Work for the ABA
The American Bar Association has an interesting point of view about encrypting e-mail. In their Formal Opinion 99-413, they say that lawyers can send unencrypted e-mail over the Internet without violating the ABA Rules of Professional Conduct. This means that lawyers are allowed to send confidential client information by unencrypted e-mail. Here’s how they describe the basis for this decision:
The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law.
So, to protect confidential client information, the ABA is willing to rely on two things: the expectation that e-mail will not be read by anyone other than the intended recipient, and the fact that intercepting and reading e-mail is illegal. This seems to be a fairly odd position. If you're in the health care industry, I don't think that the ABA's reasons would be enough to satisfy the requirements of HIPAA. And I'm fairly sure that an auditor checking to see if you're compliant with the PCI DSS wouldn't buy those arguments either. The ABA's guideline is the weakest that I've seen. It's not that difficult or expensive to encrypt e-mail these days. Perhaps the ABA should revisit this issue with this in mind.




