Should Lawyers Worry About Confidentiality in Instant Messages?

Recently a few posts urged lawyers to embrace instant message as a medium in communicating with clients (Dennis Kennedy, Chuck Newton.) This spurred discussion about whether email or instant message offered sufficient security for use by lawyers (Carolyn Elefant, Carolyn Elefant, Amy Brining). I wondered about what the ethical rules have to say on the issue of use of emails and instant message by lawyers.

Current Rules Regarding Email: A quick search brings up some early docs that quaintly and painstakingly walk through the issue of whether it’s appropriate for a lawyer to communicate with clients via email. (See, for example: Ernet Sasso, “E-Mail and Client Confidentiality,”; Tana Materi, “Email Confidentiality”.) In the last 10 years, many states have expressly addressed this issue, finding that email offers sufficient security and privacy and is therefore an appropriate medium for attorney/client communications. (Florida (2000); Wisconsin (2002); Maine (2008).) Ohio (in 1999) seems to have been one of the earlier jurisdictions to address this issue and a Supreme Court ethics opinion (99-2) concludes that communication via unencrypted email is appropriate from the standpoint of an attorney’s ethical obligations:
First, through the use of computers in the practice of law, electronic mail communication has become a popular and efficient method of communication. Second, while there are security risks that e-mail will be intercepted, the risk of interception is not singular to this one method of communication. Every method of communication carries with it a risk of interception. Mail can be intercepted. Telephone messages can also be intercepted. Land-based telephones may be wiretapped, eavesdropping may occur by listening through a receiver of a telephone extension, or too loud voices may be overhead by others. Yet, these forms of communication are considered reasonable under the rule.

Third, interception of electronic communication is a criminal activity. Interception of e-mail is illegal under both federal law and state law. Federal law prohibits interception and use of electronic communication at 18 U.S.C.A. ยง 2511 (West 1998). …

Fourth, there is support in case law for the proposition that a reasonable expectation of privacy may exist even though a form of communication is capable of being intercepted. …
No big surprise. Some states, such as Washington, have a less explicit rule in place that only requires a lawyer to act reasonably. No special security precautions are required if the “method of communication offers a reasonable expectation of privacy”. (Washington RPC, Rule 1.6.)

What About Instant Message: Not surprisingly, I did not come across any rules or ethics opinions expressly addressing communication via instant message. Nor have I come across a comprehensive comparison between email and instant message as far as security and confidentiality. (Here’s an NPR blurb on IM privacy quoting someone from EFF, and here’s a cNet survey, both helpful.) My feeling from personal experience is that instant message actually affords greater privacy and confidentiality than email. I say this based on the reactions of a couple of privacy obsessed clients who happen to be technically savvy. They prefer to communicate sensitive information via IM, rather than email. Federal statutes governing interception of electronic communications likely cover instant messaging. (The statutes are nuanced, to say the least, and turn often on where the communication resides and where it’s routed through. On a side note, recording an IM conversation without permission may violate certain statutes.)

From a practical standpoint, you can obtain a secure IM client and/or use a plug-in that provides for greater security and privacy. (Gaim, now called Pidgin, and Trillian are two worth checking out.) Additionally, instant message programs allow you to change the settings to not archive conversation or to provide for greater security. The risk of a mis-typed / auto corrected email address delivering confidential information to a third party isn’t likely to happy via IM (e.g., “Eli Lilly’s Email Travails”). There’s also less risk that the email is forwarded on by the client or accessed by someone at the client’s location. By most measures, IM is more secure than email, and if a breach is going to happen in a conventional setting, it’s equally plausible in the context of IM. From the standpoint of ethics rules and guidelines, it seems like lawyers would be on safe ground communicating with clients via IM.

Facebook and Twitter: One should resist the temptation of taking this too far and communicating with clients via Facebook and twitter. Twitter has had its share of well publicized hacks and privacy snafus (here and here). I’ve seen more than a few “direct messages” that were accidentally sent out to everyone, or have received messages that were clearly not meant for me. Third party applications such as Twitterberry complicate matters by transmitting replies to “direct messages” to everyone. The plain vanilla Twitter application doesn’t seem terribly reliable as far as privacy and security. (Twitter will probably market a “corporate intranet” version, and others have similar applications in the market place.) Facebook seems to be equally unreliable as far as confidentiality and privacy in communications. (See, e.g., “Nigerian Scammers Hit Facebook”; “Your Facebook Info Isn’t So Private”.) (I digress, but most lawyers probably don’t want to mix their high school friends and their clients. To the extent these two groups of people are in divergent social categories, lawyers are probably wise to avoid “friending” clients.)

Epic’s privacy tools page looks good. There are a ton of tools out there for the privacy minded emailer and instant messager (I almost said “instant messenger”). At the end of the day, there are many ways to have a conversation which offers sufficient privacy and security from the standpoint of lawyer ethics.