Pennsylvania Opinion 97-130

September 26, 1997
Kevin M. French

CAVEAT: THIS IS NOT AN OFFICIAL OPINION OF THE DISCIPLINARY BOARD OF THE SUPREME COURT OF PENNSYLVANIA AND ANY OPINION RENDERED WILL BE AFFORDED ONLY AS MUCH WEIGHT AS THE REVIEWING AUTHORITY MAY CHOOSE TO GIVE IT. MOREOVER, THIS IS THE OPINION OF ONLY ONE MEMBER OF THE COMMITTEE AND IT IS NOT A FORMAL OPINION OF THE FULL COMMITTEE.

The inquirer has asked what are a lawyer's ethical obligations concerning the use of electronic mail, commonly known as e-mail. The answers to this question depend upon a basic understanding of the technology involved. At bottom, e-mail is simply another means of communication. However, it is the unique nature of the mode of e-mail communications that gives rise to the present inquiry.[1]

A lawyer's ethical obligations vary with the content and purpose of a communication. For example, if a communication concerns the representation of a client, the lawyer is obligated to use reasonable means to preserve the confidentiality of the communication. See Rule 1.6 of the Pennsylvania Rules of Professional Conduct ("A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation"). If the purpose of a communication is to solicit new clients, the lawyer's fundamental obligations are to ensure that the communication is truthful and not misleading. See Rule 7.1 ("A lawyer shall not make a false or misleading communication about the lawyer or the lawyer's services").

What is e-mail? E-mail is mail that is transmitted electronically rather than being handwritten or typed onto a piece of paper, placed in an envelope and entrusted to a mail service for delivery to the intended recipient. With e-mail, the communication is created electronically on a computer and is delivered by means of an electronic transmission to the intended recipient. This transmission can take place within an office on the office's internal computer network (a local area network or LAN), outside an office through a telephone line directly linked to another computer (a direct dial-up connection), through a proprietary network such as America Online or MCI Mail, or through a series of interconnected computers called servers or network hubs operated by independent third-parties (the Internet), and delivered to the intended recipient's computer. E-mail is like a letter or a fax in that it is written and thus there is a persistent record of the communication. However, e-mail is also like a telephone call because of the mode of transmission. E-mail shares characteristics of both, but it also has unique characteristics which distinguish it from either of these common forms of communication.

What has prompted the explosive growth in the use of e-mail in recent years is public access to the Internet and the ready availability of affordable personal computers. The Internet has been best described as a global network of interconnected computer networks.[2] These networks are linked by dedicated lines, traditional land-based telephone lines, satellite transmissions and lines specially designed to carry electronic digital data. The Internet, in its most common usage, employs a protocol developed by the Advanced Research Division of the United States Department of Defense.[3] This protocol was designed to allow for decentralized communications in the event of a nuclear war. The idea was that no one site or line would be required to maintain communications. If a site or line was destroyed, the communication would take another route until it arrived at its intended destination. Under this protocol, electronic information, whether a message, picture, a sound or the like, is broken down into smaller coded packets. These packets are transmitted through networked servers until they reach their destination where they are reassembled. Anyone with a personal computer and a modem can access the Internet through a standard telephone line.[4]

Every day lawyers use myriad ways to communicate with clients, other lawyers, the courts and the public at large. Lawyers speak in the office, on the street, in the hallway of the courthouse, and on the phone. They use land-line based phones, cordless phones and cellular phones. They send letters and other documents through the United States Postal Service, and by overnight delivery services such as UPS and Federal Express. In recent years, the fax machine has become a ubiquitous presence in both private and government offices and even in the home. All of these means of communication are subject to the lawyer's duties of confidentiality and truthfulness.

Does using e-mail to communicate entail unique ethical obligations for the lawyer? E-mail does not appear to differ materially from current means of communication employed by lawyers to the extent that a new set of rules is required, or such that its use should be discouraged. E-mail does, however, appear to involve certain risks that are not present in other forms of communication and some different treatment is advisable, especially at this time when the full scope and magnitude of the risks associated with e-mail use are matters upon which there are substantial differences of opinion. Moreover, because this is such a rapidly developing technology, any analysis and advice in this area is subject to change as the technology changes.

Rule 1.6 obligates a lawyer to keep confidential information relating to the representation. Rule 1.6(a) allows a lawyer to disclose information with the client's consent after consultation. To comply with this rule, a lawyer is obligated to take reasonable measures to protect client confidentiality. A lawyer generally is not obligated to take all available measures to ensure confidentiality unless the matter is so sensitive and the potential for harm to the client is so great that such measures are necessary under the circumstances. Under these extraordinary circumstances, "all available measures" may be deemed reasonable measures. However, for most matters, ordinary, everyday measures are sufficient. For example, on the one hand, although the technology exists, a lawyer is generally not required to scramble a telephone communication to prevent intentional or inadvertent interception. On the other hand, a lawyer should not use a cellular phone to discuss a confidential client matter while having dinner in a crowded restaurant. Moreover, it would be highly unusual for a lawyer to encode a letter or a fax to a client or to another lawyer to protect client confidentiality. Most matters simply do not require that level of security.

Where do matters stand with respect to e-mail communications? Are there special risks associated with the use of e-mail? Are there special measures that must be taken by the lawyer to address those risks? There does not appear to be an established consensus concerning the risks associated with the use of e-mail. Some believe there is no more risk with e-mail than using a telephone, while others believe that there is great risk involved. See Ethics Malpractice Concerns Cloud E-mail, On-Line Advice, ABA/BNA Lawyers' Manual on Professional Conduct, Vol. 12, No. 3 at 59 (March 6, 1996). (This observation is also the result of an informal survey conducted by the author on a legal ethics list service over several months during the Spring of 1997.)

The most commonly identified risk is intentional interception. The second most commonly identified risk is inadvertent interception as the result of, for example, accidental misdirection of an e-mail. Interception of an e-mail communication can take place at a number of points along the transmission path: beginning with the computer where the message is created, at any of the servers through which the transmission is routed, and on the computer where the communication is finally delivered. A hacker can, using a computer and a modem, and with some skill and luck, access an office system and read, copy, change and delete files. A disgruntled employee may be able to access, read and copy files from a computer within the lawyer's office. A systems administrator at one of the server locations, commonly an Internet Service Provider, could theoretically copy e-mail communications as they are stored and then forwarded through the server.

If the message is transmitted only within the law office, or through a direct dial-up connection with the client's or another lawyer's office, the risk of intentional interception by an outside third-party appears to be minimal. If the message is transmitted through a proprietary network, such as America Online or MCI Mail, the risk of intentional interception does not appear to materially increase.

The most significant concern has been raised with respect to e-mail transmitted by means of the Internet because the message is transmitted through any number of unknown third-party computers. There is a vigorous, ongoing debate whether the risk of intentional interception of e-mail transmitted through the Internet is substantial or theoretical. Cogent arguments have been made that this risk is no greater than that which exists with respect to land-line based telephone calls. Arguments have also been made that the risk is, in fact, less because the communication is sent in several discrete packets and not all of the packets necessarily pass through the same server, and because the great volume of messages being transmitted by means of the Internet makes trying to intercept one meaningful message the metaphorical equivalent of searching for the needle in the haystack. Others have forcefully argued that given the power of relatively inexpensive computers and creative programming skills, it is certainly conceivable that interception could take place. Theoretically, intercepting e-mail would not require the time and resources required to intercept a telephone communication. Intercepting telephone communications requires either listening to or recording the communication, and the amount of time required to do this is obviously great. There appears to be no reason why a program could not be created that would scan e-mail in transit for certain key words or phrases and copies made when the key words or phrases are detected. The likelihood of this happening, however, is unknown. There do not appear to be any publicly reported instances of such an interception taking place.

The question concerning the security of data stored on an office computer, whether a stand alone or a network, involves a host of issues that must be considered, such as access control, and password and firewall protection. These issues are beyond the scope of this opinion. Anecdotal evidence suggests, however, that a greater security risk exists for unauthorized access or interception within an office than exists when an e-mail communication is being transmitted.

The question concerning the risk of interception during transmission leads to the question of whether lawyer-to-client, or lawyer-to-lawyer e-mail communications must be encrypted.[5] For most communications, encryption should not be required. Several ethics advisory committees have also reached this conclusion. Illinois State Bar Association, Opinion No. 96-10 (May 16, 1997), 13 Law. Man. Prof. Conduct 176 (1997) (Lawyers may use electronic mail services, including the Internet, without encryption to communicate with clients unless unusual circumstances require enhanced security measures.); South Carolina Bar Ethics Advisory Committee, Opinion 97-08 (June, 1997) (re-examining the issue and reversing an earlier opinion, Advisory Opinion 14-27 (January, 1995)) 13 Law. Man. Prof. Conduct 211 (1997); Vermont Bar Association Committee on Professional Responsibility, Opinion 97-5, 13 Law. Man. Prof. Conduct 210 (1997); State Bar Association of North Dakota, Opinion 97-09 (September 4, 1997), 13 Law. Man. Prof. Conduct 316 (1997) (unless unusual circumstances require enhanced security measures, lawyers may communicate with clients using unencrypted e-mail.); See also Communicating with or About Clients on the Internet: Legal, Ethical and Liability Concerns, ALAS Loss Prevention J. 17 (January, 1996); See, however, Iowa Supreme Court Board of Professional Ethics and Conduct, Opinion 96-1 (August 29, 1996)(Lawyers should not use electronic mail for sensitive client communications unless the messages are encrypted or the client expressly consents to the use of e-mail.).

First, the risk of intentional or inadvertent interception does not appear to be materially different for e-mail when compared to other forms of communication commonly used by lawyers, especially telephone and fax, and encryption by means of scrambling or encoding of these communications is not required, nor expected. Second, for the great majority of communications there is little potential for harm to the client if the communication is intentionally or inadvertently intercepted. Third, encryption is not commonly available or easy-to-use. This, however, is subject to change. There has been discussion that certain e-mail programs and Internet browsers with e-mail features will, in the near future, incorporate easy to use encryption.[6] Fourth, federal and state law makes it a crime to intercept electronic communications or data stored on a computer by anyone who is not authorized to do so. See Electronic Communications Privacy Act of 1986, 18 U.S.C. '2510, et seq; Wiretapping and Electronic Surveillance Control Act, 18 Pa. C.S. '5701, et seq.; Stored Wire and Electronic Communications and Transactional Records Access, 18 Pa. C.S. '5741, et seq.

Like many issues under the Rules of Professional Conduct, client consultation and consent plays a major role in the decision whether to use e-mail and, if so, under what circumstances. A lawyer has complied with his or her ethical obligations if the risks and benefits associated with the use of e-mail are explained to the client and the client consents. Lawyer and client together can agree to use e-mail for all, some or none of their communications. They can also agree whether or not to use encryption.

Certain steps can be taken to reasonably maintain confidentiality. Most e-mail programs can be configured to retrieve messages without leaving a copy on an Internet Service Provider's server. In addition, a brief statement can be placed on e-mail communications to alert the reader that the communication is a privileged and confidential, attorney-client communication similar to the notice that routinely appears on fax transmissions. Finally, caution must be exercised to avoid inadvertently sending the e-mail communication to the wrong person or party. Once sent, it is nearly impossible to retrieve an e-mail communication that is sent to the wrong person.

If e-mail concerns a lawyer or the lawyer's services and is intended to solicit new clients, it is lawyer advertising and is subject to the Rules of Professional conduct governing lawyer advertising. See Rules 7.1 through 7.7. E-mail is most closely analogous to targeted, direct mail and for purposes of compliance with the Rules of Professional Conduct should be treated in the same manner. E-mail should not be regarded as in-person solicitation, which is prohibited under Rule 7.3(a), because the potential for abuse and the possibility of undue influence, intimidation and over-reaching are not any greater than exist for targeted, direct mail advertisements. Like targeted, direct mail, the recipient can always deposit the e-mail in the virtual trashcan by clicking the delete button. Because a lawyer has an obligation to retain a copy of an advertisement or written communication for a period of two years along with a record of when and where it was used under Rule 7.2(b), this provides a means for third-person scrutiny and ensuring compliance with the restrictions on lawyer advertising under the Rules of Professional Conduct. However, in the first decision of its kind in the nation, the Tennessee Supreme Court disciplined a lawyer by imposing a one year suspension for "spamming," that is, indiscriminate posting of e-mail messages advertising his law firm to thousands of newsgroups and e-mail lists. See Tennessee Disciplines Lawyer For Internet E-mail Campaign, 13 Law. Man. Prof. Conduct 218 (1997).

In summary, I conclude the following:

A lawyer may use e-mail to communicate with or about a client without encryption;
lawyer should advise a client concerning the risks associated with the use of e-mail and obtain the client's consent either orally or in writing;
A lawyer should not use unencrypted e-mail to communicate information concerning the representation, the interception of which would be damaging to the client, absent the client's consent after consultation;
A lawyer may, but is not required to, place a notice on client e-mail warning that it is a privileged and confidential communication; and,
If the e-mail is about the lawyer or the lawyer's services and is intended to solicit new clients, it is lawyer advertising similar to targeted, direct mail and is subject to the same restrictions under the Rules of Professional Conduct.

Kevin M. French

Member
Pennsylvania Bar Association
Committee on Legal Ethics and Professional Responsibility

NOTES:

[1] There have been several well considered and well written articles published which discuss the technical aspects of e-mail, compare e-mail to other forms of communication, and analyze a lawyer's professional obligations with respect to e-mail. I am indebted to them, and highly recommend them. Confidentiality and Privilege in High-Tech Communications, by David Hricik, the Professional Lawyer, Volume 8, Issue Number 2, February, 1997; Ethics, Malpractice Concerns Cloud E-Mail, On-Line Advice, by Joan C. Rodgers, ABA/BNA Lawyers' Manual on Professional Conduct, Vol. 12, No. 3 at 59 (March 6, 1996); and Communicating With or About Clients on the Internet: Legal, Ethical and Liability Concerns, by William Freivogel, ALAS Loss Prevention Journal 17 (January, 1996). Another excellent resource is the website hosted by Internet Legal Services at www.legalethics.com.[return]

[2] "The Internet is the largest network of computer systems on the planet." G. Burgess Allison, The Lawyer's Guide to the Internet (1995) at p. 19.[return]

[3] Allison's The Lawyer's Guide to the Internet contains a brief, but interesting discussion of the development of the Internet at page 31.[return]

[4] A modem is a device that converts electronic data from a digital form to an analog form for transmission through standard telephone lines and back again.[return]

[5] Encryption as used in this opinion refers to coding of data by means of a program such as Pretty Good Privacy ("PGP"), a high security cryptographic software application. See Bruce Schneier, E-Mail Security (1995) for a thorough discussion of encryption.[return]

[6] Netscape Communications Corporation has recently released Netscape Communicator, a software suite that includes Netscape's Navigator, a leading Internet browser, and an e-mail program that contains encryption security features intended to work with security services provided by VeriSign, Inc.[return]