In sum, the Standing Committee on Ethics and Professional Responsibility advised as follows:

“A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”

Recounting recent Rule changes and other Advisory Opinions, the Committee observes that:

“At the intersection of a lawyer’s competence obligation to keep “abreast of knowledge of the benefits and risks associated with relevant technology,” and confidentiality obligation to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” lawyers must exercise reasonable efforts when using technology in communicating about client matters. What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”

The Committee notes that, in the technological landscape that existed when Formal Opinion No. 99-413 was issued in March of 1999, and “due to the reasonable expectations of privacy available to email communications at the time, unencrypted email posed no greater risk of interception or disclosure than other non-electronic forms of communication. This basic premise remains true today for routine communication with clients, presuming the lawyer has implemented basic and reasonably available methods of common electronic security measures.  Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication. However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email. For example, electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.”

The Committee then provides seven steps and/or considerations to be employed as guidance for determining what particular precautions might be warranted under specific facts and circumstances:

1. Understand the Nature of the Threat

2. Understand How Client Confidential Information is Transmitted and Where It Is Stored

3. Understand and Use Reasonable Electronic Security Measures

4. Determine How Electronic Communications About Clients Matters Should Be Protected

5. Label Client Confidential Information

6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security

7. Conduct Due Diligence on Vendors Providing Communication Technology

Finally, the Committee notes, regarding the general duty to communicate and consult with clients under Rule 1.4, that where “the lawyer reasonably believes that highly sensitive confidential client information is being transmitted so that extra measures to protect the email transmission are warranted, the lawyer should inform the client about the risks involved.23 The lawyer and client then should decide whether another mode of transmission, such as high level encryption or personal delivery is warranted. Similarly, a lawyer should consult with the client as to how to appropriately and safely use technology in their communication, in compliance with other laws that might be applicable to the client.”
ABA Formal Opinion No. 477  (May 11, 2017).