Center For Practice Management, Ethics, Security

Encrypting Communications

The security landscape has become overwhelming for many lawyers. The last 10 years have witnessed an increasing awareness that a lack of compliance with security best practices may put lawyers and their clients at elevated risk. The updates to the ABA Model Rules of Professional Conduct in 2012, now adopted by nearly 39 states, served as a wake-up call to the fact that security and technology awareness are an essential part of running a law firm. Rule 1.1 (Competency) now requires a lawyer to understand the benefits and risks of relevant technology. The expanded comments to Rule 1.6 (Confidentiality) include taking reasonable precautions to prevent unauthorized access to client information as well as inadvertent or unauthorized disclosure of it. Recent ethics opinions promulgated by bar associations and disciplinary agencies regarding email encryption, cloud computing, records management and related subjects provide guidance on how a law firm should go about securing a client’s confidential information.

It does not stop at ethics opinions. Law firms also hold information protected by statute and regulation, including data breach notification laws in 48 states, HIPAA, FINRA, PCI and others.

Create a Risk Profile

To comply with regulations and ethical requirements, law firms should first map out their risk profile. What kind of data does the firm store and access? Transmit? Is it data defined by statute such as PII (personally identifiable information), PHI (protected health information) or NPI (nonpublic personal information)? Financial information? Read the laws and regs to see what guidance they may provide to help protect the data. Next consider what the firm may hold that is privileged or confidential. How is that data protected? Look at where the data is stored, how it is transmitted, who has access to it and what steps the firm takes to protect it. Is it enough?

Follow Best Practices

Security is a moving target. Don’t let the firm get too complacent in its practices. The most important thing a firm can do to protect client data is to keep up with the latest recommendations in cyber protection and keep attorneys and staff constantly vigilant to maintain security and privacy protocols. For instance, there has been a lot in the news about frauds involving intercepted and redirected wire transfer information, especially in real estate transactions. Do not send wire instructions via email. Tell clients whether to expect this type of information from the firm. Let clients know that the firm will not request wire transfer or electronic payment information or, if the firm does, exactly how and what it will look like.

Securely Sending Documents and Communications

Law firms are constantly asking for and sharing confidential and protected information with clients. While a firm may protect data on servers, hard drives, and physical files while in the office, transferring these files must also be done in a highly secure manner. Sometimes even the nature of a telephone conversation may call for additional security. What techniques and tools can protect sensitive information in transit? How can a law firm help a client maintain security on files so that the effort to protect information does not stop once a document leaves the law office?

Encrypt Email Attachments

If the firm sends out documents via email that contain protected or sensitive information, such as NPI or PII, then at the very least those documents should be encrypted via password protection. Current versions of Microsoft Office (and older ones), Adobe Acrobat DC and Kofax provide password protection, which triggers encryption of the document. This encryption is enabled by setting a password to open the document. Strong passwords (at least eight characters and a mix of upper and lowercase letters, numbers, and special characters) should be employed. Also, do not email the password to the document with the attachment, or even in a separate email. Call the client or use a secure messaging application, so that the password travels by a different channel than the document did. Tools on the market make it relatively easy for someone to access file content from older versions of Microsoft Office documents, bypassing the password altogether. There are more comprehensive ways to protect documents and communication, but this method helps protect the document from inadvertent and unauthorized access.
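As an added illustration of the password rule above (this is example code written for this page, not a tool from the article or any vendor), the script below checks a candidate document password against that rule and generates one that satisfies it, so the password can be read to the client by phone or sent by secure message rather than emailed with the attachment. The symbol set and the minimum length are constructed for the example; adjust the symbol set to the characters the document tool accepts.

```python
"""Check a document password against the article's rule (at least eight
characters; upper and lowercase letters, numbers and symbols) and generate one
that passes, using the secrets module so the password is drawn from a
cryptographically secure source rather than random.random."""
import secrets
import string

MIN_LENGTH = 8  # minimum length stated in the article
# Constructed symbol set for this example; some tools accept a narrower set.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def check_password(password: str) -> list:
    """Return the list of rule failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password().

    One character is drawn from each class first so every class is present;
    the remaining positions are drawn from the full alphabet; then the order
    is shuffled with a CSPRNG-backed shuffle so the class-first positions do
    not leak."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    chars = [secrets.choice(cls) for cls in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print("password ->", check_password("password"))
    candidate = generate_password()
    print(candidate, "->", check_password(candidate))
```

The generated password is only as safe as the channel it travels over: the point of the article's advice is that the attachment and its password never share a channel an interceptor could read both from.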

Secure Faxing

Another method used to transmit files securely is via facsimile transmission, also known as fax. A picture of the document is sent through a dedicated secure line to a specified recipient. Sounds safe, but the reality could be somewhat different. Unless it can be ensured that the recipient receiving the fax is at a private fax machine or receiving it in a dedicated fax inbox through electronic fax, the faxed document may linger in a publicly accessible fax machine tray, available to all who come by it. Many (most) consumers have access to a fax machine only at work, which should be avoided for several reasons including the prevalence of workplace privacy waivers.

Encrypt Email

While lawyers are not required to encrypt all emails, nor are they barred from using email for confidential communications, lawyers must consider what information will be transmitted and how that information should be secured. Sometimes the proper decision is to send the information by other means because it is not possible to secure the content well enough. The Professional Ethics Committee for the State Bar of Texas published Opinion 648 in April 2015, which outlines circumstances to consider when sending confidential information via email and using encryption to protect email. When choosing a service or tool to encrypt email a lawyer should consider not only the encryption of the message in transit, but also at rest. For instance, consider the scenario wherein a client is receiving the email on a shared device or on a shared email account or on an account for which a third party knows the password. In those scenarios the email must remain encrypted until accessed by a unique username and password created by the recipient and authenticated by the recipient.

Once decrypted, does the email sit on the recipient’s hard drive? To reduce this risk, make sure that any email encryption service or tool employed maintains the encryption or secure access to the information, rather than having it sit unencrypted in an email or on a computer’s drive. To reduce the risk of exposure, look at email encryption solutions that allow for expiration dates, self-destruction or recall options in case the information is feared to have reached an unintended recipient. Also, look for email encryption tools that allow a “do not forward” rule to be imposed.

Some examples of third-party email encryption tools include:

  • Delivery Trust from Identillect costs $8 per month per user and includes file print restrictions, restrictions on downloads, read receipts and more. It works with Gmail, Microsoft Outlook, Office 365 and a web-only account for those using other email services.
  • Citrix ShareFile provides secure syncing, storing, and sharing of files. It is functionally similar to applications like Dropbox, OneDrive, Google Drive or Box. One unique feature of ShareFile Advanced ($77 per user per month for five users minimum, $15 each additional user) is that it provides an Outlook plugin that makes it easy not only to send an attachment securely, but also to encrypt the email itself. Click “Encryption On” and set up the options, which include read receipt, username and password required, and email/file expiration date. A user can then attach a file from her computer or from ShareFile and the file is sent as a link in an encrypted email. Lawyers can also use this add-in to request files from clients. The clients click on a link in the email and can securely share documents through ShareFile. Emails sent encrypted via ShareFile are decrypted and responded to via ShareFile online, so the email and file require a login to access and never sit decrypted on the client’s computer.
  • Microsoft 365 Business Premium has email encryption built in. It can be turned on by the user, or rules can be applied to identify certain text in the email so that it automatically engages.

Although there are many other email encryption tools on the market, these are a few that scale well from solo and small firm practices to large firms.

Securely Share Files via Client Portals

If the firm is using a modern SaaS (software as a service) practice management application like Clio, Rocket Matter, MyCase, CosmoLex or Zola Suite, the product is likely to have a secure client portal. The features may vary between the different applications, but all will provide the functionality to allow clients to securely access files. The client creates a username and password and sees only what the firm provides. A secure client portal can reduce exposure of messages and documents to third parties. It also helps consolidate and control communication and documents by storing them all in a central location, so the client and lawyer do not have to manage emails and documents as much. Additional bells and whistles in many client portals are shared calendars, contacts, tasks, and online bill pay with outstanding invoice notifications.

If the firm has no SaaS-based practice management application, online document storage services can provide a makeshift client portal. The biggest caveat here is that the controls and permissions are all set by each user, and it is easy to get in a hurry and inadvertently add the wrong document to the wrong folder or set a shared link instead of a private link. However, by controlling access to documents via business-level secure file sync/storage/sharing services, the firm can create a de facto client portal.

When looking at using a service like Google Drive, OneDrive or Dropbox, please understand the distinctions between the free versions and the paid versions. The free versions may have many of the same features, but the security and terms of service are not adequate for confidential client information or documents that contain information required to be protected by statute or regulation. The paid (business) versions of these products offer very different terms of service and privacy protection, two-factor authentication, access control and many other sophisticated security protections.

In the business versions of Google Drive (Google Workspace), OneDrive (or Microsoft 365), Dropbox Business, Box and Citrix ShareFile there are many security options to choose from when creating a shared folder for a client. Clients should have password-protected access to an online folder. The folder creator determines who has access to the documents, whether they are read-only or can be downloaded, whether the client can upload to the folder, what expiration dates apply to the files and much more. Some build in workflows and approval processes (Citrix ShareFile and Office 365 SharePoint), and most have comment and task tools to add context and communications for a file or folder. Some of these have third-party electronic signature platforms built in, so tools like RightSignature and DocuSign are integrated into the workflow.

Almost all business versions of online document storage services make it easy to share full access to a file or folder by sending an unprotected link to a client. The client need not create a username and password. While this may seem appealing to a client in terms of ease of use, there is always a trade-off between security and usability. Without a username and password, anyone who obtains the link can access the files. A lawyer sharing information with clients should always make access specific to a recipient by name and require a password for access.

To illustrate, in a case of inadvertent disclosure an insurance company waived claim to privilege to materials uploaded to an unprotected file sharing site (Harleysville Insurance Company v. Holding Funeral Home, Inc.). The case involved an insurance company that denied a claim filed by a funeral home. The insurance company’s investigator uploaded video surveillance footage, insurance claim files and investigation files to Box. Defense attorneys for the funeral home requested the file regarding the investigation. The link was then relayed via email, but the folder contained the materials from the investigation plus the entire claims file. Since the folder was not password protected, all the documents were available. The insurance company found out that the files had been accessed when the defense provided the claims documents to them on a thumb drive. In Harleysville Insurance Company v. Holding Funeral Home, Inc., Judge Pamela Meade Sargent wrote: “Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information.”

Finally, SaaS-based document management systems, like NetDocuments, have client portals designed to make it easy for attorneys to share documents with clients via a secure login.
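To make the difference between an unprotected link and a recipient-specific share concrete, here is an added example (written for this page; it is not code from the article or from any of the products named above) that models the share settings the preceding section describes and runs an access check over a few constructed requests. The folder name, e-mail addresses, fixed clock and request format are all assumptions for the illustration; real services apply their own rules, but the deny-by-default shape of the check is the point.

```python
"""Model of a shared-folder policy with the controls the article lists
(named recipients, required login, expiration date, read-only) and a
deny-by-default access check, evaluated against constructed requests."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Share:
    folder: str
    recipients: frozenset = frozenset()    # lowercase e-mail addresses named on the share
    anyone_with_link: bool = False         # the unprotected link the article warns against
    require_login: bool = True
    expires_at: Optional[datetime] = None  # expiration date set by the folder creator
    allow_download: bool = False           # False means read-only (view only)


@dataclass(frozen=True)
class Request:
    folder: str
    email: Optional[str]  # None when nobody is signed in
    authenticated: bool
    action: str           # "view" or "download"
    at: datetime


def evaluate(share: Share, req: Request) -> tuple:
    """Return (allowed, reason). Every condition must pass; otherwise deny."""
    if req.folder != share.folder:
        return False, "request is for a different folder"
    if share.expires_at is not None and req.at >= share.expires_at:
        return False, "share expired"
    if req.action not in ("view", "download"):
        return False, "unknown action"
    if share.require_login and not req.authenticated:
        return False, "login required"
    if share.anyone_with_link:
        # Whoever holds the link is in: the situation in Harleysville.
        principal = "anyone holding the link"
    else:
        if not req.authenticated or req.email is None:
            return False, "login required"
        if req.email.lower() not in share.recipients:
            return False, "not a named recipient"
        principal = req.email.lower()
    if req.action == "download" and not share.allow_download:
        return False, "read-only share"
    return True, f"{req.action} permitted for {principal}"


# Constructed sample data for the example (not real matters or people).
NOW = datetime(2022, 7, 1, 9, 0, tzinfo=timezone.utc)
FOLDER = "matter-0000-claim-file"

OPEN_LINK = Share(FOLDER, anyone_with_link=True, require_login=False, allow_download=True)
NAMED = Share(FOLDER, recipients=frozenset({"client@example.com"}),
              expires_at=NOW + timedelta(days=30))


def scenarios() -> dict:
    """Run the check over constructed requests and return the outcomes by label."""
    stranger = Request(FOLDER, None, False, "view", NOW)
    client = Request(FOLDER, "Client@example.com", True, "view", NOW)
    return {
        "stranger, open link": evaluate(OPEN_LINK, stranger),
        "stranger, named share": evaluate(NAMED, stranger),
        "client views": evaluate(NAMED, client),
        "client downloads": evaluate(NAMED, Request(FOLDER, client.email, True, "download", NOW)),
        "other signed-in user": evaluate(NAMED, Request(FOLDER, "someone@example.net", True, "view", NOW)),
        "client after expiry": evaluate(NAMED, Request(FOLDER, client.email, True, "view",
                                                       NOW + timedelta(days=31))),
    }


if __name__ == "__main__":
    for label, (allowed, reason) in scenarios().items():
        print(f"{label:24} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The first scenario is the one to notice: with an open link, the check has no principal to evaluate, so the only control left is whether the link has leaked, which is exactly the condition the court described in Harleysville.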

Secure Text Messaging

For short-form communication, ordinary text messages are not encrypted and can be intercepted. There are several secure communication apps to use, so that if a client wants to use a messenger service to communicate on the phone, the firm can direct the client to use Signal or ChatSecure for iOS. All of these messaging apps are free, encrypted end to end and authenticated (meaning you must invite the person to communicate with you). For instance, Signal users can send end-to-end encrypted group messages, text, pictures and video. They can even have encrypted phone conversations between Signal users. Although Signal uses telephone numbers as contacts, encrypted calls and messages use the data connection; therefore, both parties to the conversation must have internet access on their mobile devices. ChatSecure is a free instant messaging app for iPhone that allows users to communicate with off-the-record instant messaging and chats. All messages sent via ChatSecure are private if the other person is also using ChatSecure.

Conclusion

Law firms that have the responsibility to keep data secure can follow the American Land Title Association Title Insurance and Settlement Company Best Practices (alta.org/bestpractices) even if the firm’s attorneys do not act as title agents. Other useful security guidance is available through SANS.org; Locked Down: Practical Information Security for Lawyers by David G. Ries, John W. Simek and Sharon D. Nelson (ABA Publishing); and the National Institute of Standards and Technology Computer Security Division Computer Security Resource Center. Applying security best practices and standards need not be onerous or make things difficult for the firm or its clients. Better to be safe, not sorry.

©2022. First published in Law Practice Magazine Vol. 48 Issue 4 July/August 2022 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.