Legal & Policy

What Bar Ethics Rules Actually Require of Encrypted Client Communication

July 15, 2026 8 min read Haven Team

In 2017 the American Bar Association issued Formal Opinion 477R, replacing an older, blunter rule that treated unencrypted email as categorically acceptable for client communication. The new standard is more demanding than most firms realize, and less prescriptive than most vendors selling encryption tools would like you to believe.


Model Rule 1.6 requires a lawyer to make reasonable efforts to prevent unauthorized access to, or disclosure of, information relating to the representation of a client. That language has been in place for years. What changed with 477R is the ABA's guidance on what "reasonable efforts" means when the communication channel in question is email, and by extension any other digital channel a firm uses to talk to clients.

Why the old rule stopped working

A 1999 ABA opinion had held that lawyers could generally use unencrypted email without violating confidentiality obligations, reasoning that email carried a reasonable expectation of privacy comparable to a phone call. That reasoning made sense against the threat landscape of 1999. It stopped making sense as email became the default channel for everything from routine scheduling to the exchange of settlement terms and unreleased financial disclosures, and as the realistic threat model expanded from wiretapping to mass credential theft, business email compromise, and email provider account takeovers that don't require anyone to tap a line at all.

What 477R actually says

The opinion does not require encryption for every communication. It rejects a blanket rule in either direction, no encryption ever required or encryption always required, in favor of a fact-based approach that asks lawyers to weigh several things: how sensitive the information is, whether the client has given instructions about a specific communication method, what safeguards are already reasonably available, and how burdensome a given safeguard would be relative to the risk it addresses.

The practical reading

Routine scheduling emails and general case-status updates rarely need special protection. A settlement demand, an unreleased financial disclosure, medical records tied to a personal injury claim, or communication in a matter where the client has specifically asked for extra caution, that's the category where standard unencrypted email starts to look like it falls short of "reasonable efforts."

This is a genuinely different posture from "buy an encryption product and you're covered." The opinion asks for judgment applied matter by matter, which means a firm's actual obligation is closer to a documented policy, what triggers extra protection, who decides, what tool gets used, than a single technology purchase.

Confidentiality duty versus privilege waiver: two different questions

It's worth separating two things that get conflated constantly. The ethical duty of confidentiality under Rule 1.6 is a professional responsibility question, enforced by bar discipline. Whether an unencrypted communication waives attorney-client privilege in litigation is an evidentiary question, governed by case law and, in federal matters, Federal Rule of Evidence 502 on inadvertent disclosure. A firm can fall short of the ethical standard without losing privilege in a specific case, and a firm can maintain solid ethical practices while still facing an inadvertent-disclosure fight if a privileged email lands in the wrong inbox through ordinary human error, a misaddressed reply, an autocomplete mistake, a broad CC.

The two risks compound in cloud-hosted email specifically, because subpoenas and preservation orders reach the provider as well as the firm. A third party holding plaintext copies of privileged communication is a different legal posture than a firm holding encrypted copies where only the client relationship holds the keys, even before any breach or leak occurs.

State bars didn't all move the same way

477R is ABA guidance, not binding law. State bars issue their own opinions, and they don't converge on identical language even when they reach similar conclusions. Some state opinions lean harder into requiring encryption for specific categories, health information, financial account numbers, Social Security numbers, treating those as presumptively sensitive rather than leaving the sensitivity call entirely to case-by-case lawyer judgment. Others stay closer to the ABA's general reasonableness framing without listing specific triggers. A firm practicing across state lines, which is most firms handling anything beyond purely local matters, ends up needing to check the strictest applicable standard rather than assuming the ABA opinion alone covers every jurisdiction it operates in.

What firms actually do with this

What tooling can and can't do here

No single product satisfies 477R by itself, because the opinion's core requirement is a documented, matter-aware decision process, not a checkbox. What a genuinely end-to-end encrypted email tool changes is the floor: for the matters a firm decides warrant it, PGP-based encryption means the message content is unreadable to the email provider itself, not just to a casual eavesdropper, which matters directly for the subpoena-to-provider scenario above. That's a real technical property worth having in the toolkit. It doesn't replace the judgment the opinion actually asks for.

The staff training angle gets less attention than the technology purchase, and it shouldn't. A paralegal who forwards a privileged attachment to the wrong recipient because autocomplete filled in a similar name has undone whatever protection the firm's email gateway was providing, and no encryption product defends against that particular mistake. The realistic policy has two layers: a technical baseline that covers the matters a firm has flagged as sensitive, and a training habit, double-checking recipients before sending anything marked privileged, that covers the failure mode no software addresses.

Try Haven free for 15 days

Encrypted email and chat in one app. No credit card required.

Get Started →