Email Security in the Legal Profession

For individuals who only send emails to family and friends, email security isn’t always a top priority. However, once you’ve crossed the threshold of sending routine communications to those of a more private or sensitive nature, the security of your email account takes on a much greater significance.

Lawyers, in particular, should be concerned about the security of their professional email accounts, especially if you’re using a cloud solutions provider. This may even be true for personal email accounts, which are sometimes used by attorneys for the sake of convenience, without ever knowing just how protected their email really is.

The subject of email confidentiality and security has produced one of the more thought-provoking debates in the legal field over the past few decades. And much of it is caused by the number of growing technologies lawyers are using, like the cloud and managed services, to improve their professional efficiency and overhaul their firm’s productivity.

The debate has primarily centered on how to maintain privacy when sending email communications to clients, which often include confidential or privileged documents, in addition to sensitive, “for your eyes only” information.

As a result, email encryption began its insertion into the debate, and became a key component of the discussion, as many lawyers and law firms sought out facts on best practices to follow. Which brings us to 1999, when the American Bar Association officially stepped in by issuing a formal opinion on the matter, saying that encrypted emails were not required by ethical standards, therefore establishing a precedent which nearly every jurisdiction followed from then on.

After the ABA’s view became known, which also stated that these types of communications should happen in person rather than over email, privacy statements and confidentiality/privilege disclaimers became the norm. In effect, these statements and disclaimers sought to replace the need for email encryption through cautionary statements included in the subject line or body of an email. But other precautions have also been in play during this time, including:

• Password protected documents
• Written and/or oral consent from clients
• Registered email

While some of these are fairly effective in providing security for both senders and recipients, the risks have largely outweighed the inherent benefits of using email to communicate with clients. What are the advantages? Swift and simplified interaction, of course, which adds tremendous value for busy lawyers and clients who prefer the speed of this type of delivery.

The disadvantages, however, are numerous, and include:

• Shared email accounts, passwords and computers at a law firm create too many opportunities for privacy disasters
• Public Wi-Fi connections and unsecured, or poorly secured, networks that leave communications vulnerable on either party’s side
• An increase in hacking attempts on both individuals and private organizations resulting in huge data losses
• Unauthorized receipt and viewing of messages by outside parties who are not part of a case or could be affected by it

Yet despite these drawbacks, a surprising number of attorneys and law firms have decided against using encryption for their email communications, as evidenced by the 2015 Legal Technology Survey Report that was released by the American Bar Association’s Legal Technology Resource Center.

In the report, we find that only 35% of attorneys are currently using email encryption when sending confidential information to clients or in everyday professional communications. What’s interesting about this number is that it has largely gone unchanged in the past several years, notwithstanding many law firms and their attorneys understanding the necessity of email privacy and security.

Strangely enough, the largest majority of attorneys (70.7%) still use confidentiality statements in an email’s body to “protect” their messages, while 26.4% employ them in the subject line of their private emails.

As time goes on, and email between lawyers and clients continues to be scrutinized, some jurisdictions are beginning to back off from their shared views on encryption being utilized in most, if not all a firm’s emails. Thankfully, many private cloud and case automation software providers are already well ahead of the game, knowing privacy and security will always be of the highest priority.

If you have questions about the status of your own area’s rules on how confidential emails should be sent to a client, contact your state or local bar association for more information.