The State of Email Security and Confidentiality
Long before there was such a thing as a virtual law practice, there was email. Email is now one of the world’s primary forms of communication, most of which is conducted via unsecured systems, and the legal profession is struggling to balance its use with a lawyer’s duty to keep client data confidential.
The issue is one of many addressed by the ABA’s Ethics 20/20 Commission, formed to review and suggest possible changes or additions to the Model Rules, or propose other methods to assist lawyers in remaining compliant while using technology and other emerging law practice trends. Fortunately, due to the complexity and evolution of technology, the committee is not advising that the rules be substantially rewritten to specify lawyers’ conduct in using technology. Rather, they have proposed the following language as an addition to Model Rule 1.6, paragraph (c) in their Initial Draft Proposal – Technology & Confidentiality:
A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.
They also added the following provisions to Comment 16:
Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons. . . . Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, and the cost of employing additional safeguards…
In order to encourage lawyers to employ best practices in preserving online confidentiality, they have also added a provision to Model Rule 1.1 (Competency) section requiring lawyers to stay abreast of “…the benefits and risks associated with technology.”
In other words, lawyers are being charged with the obligation to learn and understand the security levels employed by their email host, and to use only those hosts that provide the highest-level security and encryption enhancements in their practices. They must also be aware of the security levels employed at WiFi hotspots such as airports, hotels, or coffee shops.
Using email hosts such as Gmail, Yahoo, Hotmail, or any large-scale enterprise is particularly troublesome. For example, high-level security measures are used only in the Premier edition of Google Apps, now called Google Apps for Business. The standard edition does not offer bank-grade security, and its use would be doubtful given a lawyer’s obligations to secure client data against data breach.
Although the Model Rules revisions are only in the proposal phase, best practices require lawyers to use email systems that take every available precaution to ensure the communication they transmit and store remains confidential. Using a system with bank-level security is paramount. Here are two suggestions for email hosts:
- LuxSci: an email, web, and collaboration platform where email services and premium dedicated servers reside in very high-performance, high-security, SAS70 Type II-certified data centers.
- Case Record: All data is held on servers hosted by Amazon Web Services, which participates in the Safe Harbor program developed by the US Department of Commerce and the European Union, and certifies that it adheres to the Safe Harbor Privacy Principles agreed upon by the US and the EU.
A better choice is to integrate a cloud-based law practice management system into your practice. These systems are developed with the special obligations of lawyers to preserve the privacy and confidentiality of client information and data front of mind. Although not all such platforms offer client communication capabilities, upgraded pioneering systems and newly emerging ones now offer secured client communication, document transmission, and collaboration functions within a highly secured cloud environment. Here is a list of the most proven and reliable collaborative platforms available:
- Total Attorneys: This is a full-service practice management system that offers direct client portal functionality, with easy communication, document transmission, and collaboration functions for lawyers and their clients and anyone associated with the matter. Permissions for authorized access can be set for each. Currently, it is still in beta as an upgrade from its original platform, VLOTech.
- DirectLaw: The platform is built around their ClientSpace application, enabling attorney-client interaction and delivery of legal services online via a secure client portal.
- Clio: Clio’s communication component is called Clio Connect, a secure web-based client portal, allowing Clio users to share information and collaborate with clients through an online interface employing bank-grade security.
- Advologix: A practice management system built on the Force.com platform, it enables you to send email from AdvologixPM, log email from any email system using your own tracking key, or fully integrate with Microsoft Outlook, Google Apps, and Gmail, bringing all email sources within its security parameters.
- MyCase: Titling itself “social practice management,” MyCase has the ability to create a group for the matter, composed of attorneys, clients, necessary staff, and any others involved in the case (e.g., expert witnesses). The platform enables anyone in the group to communicate each and every action in the case to other applicable group members, all residing on Amazon’s EC2 platform and utilizing bank-grade data security.
- PBWorks: PBWorks has created a legal edition that includes a “legal client extranet” in which you set up a shared workspace for each client to collaborate on legal strategy, scheduling, and document sharing.
The legal profession has standards of confidentiality and protection of client data that are higher than most normal business functions. In response, developers are continuing to meet the needs of our profession with options to existing email platforms. As these options evolve, it is clear that lawyers need to replace standard email functions with technology that will provide the best security possible to protect our clients and their information.