Email and other forms of electronic communications have become everyday communication tools for attorneys. They are fast, convenient and inexpensive, but also present serious risks, particularly in the area of confidentiality. It is important for attorneys to understand and address these risks, and the role that encryption plays.
In the webinar “Encryption for Lawyers: Fulfilling Your Ethical Duties,” sponsored by the ABA Law Practice Division, John Simek of Sensei Industries and David G. Ries of Clark Hill LLC’s Pittsburgh office outlined the ethics issues involved and an overview of how encryption works.
Encryption is a topic most attorneys don’t want to touch with a 10-foot pole, or even a 100-foot pole, Ries said, but it is an increasingly important part of security of your clients’ data. Fortunately, many easy-to-use encryption methods are available. Most attorneys will need technical assistance to install and set up encryption, but using it is generally easy after that. And contrary to popular belief, most attorneys will need to use encryption at some time during their career to avoid ethics violations. Attorneys have ethical duties to take “competent and reasonable measures” to safeguard client information as well as contractual and regulatory duties to protect confidential information.
Several ethics rules in the ABA Model Rules of Professional Conduct have particular application to protection of client information, including competence (Rule 1.1), communication (Rule 1.4), confidentiality of information (Rule 1.6) and supervision (Rules 5.1, 5.2 and 5.3).
The ABA has issued two formal ethics opinions on security topics since the 2012 rules amendments. ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 2017), while focusing on electronic communications, also explores the general duties to safeguard information relating to clients in light of current threats. It suggests a fact-based analysis and concludes, “the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication,” but “particularly strong protective measures, like encryption, are warranted in some circumstances.”
In October 2018, the ABA published Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack.” It reviews lawyers’ duties to safeguard data and concludes, “[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these model rules.”
Encryption transforms readable data into unreadable data and requires a key to make data readable again. It all happens automatically via encryption software. Encryption can be used to protect data at rest, such as data stored on servers or devices, and data in motion, such as data traveling over networks, the internet and cellphones. There are multiple options available for protection of electronic communications, which are inexpensive, easy to implement and easy to use. While some attorneys will need assistance in selecting and setting up encryption, it is then generally easy to use – either automatic or point and click.
Google G Suite and Microsoft Office 365 offer optional email encryption. Another option is Transport Layer Security (TLS), which provides encryption from email gateway to email gateway. For example, if a law firm and client both have email servers that support TLS encryption, all traffic between them will be encrypted after the servers are set up. It protects traffic between the servers but may not protect traffic within the sender’s and recipient’s networks. Protection can also be lost if emails are copied to or forwarded to recipients in systems that do not support TLS.
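As an added illustration (not from the webinar or this article), the Python sketch below reads the Received headers of a constructed message and reports which hops recorded TLS; here the gateway-to-gateway hop is protected while the hop inside the sender's network is not. The hostnames, addresses and function names are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample message (hostnames are placeholders, not from the article).
SAMPLE = """\
Received: from gw.lawfirm.example (gw.lawfirm.example [192.0.2.10])
\tby mx.client.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 06 May 2019 10:00:02 -0400
Received: from mail.lawfirm.example (mail.lawfirm.example [10.0.0.5])
\tby gw.lawfirm.example with ESMTP id def456;
\tMon, 06 May 2019 10:00:01 -0400
From: attorney@lawfirm.example
To: client@client.example
Subject: Draft agreement

Body text.
"""

# RFC 3848 "with" keywords that indicate the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def hop_report(raw_message):
    """Return hops in delivery order as (from_host, by_host, protocol, used_tls)."""
    msg = message_from_string(raw_message)
    hops = []
    # Received headers are prepended, so reverse them to get sender-to-recipient order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            hops.append((None, None, None, False))  # unparseable: treat as unprotected
            continue
        sender, receiver, proto = m.group(1), m.group(2), m.group(3).upper()
        hops.append((sender, receiver, proto, proto in TLS_PROTOCOLS))
    return hops

def unprotected_hops(raw_message):
    """Hops with no evidence of TLS in the Received header."""
    return [h for h in hop_report(raw_message) if not h[3]]

if __name__ == "__main__":
    for sender, receiver, proto, tls in hop_report(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

Each Received header is written by the server that accepted the message, so only the headers added by servers you control can be relied on as evidence.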
File password protection in some software, like current versions of Microsoft Office, Adobe Acrobat and WinZip, uses encryption to provide security. Acrobat also includes security envelopes that can be used to protect multiple files placed in an encrypted “envelope.” Password protection/encryption can be easier to use than full encryption of email and attachments when encryption has not been set up. The confidential information can be included in a password-protected (encrypted) attachment rather than in the body of the email. However, the protection can be limited by use of weak passwords that are easy to crack. Current recommendations say passwords should be complex, at least 14 characters in length, “the longer the better,” Ries said. The password should be transmitted securely to the recipient in a phone call or text message, and certainly not in the same email as the encrypted attachment.
When setting up devices like cellphones, smartphones and tablets, follow the manufacturer’s instructions to enable encryption. Use caution when using consumer cloud storage, Ries said. There are special editions of security software that include cloud protection, which is recommended.
Passwords should be changed only when you know your password has been compromised, Simek said. “Your bank or credit card company will let you know when you need to change your password.” If you need to manage encryption on several devices, there is software to help you do that. To protect data on a laptop, Ries recommends full-disk encryption, which encrypts the entire device, no matter where the sensitive data is stored.
For additional information on encryption options, see “Encryption Made Simple for Lawyers” (American Bar Association 2015), Law Practice Division resources (Law Practice magazine, Law Technology Today, Law Practice Today, webinars and the Legal Technology Resource Center). The Electronic Information Privacy Center maintains a website with information on encryption and other tools to protect privacy.