Protecting client confidences used to be so much easier. Lawyers could place sensitive documents in a locked file cabinet behind a locked office door, and that pretty much did the trick.
Today, the protection of confidential information is considerably more difficult. Lawyers store a range of information in the "cloud" as well as on smart phones, laptops, flash drives, and law firm networks. Information that should remain confidential can easily be lost or stolen, hacked, inadvertently sent, intercepted while in transit, and even accessed without permission by foreign governments or the National Security Agency (NSA). Put simply, the duty of confidentiality is now a lot more complicated than knowing how to use a lock and key.
Until recently, the American Bar Association's (ABA) Model Rules of Professional Conduct offered little advice to lawyers who wanted to understand their confidentiality obligations in a digital age. In fact, the word "technology" did not even appear in the Rules. Part of the problem was that the relevant rule on confidentiality—Rule 1.6—was drafted in the "locked file cabinet" era, when the necessary precautions were far more obvious.
New Guidance for Lawyers
Fortunately, the Model Rules have been updated to give lawyers more direction. In August 2012, the ABA Commission on Ethics 20/20 proposed, and the ABA House of Delegates adopted, amendments to Rule 1.6. These amendments state explicitly what had long been implied: a lawyer must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
The instruction to make "reasonable efforts" is necessarily vague, so new language was added to the official comment to Rule 1.6—specifically comments 18 and 19—to help lawyers determine whether their efforts are "reasonable." One of the comments suggests that lawyers should consider a range of factors, including, but not limited to: the sensitivity of the information; the likelihood of disclosure if additional safeguards are not employed; the cost of employing additional safeguards; the difficulty of implementing the safeguards; and the extent to which the safeguards adversely affect the lawyer's ability to represent clients—e.g., by making a device or important piece of software excessively difficult to use. These factors are intended to be specific enough to give lawyers some direction, but flexible enough in a world of rapidly evolving technologies to address new threats to client confidences.
An Example: NSA Surveillance of Foreign Clients
The New York Times recently reported that the NSA collaborated with its counterpart in Australia to intercept communications between a US law firm and its foreign client—the government of Indonesia—in order to learn more about trade issues in the region. One striking feature of the story is that the NSA knew the targeted lawyer-client communications concerned perfectly lawful conduct, not some terrorist plot.
Until this news broke, lawyers had suspected that the NSA might be monitoring privileged communications, but there was little proof. In fact, just last year the Supreme Court held that the surveillance of privileged communications was so speculative that lawyers had no standing to challenge it.
The Times story suggests that lawyers' concerns are not speculative. Existing litigation may now be on much stronger ground, and the ABA has asked [PDF] the NSA for more information about its handling of privileged communications.
In the meantime, what should lawyers do when communicating with clients abroad? How can lawyers satisfy their ethical duty of confidentiality?
The language of the newly adopted comment offers some guidance. For example, one important factor is the extent to which the lawyer's communications with a foreign client are "sensitive." The reality is that some legal matters are unlikely to be of interest to the US government. Moreover, other matters may be of interest to the NSA or a foreign government, but a particular communication may not be especially sensitive. In these situations, the use of email would seem to be appropriate and ethical, despite the risk of interception. It is important to keep in mind that the touchstone here is "reasonableness," so the mere possibility that a particular type of communication—e.g., email—could be intercepted does not by itself mean that the communication is ethically impermissible.
But what about sensitive communications with clients that may be of interest to the NSA or foreign governments, such as the communications described in the New York Times article? In such cases, lawyers appear to have several options. One would be to jump on a plane and meet with the client in person. The obvious problem with this approach is that it is an awfully expensive and time-consuming way to represent a foreign client, and the new comment language states that cost is a relevant consideration when determining a lawyer's ethical duties. So an in-person meeting may be desirable in some situations, but it is probably not ethically required.
A much less expensive option—though arguably less reliable—is for lawyers and clients to encrypt their email communications. A recent NBC News report illustrates that encryption is not foolproof and the NSA's ability to crack or find ways around encrypted communications appears to be more robust than people had previously thought. With that said, new solutions are emerging all the time, such as one recently created by two former NSA security experts. In short, encrypting email is not a perfect solution, but it is better than nothing.
Another option might be best described as the "Walter White" solution, where you and your client purchase prepaid phones that are used only for lawyer-client conversations. These so-called "burner" phones are not a guarantee of confidentiality, but they can help to reduce the likelihood that the government will listen to the privileged conversations.
Regardless of the option used, it is increasingly important for lawyers to be aware of the risks different methods of communication impose and to inform clients of the same. Of course it is difficult to quantify the likelihood that particular communications will be intercepted, especially given how little we know about existing surveillance methods, but clients need to be told that most kinds of communications are not risk-free. If a client consents to the use of a particular form of communication despite the reasonably knowable risks, lawyers should feel comfortable that they have complied with their ethical duty of confidentiality.
The unfortunate reality is that lawyers are finding it increasingly difficult to protect a client's confidences without resorting to extreme or unduly expensive measures. Such measures may be advisable in certain kinds of legal matters, but they are probably not ethically required. A lawyer's ethical duty is to make reasonable efforts, and we may have to accept that those efforts do not provide the same kind of comfort the trusty lock and key once afforded.
Andrew Perlman is a Professor of Law at Suffolk University Law School, where he teaches civil procedure and professional responsibility and directs the Institute on Law Practice Technology and Innovation. Professor Perlman served as Chief Reporter for the ABA Commission on Ethics 20/20 and is a member of the Massachusetts Supreme Judicial Court's Standing Advisory Committee on the Rules of Professional Conduct. Professor Perlman has written a number of articles about professional responsibility, co-authored a civil procedure casebook (with Professors Joseph Glannon and Peter Raven-Hansen), and (since 2008) co-authored the annually updated book, Regulation of Lawyers: Statutes and Standards (with Stephen Gillers and Roy D. Simon).
Suggested Citation: Andrew Perlman, Protecting Client Confidences in a Digital Age: The Case of the NSA, JURIST - Forum, Mar. 04, 2014, http://jurist.org/forum/2014/03/andrew-perlman-client-confidences.php
This article was prepared for publication by Kenneth Hall, assistant editor for JURIST's Academic Commentary service. Please direct any questions or comments to him at firstname.lastname@example.org