of some relevant factors:

– Client’s instructions
– Degree of sensitivity of the information
– Possible client impact from disclosure
– Data breach laws
– Likelihood of disclosure
– Inherent level of security
– Reasonable steps to increase security
– Cost of additional safeguards
– Urgency of the situation
– Legal ramifications of unauthorized interception, access or use

Nobody (including data security vendors) is saying that every email (or every file shared via Box, Dropbox, etc.) that contains information relating to the representation of a client must be encrypted. And certainly nobody is saying that lawyers must have a separate encryption key for each client or “circumstances” (much less, one committed only to one attorney’s memory). The issue is whether the lawyer’s reliance on a third party’s data security is reasonable.

On the flip side, however, there is no authority that every email with client information can be sent unencrypted. The ethics opinions are also quite clear that using unencrypted email is not appropriate in some situations. I often recommend that law firms insert into their engagement agreements a paragraph that states something like the following:

“We will typically use email to communicate with you. Unencrypted email is subject to risks of interception by third parties. If you are concerned about those risks in particular circumstances (for example, because of the sensitivity of the information involved or because of an enhanced risk that a third party may gain access to the information), please advise us of those concerns so that we can discuss with you more secure means of communicating.”