Hand Rule on Email Security

By Shawn McCall, Golden Gate University School of Law

All California lawyers owe a duty of competence and confidentiality to their clients. California Rules of Professional Conduct (“CRPC”), Rules 3-110 and 3-100. As the Legal Ethics Corner of the BASF Bulletin previously noted, “competence in the digital milieu is a requirement of a modern lawyer.” Comment 18 to ABA Model Rule of Professional Conduct 1.6 also provides valuable guidance:

Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients . . .

See also Cal. State Bar Formal Opn. 2010-179 (describing similar factors based on duties of competency and confidentiality) and San Diego County Bar Association Legal Ethics Opinion 2012-1. These factors are reminiscent of the famous Hand formula (a term coined by Judge Learned Hand), wherein a breach of duty was defined as occurring when the burden or cost of taking appropriate precautions is less than the multiplicative product of the probability of loss and the severity of the outcome should a loss occur. United States v. Carroll Towing Co., 159 F.2d 169, 173 (1947).

Applying this approach, safeguards can and should be taken with regard to email security. First, using the standard login of just your username—commonly your email address—and password to access your email account is not recommended. Many email providers offer two-factor authentication. With it enabled, when you log into your email account from a new device, like a computer or mobile phone, you are prompted to validate yourself through a secondary, independent means.

Second, encrypted email should be used for particularly sensitive documentation or as instructed by the client based on the client’s confidentiality or other concern. Encryption services are offered by specialized providers, and generally include the option of sending emails with regular security or with heightened encryption. With enhanced encryption, the recipient must enter a specific password that is generated by the sender in order to access the content and attachments of an email. Although this technology is accompanied by some increased burden for mundane matters, the burden is not undue for more sensitive matters.

In closing, considering Judge Hand’s formula, the magnitude of the loss from unauthorized data access, and the evident increase in the probability of a well-publicized security breach, a competent and responsible attorney should take steps to ensure email security. The burdens on a practitioner outlined herein are minimal when compared to the product of the outcome of an unauthorized data access and the increasing probability—if not eventuality—of such a breach.

About the author:

Shawn McCall is a forensic psychologist, and he is pursuing a legal career to develop a deeper understanding of the law as well as expand his ability to participate in the legal community. He is currently a second-year law student at Golden Gate University School of Law.