Lawyers are very conscious about protecting client confidences in electronic documents. We password protect our computers and smartphones. We use VPN (virtual private networks) to connect with the firm’s server while out of the office. We even use SSL when accessing our emails or data stored in the cloud. One tool that lawyers, and the general public for that matter, have been slow to adopt is email encryption. Currently, our emails and their attachments are viewable by anyone who can intercept them in transit. In this article, I argue that email encryption is unnecessary for all but the most sensitive communications, and maybe those should not be sent electronically in the first place.
2. When Are Emails Vulnerable?
If you’re using an Exchange server or cloud-based email provider (Gmail, Hotmail, AOL, Yahoo!), the connection between your computer and the server is secure because it is sent either over your private network or is encrypted before it leaves your computer and travels via the internet to your provider’s email server. The email server then decodes the message, breaks it into smaller pieces and then sends it to the recipient’s server via the internet. Because it is unencrypted during transit, anyone who intercepts a piece of the message can view that piece. If they can get a hold of enough pieces, they can get a good idea of what the message says. And the closer they are to your provider’s server or the recipient’s server, the higher the chance that they’ll get more pieces of the email. Once received by the recipient’s email server, the bits of the email are reassembled, encrypted and sent securely to the recipient’s computer.
3. Why Encrypt Emails?
The primary reason to encrypt emails is to prevent an interloper from catching and reading the packets as they travel over the internet. But, what is the chance of that happening? As described above, the chances of catching one, let alone all parts of an email are remote. In 1999, one researcher looked into this issue and concluded that the multiple routes a packet can take are not sufficient protection because communications between two nodes on the internet often take the same routes.
What this means is that if a hacker can somehow identify one of the routers that Steve Balmer’s emails usually hits on its way to his fellow Microsoft directors, then he can piece together much of their communications and possibly trade on that information. But to do this, the hacker would need to identify the node, infiltrate and tap it and somehow filter just those packets he needs from the billions of packets that flow through on a daily basis. That’s not an easy task.
Some companies are not taking the risk, especially ones who must comply with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, Payment Card Industry Data Security Standards or the E.U. Data Privacy Protection Directive. Those firms have implemented email encryption.
The out of pocket cost to encrypt emails is trivial – one provider, Voltage charges $65 per user per year. Microsoft offers encryption for free in Outlook. Security companies like McAfee and Symantec usually offer it as part of their overall security package.
4. Cons to Encrypting Emails
If the cost is so cheap, why doesn’t everyone encrypt emails? There are several reasons: hassle, lack of awareness, remoteness and alternate methods of transmission.
Hassle: Most encryption providers offer an Outlook plug-in, so senders can activate encryption with a single click. However, it is a step that the sender has to think about. The sender can set his default to encryption on, but that leads to hassles when sending emails to people without easy access to decryption software.
Recipients of encrypted emails are often turned off because the encryption provider requires them to register and create an account. And even after they have registered, the recipient often cannot view the encrypted emails in their own inbox. Instead, they get a notice saying that they have received an encrypted email and should go to their secure account to open it. So, whenever they get the email, they have to execute 3 additional clicks to read each email. While that does not sound like much, multiply 3 clicks with how many emails we all receive every day and the deadweight loss is apparent. So, we end up with parallel email inboxes – one secure and one regular.
Some providers offer encryption with less hassles. For example, McAfee’s service can automatically scan and encrypt the email if it matches the policy set by the administrator, or if the word “[encrypt]” appears anywhere in the subject or body of the email. The recipient still has to view the message through a secure email website/application or on their email client, if they have a plug-in.
Lack of awareness: Most people have no clue how their emails get from their computers to the recipient’s computer or vice versa. They do not know about email encryption or even the possibility that their emails could be intercepted en-route.
Remoteness: As discussed above, the chance that someone could intercept enough bits of an email and put them back together in a coherent fashion is near zero. So, those that know of the potential risk realize that it is so unlikely that mitigation is unnecessary.
Alternate methods of transmission: When a document is so sensitive that it cannot be sent via regular email, then it calls into question whether it should even be sent electronically. Some lawyers who began practicing before email, insist on faxing sensitive documents and only to recipients they know are not using a service that converts faxes into emails. Others will courier the documents. For those who are more comfortable with technology, the email or attachment could be saved onto a secure server and a link to download that file could be sent to the recipient. The recipient would then click on the link and securely download the file. Once, a party was unwilling to email me his W-9 form because it contained his social security number. He proposed encrypting the file and emailing me the encrypted file. Unfortunately, he uses Windows and I use a Mac, so I couldn’t run the decryption software. Ultimately, we decided on securely uploading the W-9 form to my secure cloud storage site and I was able to retrieve it from there. So, there exists a way to securely send documents via the internet, with just about the same hassle factor as sending/opening an encrypted email.
5. Ethical Obligations
There may be some instances where an attorney is required to send a document in an encrypted format. Under California Rule of Professional Conduct 3-100, “A member shall not reveal information protected from disclosure by Business and Professions Code section 6068, subdivision (e)(1) without the informed consent of the client….” Section 6068(e)(1) states that every attorney has a duty “To maintain inviolate the confidence, and at every peril to himself or herself to preserve the secretes of his or her client.”
In 2010, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct issued formal opinion No. 2010-179 on whether attorneys are ethically prohibited from using technology to transmit confidential client information when the technology may be susceptible to unauthorized access by third parties. The electronic storage referred to in the opinion was the use of a laptop at an unprotected wifi hotspot. The committee set forth the following six-factor test: (1) the level of security associated with that technology; (2) the legal ramifications to a third party who receives the data (i.e. whether the attorney-client privilege has been waived or whether an Evidence Code sections 917(a) and 952 exception applies); (3) the degree of sensitivity of the information; (4) the possible impact on the client of inadvertent disclosure; (5) the urgency of the situation; and (6) the client’s instructions or circumstances.
Applying the six factors, there definitely could be instances where the information contained in the email is extremely sensitive such that inadvertent disclosure could cause great harm to the client and the information is so urgent that it cannot be sent by courier or other more secure means. In those instances, it might be prudent to encrypt the email prior to sending it. However, given the remoteness of an unauthorized disclosure, it is highly improbable that not using encryption will lead to liability.
Shirish Gupta is a certified mediator and a member of the
California State Bar Solo and Small Firm
Section Executive Committee.
firstname.lastname@example.org or (650) 539-4019.