Blind carbon copy (BCC), like the mute button on conference lines, has a reputation for attracting white-collar thrill-seekers. It appears that the New York State Bar Association's Committee on Professional Ethics had this reputation in mind when it issued Ethics Opinion 1076 in December 2015. This opinion does not prohibit the use of BCC, but it does put would-be thrill-seekers on notice. And despite its seemingly limited application, the opinion, together with recent changes to the American Bar Association’s Model Rules of Professional Conduct and the rules in a number of states, might open all lawyers’ email practices to ethical scrutiny.
Opinion 1076 was issued in response to an attorney who had received a demand from opposing counsel to stop BCC’ing the attorney’s own clients on emails. Was the attorney obligated to comply? The opinion concludes “no”: since attorneys are agents for their clients, opposing counsel has no right to expect that clients would not receive copies of correspondence between the attorneys, whether by BCC or otherwise.
If attorneys have no obligations to opposing counsel, though, what about their obligations to their own clients? The opinion next considers the following scenario: an attorney emails opposing counsel, BCC’ing a client. The client then responds to the email using "reply all." The client’s reply-all email “inadvertently disclose[s] to opposing counsel confidential information otherwise protected by Rule 1.6” of the Rules of Professional Conduct. The disclosure of this confidential information could be damaging: in addition to revealing negotiation or litigation strategy, business secrets, or embarrassing comments about the other side, the unintended reply to opposing counsel might also be deemed to waive attorney-client privilege.
Opinion 1076 cites a Massachusetts Superior Court case where opposing counsel attempted to introduce as evidence an inadvertent reply all message from a client. In that case, the court agreed to uphold privilege, but warned that “[The client] and his counsel should not expect similar indulgence again. They, and others, should take note: Reply all is risky. So is bcc. Further carelessness may compel a finding of waiver.” Given the risk of inadvertent disclosure, the opinion advises that “there are practical reasons why the lawyer should consider forwarding the e-mail correspondence to the client rather than using ‘bcc’.” The opinion thus does not find that lawyers have an ethical obligation to their clients to refrain from BCC’ing them, but it does effectively tell lawyers, “Don’t say we didn’t warn you.”
This warning might not be as limited an advisory as it first appears. In particular, it might apply to practices beyond simply BCC’ing clients and might give rise to compulsory obligations for lawyers.
First, the practice of using of BCC is not uniquely risky.  There are a variety of ways lawyers or their clients can accidentally copy unwanted recipients on emails they intended to keep private. For example, consider the following common practice: a lawyer wants to make a private comment on an email conversation with a mixed group. He or she clicks reply all and then manually removes addresses from the address field. In a moment of distraction, the lawyer allows one or more unwanted addresses to escape such manual removal. Or consider the following: a lawyer wants to email a multiparty deal team. To find all of the addresses, he or she searches for an older message, copies the addresses, and then pastes them into a new message. The older message includes a party that has since dropped out of the deal, and shouldn’t have received the message. The lawyer neglects to remove them. Opinion 1076 is right to note the risks of BCC’ing clients, but there are plenty of other common email practices that can just as easily land lawyers in hot water.
Second, the ABA advocates and many states now require that lawyers adopt safe email practices as a matter of black-letter professional responsibility. The ABA’s advocacy started in 2009 with the establishment of its Ethics 20/20 Commission to assess the impact of new technology on legal ethics. Since the 20/20 Commission began its work, ABA has increasingly focused on the obligations of attorneys to preserve client confidentiality in the face of changing technology. ABA Formal Opinion 11-459, issued in August 2011, provided an early example of this new focus. After addressing clients’ expectations of privacy when using work email, the opinion pronounced a more general principle:
Whenever a lawyer communicates with a client by e-mail, the lawyer must first consider whether, given the client’s situation, there is a significant risk that third parties will have access to the communications. If so, the lawyer must take reasonable care to protect the confidentiality of the communications by giving appropriately tailored advice to the client.
Opinion 11-459 thus signaled that lawyers were responsible both for the safety of their own email practices and for taking steps to mitigate the risks of a client’s own potentially risky practices.
A year later, in August 2012, the Ethics 20/20 Commission delivered its report to the ABA House of Delegates. The Report proposed a series of steps to ensure that lawyers “understand that technology can pose certain risks to clients’ confidential information and that reasonable safeguards are ethically required.” It identified:
[T]hree types of problems that can lead to the unintended disclosure of confidential information. First, information can be inadvertently disclosed, such as when an email is sent to the wrong person. Second, information can be accessed without authority, such as when a third party ‘hacks’ into a law firm’s network or a lawyer’s email account. Third, information can be disclosed when employees or other personnel release it without authority, such as when an employee posts confidential information on the Internet.
To address these problems, the commission proposed a key change to the Model Rules of Professional Conduct. A new paragraph (c) to Model Rule 1.6 would require that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The commission’s proposal with respect to Rule 1.6 was adopted by the ABA in August 2012 and incorporated into the ABA Model Rules.
New York had not yet adopted the ABA’s 2012 revisions to Rule 1.6(c) but is in the process of doing so. In December 2014, the New York State Bar Association’s Committee On Standards of Attorney Conduct (“COSAC”) issued a series of recommendations regarding adoption of revisions to the ABA Model Rules. COSAC proposed adopting language substantially similar to the ABA’s revised language for Rule 1.6(c). COSAC’s proposals were approved by the New York State Bar Association House of Delegates on March 28, 2015, sent to the New York Unified Court System Appellate Division, and recently published for public comment — comments closed on June 1, 2016. Thus, while the changes to the Rules of Professional Conduct were not adopted in New York at the time that Opinion 1076 was issued, they will likely soon take effect.
Additionally, several other states have already adopted the language of revised ABA Model Rule 1.6(c) and the number appears to be increasing. As of the end of April 2016, 21 states have adopted language substantially similar to the ABA language, and 11 of those states have adopted the language in the last year and a half alone. Regardless of whether New York ultimately adopts the ABA’s language for Rule 1.6(c), Opinion 1076 might begin to affect lawyers in these jurisdictions, which include five of the 10 states with the largest populations of lawyers (Florida, Illinois, Pennsylvania, Massachusetts and Ohio). Lawyers and legal writers in other jurisdictions have already begun to cite the opinion as evidence of good practices for email and it could soon find a role in disciplinary claim proceedings and perhaps even professional liability claims.
If the “practical reasons” for adopting email best practices (including those concerning use of BCC) soon harden into ethical imperatives, what reasonable efforts should lawyers take with respect to email? To guide lawyers in determining whether a particular effort is “reasonable,” the ABA also adopted new language in what is now Comment 18 to Rule 1.6. States adopting the new Model Rule 1.6(c) have generally also adopted this comment. The comment states that lawyers are not in violation of Rule 1.6(c) if their efforts to preserve confidentiality are “reasonable” in light of the following:
Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Thus, the new rules subject lawyers to a black-letter requirement to take reasonable efforts to avoid inadvertent disclosure. They temper this black-letter obligation by allowing lawyers to take into account judgments about costs and benefits.
In practice, however, the process of making and implementing policies that responsibly balance costs and benefits might be more challenging than it first appears. Lawyers send out dozens or even hundreds of emails per day and the vast majority do not contain any serious errors, but an error in a single email can be disastrous. Human beings, lawyers included, are notoriously bad about making judgments about such low-probability/high-consequence risks and the conclusions they reach often depend on their personal viewpoint.
Take for example the issue of BCC’ing clients. From the standpoint of a firm’s risk management committee or general counsel (or their insurer’s loss prevention officer), the benefits of taking the precaution of forwarding emails to clients rather than BCC’ing them would obviously outweigh the minimal costs of going into one’s sent mail folder and manually sending a forward. The fear of an embarrassing newspaper headline is vivid and the threat of a professional liability claim salient.
The individual lawyer might well agree with this in the abstract. However, over the course of the workday, the costs of the new practice — piling one more little rule on a mountain of little rules and adding one more few-second step to a day of few-second steps — may feel like they outweigh the benefits. The lawyer might have to change a habit that she has practiced for years without negative consequence and she herself might never have heard of a client replying to all from a BCC’d message. Further, the individual lawyer’s reticence is likely to be unspoken and perhaps even unconscious. This reticence might manifest itself in inconsistent records of compliance and informal ways of working around safety measures, evidence of which might serve as grounds for believing that the lawyer or his or her firm has not actually made “reasonable efforts,” notwithstanding their formal policies.
A pat way of framing the problem of implementing email safeguards might be to say it is a matter of policies on the books versus practical realities. But each viewpoint is, in fact, “practical.” The challenge is reconciling them. While training and firm policies might have a role, technological solutions have a unique ability to bridge the gap between the liability concerns voiced at a policy level and the realities of day-to-day legal work. If designed thoughtfully, they might improve both the safety and usefulness of email. Any technological solution that hopes to help lawyers comply with Rule 1.6(c) should address the following three challenges:
1. Safeguards should lighten and not add to users’ burden. Like all tasks that people perform multiple times per day, every day, email eats into limited resources of time and attention. There is a natural tendency for email users to economize these resources, especially when they are under pressure or working long hours. Safety precautions that add steps or extra decisions to the normal email process must swim upstream against this tendency. A better approach is for software tools to lighten users’ load, for example by making potential dangers easier to spot and act on.
2. Safeguards should not create “alert fatigue.” Software-based solutions to inadvertent disclosure often work by posting warnings to users when they click send or reply all. If these warnings arise regularly and usually surface “false positives,” users are likely to learn to ignore them. Instead, warnings should be tailored to capture actual problems.
3. Safeguards should help lawyers consider all potential issues. As Tolstoy might say, each unfortunate email is unfortunate in its own way. An email might inadvertently waive privilege. It might violate prohibitions on directly contacting opposing parties. It might assume knowledge of a draft document that has not yet been shared or a concession that has not yet been given. In order to avoid these sorts of mistakes, the email user must consider all relevant factors before sending the email. While good judgment in this regard depends in part on experience, it can be aided by well-designed tools such as checklists or visual cues within a user interface.
To keep ahead of these quickly evolving ethical standards, lawyers will need to adopt practices that hone and consistently apply their best judgment to email. Soon, such good email practices might not just be a good idea, they might be the law.
—By Peter Norman. Winnieware LLC
Peter Norman is a New York-qualified lawyer, and co-founder and chief legal officer of Winnieware, which develops and sells an application called ReplyToSome. He previously served as legal counsel at renewable energy company SunEdison Inc. and practiced as an associate at Milbank Tweed Hadley & McCloy LLP and Arent Fox LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
 See Charm v. Kohn, 27 Mass L. Rep. 421, 2010 (Mass. Super. Sept. 30, 2010).
 Ironically, one of the best ways of avoiding reply all mistakes is to put *all* recipients into the BCC field. If an individual recipient replies to all, the message will only go back to the original sender and not the other BCC’d recipients. This is often not practical when emailing opposing counsel, but it is a great way to avoid that scourge of law firm life – the inappropriate replies to intra-firm distribution lists. See, e.g., http://abovethelaw.com/2011/08/mofo-partner-offers-cautionary-tale-in-use-of-reply-all/ (last visited May 9, 2016).
 See e.g., Ashby Jones, Email Gremlins Strike Skadden’s Sheila Birnbaum, The Wall Street Journal, Feb 20, 2008.
 American Bar Association, Formal Opinion 11-459 (2011), available at [●].
 Commission on Ethics 20/20, Report to the House of Delegates (2012), available at [●].
 Id. at 6.
 Id. at 4.
 See http://www.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20/house_of_delegates_filings.html (last visited May 11, 2016).
 John W. McConnell, Request for Public Comment on Proposed Amendments to the New York Rules of Professional Conduct (April 4, 2016), available at http://www.nycourts.gov/rules/comments/PDF/ProfConduct.pdf (last viewed May 11, 2016).
 American Bar Association, ABA National Lawyer Population Survey: Lawyer Population by State (2016), available at http://www.americanbar.org/content/dam/aba/administrative/market_research/national-lawyer-population-by-state-2016.authcheckdam.pdf
 See e.g., Jett Hanna, Email CCs and BCCs to Clients are Ethical, but Risky, Texas Lawyers Insurance Exchange (Feb 12, 2016), available at http://www.tlie.org/email-ccs-and-bccs-to-clients-are-ethical-but-risky/ (last visited May 13, 2016). Texas, like New York, has not yet adopted the revised ABA Model Rule 1.6(c).
 Comment 18 was identified as “Comment 16” in the Report. The enumeration of Comments here reflects the current version of the Model Rules of Professional Conduct as of May 1, 2016.
 The Commission also preserved existing language in Comment 19 which is relevant to the electronic transmission of confidential information. This language was originally introduced as a result of debate in the late 1990s about whether lawyers had an ethical obligation to use encryption to protect emails from interception by third parties. The ABA’s position, reflected in Formal Opinion 99-413 was that lawyers are not required to use “special security measures” such as encryption and that unencrypted email affords “a reasonable expectation of privacy.”
 See e.g., Jonthan S. Masur, Probability Thresholds, 92 Iowa L. Rev. 1293, 1358 (2006-2007).