Sensitive Email? Things to Know Before Hitting Send
Some lawyers are all a-Twitter about the cloud, but you’ve actually been sending client data into the cloud for years. Email is merely information transmitted via the cloud—and all lawyers routinely send confidential messages and attachments via email. It’s how business has been done since Marty McFly hopped in the DeLorean. But today the FBI is warning lawyers that they are prime hacker targets, so it’s an ideal time to revisit your email security precautions.
Be Careful What You Send and How You Send It
Lawyers electronically store and transmit hoards of valuable client information and they typically have weak data security. We know law firms are experiencing data breaches because the cyber security firms tell us so. Whether you’re worried about deliberate hacks or unintentional leaks, you should take reasonable steps to lower the cyber risks to your firm’s and your clients’ data.
So before you send another sensitive message via email, consider the following:
- Native email is not reasonably secure. All those data security concerns about cloud data go triple for email. Once that email message leaves your server, it’s completely out of your control. Before it reaches its final destination, it will be routed across multiple servers, maybe in several countries. You can’t know where it will travel, whose servers it may cross or how long it will be stored on those servers. You can’t dictate the privacy policies or contract terms of all the email service intermediaries. You won’t be able to prevent third parties from intercepting the data–you won’t even know it happened. In other words, there is a heightened risk that the confidential information and attachments you send in email could be intercepted and accessed by third parties. No, using SSL webmail does not solve the problem: it protects only the connection between your browser and your own mail server, not the hops the message takes after that.
- Ethical standards are shifting. Many lawyers think legal ethics guidelines always allow lawyers to use unencrypted email for client communications. That’s wrong. No state bar gives attorneys blanket permission to send unencrypted email in all circumstances. Bar associations are clearing up that misconception. See, for example, the State Bar of California’s Formal Opinion 2010-179 and the North Carolina State Bar’s 2011 Formal Ethics Opinion 6. Also, in 2011, the ABA issued Formal Opinion 11-459, describing a lawyer’s “Duty to Protect the Confidentiality of Email Communications with One’s Client.” Proposed Rule 1.6(c) of the ABA Model Rules of Professional Conduct would clarify existing guidance that requires lawyers to take “reasonable precautions” to prevent electronically transmitted information related to the representation of a client from coming into the hands of unintended recipients. Those precautions include encrypting email in appropriate circumstances.
- Industry regulations may require extra precautions. Some of your clients’ key regulators very likely are communicating using encrypted email. This means public company lawyers get encrypted email from the SEC and FINRA. Financial services clients get encrypted email from the FDIC and state banking regulators. And if your clients’ key regulators think encrypted email is reasonable and necessary, that’s a hint that you should, too. Also, if you represent clients who are subject to privacy laws, you may be subject to the same requirements. For example, when clients are subject to HIPAA/HITECH, their lawyer may be a “business associate” with privacy and security obligations to meet. Similar issues apply for clients in the financial services industry and those who work with government entities.
- Location, location, location. Laws in almost every state require that businesses–including law firms–take reasonable steps to protect sensitive personal information. Texas Business and Commerce Code section 521.052, for example, requires businesses to “implement and maintain reasonable procedures” to protect sensitive personal information, and it provides a safe harbor from data breach notification requirements if the information was encrypted. Even if you’re in a state that does not require the protection of personal data, you may be subject to long-arm privacy laws. Massachusetts 201 CMR 17.00 and Nevada S.B. No. 227 require that personal information of their states’ residents be encrypted when it is transmitted in email, no matter who sends or receives the email or where they’re located. Nowadays, the standards for reasonable procedures to protect sensitive information clearly include using encrypted email.
- Encryption technology has come a long way, baby. If you think email encryption is too complicated or expensive, you’re stuck with Biff Tannen back in the 20th century. Today’s encrypted email is simple to install, maintain and use. You don’t need to worry about exchanging encryption keys and managing digital identity certificates. Some will even automatically encrypt and decrypt, making the process transparent to users.
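To make the first point concrete, here is an added Python example (not code from the article or from Zix) that reads the Received headers a message collects in transit and flags the hops that were not carried over TLS. The message, host names and addresses are constructed; it illustrates why securing your own webmail connection (the ESMTPSA hop) says nothing about the relays that follow.

```python
import email
import re

# Constructed sample message (not from the article). Mail servers prepend
# their Received header, so the hops appear newest-first.
SAMPLE_MESSAGE = (
    "Received: from relay.isp.example (relay.isp.example [198.51.100.5])\n"
    "\tby mail.client.example with ESMTP id c3;\n"
    "\tFri, 20 Apr 2012 10:01:03 -0400\n"
    "Received: from mx.lawfirm.example (mx.lawfirm.example [203.0.113.10])\n"
    "\tby relay.isp.example with ESMTPS id b2\n"
    "\t(version=TLSv1 cipher=AES128-SHA); Fri, 20 Apr 2012 10:01:01 -0400\n"
    "Received: from webmail.lawfirm.example (webmail.lawfirm.example [192.0.2.7])\n"
    "\tby mx.lawfirm.example with ESMTPSA id a1;\n"
    "\tFri, 20 Apr 2012 10:01:00 -0400\n"
    "Subject: Draft settlement terms\n"
    "\n"
    "Please see attached.\n"
)

# RFC 3848 "with" keywords meaning that hop itself was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA"}


def parse_hops(raw_message):
    """Return the relay hops in transit order (oldest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        protocol = re.search(r"\bwith\s+(\S+)", text)
        proto = protocol.group(1).rstrip(";") if protocol else ""
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1).rstrip(";") if receiver else "?",
            "protocol": proto,
            "tls": proto.upper() in TLS_PROTOCOLS,
        })
    return hops


def unprotected_hops(hops):
    """Hops where the message travelled as cleartext between servers."""
    return [h for h in hops if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(hop["from"], "->", hop["by"], hop["protocol"], status)
```

Only the last hop, from the ISP relay into the client’s mail server, is flagged; the sender’s own SSL webmail session had no bearing on it.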
Jim Brashear is General Counsel for Zix Corporation, a leading provider of email encryption services. He earned his JD, magna cum laude, from the University of San Diego School of Law. He is a member of the Bar of the United States Supreme Court, the State Bar of Texas and the California Bar Association.
Register for a Free Webinar and Learn More
Learn more about privacy laws and email encryption for lawyers during the free webinar Raising the Bar on Client Email Confidentiality, Thursday, May 3, at 2 p.m. ET.
Illustration © ThinkStock.