Most states have adopted the view that the duty of competence includes a duty to keep up with modern technology. Also, most states have adopted the view that the duty of confidentiality includes a duty to take reasonable measures to protect confidential information from unauthorized or negligent disclosure (which can happen if a lawyer is not familiar with certain aspects of modern technology).
So, given those two facts, do lawyers need to implement e-mail encryption? I have not seen any specific decision or opinion that answers that question with an unequivocal "yes" but I have seen articles suggesting that it would be the logical answer.
And here is the latest, published in Law Technology Today.