From spear phishing to DNS hijacking, cybercriminals are increasingly turning law firm emails into entry points for accessing confidential data. One of the easiest ways to safeguard against these types of attacks is through encryption, a process which scrambles information contained in messages in a way that prevents anyone other than the sender and recipient from reading their contents.
While this provides a more advanced level of protection against hacking, lawyers are not implementing this into their confidential client communications. In fact, roughly 3 in 4 attorneys are not encrypting any confidential or privileged documents and communications they send to clients, according to the ABA’s most recent TechReport, marking a significant rise from the previous year’s study, where 65 percent of attorneys reported the same. Unfortunately, this issue is pervasive across all types of law firms; while 80 percent of solo practitioners reported not using encrypted emails, 52 percent of attorneys at firms with over 500 attorneys were not encrypting important emails either.
In the midst of a profession-wide crackdown on technology incompetency, the American Bar Association recently issued Formal Opinion 477, which addresses how lawyers should handle technology and security issues relating to confidential email communications. In its opinion, the ABA opined that lawyers should take reasonable steps to prevent inadvertent or unauthorized access, and should take special measures above and beyond minimum security requirements where the client or nature of the information requires it.
While the ABA’s model opinions are merely advisory, they are highly influential, and the opinion makes clear that failing to consider appropriate security measures for client communications could violate attorneys’ ethical duties to provide competent representation and to mitigate the inadvertent or unauthorized disclosure of, or unauthorized access to, confidential client information.
But lawyers do not need to be technology experts to ensure ethical compliance. According to the ABA, attorneys must instead make reasonable efforts to prevent unauthorized access to, and inadvertent disclosure of, any client communications. While any attorney should reach out to qualified experts to ensure their communications are in compliance with current privacy and encryption standards, lawyers can take a number of immediate steps to better protect their emails, texts, and other client correspondence and data—by embracing encryption.
Email Encryption Can Help Attorneys Meet Their Ethical Duties
Attorneys embracing a more mobile workstyle should incorporate encryption best practices into their client communications, as failing to do so could set them up for disastrous data breaches. As the ABA TechReport suggests, lawyers are increasingly doing work outside the law office; 77 percent of the lawyers who participated stated they did legal work at home, while 38 percent worked on tasks while traveling.
In addition, more lawyers are unchaining themselves from their desktops. Nearly 86 percent of attorneys now use laptops, smartphones or tablets as their primary work devices. These numbers will only grow with the rise of Bring-Your-Own-Device (BYOD) workplaces and remote working arrangements, which firms such as Shearman & Sterling and Morgan Lewis & Bockius are beginning to embrace.
Although popular platforms such as Gmail can support encrypted messaging between Gmail accounts, that does not guarantee encryption where the recipient or sender uses a different email provider. While lawyers have a plethora of free and paid email encryption options to consider, one easy-to-use plugin attorneys can try is Virtru. Plugins such as Virtru give users the option of converting standard Gmail and Outlook emails into encrypted messages that recipients can then read and respond to on Virtru’s encrypted servers after clicking an email link. Virtru has a free Gmail personal-use plugin that attorneys can test out, and programs such as Hushmail can provide similar encryption services that integrate with smartphone and tablet-based email platforms along with desktops and laptops. Microsoft Outlook and Exchange users can also use both programs’ built-in encryption features as an additional safeguard.
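One way to check the point above on a message already received, as an added example that is not part of the original article: each receiving mail server records the protocol it used in a Received header, and the RFC 3848 keywords ending in S or SA mark hops that ran over TLS. The message, host names and addresses below are constructed; the headers cover only hops up to the mailbox and are written by the servers themselves, so the result is a transport-level indication, not proof of end-to-end encryption.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that indicate the hop was protected by TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message (hosts, IPs and ids are made up for illustration).
SAMPLE = """\
Received: from mx.client.example (mx.client.example [203.0.113.7])
    by mail.firm.example with ESMTPS id abc123;
    Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.9])
    by mx.client.example with ESMTP id def456;
    Mon, 01 Jan 2024 10:00:01 +0000
Received: from laptop.local (unknown [192.0.2.44])
    by relay.isp.example with ESMTPSA id ghi789;
    Mon, 01 Jan 2024 10:00:00 +0000
From: client@client.example
To: partner@firm.example
Subject: constructed sample

body
"""

HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.I)

def audit_hops(raw_message):
    """Return (sender, receiver, protocol, used_tls) per hop, origin first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        match = HOP.search(" ".join(value.split()))  # unfold the folded header
        if not match:
            continue  # non-standard header: skip rather than guess
        sender, receiver, proto = match.groups()
        proto = proto.upper()
        hops.append((sender, receiver, proto, proto in TLS_KEYWORDS))
    return hops[::-1]  # servers prepend headers, so reverse into travel order

def cleartext_hops(raw_message):
    """Hops whose recorded protocol shows no TLS."""
    return [(s, r, p) for s, r, p, tls in audit_hops(raw_message) if not tls]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```
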
How Attorneys Can Better Encrypt Text Messages & Other Communications
In addition to unencrypted emails, unsecured text messaging can entail potential pitfalls for lawyers. Of the 93 percent of attorneys who use smartphones in some capacity at work, roughly 3 in 4 use their personal devices instead of firm-issued devices. Network and app vulnerabilities can not only compromise confidential data stored on those apps, but also give hackers backdoor access into restricted content stored on privately-owned smartphones.
While multi-factor authentication is one way to provide a safeguard against cybercrime, text message-based authentication is not a viable option anymore. Attorneys would be better off using multi-factor authentication apps such as Symantec VIP Access and Google Authenticator, which generate ever-changing, one-time access codes that users can use in addition to their usual passwords, providing an extra layer of protection. For ultra-confidential client texting, apps such as Dust can send encrypted, temporary texts that disappear without leaving a digital footprint—just be aware that self-destructing messages may raise issues around spoliation in the future.
In addition to emails and texts, attorneys should consider other forms of communication they share with clients. Cybercriminals can easily exploit VoIP telephone systems' message data, for example, and videoconferencing platforms such as Skype do not guarantee total encryption. Even file-sharing platforms such as Dropbox are susceptible to vulnerabilities; the company recently dealt with kernel-access vulnerability issues related to a recent update that would have granted hackers ultimate control of a user’s computer. Encrypted conferencing and file-sharing platforms such as Legaler can provide robust protections for attorneys and clients, while consistent metadata scrubbing for files and PDFs can strip away edits and deletions containing confidential information.
And, of course, when it comes to discovery and data management, Logikcull's secure, closed-loop platform encrypts data while in motion and at rest, while Logikcull's ShareSafe feature eliminates risky exchanges entirely, ensuring end-to-end security through the duration of discovery.
How Attorneys Should Handle Confidential Communications Going Forward
Whatever encryption strategy you pursue, it is important to discuss any security-related considerations and expectations with your clients, and to take reasonable measures to incorporate them into your client communications—including hiring qualified experts where necessary. In Formal Opinion 477, the ABA recommends weighing a number of factors when considering what safeguards to use, such as the sensitivity of the information, the likelihood of disclosure without sufficient safeguards, the cost of employing safeguards, the difficulty of implementing safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent the client. Implementing encryption into your day-to-day communications with clients, however, is one step that will immediately make a difference.
This post was authored by Eric Pesale, the founder of Write For Law, who writes regularly about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is a graduate of New York Law School and the University of North Carolina at Chapel Hill, and recently passed the New York bar exam. Eric can be reached at firstname.lastname@example.org or on Twitter at @writeforlaw.