What Attorneys Need to Know about Encrypting Client Email

Confidential client information and other sensitive data is extremely vulnerable when transmitted in the body of an email or as an attachment. Not only can it be misdirected as in the scenario above, but it can be intentionally intercepted or altered by hackers and other bad actors. Cybercriminals also may dwell undetected on firm networks, reviewing email content and the habits of attorneys and staff to better impersonate them prior to launching a realistic wire transfer scheme.

Encryption has become a generally accepted business practice for protecting confidential information. It is now increasingly expected by business clients, particularly with respect to attorney-client communications. Encryption converts information into a code to prevent unauthorized access. The intended recipient has a key to unlock or unscramble the code. An unprotected email is often compared to a postcard, which is perfectly acceptable for a quick note that says, “the weather is great,” but not for conveying sensitive or privileged information. Unfortunately, a significant number of law firms still haven’t gotten the message about the dangers of sending sensitive emails without proper protocols or protection.

A Nigerian Prince Is Looking for You

Remember that Nigerian prince who wants to retain your services to help transfer his sizeable funds? Well, he’s all grown up now and using sophisticated behavioral modeling to separate you from your money. Attorneys are targets because of the treasure trove of sensitive data in a firm’s possession. Firms have been slow to respond to the growing threat. The ABA TechReport 2018 (TechReport), www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/, which is published annually by the ABA Legal Technology Resource Center, indicated that only 57 percent of responding attorneys and firms budget for technology despite increased exposure to targeted email phishing scams and data breaches from lost—and unprotected—laptops, iPads, cell phones, and flash drives. One tech vendor reported that a laptop is lost or stolen every 53 seconds. Only someone who has been in the basement playing Fortnight for the past two years has been spared from reading the hacking horror stories involving prominent firms. This author’s communications with insurance industry experts reveal that one-third of firms—particularly those with 10 to 99 attorneys—have experienced cyberattacks, and this number is growing. As a result, law firms are under pressure by their clients, competitors, bar associations, insurers and lawmakers to incorporate data security risk management, which includes measures to secure sensitive information. Encryption of data in transit and at rest helps to protect sensitive information and to mitigate the harm to and allegations from clients of negligence by their legal advisors.

Ethical Obligations and Common Law Duties

Email has become a preferred method of communication in the legal profession. Despite its vulnerability, there continues to be reasonable expectation of privacy with respect to email communications. Email use by attorneys and their clients does not waive the attorney-client privilege. Attorneys, however, have an ethical obligation to be competent with respect to the use of technology and to maintain client confidentiality. In recognition of the growing cybersecurity threat, the ABA issued a formal ethics opinion in 2017 (ABA Comm. on Prof’l Ethics & Grievances, Formal Op. 477 (2017)) emphasizing that attorneys must make reasonable efforts to prevent inadvertent or unauthorized access to confidential client information. Some state bars have been more direct, recommending that attorneys encrypt communications under certain circumstances. In its Formal Opinion 2010-179, the State Bar of California urges attorneys to encrypt email, stating that it is a “reasonable step . . . when the circumstance calls for it, particularly if the information at issue and the use of encryption is not onerous.” (Cal. State Bar Formal Op. 2010-179 (3)(a)(ii) (2010).)

In addition to ethical obligations, attorneys have common law duties to protect sensitive information of employees and clients, as well as contractual and regulatory obligations. The Health Insurance Portability and Accountability Act (HIPAA), for example, may require attorneys who receive protected personal identifiable health information to encrypt that data. Banking regulations mandate encryption of sensitive information by third-party service vendors. The data breach security laws of some states provide a safe harbor from burdensome notification requirements when personally identifiable information is encrypted.

David S. Becker, a member of Freeborn & Peters LLP in Chicago, who is chair of the ABA Tort Trial & Insurance Practice Section’s Technology and New Media Standing Committee, emphasized the need to encrypt certain communications—particularly HIPAA information. “Establish a risk matrix and identify the sensitive material that, if exposed, would endanger you and your clients the most,” he cautions. “Protecting this type of information is a regular cost of doing business.”

Network security and privacy coverage is a must for law firms, as most lawyers’ professional liability policies do not provide first- and third-party coverage to protect against a data breach. A review of any insurance application for network security and privacy coverage includes questions regarding encryption. Law firms that do not utilize reasonable risk management to protect sensitive information may have coverage-limiting endorsements, pay more for network coverage, or fall outside underwriting guidelines altogether. Beazley Group, which is a global market leader in professional liability, writes lawyers professional liability and network security insurance coverages. Killian Brady, a technology and cyber underwriter in the group’s New York City office, emphasized the need for law firms to communicate securely, especially when sharing information that is privileged or confidential.

Many attorneys—especially those without the capabilities of in-house information systems technicians (IT)—shrug off encryption, citing a number of excuses: It’s tedious, time consuming, expensive, and too complicated. The 2018 TechReport reported that only 29 percent of overall respondents encrypt sensitive email communications with clients. This is a shockingly low percentage and one that must improve. There’s a learning curve with all new skills, but the legal profession has reached the tipping point on cybersecurity, and any attorney who transmits highly confidential information by email—or text—is ethically obligated to take reasonable steps to protect that information. Stated another way, can a firm afford to lose a client’s trust—and future business—in the event of a breach of confidential information?

The Encryption Prescription

Larger firms with technology departments have the expertise on site to help with encryption needs. Even with in-house IT support, however, encryption must be part of a comprehensive security plan that is consistently utilized, both in the office and when using portable devices from home or on the road. The plan also must include the frequent training of all staff members. Managing partners or other members charged with technology responsibilities need to know enough about encryption to effectively direct and manage expectations with the IT department and outside vendors who support the firm’s technology needs.

Firms without in-house IT support—particularly solo and smaller firms—should discuss encryption strategies with their outside technology vendors and see if their liability carriers have any recommendations. Both personal computers running the Microsoft Windows operating system (PCs) and Apple Macintosh computers (Macs) come standard with simple solutions for encrypting email and/or attachments. Not everything needs to be encrypted. All attorneys and support staff should have a general understanding about encryption and recognize the situations in which it should be utilized. The types of information that should be protected are wide ranging and include the following:

• health information and records of clients and employees;
• confidential settlement agreements;
• discussions with the Patent and Trade Office;
• client trade secrets and other intellectual property;
• personally identifiable information, including social security and drivers’ license numbers;
• financial records, including tax returns;
• credit and debit payment card information;
• wire transfer instructions, including banking and brokerage account numbers; and
• client merger and acquisition information.

Attorneys need to use special care if the recipient’s circumstances—separate and distinct from the subject matter of communicated data—increase the possibility of interception. This is the crux that ensnares most solo and small firm practitioners. If the client’s email or mobile devices are accessible by third parties, either with or without a password, particular care must be taken. Family law attorneys who handle divorces need to ensure that email communications are protected from an estranged spouse who may share the same residence and computer. Likewise, an attorney representing an employee in an employment practices liability matter against his or her employer should not correspond using company email and should instruct the client to avoid using a company device. Most employees sign company policy agreements recognizing that they do not have an expectation of privacy with respect to company email or any communications on a company-issued computer or cell phone. On the criminal defense side, an attorney should be careful if there is concern that law enforcement could intercept attorney communications with or without a warrant. Email discussions among law firm partners also benefit from encryption because staff and associates always know more than you think they do. Law firm decision-makers should encrypt sensitive intra-office email concerning employment matters or other information that would be damaging to morale if intercepted.

Discuss Email Protocol with Clients

At the onset of every case, an attorney needs to discuss communications with the client and the importance of maintaining confidentiality. This discussion should include the risks inherent with email and text communications and methods for mitigating exposure.

Justin Kahn, a small firm practitioner in Charleston, South Carolina, and a member of the TIPS Cybersecurity and Privacy General Committee, has kept well ahead of the technology curve and is a recognized speaker on the subject. He emphasized to this author how important it is to discuss the use of technology in the engagement letter with the client to manage expectations and protect communications. He cautions his clients on the potential dangers and the need to be selective in copying individuals on email correspondence to avoid waiving the attorney-client privilege. Kahn also warns attorneys from jumping on the guest network at opposing counsel’s office to send email—especially to the client. “It’s no different from using the Starbucks or hotel Wi-Fi,” he says. “While I wouldn’t anticipate anything nefarious, others have access to see what you are doing, and probably you can wait to send it.”

Business clients, in particular, are taking the lead in setting expectations by presenting baseline data security controls to help protect their information. Two years ago, the Association of Corporate Counsel developed Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information, commonly referred to as “Model Controls,” for lack of any reasonable acronym. Those guidelines can be found at https://www.acc.com/resource-library/model-information-protection-and-security-controls-outside-counsel-possessing-0. As expected, encryption plays a prominent role throughout. Business clients that use a “request for proposal” process to select outside counsel inquire about network security and how proprietary information will be protected.

Encryption Made Easy—and Inexpensively

Although the technology behind encryption is complex, today’s computers and mobile devices make encryption relatively easy. The 2018 TechReport recommends subscription-based Lynda (www.lynda.com) for professional tutorials on all aspects of technology. Lynda, which is a Linked-In company, offers one month free with plans thereafter starting at $19.99 per month. The TechReport also suggests checking with the local library because many branches offer free access to Lynda and other online tutorial services. A simple Google or YouTube search identifies a significant number of free encryption “how-to” articles and videos. Both Becker and Kahn agree that effective encryption need not be expensive and that the technology is standard with most computer operating suites, including Microsoft and Apple.

If encrypting email is still perceived as daunting, the easiest method to protect communications is to encrypt attachments with sensitive information. To encrypt a Word document, for example, simply open the document and click on the “File” button on the upper left side of the toolbar. A new screen will open, and a large, square “Protect Document” button will appear to the right of the side bar. Click on “Protect with Password” and enter a strong password. The protected document can then be attached to an email. It’s that easy. The sender should not include any private information in the body of the email or in the regarding section. It’s important to remember the password and to provide the decryption key to the email recipient by phone or other means. It goes without saying that the password key should not be included in the body of the email with the encrypted attachment.

The legal profession has reached the tipping point with respect to the protection of sensitive client email communications. As cyber threats continue to increase, law firms must invest the time and money required to mitigate the exposure. Encryption is a relatively simple and inexpensive method of protecting email communications and a reasonable—and expected—cost of doing business.