Ethics Opinion 281
Transmission of Confidential Information by Electronic Mail
In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security.
- Rule 1.6 (Confidentiality)
We take this opportunity to consider whether Rule 1.6 of the District of Columbia Rules of Professional Conduct would be violated by a lawyer who communicates concerning confidential matters with clients, and/or other lawyers jointly representing clients, via unencrypted electronic mail transmitted over commercial services or directly across the Internet. We conclude that the use of unencrypted electronic mail is not, by itself, a violation of Rule 1.6.
Rule 1.6 provides, in relevant part, as follows:
. . . a lawyer shall not knowingly… reveal a confidence or secret of the lawyer’s client. . . .Furthermore, Rule 1.6(e) requires lawyers to ensure that persons working for the lawyer use reasonable means to ensure the confidentiality of protected client information.
The recent explosion in the use of electronic mail as a method of communicating between lawyer and client 1 has raised a question whether a lawyer is acting responsibly to protect his client’s confidences when he transmits them electronically.
A number of the early ethics opinions that considered this subject reached the conclusion that unencrypted electronic transmission violated Rule 1.6. See, e.g., Iowa Supreme Court Bd. of Professional Ethics Op. 96-1 (8/29/96); South Carolina Bar Ethics Advisory Comm. Op. No. 94-27 (1/95); and Colorado Ethics Op. No. 90 (11/14/92). A number of those opinions were based on the notion that electronic communications are impermissibly susceptible to interception and access by third parties, making transmission of client confidences by such means inappropriate in the absence of specific client consent. E.g., North Carolina State Bar Ethics Op. No. RPC 215 (7/95).2
However, as the technology involved in electronic transmission has become better understood and as the law concerning telecommunications has developed, the prevalent view, which this Committee adopts, is that electronic transmission is in most instances an acceptable form of conveying client confidences even where the lawyer does not obtain specific client consent. See, e.g., State Bar Ass’n of North Dakota Ethics Comm. Op. No. 97-09 (9/4/97); Illinois State Bar Ass’n Advisory Op. on Professional Conduct No. 96-10 (5/16/97); Arizona State Bar Ass’n Formal Op. No. 97-04 (4/4/97); South Carolina Bar Ethics Advisory Comm. Op. No. 97-08 (6/97) (overruling South Carolina Bar Ethics Advisory Comm. Op. 94-27, supra); and Vermont Advisory Ethics Op. No. 97-5.
In discussing these issues, it is useful to define a number of terms. We set forth three definitions from Vermont Advisory Ethics Op. No. 97-5:
“Electronic mail” or “e-mail” is a message sent from one user’s computer to another user’s computer via a host computer on a network, or via a private or local area network (which we defined to mean a network wholly owned by one company or person which is available only to those persons employed by the owners or to whom the owner has granted legal access) or via an electronic mail service such as America Online (a public network), via the Internet, or by a combination of these methods.
“Encrypted e-mail” is e-mail that has been electronically locked to prevent anyone but the intended recipient from reading it using a “lock and key” technology.
The “Internet” is a world-wide super network of computers consisting of individual computers and private and public networks owned by various persons and entities including business, schools, governments, and non-secure military computers. Individual users connect to the Internet through a local “host” computer. The local host computer communicates with other computers throughout the world over the phone lines or privately owned high-speed fiber optic lines using a collection of well-defined common protocols.
Finally, it is important to understand how e-mail travels over the Internet. Here, we quote from State Bar Ass’n of North Dakota Ethics Comm. Op. No. 97-09 (9/4/97):
E-mail sent over the Internet does not go directly from the sender’s computer over a land-based line to a password-protected “mailbox.” The message is broken into two or more “packets” of information by the sending computer or host computer, which are then sent individually over the lines and ultimately reassembled back into the complete message at the recipient’s “mailbox.” The mailboxes may exist on the recipient’s computer or may exist on the host computer that the recipient uses to connect to the Internet. These information packets must pass through and be temporarily stored in other computers called “routers” operated by different firms known as “Internet Service Providers” which assist in distributing e-mail over the Internet.
It seems to us that the pre-1997 opinions holding that electronic transmission did not adequately protect client confidences overlooked three key factors. First, all methods of transmission of information are, to one degree or another, subject to interception. A conference room could be subject to electronic eavesdropping; a telephone line may be tapped; or a fax may be intercepted in the fax room of its intended recipient. These risks do not mean that these methods of communication may not be used to transmit confidential information. Indeed, when one considers the possibility of conference room bugs, mail tampering, wire taps, and fax interception, it seems to us that the question under Rule 1.6 is whether the method of transmission is such that one might reasonably expect the message sent to remain confidential. The rule does not require absolute security in protecting confidentiality; it requires reasonable effort to maintain confidentiality.
Second, a number of the pre-1997 opinions on this subject overlooked the fact that while a message is actually traveling over the Internet, having been disassembled into a number of packets which may not travel in parallel routes, it is extremely difficult to trap all of the relevant information packets and to reassemble them in a readable form. We do not ignore the fact that e-mail transmissions are at certain points along the way more vulnerable to interception. Particularly at the point of transmission and at the point of reassembling in the recipient’s mailbox, hackers or careless and dishonest employees of Internet service providers can access this information. But it seems to us that this risk is not appreciably greater than the risk that careless or dishonest employees of the phone company will have access to telephone messages, and yet we know of no authority holding that discussing client confidential information by telephone, at least over land-based lines, is a violation of Rule 1.6.
Third, as the law concerning telecommunications has developed, it has been made clear that interception of electronic transmissions over the Internet (like telephone conversations) is illegal under the Electronic Communications Privacy Act of 1986 as amended in 1994. See 18 U.S.C. § 2511. Furthermore, Congress specifically provided in 18 U.S.C. § 2517(4) that:
No otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character.
This legal background has given rise to several opinions in which, for purposes of search and seizure law under the Fourth Amendment, persons transmitting electronic messages are held to have a reasonable expectation of privacy. See United States v. Keystone Sanitation Company, 903 F. Supp. 803 (M.D. Pa. 1995); United States v. Maxwell, 43 Fed. R. Serv. 24 (U.S.A.F. Ct. Crim. App. 1995).
Thus, we hold that the mere use of electronic communication is not a violation of Rule 1.6 absent special factors. We recognize that as to any confidential communication, the sensitivity of the contents of the communication and/or the circumstances of the transmission may, in specific instances, dictate higher levels of security. Thus, it may be necessary in certain circumstances to use extraordinary means to protect client confidences. To give an obvious example, a lawyer representing an associate in a dispute with the associate’s law firm could very easily violate Rule 1.6 by sending a fax concerning the dispute to the law firm’s mail room if that message contained client confidential information. It is reasonable to suppose that employees of the firm, other lawyer employed at the firm, indeed firm management, could very well inadvertently see such a fax and learn of its contents concerning the associate’s dispute with the law firm. Thus, what may ordinarily be permissible—the transmission of confidential information by facsimile—may not be permissible in a particularly factual context.
By the same analysis, what may ordinarily be permissible—the use of unencrypted electronic transmission—may not be acceptable in the context of a particularly heightened degree of concern or in a particular set of facts. But with that exception, we find that a lawyer takes reasonable steps to protect his client’s confidence when he uses unencrypted electronically transmitted messages.
1. This opinion does not consider the security aspects of communications with opposing or adverse parties or counsel because those communications are, almost without exception, not subject to the lawyer confidentiality rules.
2. See Laipidus, Using Modern Technology to Communicate with Clients: Proceed with Caution and Common Sense, 34 Houston Lawyer 39 (Sept.-Oct. 1996).