Maintaining Confidentiality In a Wireless World

Assessing Risks Associated With New Communications Technology[1]

Todd C. Scott, Esq.

Minnesota Lawyers Mutual Insurance Company

Assessing Communication Risks

Technology is perhaps the only thing that changes faster than law. With rapid innovations in telecommunications, electronic messaging, and the storage of digital information, attorneys are challenged daily with new questions regarding the security of their client information.

Whether or not the lawyer’s digitally stored client data deserves the same level of protection that is applied to the client’s paper file is not in question. Rule 1.6(a)(1) of the Model Rules of Professional Responsibility states plainly, “A lawyer may not knowingly reveal a confidence or secret of a client.” This obligation, and the consequential premise that a lawyer should exercise care to prevent unintended disclosure, makes no distinction between client data in red-rope files and that on floppy disks.

Most lawyers understand this basic ethical duty at a gut level when the risks are obvious. None of us, as lawyers, would drive down the highway with our client files in the back of an open truck, yet often we unknowingly reveal our clients’ privileged electronic data to the world through substandard internet connections. It is when the risks associated with electronic client communications are not apparent that lawyers are at a disadvantage in assessing the likelihood of a possible Rule 1.6 violation.

Understanding the risks associated with everyday communication technology will better equip legal professionals in determining whether they may unintentionally be disclosing client information. How can a lawyer possibly know whether they are in danger of revealing client confidences if the lawyer does not understand the inherent deficiencies of their electronic communications systems?

It is important to remember that all communication carries with it some risk. Even our most trusted systems of communication can be violated by eavesdropping, wiretapping, or theft of mail. So it stands to reason that the precautions to be taken by a lawyer depend on the circumstances, including the sensitivity of the information, the manner of communication, the apparent risks of interception or unintended disclosure, and the client's wishes.

When taking precautions, you should consider that absolute security is not only impractical, but probably unnecessary. You may have a reasonable expectation of privacy for an ordinary fax transmission, even though additional encryption-type data scrambling tools are available. Interception of a properly transmitted, ordinary fax communication would involve a sophisticated level of expertise, as well as an individual with the intent to violate Federal law.

Here is where the balance of the attorney’s Rule 1.6 analysis lies: a confidential communication that could be intercepted inadvertently or with unsophisticated equipment is probably improper; however, that same confidential communication can be considered proper if interception would require intent and a high degree of sophistication.

Of course, the client’s wishes override all. The client may request a higher degree of security or, conversely, after being advised of the risks, can consent to receiving confidential information over what would ordinarily be improper channels of communication.

Rule Guidelines

Organizing the Rule 1.6 analysis as it applies to electronic communications may appear like this:

A “Yes” answer to any of the following would indicate that the choice for transmission of the confidential information is probably improper:

  1. Could this communication be intercepted inadvertently?
  2. Could this communication be intercepted with unsophisticated or readily available equipment?
  3. Does the sensitivity of the confidential information require a higher degree of security?
  4. Does the client expect a higher degree of security?

Cordless Phones / Cellular Phones

To understand the risks associated with confidential communications via wireless phones, you must first determine what type of wireless phone it is that you are using.

Cordless phones that are primarily for home use and send a signal to a base are available in two formats: analog and digital. Cellular phones that are designed for use in automobiles and throughout a regional calling area also are available in analog and digital formats.

Any analog phone is considered an improper device for a confidential client communication because of the strong likelihood that the conversation could be inadvertently intercepted by common household devices. Conversations conducted via analog telephones are routinely intercepted by other wireless analog phones, baby monitors, and radio scanners.

Digital telephones are fast becoming the norm for both cordless and cellular communication, and their popularity is due, in part, to the highly secure nature of the digital communication format. Digital transmissions involve the general process of converting your voice into binary information (1’s and 0’s) and then compressing it, before it is transferred to a cellular tower. The process works like a form of encryption that makes the communication extremely difficult to “decode” without the use of sophisticated communications equipment.

Although true digital communications are highly secure, digital cellular phones contain features that occasionally make them vulnerable to accidental interception. The “Dual Mode” feature available with most digital cellular phones allows the device to switch the transmission technology it uses. If the phone supports multiple modes, it will try the digital mode first, then switch to analog if it cannot establish a digital connection. Therefore, it is vital that the caller determine whether they are in a digital communication area before discussing confidential client information on a digital cellular phone.

Cordless or cellular phones using analog transmission technology are never recommended for confidential client communications. A cordless phone using digital transmission technology is generally acceptable for confidential client communications. A cellular phone using digital transmission technology is acceptable for confidential client communications provided it is being used in a digital communication area.

Faxes

Fax machines typically transmit data over conventional telephone lines. A document that is scanned is converted into data bits that travel through the phone line and arrive at a receiving fax machine. At the receiving end the bits are decoded, uncompressed and reassembled into the scanned lines of the original document.

With fax machines, the concerns are less with interception than with unintended dissemination of the communication at its destination, or to a third-party recipient.

An example of unintended dissemination at the recipient’s site is where the communication may be received in a common area of the workplace or home and may be read by persons other than the intended recipient.

Human error in the form of a misdial by the fax sender can also result in unintentional dissemination of confidential client information.

A well-written fax cover sheet that clearly states the identity of the intended recipient, as well as the confidential nature of the fax content, offers a small bit of security by making it more likely that a misdirected fax will be immediately forwarded to the correct destination.

Other safe faxing techniques include adding common destination fax numbers to the machine’s auto-dial memory, to prevent accidental misdials, and phoning ahead at the destination site to ensure that the intended fax recipient is available to receive the confidential information as it is faxed in.

In summary, faxing is considered to be an acceptable method of communicating confidential client information, although human error in the form of a misdial, or careless dissemination at the destination site, creates a slight risk of a Rule 1.6 violation.

E-Mail

The rapid popularity of e-mail transmissions during the latter half of the 90’s, and the mystery of “where do all those messages go?” at the time of the discovery, led to a lot of confusion as to the safety and security of confidential e-mail messages. For some, the simple premise that e-mail messages tend to make a handful of pit-stops on third-party computers before reaching their final destination was enough to consider the communications technology improper for confidential client communication.

Significantly, attorneys now seem to accept e-mail technology as a secure means of communication. That is, like an ordinary telephone call, it would require sophisticated technology as well as an intent to break the law to intercept an e-mail message.

Perhaps nowhere else is the initial ambivalence toward e-mail by legal practitioners better documented than in the Ethics Opinions of the Iowa Supreme Court Board of Professional Ethics and Conduct. Clearly looking out for the best interests of Iowa clients seeking professional legal services, the Board filed the following Opinion on August 29, 1996:

“…but with sensitive material to be transmitted on E-mail, counsel must have written acknowledgment by client of the risk of violation of DR 4-101 which acknowledgment includes consent for communication thereof on the Internet or non-secure Intranet or other forms of proprietary networks, or it must be encrypted or protected by password/firewall or other generally accepted equivalent security system.”[2] [Emphasis added].

One year later, the same Iowa Board filed the following Opinion, amending Opinion 96-01 and eliminating Iowa’s e-mail encryption requirement:

“…In the opinion of the Board it is now desirable to change Division III of Opinion 96-1 (1997) eliminating Board determination of minimally proper e-mail security. …Opinion 96-1 hereby is amended to read as follows:

"…but with sensitive material to be transmitted on e-mail counsel must have written acknowledgment by client of the risk of violation of DR 4-101 which acknowledgment includes consent for communication thereof on the Internet or non-secure Intranet or other forms of proprietary networks to be protected as agreed between counsel and client."[3]

The Iowa Board’s decision to allow the client and counsel to agree upon the acceptable form of transmitting sensitive information is typical of the formal ethical opinions issued by licensing boards that have addressed the issue of e-mail use.

How E-Mail Works

Sometime in 1971 an engineer named Ray Tomlinson sent a text message from one computer to another over the internet, using the “@” sign to designate the receiving computer. Prior to this, you could only send messages to users over a single machine.

Little has changed with the overall technology of transmitting e-mail text since Tomlinson’s first message in 1971. Microsoft and Netscape have led the way in developing client software and exchange server software to sort out the millions of text messages traveling the Net, but the pathways an e-mail message travels, and the method by which the e-mail is stacked and saved, are much the same as when text messaging first became common on the Internet.

If you have an e-mail account, then somewhere out on the World Wide Web is a computer with a text file that represents your account. As text messages are sent to you, they are stacked up and added to your text file on the e-mail server computer, waiting for you to log in and retrieve the information. The mail client software that is on your computer, such as Netscape Communicator, works like a telephone that is designed to dial only one number, routinely dialing the computer that contains “your” text file. At the time the mail client software logs in, the information in your text file is delivered to your computer, and then the text file on the internet is erased and reset. Your client software has the final task of dividing up the text file that is now on your system back into the separate e-mail messages the way they originated.
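The spool file described above, as an added example that is not part of the original article: Python code that divides one stacked text file back into separate messages and lists the third-party hosts each message recorded on its way. It assumes the common mbox layout ("From " separator lines, ">From " quoting of body lines) and standard Received headers; the article names no file format, and every address and host below is constructed.

```python
import email
import re

# Constructed sample: two messages stacked in one mbox-style spool file.
SPOOL = (
    "From client@example.org Mon Jan  1 10:00:00 2001\n"
    "Received: from relay.example.net by mail.firm.example; Mon, 1 Jan 2001 10:00:05 -0600\n"
    "Received: from pc.example.org by relay.example.net; Mon, 1 Jan 2001 10:00:02 -0600\n"
    "From: client@example.org\n"
    "Subject: Settlement figure\n"
    "\n"
    "Thanks for the draft.\n"
    ">From my side the figure is acceptable.\n"
    "\n"
    "From clerk@example.com Mon Jan  1 11:30:00 2001\n"
    "Received: from mx.example.com by mail.firm.example; Mon, 1 Jan 2001 11:30:04 -0600\n"
    "From: clerk@example.com\n"
    "Subject: Hearing date\n"
    "\n"
    "The hearing is confirmed.\n"
)


def split_spool(spool):
    """Divide one spool text back into separate parsed messages."""
    chunks = []
    for line in spool.splitlines(keepends=True):
        if line.startswith("From "):      # separator line: a new message starts
            chunks.append([])
        elif chunks:
            # Body lines that began with "From " were stored as ">From ";
            # undo that so the text matches what the sender wrote.
            chunks[-1].append(line[1:] if line.startswith(">From ") else line)
    return [email.message_from_string("".join(c)) for c in chunks]


def relay_hosts(msg):
    """Hosts that handled the message, in travel order (headers are newest-first)."""
    stamps = msg.get_all("Received") or []
    return [re.search(r"\bby\s+([^\s;]+)", s).group(1) for s in reversed(stamps)]


if __name__ == "__main__":
    for m in split_spool(SPOOL):
        print(m["Subject"], "->", relay_hosts(m))
```

Both the message text and the relay trail sit in the spool as plain text, readable by anyone with access to the server that holds the file.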

Is E-Mail Safe?

When comparing e-mail to typically “safe” communication technologies -- such as a telephone conversation through a hard line system -- e-mail technology is a notch lower on the overall security paradigm. Like a fax, a mistaken e-mail address may send the entire text of the confidential information to an unintended recipient. More disastrous results can occur when a sender mistakenly broadcasts a confidential communication to other addresses in the sender’s electronic address book. Simply hitting the “Reply to All” button instead of “Reply” will result in sending a response to every address that was in on the original correspondence. Although uncommon, these examples do occur and the results can be harmful.

Overall, e-mail is considered a proper means for transmitting client information; however, since it is much like the fax machine in that it lends itself to accidental improper dissemination, precautions should be taken that depend on the circumstances, including the sensitivity of the information, the apparent risks of interception or unintended disclosure, and the client's wishes.

If you find yourself still having trouble getting over the fact that e-mails are routed through third-party computer servers, stop and think for a moment about the communication technologies we regard as secure without question. Soon after your telephone line leaves your house it typically runs directly into a box about the size of a refrigerator that acts as a digital concentrator. The concentrator digitizes your voice and then combines your voice with hundreds of others and sends them all down a single wire to the phone company office. If you're making a local call, then the switch simply creates a loop between your phone and the phone of the person you called. If it's a long-distance call, then your voice is digitized and combined with millions of other voices on the long-distance network. Your voice normally travels over a fiber-optic line to the office of the receiving party, but it may also be transmitted by satellite or by microwave towers. In short, your “ordinary” phone call also makes pit stops in third-party computers before reaching its final destination.

E-Mail Attachments

Although an e-mail text message appears to be a relatively safe method of client communications, the same cannot be said for e-mails containing document attachments.

Your e-mail client allows you to add attachments to e-mail messages you send, and also lets you save attachments from messages that you receive. Attachments might include word processing documents, spreadsheets, sound files, snapshots and pieces of software. Usually, an attachment is not text (if it were, you would simply include it in the body of the message).

Most e-mail attachments in a legal matter are document attachments. Adding document attachments to the e-mail is a great convenience for both the sender and the recipient because it allows the parties to exchange a true document at cyber-speed, as opposed to a photocopy of the document.

The danger in sending document attachments is that not only is all the document text sent to the recipient in Word or WordPerfect format, but so is the underlying code that was used to create the document! In plain language, what this means is that the attached document, with little effort, could reveal to the recipient all the changes that were made in originally producing the document.

An example of a worst-case scenario for a Rule 1.6 violation involving e-mail attachments is where an attorney sends opposing counsel an e-mail attachment that contains a demand for settlement. The opposing counsel, using tools readily available in his word processing program, could examine the document, as well as all the changes that were made in putting the demand letter together. There, it is revealed that the author’s original demand amount was $25,000 lower, revealing to the recipient that the counsel making the demand was willing to settle for less.
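A pre-send check for the scenario above, as an added example that is not part of the original article: Python code that opens a draft and reports any tracked insertions or deletions still stored in it, so the file can be held back before it is attached. It assumes the current Word .docx format, where tracked changes are kept as `w:ins` and `w:del` elements in `word/document.xml`; the sample paragraphs, amounts and author names are constructed, and `safe_to_attach` is a hypothetical helper name.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample paragraphs (amounts and authors are made up).
TRACKED = (
    '<w:r><w:t xml:space="preserve">Our client demands </w:t></w:r>'
    '<w:del w:id="1" w:author="Associate"><w:r><w:delText>$75,000</w:delText></w:r></w:del>'
    '<w:ins w:id="2" w:author="Partner"><w:r><w:t>$100,000</w:t></w:r></w:ins>'
    '<w:r><w:t xml:space="preserve"> to settle.</w:t></w:r>'
)
CLEAN = '<w:r><w:t>Our client demands $100,000 to settle.</w:t></w:r>'


def make_docx(paragraph_xml):
    """Build an in-memory .docx holding only the part the check reads (sample input)."""
    doc = f'<w:document xmlns:w="{W}"><w:body><w:p>{paragraph_xml}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


def find_revisions(docx_bytes):
    """Return (kind, author, text) for each tracked change still stored in the file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Meant for the firm's own outgoing drafts, not for untrusted files.
        root = ET.fromstring(z.read("word/document.xml"))
    found = []
    for kind, tag, text_tag in (("deleted", "del", "delText"), ("inserted", "ins", "t")):
        for rev in root.iter(f"{{{W}}}{tag}"):
            text = "".join(t.text or "" for t in rev.iter(f"{{{W}}}{text_tag}"))
            found.append((kind, rev.get(f"{{{W}}}author"), text))
    return found


def safe_to_attach(docx_bytes):
    """Pre-send gate: only documents with no tracked changes pass."""
    return not find_revisions(docx_bytes)


if __name__ == "__main__":
    for name, para in (("tracked", TRACKED), ("clean", CLEAN)):
        data = make_docx(para)
        print(name, safe_to_attach(data), find_revisions(data))
```

The tracked sample displays as a $100,000 demand once changes are hidden, yet the file still carries the earlier $75,000 figure and the names of both editors.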

Since document attachments are fraught with possibilities for revealing confidential client information, it is simply not recommended that such information be exchanged in the form of an e-mail attachment.

There are security tools available in word processors and protocols that can be adopted that would greatly lessen the chance of confidential client information being disseminated through document attachments. However, since it is unlikely all members of the firm will take time to understand the security features in their word processor, the quick and easy rule for maintaining the highest degree of protection for confidential client information is simply to establish a firm policy that under no circumstances are e-mails to be sent with document attachments containing confidential client information.

One exception to this proposed ban on document attachments would be if the attached documents were produced in a PDF format. PDF images are documents that can be viewed and read, but the recipient does not have the ability to alter the text of the document in any way. More importantly, the PDF document sent as an e-mail attachment cannot reveal to the recipient the changes that went into the construction of the document. In order to send an e-mail attachment in PDF format, you need to install a small piece of software that will convert the word processing document into the unique format. A down-side to this proposed remedy is that the recipient needs to have a PDF document reader, that is, software that will display the attached PDF document. Free PDF document readers and software to help you create PDF files are available for download at

Mobile E-Mail Devices

Pocket-size devices designed to send and receive e-mail are rapidly becoming popular – especially for the mobile attorney. Although the devices are newly available and offer communication freedoms that didn’t previously exist, the technology behind the communication is much the same as cellular phones, and standard e-mail delivery systems.