Encrypted E-Mails Can Protect Your Firm

Source: Law Technology News

Today, e-mail is almost universally part of legal practice. With the growth of mobile devices, messages are sent and received 24/7 throughout the world. Included within many of these messages, of course, is information that attorneys are ethically obligated to keep confidential, where disclosure might have serious negative consequences for the client.

Because the vast majority of messages are not encrypted by senders before being transmitted, this raises the critical question of whether the attorney-client privilege covers unencrypted e-mail. Since 1999, the answer has been a fairly clear yes. In its Formal Opinion 99-413, dated March 10, 1999, the American Bar Association's Standing Committee on Ethics and Professional Responsibility stated:

"A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail.

"A lawyer should consult with the client and follow her instructions, however, as to the mode of transmitting highly sensitive information relating to the client's representation."

Lately, however, this conclusion has come into question. In one case, Scott v. Beth Israel Medical Center Inc., 17 Misc.3d 934 (N.Y.Sup., 2007), a New York County trial court rejected the plaintiff's claim that his e-mail correspondence with his attorney was privileged. Because the plaintiff used the hospital's e-mail system, and the hospital maintained a policy that said it could access communications on its system at any time without notice, the plaintiff would not have a reasonable expectation of privacy in the messages, the court wrote.

More recently, two major law firms ( Skadden, Arps, Slate, Meagher & Flom, and Pepper Hamilton) made news in February 2008 when their attorneys accidentally sent e-mail containing confidential and damaging information to reporters rather than to their clients. With cases and incidents like these (and especially how easily laptops and hiptops can be stolen with data intact), attorneys should consider encrypting client-related e-mail content -- not just transmissions, which is fairly standard -- to protect against ethical violations.

The most common and reliable method of encryption, Public Key Infrastructure, requires each user to maintain a software-based private key. With this private key, the user generates a public key that can be shared or posted to online public key repositories, and that does not give away the private key. A sender uses that public key to encrypt the contents of the e-mail, and only the holder of the private key can decrypt and read the message. For anyone else, the message remains gibberish. The strength of this encryption is measured by how large the keys are, in bits; a 128-bit key can be one of 2 ¹²⁸ possibilities, or 3.4 followed by 38 zeroes.

Had encryption been utilized in the Scott case, it is likely that the result would have been different, because even if the hospital had the ability to access the messages sent between Scott and his attorney, it could not have read them, preserving the reasonable expectation of privacy needed for privilege. Similarly, even if the reporters had received the mis-sent messages from the attorneys, had they been encrypted with the intended recipient's public key, the reporters could not have read or published the contents.

Given these types of situations, it is certainly possible that states may ultimately require attorneys to use encryption when sending client information via e-mail. Unfortunately, implementing encryption is by no means consumer-friendly. While there are tools to add it into common e-mail programs such as Microsoft Corp.'s Outlook and even handheld devices like BlackBerrys, using PKI requires all recipients to create private keys and to distribute their public keys to anyone wishing to send an encrypted message. Otherwise, at least one recipient may end up with an unscrambled version that can then be read by the wrong person. There is also the concern that, should the recipient's private key be lost or corrupted, the message may be permanently scrambled unless the sender can re-transmit it in the clear. This could itself generate an ethical violation, because attorneys must retain client records in accessible form.

Nevertheless, given both the reliance by attorneys and clients on e-mail, and the increasing possibility of problems arising out of that reliance, firms and in-house departments need to begin investigating and, where possible, establishing e-mail encryption as part of their overall IT strategy.

The move toward encryption should be coupled with other security-focused efforts (e.g., mandating passwords and remote erasure software on portable devices to protect information if the devices are lost or stolen), all of which will reduce risks to clients and attorneys alike.

Jonathan Ezor is a law professor, and director of the Institute for Business, Law and Technology, at the Touro Law Center, in Central Islip, N.Y. He also is special counsel to Olshan, and a member of Law Technology News's Editorial Advisory Board.

RELATED LINKS

Can RPost Registered E-Mail Save You From Disaster in the Courtroom?