Can a lawyer email clients without encryption, and when is stronger security required?
ABA Formal Opinion 477R: Securing Communication of Protected Client Information
Short answer: The opinion concludes that a lawyer may generally transmit client information over the internet without violating the Model Rules if the lawyer makes reasonable efforts to prevent inadvertent or unauthorized access, while heightened security such as encryption may be required when a client agreement or law calls for it or when the nature of the information warrants it.
Disclaimer: This is an advisory ethics opinion. Advisory opinions are not binding; they interpret the American Bar Association's Model Rules of Professional Conduct and are persuasive authority. This summary is for research purposes only and is not legal advice. Verify current rules before acting on any specific guidance.
About this page: The plain-English summary and Q&A below were written by Ezel based on the official opinion. We do not reproduce the opinion text on this page; follow the linked source for the official text, which controls.
Plain-English summary
The opinion updates Formal Opinion 99-413, which held that lawyers have a reasonable expectation of privacy in unencrypted email. It explains that the role and risks of technology have changed since 1999, and that the ABA's 2012 technology amendments revised Comment [8] to Rule 1.1 (competence includes keeping abreast of the benefits and risks of relevant technology) and added Rule 1.6(c) (a duty to make reasonable efforts to prevent inadvertent or unauthorized disclosure of, or access to, client information). The opinion emphasizes that "the Model Rules do not impose greater or different duties of confidentiality based upon the method by which a lawyer communicates with a client."
On the central question, the opinion concludes that "the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication." It pairs that with a caution: "cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email." The "reasonable efforts" standard is treated as fact-specific rather than a fixed checklist; the opinion states that "what constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors," guided by the nonexclusive Comment [18] factors (sensitivity, likelihood of disclosure, cost, difficulty, and effect on representation).
The opinion then offers seven non-binding considerations as guidance: understand the nature of the threat; understand how client information is transmitted and stored; use reasonable electronic security measures; determine how to protect particular communications; label confidential information; train lawyers and nonlawyer assistants; and conduct due diligence on vendors. It ties these to Rules 1.6(c), 4.4(b), 5.1, and 5.3. Under Rule 1.4, the opinion explains the lawyer should discuss security with the client when highly sensitive information is involved, and notes that "different communications require different levels of protection," so "particularly strong protective measures, like encryption, are warranted in some circumstances."
In practice
Under this opinion, which is framed under the Model Rules as amended through 2016, a lawyer assessing how to transmit client information performs a fact-based analysis rather than applying one rule to every message. The opinion holds that unencrypted routine email is generally acceptable when basic, reasonably available security measures are in place, but that stronger measures may be required when a client agreement or law calls for them or when the information's sensitivity warrants it. It holds that the lawyer should communicate with the client about security for highly sensitive information under Rule 1.4 and must train staff and vet technology vendors under Rules 5.1 and 5.3.
Common questions
Q: Can I still email clients without encryption?
A: Per the opinion, generally yes. Unencrypted routine email remains an acceptable method of lawyer-client communication, assuming basic reasonable security measures are in place.
Q: When do I need to encrypt or use stronger protection?
A: The opinion says heightened measures may be required when a client agreement or law calls for them, or when the nature and sensitivity of the information warrants a higher degree of security.
Q: Does Rule 1.6(c) prescribe specific security steps?
A: No. The opinion treats "reasonable efforts" as a fact-specific standard guided by the Comment [18] factors, not a mandated set of measures.
Q: Do I have to talk to clients about communication security?
A: Per the opinion, when highly sensitive information is transmitted the lawyer should inform the client of the risks under Rule 1.4, and a client may require special measures or consent to otherwise-prohibited means.
Background and rules framework
The opinion interprets Model Rule 1.6 (confidentiality), particularly Rule 1.6(c) (reasonable efforts to prevent unauthorized access) and its Comments [18] and [19]. It applies Model Rule 1.1 (competence, including technology competence under Comment [8]), Model Rule 1.4 (communication), Model Rule 4.4(b) (inadvertently sent material), and Model Rules 5.1 and 5.3 (supervision of lawyers, nonlawyers, and vendors).
Citations and references
Rules of Professional Conduct:
- ABA Model Rule 1.6 (confidentiality), including 1.6(c)
- ABA Model Rule 1.1 (competence), 1.4 (communication)
- ABA Model Rule 4.4(b), 5.1, 5.3
Other opinions cited:
- ABA Formal Op. 99-413 (1999): confidentiality of email (updated by this opinion)
- ABA Formal Op. 08-451 (2008): Rule 5.3 duties when outsourcing
- ABA Formal Op. 11-459 (2011): protecting confidentiality of client email
- California Formal Op. 2010-179; Texas Ethics Op. 648 (2015): when to consider encryption
See also
- ABA Formal Op. 483: Lawyers' Obligations After a Data Breach
- ABA Formal Op. 498: Virtual Practice
- ABA Formal Op. 495: Lawyers Working Remotely
Source
- Landing page: ABA Formal Ethics Opinions index
- Original PDF: aba-formal-opinion-477.pdf