September 01, 2017

Technology—Property

Technology—Property provides information on current technology and microcomputer software of interest in the real property area. The editors of Probate & Property welcome information and suggestions from readers.

Keep It Secret, Keep It Safe: Encrypting Documents and Communications

The security landscape has become overwhelming for many lawyers. In the last ten years there has been an increasing awareness that a lack of compliance with security best practices may put them and their clients at great risk. The updates to the Model Rules of Professional Conduct in 2012, which have been adopted by nearly 30 states, were a wake-up call to the fact that security and technology awareness are a part of running a law firm. Rule 1.1 (Competency) now requires a lawyer to understand the benefits and risks of relevant technology. The expansion of the comments in 1.6 (Confidentiality) includes taking reasonable precautions to prevent client information from unauthorized access as well as inadvertent or unauthorized disclosure. Ethics opinions promulgated by bar associations and disciplinary agencies regarding e-mail encryption, cloud computing, records management, and more, provide guidance on how a law firm should go about securing a client’s confidential information.

And it does not stop at ethics opinions. Law firms also hold information protected by statute and regulation, including data breach notification laws in 48 states, HIPAA, FINRA, PCI, and others. Real estate attorneys have special requirements in residential real estate transactions involving mortgage financing. Real estate practitioners acting as title agents in mortgage financing transactions have data security requirements under obligations expressed by TRID (Truth in Lending Action/Real Estate Settlement Procedures Act Integrated Disclosure), enforced by the Consumer Financial Protection Bureau.

Create a Risk Profile

To comply with regulations and ethical requirements law firms should first map out their risk profile. What kind of data does the firm store and access? Transmit? Is it data defined by statute such as PII (Personally Identifiable Information), PHI (Protected Health Information), or NPI (Non-Public Personal Information)? Financial information? Read the laws and regulations to see what guidance they may provide to help protect the data. Next, consider what the firm may keep that is privileged or confidential. How is that data protected? Look at where the data is stored, how it is transmitted, who has access to it, and what steps the firm takes to protect it—is it enough?

Follow Best Practices

Security is a moving target. Don’t let the firm get too complacent in its practices. The most important thing a firm can do to protect client data is to keep up with the latest recommendations in cyber protection and keep attorneys and staff constantly vigilant to maintain security and privacy protocols. Ninety-one percent of cyberattacks begin with a spear phishing e-mail, and 96% of executives cannot distinguish a phishing e-mail from a legitimate one 100% of the time, according to an All Covered security study. Learn to know the signs of scams and do not sacrifice security for convenience.

For instance, there has been a lot in the news about scams involving intercepted and redirected wire transfer information, especially in real estate transactions. Do not send wire instructions via e-mail. Tell clients whether to expect this type of information from the firm. Let clients know that the firm will NOT request wire transfer or electronic payment information or, if the firm does, exactly how and what it will look like.

Send Documents and Communications Securely

Law firms in the areas of real property, probate, and trust are constantly asking for and sharing confidential and protected information with clients. Although a firm may protect data on servers, hard drives, and physical files in the office, transferring these files also must be done in a highly secure manner. Sometimes even the nature of a telephone conversation may need additional security. What techniques and tools can protect sensitive information in transit? How can a law firm help a client maintain file security so the efforts to protect information do not stop once a document leaves the law office?

Encrypt E-mail Attachments

If the firm sends out documents via e-mail that contain protected or sensitive information, such as NPI or PII, then at the very least those documents should be encrypted via password protection. Current versions of Microsoft Office (versions 2013 and 2016), Acrobat (DC), and Nuance provide password protection, which trigger encryption of the document. This encryption is enabled by setting a password to open the document. Strong passwords (at least eight characters and a mix of letters, numbers, and characters, both upper and lower case) should be employed. Also, do not e-mail the password to the document with the attachment or even in a separate e-mail. Call the client or use a secure messaging application to send the password in a different way than the document was sent. Also, tools on the market make it relatively easy for someone to access file content from older versions of Microsoft Office documents, bypassing the password altogether. There are more comprehensive ways to protect documents and communications, but this method helps protect the document from inadvertent disclosure and unauthorized access.

Secure Faxing

Another method used to transmit files securely is via facsimile transmission, also known as fax. A picture of the document is sent through a dedicated secure line to a specified recipient. Sounds safe, but the reality could be somewhat different. Unless it can be ensured that the recipient receiving the fax is at a private fax machine or receiving it in a dedicated fax in-box through electronic fax, it may be possible that the faxed document languishes in a publicly accessible fax machine tray, available to all who come by. Most consumers only have access to a fax at work and any workplace privacy waivers would be invoked.

Encrypt E-mail

Although lawyers are not required to encrypt all e-mails, nor are they barred from using e-mail for confidential communications, lawyers must consider what information will be transmitted and how that information should be secured. One decision may be that securing the content well enough is not possible, and it should be sent by other means. In April 2015, the Professional Ethics Committee for the State Bar of Texas published Opinion 648, which outlines circumstances to consider when sending confidential information via e-mail and using encryption to protect e-mail. When choosing a service or tool to encrypt e-mail, a lawyer should consider the encryption of the message not only in transit, but also at rest. For instance, consider the scenario wherein a client receives the e-mail on a shared device or on a shared e-mail account or on an account that a third party knows the password. In those scenarios the e-mail must remain encrypted until accessed by a unique username and password created by the recipient and also authenticated by the recipient.

Additional considerations come from the American Land Title Association (ALTA) Best Practice No. 3 for protecting transmission of NPI. Sending NPI by encrypted e-mail, once deciphered and read by a recipient, can sit on the recipient’s computer in a download and be subject to exposure. To reduce this risk, make sure that any e-mail encryption service or tool employed maintains the encryption or secure access to the information, rather than having it sit unencrypted in an e-mail or on a computer’s drive. To reduce the risk of exposure, look at e-mail encryption solutions that allow for expiration dates or self-destruction or have recall options, if it is feared that the information may have been exposed to an unintended recipient. Also, look for e-mail encryption tools that allow a “do not forward” rule to be imposed.

Some examples of third-party e-mail encryption tools include:

  • Virtru Pro (www.virtru.com) is an e-mail encryption add-on for Microsoft Outlook/Office 365 or Gmail that costs $60 per user per year. It includes encryption of e-mail and attachments, message revocation, forwarding control, and message expiration. It is easy to set up and the client needs only to create a username and password to access the encrypted message on the Virtru server. The e-mail is not locally decrypted so the information sitting in the inbox is not exposed to third parties.
  • Delivery Trust (https:// identillect.com) from Identillect costs $8 per month per user and includes all of what Virtru Pro offers and file print restrictions, restrictions on downloads, read receipts, and more. It works with Gmail, MS Outlook, Office 365, and a web-only account for those using other e-mail services.
  • Citrix ShareFile (www.sharefile.com/) provides secure sync, storage, and sharing of files. It is functionally similar to applications like Dropbox, OneDrive, Google Drive, or Box. One unique feature of ShareFile Business ($20 per user per month for five users minimum, $10 each additional user) is that it provides a MS Outlook plugin that makes it easy to not only send an attachment securely but also to encrypt the e-mail itself. Click “Encryption On” and set up the options, which include read receipt, username and password required, and e-mail/file expiration date. A user can then attach a file from her PC or from ShareFile, and the file is sent as a link in an encrypted e-mail. Lawyers also can use this add-in to request files from clients. The clients click on a link in the e-mail and can securely share documents through ShareFile. E-mails sent encrypted via ShareFile are decrypted and responded to via ShareFile on-line so the e-mail and file require a login to access and never sit decrypted on the client’s computer.

There are many other e-mail encryption tools on the market; these are a few that scale well from a solo/small firm practice to large firms and meet the criteria laid out in the ethics opinions and some best practices from ALTA Best Practices No. 3.

Securely Share Files via Client Portals

If the firm is using a modern SaaS (Software as a Service) practice management application like Clio, Rocket Matter, MyCase, Cosmolex, Zola- Suite, among others, the product is likely to have a secure client portal. The features can vary among different applications, but all will provide the functionality to allow clients to securely access files. The client creates a username and password and sees only what the firm provides. A secure client portal can reduce exposure of messages and documents to third parties and also helps consolidate and control communication and documents by storing all in a central location so the client (and lawyer) doesn’t have to manage e-mails and documents as much. Additional bells and whistles in many client portals are shared calendars, contacts, tasks, and on-line bill pay with outstanding invoice notifications.

If the firm has no SaaS-based practice management application, on-line document storage services can provide a makeshift client portal. The biggest caveat here is that the controls and permissions are all set by each user, and it is easy to get in a hurry and inadvertently add the wrong document to the wrong folder or set a shared link instead of a private link. But, by controlling access to documents via business-level secure file synch/storage/shared services, the firm can create a de facto client portal.

When looking at using a service like Google Drive, OneDrive, or Dropbox please understand the distinctions between the free versions and the paid versions. The free versions may have many of the same features, but the security and terms of service are not adequate for confidential client information or documents that contain information required to be protected by statute or regulation. The paid (business) versions of these products offer very different terms of service and privacy protection, two-factor authentication, access control, and many other sophisticated security protections.

In the business versions of Google Drive (G-Suite), OneDrive (or Office 365), Dropbox Business, Box, Citrix ShareFile, and others, there are many security options to choose from when creating a shared folder for a client. Clients should have password protected access to an on-line folder. The folder creator determines who has access to the documents, whether they are read-only or can be downloaded, whether the client can upload to the folder, set expiration dates on the files, and much more. Some build in workflows and approval processes (Citrix ShareFile, Office 365 SharePoint), and most have comment and task tools to have context and communication on a file or folder. Some of these have third-party e-signature platforms built in so tools like RightSignature and Docusign are integrated into the workflow.

Almost all business versions of on-line document storage services make it easy to share full access to a file or folder by sharing an unprotected link with a client. The client need not create a username and password. Although this may seem appealing to a client in terms of ease of use, there is always a tradeoff between security and usability. Without a username and password, anyone can access the files. A lawyer sharing information with clients should ALWAYS make access specific to a recipient by name and require a password to be used.

To illustrate: in a case of inadvertent disclosure an insurance company waived claim to privilege to materials uploaded to an unprotected file sharing site. The case was ruled on by Judge Pamela Meade Sargent in Virginia and involved an insurance company that denied a claim filed by a funeral home. The insurance company’s investigator uploaded video surveillance footage, insurance claim files, and investigation files to Box. Defense attorneys for the funeral home requested the file regarding the investigation. The link was then relayed via e-mail, but the folder contained the materials from the investigation plus the entire claims file. Because the folder was not password protected, all of the documents were available. The insurance company found out that all the files had been accessed when the defense provided the claims documents to them on a thumb drive. The judge wrote: “Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information. . . .” Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15CV00057, 2016 WL 4703755 (W.D. Va. Sept. 8, 2016).

Finally, SaaS based document management systems, like NetDocuments, have client portals designed to make it easy for attorneys to share documents with clients via a secure login.

“No Cloud” Options

Some law firms have a mistrust of any product or service that employs “the cloud.” For this discussion, “the cloud” is a server accessed through the Internet that is not on the premises or owned and controlled by the law firm. The marketplace is coming up with alternatives to sending documents and messages that land or stay on third-party servers. Early in the days of file transfer people used FTP servers. FTP (File Transfer Protocol) required one party to have an FTP server and the other an FTP client (software) to access the server to directly migrate files back and forth. The FTP protocols were not inherently secure, so FTPS and SFTP (File Transfer Protocol that supports TLS and SSL cryptographic protocols) were born. FTPS and SFTP are still an option but require a certain amount of savvy from the end users and support from IT professionals. Other tools are arriving on the market, however, that make secure, cloudless file transfer easy and user-friendly.

Binfer (www.binfer.com), a Chicago-based start-up, integrates with many e-mail applications or can have a stand-alone interface. The simple premise is that the service allows transfer of files and folders of any size directly and securely without using third-party servers. The service is fast, almost faster than e-mail. Features include password-protected batches of files, revoke access, reports, chat, file tracking, and more. The subscription prices are based on the size of the files transferred monthly, with 40GB file transfer at $5 a month to start or pay-as-you-go prices.

Secure Text Messaging

For short form communication, text messages are not encrypted and can be intercepted. There are several secure communication apps to use, so if a client wants to use a messenger service to communicate on the phone, the firm can direct the client to use Signal or Chat Secure. All these messaging apps are free, encrypted end-to-end, and authenticated (meaning you have to invite the person to communicate with you). For instance, Signal users can send end-to-end encrypted group, text, picture, and video messages. They can even have encrypted phone conversations between Signal users. Although Signal uses telephone numbers as contacts, encrypted calls and messages use the data connection; therefore, both parties to the conversation must have Internet access on their mobile devices. ChatSecure is a free instant messaging app for Android and iPhone that allows users to communicate with off the record instant messaging and chats. All messages sent via ChatSecure are private, as long as the other person is using ChatSecure.

Conclusion

Law firms that have responsibilities for keeping data secure can follow the American Land Title Association Title Insurance and Settlement Company Best Practices (alta.org/bestpractices), even if the firm’s attorneys do not act as title agents. Other useful security guidance is available through SANS.org, Locked Down: Practical Information Security for Lawyers by Sharon Nelson, David Ries, and John W. Simek (ABA Publishing), and the NIST Computer Security Division Computer Security Resource Center. Applying security best practices and standards need not be onerous or make it difficult for the firm or its clients. Better to be safe than sorry. n