Rapid digital progress making email encryption a must

Listen to this article

By Sylvia Hsieh
Dolan Media Newswires

A recent cyber attack against a Virginia law firm has renewed questions over whether firms should be encrypting their emails and other electronic communication with clients.

Puckett & Faraj, an Alexandria firm that defended a U.S. Marine in his court martial for civilian massacres in Haditha, was hacked by the group Anonymous, exposing the firm’s emails and client information about the case.

P&F has since shut down its website completely.

Should the average small-firm lawyer be worried?

Some lawyers are adamant that nothing in the rules of professional conduct requires attorneys to encrypt emails.

“Encryption is not required for emails, period,” says Eric Cooperstein, an ethics attorney and sole practitioner in Minneapolis.

Unless a lawyer is handling a high-profile, highly sensitive case such as a matter involving intellectual property litigation, he says, the likelihood of a security breach is so low that small-firm lawyers do not need to spend time or money protecting against it.

“I liken it to people who are afraid to fly. No matter how many times you tell them it’s safer than driving, they’re afraid. Then don’t fly. But don’t tell me not to fly,” he says.

On the other side of the debate, Stephanie Kimbro, a solo and virtual law office pioneer in Wilmington, N.C., believes lawyers should encrypt email as part of their duty to use reasonable care in keeping information confidential under Model Rule of Professional Conduct 1.6(a).

While she admits that no state ethics opinion on the topic imposes an encryption requirement, she says those opinions have not kept up with the rapidly changing standards in digital security.

“The language is very similar in all state ethics opinions that unencrypted email is OK, because at the time that was the standard. But ethics opinions are not updated frequently, and now the standard is higher,” Kimbro says.

She also points to American Bar Association Ethics Opinion 11-459, which in August 2011 discussed a lawyer’s duty in communicating via email with a client who uses a work computer, and the risk of disclosure to a third party.

“The opinion says if you’re a lawyer and you know there’s a risk of third-party access to emails, you should not be using unencrypted email. A lot of lawyers are reading that and saying to themselves, ‘That’s pretty much anytime,’” Kimbro says.

She reports there are many low-cost ways to encrypt email that make it entirely reasonable for small-firm and solo lawyers to do so.

For example, for about $30 to $40 a month, companies such as Dialawg offer email encryption that allows lawyers to communicate with clients through email on a secure site.

To read emails, the client must log in.

For encryption of more than emails, several types of otherwise free software offer a professional version that lawyers can pay for by the month. For example, the professional version of Google Docs is $20 to $30 a month, Kimbro says.

She predicts it won’t be long before lawyers have a duty to encrypt all digital communications.

“With all the communication we do that’s digital, it extends not just to email. A lot of our clients are moving toward online social media. Are they using the Facebook-encrypted https? If a lawyer has real-time chat that pops up [on his website], are those encrypted?” Kimbro asks.