Are You Still Using Unencrypted Technology for Client Communications? If So, Your Client Information Is at Risk
Not too long ago, when lawyers and clients communicated, it was via a letter or a phone call. But thanks to technology, emails and text messaging are often the preferred communications method for most clients. (Can you even recall the last time you received a letter from your client?)
As quick and convenient as internet-based tools such as email, text, social media private messaging, and messenger apps may be, communicating via unencrypted web-based messages introduces a level of risk that may surprise most users.
Attorneys who use unencrypted electronic messaging to communicate with and about clients may run afoul of their ethical obligations of confidentiality and technological competency. In 1999 – when email was the limit of web-based communication – the ABA concluded that attorneys had a reasonable expectation of privacy in “all” forms of email (despite “some” risk of interception and disclosure), and could use even unencrypted email to communicate client information. (See Formal Opinion 99-413).
However, as the role and risk of technology in the practice of law evolved, the ABA recognized a need to revisit this opinion in Formal Opinion 477.
To exercise the duties of competence and confidentiality, lawyers must understand the nature of threats, how and where client information is stored, the scope of reasonable security measures, how electronic communications should be protected, how to label client confidential information, how to train lawyers and non-lawyers on information security, and how to vet technology vendors.
What is Encryption?
Encryption means using an algorithm to convert “regular” text into encoded text. It does not prevent a message from being intercepted, but renders it useless to anyone without access to the confidential process (“key”) used to decrypt or translate the encoded message.
Challenges Surrounding Email Communications
Email is, by default, typically unencrypted: encryption requires affirmative action. Sending an unencrypted email implicates many vulnerabilities and threats.
Email “at rest” may be hacked. Email “in motion” may be misdirected or intercepted. Email does not travel in a straight line from sender to recipient. Like a rubber ball, a web-based email bounces across the internet passing through server after server – each a potential interception point.
Compounding the risk is the pack-rat relationship most lawyers have with their email. A busy lawyer may not prioritize archiving and destruction, or may simply presume that “more is better” and save everything until IT forces a purge. This means that vast swaths of information are available not only to those with legitimate access, but also to wrongdoers who manipulate a way into the In-Box.
Wrongdoers know all about the vulnerabilities associated with unencrypted email – which is why it is such an attractive target for hacking, ransomware, and social engineering exploits.
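The server-to-server path described above can be read back from a delivered message's Received headers. The following Python sketch is an added example, not part of the original article: it lists each hop in travel order and flags those where the receiving server recorded no TLS, using a constructed message with made-up .example hostnames and the protocol keywords registered in RFC 3848.

```python
import re
from email import message_from_string

# Constructed sample message (hostnames use the reserved .example TLD).
SAMPLE = """\
Received: from mx.client.example (mx.client.example [203.0.113.7])
\tby inbox.client.example with LMTP id c3; Tue, 2 Jan 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.9])
\tby mx.client.example with ESMTP id b2; Tue, 2 Jan 2024 10:00:02 +0000
Received: from mail.lawfirm.example (mail.lawfirm.example [192.0.2.5])
\tby relay.isp.example with ESMTPS id a1; Tue, 2 Jan 2024 10:00:01 +0000
From: attorney@lawfirm.example
To: client@client.example
Subject: Draft settlement terms

See attached.
"""

# Pulls the sending host, receiving host and protocol keyword out of one header.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

def trace_hops(raw):
    """Return hops in travel order as (from_host, by_host, protocol, tls)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its header, so reverse for sender-to-recipient order.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if not m:
            continue  # header in a format this sketch does not parse
        proto = m.group(3).upper()
        # RFC 3848: a trailing S (ESMTPS) or SA (ESMTPSA) means TLS was used.
        tls = proto.endswith(("S", "SA"))
        hops.append((m.group(1), m.group(2), proto, tls))
    return hops

def cleartext_hops(raw):
    """Hops whose receiving server did not record TLS for the transfer."""
    return [h for h in trace_hops(raw) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto, tls in trace_hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

Received headers are written by each server on the path and are not authenticated, so treat the result as what each hop reported. Even a hop marked TLS protects only that link; the message is still readable on every server that handles it unless the content itself is encrypted.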
Protect Data with Encryption
Email is one of the most likely ways a hacker will illicitly gain information. And most data breaches are the result of lost equipment, such as a laptop, that wasn’t encrypted.
Under state data breach notification laws, you are required to notify individuals if you lose certain information, such as their first name, last name, Social Security number, and credit card number. This type of information is often in client documents. You also may have an obligation under the Rules of Professional Conduct to notify your client if you’ve lost any of their information.
Encryption is almost certainly required as a “reasonable measure” to safeguard client information of any degree of sensitivity. Encryption can be implemented at the system or device level (each operating system offers a free encryption tool). Modern encryption technology should not affect processing speed and offers many benefits:
- The protection is always on
- IT longevity
- Undetectable speed
- Government compliance
- Increased productivity
- Employee freedom
Lawyers may resist moving to cloud providers because they fear that if their data is outside of their building, they won’t be able to protect it. But think of your firm’s in-house IT team versus the providers of these tools. Can your in-house team accomplish your goals as effectively and efficiently as Microsoft, IBM, or Doxly?
Stop Sharing Your Password
Data breaches don’t always result from a hack or lost laptop. Malicious insiders also threaten data. Best practice: Consider passphrases (rather than passwords), don’t share them with anyone, and institute two-factor authentication.
Download our eBook, “Technology Solutions Mitigate Risk of Data Disclosure,” to learn how attorneys can protect client information using encryption and cloud services.
Special thanks to Nick Merker and Kim Metzger of Ice Miller LLP for their help with our guide.