Sensitive Email? Things to Know Before Hitting Send

By | Apr.24.12 | Communicating, Daily Dispatch, Ethics, Legal Technology

Some lawyers are all a-Twitter about the cloud, but you’ve actually been sending client data into the cloud for years. Email is merely information transmitted via the cloud—and all lawyers routinely send confidential messages and attachments via email. It’s how business has been done since Marty McFly hopped in the DeLorean. But today the FBI is warning lawyers that they are prime hacker targets, so it’s an ideal time to revisit your email security precautions.

Be Careful What You Send and How You Send It

Lawyers electronically store and transmit hoards of valuable client information, and they typically have weak data security. We know law firms are experiencing data breaches because the cybersecurity firms that respond to them tell us so. Whether you’re worried about deliberate hacks or unintentional leaks, you should take reasonable steps to lower the cyber risks to your firm’s and your clients’ data.

So before you send another sensitive message via email, consider the following:

  1. Native email is not reasonably secure. All those data security concerns about cloud data go triple for email. Once that email message leaves your server, it’s completely out of your control. Before it reaches its final destination, it will be routed across multiple servers, maybe in several countries. You can’t know where it will travel, whose servers it may cross or how long it will be stored on those servers. You can’t dictate the privacy policies or contract terms of all the email service intermediaries. You won’t be able to prevent third parties from intercepting the data, and you won’t even know it happened. In other words, there is a heightened risk that the confidential information and attachments you send in email could be intercepted and accessed by third parties. No, using SSL webmail does not solve the problem: it encrypts only the connection between your browser and your own mail provider. From there the message is handed from server to server, any hop that does not negotiate TLS carries it in plain text, and every server on the path holds a readable copy either way. Only encrypting the message itself before it leaves you (end-to-end encryption) keeps it unreadable on those intermediate servers.
  2. Ethical standards are shifting. Many lawyers think legal ethics guidelines always allow lawyers to use unencrypted email for client communications. That’s wrong. No state bar gives attorneys blanket permission to send unencrypted email in all circumstances. Bar associations are clearing up that misconception. See, for example, the State Bar of California’s Formal Opinion 2010-179 and the North Carolina State Bar’s 2011 Formal Ethics Opinion 6. Also, in 2011, the ABA issued Formal Opinion 11-459, describing a lawyer’s “Duty to Protect the Confidentiality of Email Communications with One’s Client.” Proposed Rule 1.6(c) of the ABA Model Rules of Professional Conduct would clarify existing guidance that requires lawyers to take “reasonable precautions” to prevent electronically transmitted information related to the representation of a client from coming into the hands of unintended recipients. Those precautions include encrypting email in appropriate circumstances.
  3. Industry regulations may require extra precautions. Some of your clients’ key regulators very likely are communicating using encrypted email. This means public company lawyers get encrypted email from the SEC and FINRA. Financial services clients get encrypted email from the FDIC and state banking regulators. And if your clients’ key regulators think encrypted email is reasonable and necessary, that’s a hint that you should, too. Also, if you represent clients who are subject to privacy laws, you may be subject to the same requirements. For example, when clients are subject to HIPAA/HITECH, their lawyer may be a “business associate” with privacy and security obligations to meet. Similar issues apply for clients in the financial services industry and those who work with government entities.
  4. Location, location, location. Laws in almost every state require that businesses–including law firms–take reasonable steps to protect sensitive personal information. Texas Business and Commerce Code section 521.052, for example, requires businesses to “implement and maintain reasonable procedures” to protect sensitive personal information, and it provides a safe harbor from data breach notification requirements if the information was encrypted. Even if you’re in a state that does not require the protection of personal data, you may be subject to long-arm privacy laws. Massachusetts 201 CMR 17.00 and Nevada S.B. No. 227 require that personal information of their states’ residents be encrypted when it is transmitted in email, no matter who sends or receives the email or where they’re located. Nowadays, the standards for reasonable procedures to protect sensitive information clearly include using encrypted email. 
  5. Encryption technology has come a long way, baby. If you think email encryption is too complicated or expensive, you’re stuck with Biff Tannen back in the 20th century. Today’s encrypted email is simple to install, maintain and use. You don’t need to worry about exchanging encryption keys and managing digital identity certificates; some products will even automatically encrypt and decrypt, making the process transparent to users. One caveat: when a gateway or hosted service manages the keys on your behalf, that service can read the mail it encrypts, so its security practices and contract terms belong in the same reasonableness analysis you would apply to any other cloud vendor.
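To make item 1 concrete: every mail server that handles a message prepends its own Received: header, so a delivered message carries a log of the servers it crossed and of whether each hop used TLS. The script below, an added example that is not part of the original post, parses that log from a constructed sample message (the hostnames are reserved example domains, not real servers) and flags the hops that carried the message in plain text. It also returns the body exactly as each relay saw it, which is the point: transport encryption on one hop, including the SSL connection to your webmail, says nothing about the next hop, and none of it hides the content from the servers in between.

```python
"""Inspect the delivery path recorded in an email's Received: headers.

Each MTA that handles a message prepends a Received: line, so reading the
headers bottom-up gives the path the message took and the SMTP variant
used on each hop ("ESMTPS"/"ESMTPSA" mean TLS; "ESMTP"/"SMTP" mean plain
text). TLS protects only the hop it was negotiated on; the message sits in
readable form on every server unless it was encrypted end to end before
it was sent.
"""
import email
import re

# Constructed sample message (not a real capture). Hostnames use the
# reserved example domains; the path is: client's webmail -> ISP relay
# (TLS) -> firm's external MX (plain text!) -> firm's internal mail server (TLS).
SAMPLE_RAW = """Received: from mx2.lawfirm.example (mx2.lawfirm.example [198.51.100.7])
\tby mail.lawfirm.example with ESMTPS id 5fA3
\tfor <partner@lawfirm.example>; Tue, 24 Apr 2012 09:22:10 -0400
Received: from relay.isp.example (relay.isp.example [203.0.113.9])
\tby mx2.lawfirm.example with ESMTP id 9c1D;
\tTue, 24 Apr 2012 09:22:05 -0400
Received: from webmail.client.example ([192.0.2.15])
\tby relay.isp.example with ESMTPSA id 7bX2;
\tTue, 24 Apr 2012 09:21:58 -0400
From: client@client.example
To: partner@lawfirm.example
Subject: Settlement terms
Content-Type: text/plain; charset="utf-8"

Please find the settlement range we can accept: $1.2M - $1.6M.
"""

# "from <host> ... by <host> ... with <protocol>" is the common Received: shape.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)", re.S
)
# ESMTPS, ESMTPSA, SMTPS, UTF8SMTPS(A): the trailing S marks a TLS session.
TLS_PROTOCOLS = re.compile(r"(UTF8)?E?SMTPSA?", re.I)


def _is_tls(protocol):
    return TLS_PROTOCOLS.fullmatch(protocol) is not None


def parse_hops(raw_message):
    """Return the hops oldest-first as dicts with from/by/with/tls keys."""
    msg = email.message_from_string(raw_message)
    hops = []
    # The bottom-most Received: header was added first, so reverse the list.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        match = HOP_RE.search(text)
        if not match:
            continue  # unparseable or non-standard header; skip rather than guess
        proto = match["with"]
        hops.append(
            {"from": match["from"], "by": match["by"], "with": proto, "tls": _is_tls(proto)}
        )
    return hops


def cleartext_hops(hops):
    """Hops on which the message crossed the network unencrypted."""
    return [hop for hop in hops if not hop["tls"]]


def body_visible_to_relays(raw_message):
    """The body every relay stored and forwarded, exactly as it saw it."""
    return email.message_from_string(raw_message).get_payload()


def report(raw_message):
    """Human-readable summary of the path; returned as a list of lines."""
    hops = parse_hops(raw_message)
    lines = []
    for i, hop in enumerate(hops, 1):
        state = "TLS" if hop["tls"] else "PLAIN TEXT"
        lines.append(f"hop {i}: {hop['from']} -> {hop['by']} ({hop['with']}, {state})")
    lines.append(f"{len(cleartext_hops(hops))} of {len(hops)} hops were unencrypted")
    lines.append(f"body readable on all {len(hops) + 1} servers: {body_visible_to_relays(raw_message).strip()!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RAW)))
```

Run it against a real message by pasting the raw source (most mail clients offer "show original" or "view source") in place of SAMPLE_RAW. Note that the header trail can only be read after delivery, and a sender cannot control or predict it in advance; that asymmetry is exactly why the reasonable precaution is to encrypt the message itself rather than to hope each relay negotiates TLS.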

Jim Brashear is General Counsel for Zix Corporation, a leading provider of  email encryption services. He earned his JD, magna cum laude, from the University of San Diego School of Law. He is a member of the Bar of the United States Supreme Court, the State Bar of Texas and the California Bar Association. Read his full bio here or read more of his in-depth blogs on this topic here.

Register for a Free Webinar and Learn More

Learn more about privacy laws and email encryption for lawyers during the free webinar Raising the Bar on Client Email Confidentiality, Thursday, May 3, at 2 p.m. ET.

Illustration © ThinkStock.

5 Responses to “Sensitive Email? Things to Know Before Hitting Send”

  1. Denver Lawyer
    24 April 2012 at 9:22 am

    Shame on you Attorney at Work for publishing an article so clearly written to scare lawyers into buying the encryption services sold by the author! This is nothing but a marketing piece! I’ve read the opinions cited and NONE of them say native email has no expectation of privacy or require lawyers to use encrypted email. The only one that even mentions encryption is the California opinion which says: “Similarly, encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.” Not exactly a mandate.

    There are certainly security concerns with email. Most of them are not any different than the security concerns of any technology – which means that the way you use them matters. Public networks are insecure. Make sure you have a good password on everything you use to access confidential files – including your phone and tablet, not just your laptop. Don’t let the person next to you see your screen. Don’t email your client at his workplace about his personal legal matters. Read the privacy policies and terms on any cloud services and use them judiciously. Use encryption if dealing with very sensitive information.
    Finally, don’t get taken in by marketing blather!

  2. Joan Feldman
    24 April 2012 at 1:01 pm

    Thanks for taking the time to respond to today’s post. Jim Brashear’s affiliation is clear, and we trust readers like you to judge the value of his advice. In our years publishing practice management tips for lawyers, we’ve found that some of the best guidance comes from those who supply the products and technology lawyers use. When they bring us good ideas and raise key issues, we publish them.

    We asked Jim Brashear to comment and here’s his response:

    “My affiliation is clearly spelled out in the bio, so readers can assess the information in the post with my potential biases in mind. I deal with the U.S. and international legal and ethics issues of email privacy and email data security every day. It’s part of my job. Helping to educate the Bar about those issues is both part of my job and part of my professional responsibility as a lawyer.

    A key point of the post is “Native email is not reasonably secure.” Ms. Wolf acknowledges: “There are certainly security concerns with email.” She recommends that lawyers “use encryption if dealing with very sensitive information” and “read the privacy policies and terms on any cloud services.” That’s fine advice, to a point – although it’s a bit out of date.

    Unfortunately, it is not practical (if even possible) to read or dictate the privacy policies or contract terms of all the intermediaries involved in delivering email. In that respect, email is quite different from other cloud services.

    The perspective that encryption is appropriate only for “very sensitive information” is likely based on opinions from the 1990s (e.g., Formal Opinion 99-413 (Protecting the Confidentiality of Unencrypted Email)), when email was used far differently than it is today and was exposed to less risk than it is now. Importantly, none of those older opinions authorize lawyers to always use unencrypted email. They “generally” authorize it, but make clear that additional precautions may be warranted under the ethics rules, depending on circumstances such as the sensitivity of the information. The post also points out that the ethics rules are changing to correct the misimpression left over from 1990s ethics opinions. Ms. Wolf said only the California opinion mentions encryption. Actually, the NC State Bar opinion does mention encryption as a reasonable precaution. The opinion notes that lawyers have an ethical obligation to use “reasonable precautions to prevent the information from coming into the hands of unintended recipients.” The opinion does not mandate encryption, nor any particular technology, but recommends that law firms evaluate the SaaS vendor’s measures for safeguarding the security and confidentiality of data, including encryption techniques.

    The post does not assert that the cited opinions mandate encryption in all circumstances. It points out, however, that lawyers should not assume it’s always okay to send email unencrypted. It advocates “encrypting email in appropriate circumstances.” Today, it’s clear that the sensitivity of the information being transmitted is only one consideration, among many, for whether encryption or other reasonable precautions are warranted. In the draft of comment 16 to proposed ABA Model Rule 1.6, the ABA Commission on Ethics 20/20 describes five factors to consider in determining the reasonableness of the lawyer’s efforts to affirmatively protect a client’s information, in addition to the client’s instructions (that proposed rule is merely clarifying obligations spelled out in comments to the current rule). The State Bar of California, in Formal Opinion 2010-179, listed six factors that attorneys should consider before using a particular technology (such as cloud document storage or unencrypted email) to store or transmit confidential client information. The checklist below includes factors that I think are relevant:
    o Client’s instructions
    o Degree of sensitivity of the information
    o Possible client impact from disclosure
    o Data breach laws
    o Likelihood of disclosure
    o Inherent level of security
    o Reasonable steps to increase security
    o Cost of additional safeguards
    o Urgency of the situation
    o Legal ramifications of unauthorized interception, access or use

    Other guidance is also relevant when considering what precautions are “reasonable.” For example, the International Legal Technical Standards Organization proposed in its 2011 Guidelines for Legal Professionals that “whenever client data is transmitted across the Internet, it must be encrypted at every point.” ALAS recently recommended that law firms “encrypt all protected information sent from or stored on any electronic device” in a 2011 ALAS Loss Prevention Journal article titled “Data and Privacy Protection in a Regulated World.” In 2011, the FTC in its Protecting Personal Information: A Guide for Business instructs businesses to “Encrypt sensitive information that you send to third parties over public networks (like the Internet) … Consider also encrypting email transmissions within your business if they contain personally identifying information.”

    If encrypting confidential email is a reasonable step for any business, it’s even more reasonable for lawyers with ethical duties to clients. Whether failing to do so would constitute malpractice is a topic for future discussion.”

    — Jim Brashear