Lawyers May Need to Encrypt E-Mail In Especially Risky or Sensitive Scenarios

By Samson Habte

May 6 — Attorneys who handle divorce, employment and criminal defense matters may in some circumstances have a duty “to consider whether it is prudent to use encrypted email” to communicate with clients, the Texas bar's ethics committee concluded in April.

The opinion addresses an issue that many experts have urged bar authorities to look at anew: whether technological changes and escalating concerns over computer hacking have made it necessary to revisit existing guidance on using e-mail to communicate with clients.

“Having read reports about email accounts being hacked and the National Security Agency obtaining email communications without a search warrant, [inquiring] lawyers are concerned about whether it is proper for them to continue using email to communicate confidential information,” the opinion states.

The panel said that although it “has not addressed the propriety of communicating confidential information by email, many other ethics committees have [concluded that] except in special circumstances, the use of email, including unencrypted email, is a proper method of communicating confidential information.”

The committee agreed with those authorities.

“[C]onsidering the present state of technology and email usage, a lawyer may generally communicate confidential information by email,” it said. “Some circumstances, may, however, cause a lawyer to have a duty to advise a client regarding risks incident to the sending or receiving of emails arising from those circumstances and to consider whether it is prudent to use encrypted email or another form of communication.”

As for what circumstances may justify a departure from the general rule, the committee said lawyers should consider using encryption when:

• communicating about “highly sensitive or confidential” matters;

• “sending an email to or from an account that the email sender or recipient shares with others”;

• “sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the email account, or to an individual client at that client’s work email account, especially if the email relates to [an] employment dispute”;

• “sending an email from a public computer or a borrowed computer or where the lawyer knows that the emails the lawyer sends are being read on a public or borrowed computer or on an unsecure network”;

• “sending an email if the lawyer knows that the email recipient is accessing the email on devices that are potentially accessible to third persons or are not protected by a password”; or

• “sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the communication, with or without a warrant.”

Back to the Future

The ABA Legal Technology Resource Center noted in a November 2014 blog post that bar authorities “first addressed the issue of email security in the mid-1990s,” when the use of e-mail “was a fairly new phenomenon and was frowned upon by most bar associations.” 

That early wariness led a few ethics committees to conclude that lawyers could not use e-mail unless precautions were taken to prevent interception or client consent was obtained acknowledging the risks of e-mail.

“The tide turned in 1999,” the author wrote, when ABA Formal Ethics Op. 99-413, 15 Law. Man. Prof. Conduct 159 (1999), was issued. That opinion stated:

Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of [ABA Model] Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers’ greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent.

Many ethics panels subsequently revisited the issue, finding that—in some circumstances—it may be prudent for lawyers to either advise clients about the risks of e-mail or consider whether encryption might be necessary.

ABA Formal Ethics Op. 11-459, 27 Law. Man. Prof. Conduct 544 (2011), for example, concluded that lawyers “ordinarily must warn [clients] about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access.” The opinion focused largely on the risks of communicating with clients on employer-provided networks.

‘Ongoing' Assessment

The Texas committee said the 2011 ABA opinion was instructive. “A lawyer should … consider whether circumstances are present that would make it advisable to obtain the client’s informed consent to the use of email communication, including the use of unencrypted email,” it said.

“Additionally, a lawyer’s evaluation of the lawyer’s email technology and practices should be ongoing as there may be changes in the risk of interception of email communication over time that would indicate that certain or perhaps all communications should be sent by other means,” the committee stated.

Full text at

The ABA/BNA Lawyers’ Manual on Professional Conduct is a joint publication of the American Bar Association Center for Professional Responsibility and Bloomberg BNA.

Copyright 2015, the American Bar Association and The Bureau of National Affairs, Inc. All Rights Reserved.