Over the years, written communication with clients has shifted from letters to emails. As early as the 1990s, bar association’s ethics committees have approved the use of unencrypted emails to clients.
In 2012, the American Bar Association (ABA) added “technology amendments” to the Model Rules of Professional Conduct. These added a core competency for lawyers to safeguard client-related data against unauthorized access or disclosure.
In 2017, the ABA published Formal Opinion 477, which concluded that unencrypted communications may not be appropriately secure for all client communication. Lawyers must determine the right method of communicating to and regarding clients based on the sensitivity of the personal information contained in each message.
In other words, unencrypted email may be fine for some client communications, but for those containing confidential or sensitive material, lawyers need to use more secure electronic communication methods.
Here are some options:
Security Features of Web-Based Email PlatformsMany popular web-based email applications, such as Gmail and Yahoo provide HTTPS encryption. While HTTPS will prevent others on the network from reading your emails, it still allows your email provider to retain an unencrypted copy of your message. Law enforcement can access this if they obtain a warrant.
Gmail’s new confidential mode allows the sender to create a passcode to protect messages with multi factor authentication - see more on that below.
Additionally, senders can set expiration dates on sent emails, so the messages are deleted from the network entirely. They can also prevent the downloading, forwarding, or printing of the email, or copying its contents. However, people can still take screenshots - nothing is ever entirely safe.
Email Password ProtectionThe best way to protect any email account is a strong password protection system using a combination of secure passwords and multi factor authentication.
Secure PasswordsA secure passwordis on that is almost impossible to guess. While hackers might be able to break any password using sophisticated software, why make it easy?
A secure password:
- Is at least 8 characters long - 12 or more is preferable
- Uses both upper and lower case letters
- Uses numbers and characters ([email protected]#$%&* - but not < or >, which may create problems in Web browsers.
- Randomizes numbers, symbols and letters, instead of complete words: i.e., pa$$W0rD1too3 vs. Password123
- Doesn’t use easy to guess/discover facts like your birthday, business name, city, brand, or information people would associate with you
- Uses phrases rather than words
Multi-factor AuthenticationMulti-factor authentication (MFA), also known as two-factor authentication or two-tier authentication, builds another step into the process of entering a password. How it works:
- You enter your password into your email application.
- The application sends a randomly generated code to a second device or application, such as your cell phone, a second email address, or IM application.
- You enter that second code to complete the process of accessing your email application.
Mail EncryptionEven if someone manages to breach your email password security, the next step is to use an encryption process to protect the content of the messages.
There are many mail encryption programs that use complex cryptography to jumble the message into unintelligible strings of letters, digits and symbols. It can only be decrypted with a private key, another series of letters, numbers and symbols, which the receiver enters into the program to view the message as intended.
Many encryption programs use some variation of PGP. This is an encryption algorithm, which, ironically (we hope), stands for Pretty Good Privacy. It was originally created as open source technology by visionary Phil Zimmermann. Eventually, through a series of ownerships and acquisitions, the PGP program became the property of Symantec. However, there is an open source standard known as Open PGP, which is free to the public, and is utilized by any programs and technology consultants.
Drawbacks to PGP are that it still exposes metadata and subject line to anyone on the network of either the sender or the receiver, and also, researchers have discovered vulnerabilities in the Open PGP standard. However, most programs and technology consultants add extras into their programs to counteract these issues.
Cloud-Based Email ServerFor larger companies, a dedicated in-house server, or a service that offers dedicated secure servers is the best way to protect data. However, in-house servers require staff to maintain and monitor the technology, and outside services are expensive.
Enter the Cloud: that mysterious global network of internet servers that hosts a seemingly endless library of data and computer resources with constant on-demand availability. A commercial cloud-based email host provides lawyers a cost-effective way to encrypt their client communications. Many cloud-based providers host software, apps, and other add-ons on safely encrypted networks.
Encrypted cloud hosting servers can also store sensitive files and client data. You can also grant access privileges to create private exchanges of data between you and a client.
Which brings us to:
Client PortalsAnother option you can take is to not use email at all, but use an encrypted online portal. Clients can access this software via the internet, using a password (and multi factor authentication, if desired). There is a user interface they can use to send and receive encrypted data, such as messages and documents, and provide electronic signatures for time-sensitive agreements, and much more. You can also password protect the individual documents for an added layer of security.
Often, client portals are built into legal practice management software, and are also available as stand-alone, cloud-based services. These portals provide one secure, convenient location for end-to-end communication that is fully encrypted from prying eyes. Naturally, your firm will still use email for less-confidential exchanges.
Updates and TrainingWhatever method, or combination of methods you use to protect the privacy of client communications, the solution is only as good as the systems and people who support it.
Apply software updates as soon as they come out. Review your security methods regularly to ensure they are still working for you, and determine if there are newer, better solutions that you should check out.
- Use good email hygiene, and train anyone who works for/with you to use it as well:
- Use strong, secure passwords (see above)
- Don’t walk away from your computer with your email or other sensitive data open and in view - lock your computer whenever you need to step away:
- Windows key + L on a PC
- Ctrl + Shift + Power on a Mac
- Don’t open email attachments or links from unknown senders
- Learn to recognize spoofed email addresses or phishing attempts
It is an attorney’s responsibility to ensure all communications with clients are appropriately confidential and secure - including electronic communications. Use these tips to make sure you’re up to speed.