Attorney-Client Confidentiality and Email

The duty of confidentiality owed by lawyers to their clients is one of the foundations of the attorney-client relationship. Generally, this duty is memorialized in ABA Model Rule of Professional Conduct 1.6, which states in part that a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, or the disclosure is impliedly authorized in order to carry out the representation, with certain exceptions listed in Rule 1.6(b).

Lawyers routinely advise clients of the duty of confidentiality and caution clients about protecting the attorney-client privilege. Lawyers take care to ensure that conversations with clients are not overheard and recommend that clients do not discuss their communications with others. Changing technologies add a new layer to the issue of confidential communication.

Lawyers and Electronic Communication

Email has become a mainstay in attorney-client communications, but use of email and other means of electronic communications, including text messages, can give rise to additional confidentiality concerns. While lawyers have used email disclaimers in the past, these disclaimers are generally insufficient to qualify as ‘reasonable steps’ to preserve client confidentiality.

In August 2011, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 11-459 relating to a lawyer’s duty to protect the confidentiality of electronic communications with clients.

The opinion specifically addresses the use of electronic communications and whether clients may have a reasonable expectation of privacy when using such forms of communication. Specifically, the opinion notes that lawyers should instruct clients to avoid using workplace devices or systems for sensitive or substantive communications between lawyer and client. According to the opinion, the duty of a lawyer to so advise the client arises as soon as the lawyer knows or reasonably should know that the client is likely to send or receive substantive lawyer-client communications via electronic means “where there is significant risk” that the communications will be read by a third party.

The opinion recites four considerations that would tend to establish an ethical duty for a lawyer to warn the client against using a business device or system for electronic communication: where the client has already communicated by electronic means or has indicated an intention to do so; where the client is employed in a position that would provide access to a workplace device or system; where, given the circumstances, the employer or a third party has the ability to access the email communications; and where, as far as the lawyer knows, the employer’s internal policy and the jurisdiction’s laws do not clearly protect the privacy of the employee’s personal email communications via a business device or system.

According to the opinion, lawyers should ordinarily assume that an employer’s internal policy allows for access to the employee’s emails sent to or from a workplace device or system. The Opinion recommends that lawyers refrain from sending substantive communications to a client’s workplace email address, and that they caution clients not to send electronic messages to their attorney through such an account, or through a personal email account using a workplace computer or system. The opinion goes so far as to note that a lawyer who becomes aware that the client is receiving personal email on a workplace computer or other device owned or controlled by the employer has a duty to warn that this practice should be discontinued. If the client does continue, the Opinion recommends that the lawyer stop sending electronic communications even using the personal email address.

Ethical Precautions

In addition to the cautions noted in the Opinion, it would be prudent for lawyers to ask specific questions of their clients at the time of the initial consultation that would not only establish the preferred means and methods of communication but also uncover potential confidentiality leaks. For example, although many employees may be aware that accessing their personal email via a work computer might potentially allow the employer to view their personal email, the same employee may not be aware that accessing their personal electronic messages via an employer-provided smartphone might raise similar issues. Text messaging, which is becoming more and more popular, particularly with younger clients and lawyers alike, may raise comparable concerns.

But employer-provided computers, systems and smartphones are not the only concern here. Even where a client accesses personal email on a personal smartphone or home computer, lawyers should be sensitive to issues of access by other third parties, such as family members, particularly in cases such as divorces or will contests. Other problems may arise with the use of hotel or library computers as well.

Part of the lawyer’s duty to a client is to educate the client about the nuances of the attorney-client relationship and the obligations of both lawyer and client to preserve that confidentiality. Lawyers should instruct clients specifically about how email and other forms of electronic communication should or should not be used during the course of the representation.

Stephanie Kimbro also commented on the Opinion over at Virtual Law Practice. Kimbro recommends that attorneys use only encrypted email when communicating with clients, or that they institute the use of a system which requires both parties to log into a secure, encrypted area in order to communicate.

It remains to be seen whether the ethical obligations of lawyers will be extended to require encryption of email in certain circumstances in the future.


  • 2011-09-21. Originally published.
  • 2014-11-20. Republished.

Featured image: “Secret” by val.pearl is licensed CC BY-NC-ND 2.0.


  1. Great thoughts Allison. Do you have any suggestions for easy encryption methods that won’t add too much hassle for clients?

    • Sam Glover says:

      I think the easiest way to do it is to include any sensitive information in an attachment, and encrypt the attachment. You can do this with Word documents or (preferably) PDFs.

      Then just call your client and give them the passcode, or set one up at the beginning of the representation that they will be able to remember.

    • Brian Shea says:

      As Sam Glover mentions about encrypted Word or PDF files, until email encryption becomes simple for ‘normal’ people to use, email should not have any private info.

      But, why even send attachments? If you have secure storage online, like Google drive, you can share access to the secure files. In the case of Google, you’d want the Google for Work version to ensure encryption while stored in the cloud. But then your recipient would just need a gmail/google account to access the files, securely.

      Secure file sharing is still very slow to catch on, but it reduces the amount of data actually traveling across the web. When you send an attachment, even if encrypted, it is still passing through many points to reach its destination.

      When sending an email with just a link to a secured shared document, then only those specifically given permission, AND logged into their account, can access the documents.

      Start looking into secure file sharing. Myself, I use Google for Work, which might fit others’ usage needs. Here’s the link to the full security features of Google Drive (for Work).

      While I am a reseller/partner of Google for Work, I am simply sharing info that perhaps can offer insight into how to better share docs, and perhaps use that fax machine less. I have not looked at Microsoft’s newer online versions recently, but that might also be an option.

      [I’m here because an attorney friend just emailed me using his AOL address, which drives a tech/web security person like me crazy.]

  2. Chad Greer says:

    It’s interesting to me that we worry so much about emails. We never had this kind of concern for letters. Letters can be lost in the mail, they can be delivered to the wrong address where they are opened by someone else, they can be read by an unintended third-party, and they can even be copied or scanned. The overnight delivery services have also been known to deliver packages to the wrong address–not often, but it happens.

  3. Colin Mathews says:

    I am the co-founder of–we’ve been watching this issue for about two and a half years and have built a product for this exact problem. Email is a hazardous way to communicate sensitive information, but attorneys need to be able to move on with their day. Also, clients need simple access to conversations with their attorneys, but they need to feel that their information is protected. Our product provides encryption for all correspondence, your clients are easily included, and we have integration with Outlook, iPhone, etc.

    We’ve written a response specifically to Opinion 11-459 here:

  4. When I have a client sign a retainer agreement I ask the client if there is another family member that I may discuss the case with. If so, I handwrite something like “may discuss case with wife Mary Smith” onto the retainer agreement and have the client sign this addition. This article has made me think to add something like this to my retainer agreement: “Client agrees that attorney may discuss confidential matter in e-mails to client sent to _____@____ and attorney and client have discussed the issues of family members, roommates and/or employers possibly accessing this e-mail address, but client is still comfortable receiving confidential communications at this e-mail.” OR, perhaps, after discussion the added note to be signed by the client might read, “Client has provided e-mail address _____@_____ to attorney but requests that confidential matters not be discussed other than to send a message requesting client contact attorney.”

    • Colin Mathews says:

      Interesting idea, but most people don’t realize that they make themselves vulnerable by receiving sensitive information via email–namely that it travels as plain text around the Internet. With all of the privacy issues in tech lately (email breaches, Facebook mis-sharing, etc.), I think it’s time to upgrade the weaponry.

      An accountant wouldn’t send financial data as a Word document; they’d use a spreadsheet because it’s the right tool for the job. My biased opinion is that Dialawg is the right tool in the case of attorney-client communication.

  5. This is an interesting post that leads to some additional comment. While the process protects the attorney, it fails to add a “privacy” consideration. An email can be read by other parties and create added liability. Adding an encryption capability to the email protects both the sender and email recipient.
    Adding an e-signature capability to the email permits other parties to sign the understanding/agreement and return by email. One should always remember that when sending email-related communications, the sender bears the responsibility of proof in the event of an email dispute. Copying yourself or an associate doesn’t prove that the recipient received anything!

  6. @Ken: you commented “An email can be read by other parties and create added liability.”

    What is the basis for this statement? Are you talking about interception of other people’s e-mails, which is a felony, or people mistakenly sending e-mails to the wrong party? What is the “added liability” and how is it created?

  7. Colin Mathews says:

    @Ken: well said.
    @Eric: Most email travels the Internet in plain text, able to be intercepted by any handling party (and be stored, shared, scanned, etc.). We have an educational campaign on the subject here:

    And continuing off of @Ken for the sake of completeness, Dialawg has a feature that allows the request and collection of electronic signatures of any document. A PDF audit is available that tracks all activity including signature information with date, IP address, and verified email address. We also have a feature called Front Desk that gives attorneys a public link where anyone can send them secure information and attachments — forms can even be designed to collect specific fields from clients. Sorry to feature-drop, but I felt it was appropriate given this conversation. :)

  8. @Colin Nearly the same thing could be said about US mail – it travels in flimsy paper envelopes that any person could rip open and read. Except that tampering with the US mail is a crime, just like intercepting e-mail. Way more people have the ability to tear open an envelope than would ever be able to intercept someone’s e-mail. Yet people have safely used US mail for hundreds of years.

    The only people who claim that e-mail is unsafe seem to be the folks selling encryption tools. All of the bar authorities that have looked at this issue have concluded that lawyers are not required to encrypt their e-mails. That’s good enough for me.

    • Sam Glover says:

      You are definitely right, but there is also definitely a need for security in some communications. For example, I’m more worried about clients reading emails at work than I am about the risk of interception, and Dialawg or Clio’s Client Connect are great alternatives to regular email as a way to get around that problem.
