As we all know, attorneys have a duty to maintain client confidentiality (MRPC 1.6), a fundamental aspect of the client-lawyer relationship. ABA’s Model Rule 1.6 similarly addresses client confidentiality but requires a lawyer to use “reasonable efforts” to protect client information, while MRPC 1.6 requires that a lawyer “not knowingly reveal” confidences or secrets.
There's been a lot of talk about keeping client data safe and secure in the cloud. Most people (and state ethics opinions) suggest that encryption of client files before storing them in the cloud is necessary to protect client confidentiality. ICLE contributor Claudia Rast puts it this way: “Simply stated, a lawyer has an ethical obligation to implement reasonable precautions to protect client data residing in computers and information systems (from network servers to smartphones).” But what is reasonable?
According to Claudia, Comment [18] to ABA Model Rule 1.6 provides good guidance by identifying a number of factors to consider, including the sensitivity of the information, likelihood of disclosure if additional safeguards are not used, cost and difficulty of additional safeguards, and the extent to which the safeguards adversely affect the ability to represent the client. She points out that Comment 18 also provides that a client may give “informed consent” to forgo security measures that would otherwise be required.
Let's say that you are a brand-new attorney just starting out on a shoestring budget, and you want to use Gmail as your e-mail provider. You can install an encryption app that will allow you to send encrypted e-mails. This requires a couple of steps (and use of the Google Chrome browser), but it is eminently doable. On your end.
But what about your clients’ e-mails to you? Is it reasonable (or even required) to expect your clients to send you encrypted documents and e-mail? Sure, you can give your clients instructions on installing and using an encryption program, but there's no guarantee that they will do it or do it correctly.
And what if you want to communicate with your client through text messages or instant messaging? Again, encryption tools are available. Is it too onerous to ask or require your client to install them? If your client is comfortable with sending and receiving unencrypted information, could you be on the hook for an ethical violation if your client's unencrypted information gets out? What does “informed consent” look like in this situation?
Given the current technological environment, there needs to be a balance between a lawyer's ethical obligations with meeting client needs and expectations. While I am not sure what the appropriate balance ultimately is, it certainly seems that it would be helpful if the MRPC provided more guidance.
[Claudia Rast is presenting on this topic on Friday, November 15, 2013, at the upcoming Family Law Institute.]