The New York Times reported on February 15, 2014, in an article titled “Spying by N.S.A. Ally Entangled U.S. Law Firm,” that the Mayer Brown law firm exposed confidential communications with a client by using email.
The article says a document leaked by Edward Snowden describes how an Australian intelligence agency monitored email communications between Indonesian officials and an American law firm retained by Indonesia for trade talks with the United States. According to the NYT article, the Australians told NSA officials that “information covered by attorney-client privilege may be included” in the intelligence gathering.
Although the document does not name the law firm, the NYT article says Mayer Brown was then advising the Indonesian government on trade issues. Curiously, the Mayer Brown lawyer handling the matter apparently dismissed the risk that the firm was leaking client confidences:
“I always wonder if someone is listening, because you would have to be an idiot not to wonder in this day and age,” he said in an interview. “But I’ve never really thought I was being spied on.”
Another Mayer Brown lawyer light-heartedly dismissed the ethical concerns, saying the spies would have been bored reading the confidential emails. That seems a very casual lack of concern about a serious ethical obligation.
“A Rising Concern for Lawyers”
The NYT article notes “Most attorney-client conversations do not get special protections under American law from N.S.A. eavesdropping.” It points out that:
Amid growing concerns about surveillance and hacking, the American Bar Association in 2012 revised its ethics rules to explicitly require lawyers to “make reasonable efforts” to protect confidential information from unauthorized disclosure to outsiders.
The NYT article never says whether or not Mayer Brown was using email encryption. I’ve blogged about lawyers’ ethical responsibilities to take affirmative steps to protect client confidences in email. See my post ABA: Lawyers Must Implement Reasonable Data Security for Client Information. Most lawyers don’t encrypt emails because they have not been required to by their state bar associations. Given the scope of U.S. and other governments’ email surveillance, it’s likely that other lawyers’ emails also have been intercepted. So, it is absurd to rely on ethics opinions from the 1990s that allow the use of unencrypted email and ignore current events and the ABA’s more-recent guidance.
Unencrypted Email is Not Secure
There is no reasonable expectation of privacy in unencrypted email … there are merely fictional legal protections. Using SSL encryption (HTTPS) alone does not make email secure from interception – even if the NSA had not broken some SSL encryption.
See my post Unreasonable Expectations of Email Privacy. As I said there: “users’ expectations of privacy are unreasonable where the law does not clearly protect that privacy and the user has taken no steps to protect the confidentiality of their email.” It is no longer reasonable to ignore the clear facts – unencrypted law firm email is exposed to interception.
What Should Lawyers Do?
- Lawyers should encrypt the content of sensitive client communications. Edward Snowden used encrypted email and he endorsed it as being effective against NSA spying. That should speak volumes.
- Lawyers should disclose email risks in client engagement letters. That should include a description of potential adverse consequences to the client (e.g., loss of attorney-client privilege, loss of trade secret status, exposure to identity theft).
For more information, see my series on Lawyer Use of Cloud Services – Reasonable Steps to Protect Confidentiality and Privacy.