No matter your profession, encryption is a smart way to protect your intellectual property and sensitive email messages, but email encryption is especially important for lawyers.
There’s a reason why the American Bar Association has an entire page on their website dedicated to encryption. When you’re an attorney, solid encryption isn’t just important to the security of your clients, it’s crucial for the safety of your practice. Not only are you responsible for protecting your clients’ personal information, but you also have to worry about keeping all communication secure, so that your client knows there’s no chance their case will end up falling into the wrong hands.
Lawyers deal with an absolutely brutal amount of email. There are often multiple conversations between clients, partners, and just about everyone else involved in a case. Magnify that by however many cases they’re currently dealing with, and you’ve got an inbox that is practically overflowing on a routine basis. When you’re dealing with that kind of volume, keeping your security and confidentiality in check can be a hassle. Email encryption provides a solution to this problem, as encrypted emails are protected by default, meaning that there’s no need to download and archive hundreds of messages in order for the information within those messages to be secure.
A data breach can be potentially crippling for any business, and this is especially true for lawyers. In addition to financial records and any health insurance data they might store on their employees, they also must protect all of their clients’ records, as well as any other documents relating to cases that they are working on. Documents shouldn’t just be secured while they are being archived, either — every piece of sensitive information should always remain encrypted, even when it’s in transit. Failure to do so might lead to hefty penalties, not to mention a severely damaged reputation.
As a lawyer, you’ll likely encounter many different pieces of regulation throughout your career. Depending on what sort of cases your practice specializes in, your firm might find itself needing to encrypt all kinds of specific information. As if that weren’t complicated enough, regulation is often a moving target, with new specifications constantly changing what your firm is specifically required to do.
For example, if your firm frequently assists with real estate transactions, TILA-RESPA is likely to impact your practice. TILA-RESPA is an attempt by Consumer Financial Protection Bureau (CFPB) to consolidate and update a series of real estate and lending rules to help streamline the home buying process for consumers.
While TILA-RESPA does not explicitly require encryption, it does require that you protect the financial information of consumers. As encryption goes beyond the requirements for compliance, not only does it protect your business now, but it potentially protects it from future updates to the regulation.
To learn more, we reached out to Gordon D. Cruse, an attorney practicing divorce and family law in San Diego. When he’s not representing clients, Cruse also provides eDiscovery consultation through his firm eDiscovery Readiness and Results, which helps attorneys learn how to securely work with electronically stored information (ESI). An attorney and a digital security advocate, Cruse explained to us why he thinks every attorney should include email encryption as part of their overall security and privacy policy.
I do. What I use right now is Virtru — I just find it to be both incredibly easy and incredibly secure, so I can send the client data without risk of it being intercepted. As it is now, we have a policy that every client has to sign asking permission for us to use email to transmit sensitive data. We advise the clients that we can’t guarantee the security of using email without some sort of encryption software.
We suggest that they allow us to use Virtru because for us, it’s a matter of clip and switch. It’s literally just a slide bar on our mail program. We can then encrypt the email, and there’s nothing for our clients to download. They don’t have to get Virtru themselves and they don’t have to buy anything — there’s no cost to them — they literally just have to log in with their email address and then they’re able to get the mail that we send them. The email message is protected, and the attachment is protected.
Settlement agreements, which might encompass estates worth multiple millions of dollars, tax returns, credit card statements, pay information, brokerage account statements — things that I would have had to redact a great deal of info out of (which damages the utility of the document), or I would have had to photocopy and FedEx to the client with an email saying, “I have FedExed the documents to you. You’ll have them tomorrow. I cannot include them in an email.”
I’ve had this discussion with other lawyers. When you send an email, it doesn’t go from your computer to mine. It goes from your computer to whatever mail server, then bounces all over the place before it eventually gets to mine. Little bits can be left anywhere, and anyone with a packet sniffer can get that email. With many of these documents, you’ve given an address, social security numbers and bank account information. That sets your clients up for data theft, identity theft and credit card theft. It’s “below the standard of care” to send naked tax returns or other documents via email. You should at least be password protecting your documents, but you should also encrypt the email and attachment.
We’re always surprised at how trusting people are with their data.
On one hand, people have an inordinate fear of technology, but at the same time, they have this belief that the data inside the metal case of their computer is somehow safe. They have no understanding that the minute they plug into that network cable or they hook up to WiFi that they’re outright broadcasting data that any receiver that’s tuned correctly can intercept, or (if they have the right applications) read and understand. Anyone’s account can be hacked.
We’ve written about how limited email disclaimers are in scope. To be frank, they don’t really do much.
In California, our inadvertent client privilege material disclosure rules are a little stronger than the federal rule. Under the federal rules, if you inadvertently disclose attorney-client privileged information, then the privilege is waived and no side gets to use the stuff. In California, you’re supposed to notify the sender if you’ve inadvertently received privileged information, since the sender is blind to the fact they’ve sent it. You then have to return it or destroy it, not use it.
If you send a client letter in a Virtru secured email, and there’s an attachment, you can call it back. But the fact is: we’re all adults here. You know they’ve read it. You can’t unring the bell. It’s going to be there every time someone makes a decision affecting the case. Now, Virtru gives you the ability to recall any secure email you’ve sent, so you can at least shut off access if it went to the wrong person. It does require vigilance on the sender’s part — if you sit on that email for a week, for all you know, the receiver might have already logged on and read it, maybe even written things down.
The other thing I love is that I can stop people from forwarding what I’m sending. Sometimes, as a divorce lawyer, you run into the client who uses an email you sent as a way to intimidate their spouse: “Well, you know, my lawyer says.” Of course, that’s a confidential email, so being able to prevent forwarding is a very useful feature.
In some cases, you might be living in the same house as the person you’re having the dispute with, so privacy is a bit more complicated.
We always instruct the client to set up a new email account with a password that the other side won’t be able to guess (because inevitably, people tend to use the same kinds of passwords). You have to use a different password, and you can’t write it down.
By the time the client opens a new account, they’ve been married long enough that it’s really easy that at some point in the past they said, “Oh just copy that and send it to the accountant.” Well, it’s in their email account, so they might have given their spouse their password. While you have a defense because you only allowed conditional use of the password that one time, it’s still easier to avoid the problem and open a new account.
In the policy I have, we talk about using encryption. I say, “I will use Virtru on my end.” More and more of my clients agree to use it because it’s so simple. It doesn’t require that they do anything other than that one-time login.
Right now, lawyers are about 20 years behind where they need to be in terms of technology and security. I think that the fact that Virtru is so convenient will absolutely help it catch on. I’ve done Virtru demonstrations for colleagues simply by saying, “I’m going to send you a secure email,” and then sending the email. It costs nothing, and then you compare that to something like Pretty Good Privacy (PGP), where you pay, get an encryption and a decryption key, and then the client loses the key within the first week. Now you have to fix it by creating a new key for them. It’s just hassle after hassle, versus Virtru.
With Virtru, you slide the little bar over, click how long you want the email to last, select whether or not you want it to be forwarded, add any attachments, and click send. Done. It’s idiot-proof.
The other thing that’s good about Virtru that a lot of lawyers don’t understand is that any time you do cloud storage — and in a way, Virtru is cloud storage for lawyers, since your messages are in an off-site email server — here we have control over the physical media. Even if Virtru is served a subpoena, the data is encrypted and unreadable. So the client’s data is protected, the servers are in the United States and I understand the law of this country, since I’m an attorney who lives here.
By using email encryption, I’ve done everything I can, well beyond the standard of care, to make sure that my client’s data is protected, even if it’s sitting on Virtru’s server. I don’t understand why every lawyer isn’t using this.
With the complicated nature of family law, privacy can get hairy, so it’s important to take all necessary measures to protect your clients’ data. Email encryption is a big piece of that puzzle. But email encryption isn’t just a great way for attorneys to look out for their clients. Whether you’re a lawyer worried about attorney-client privilege, a doctor on the hook for HIPAA compliance or simply an individual user looking to improve your own online privacy, encryption can help you make sure that your email stays between you and the recipient.
Ready to adopt email encryption for your law firm? Contact our sales team today to learn more about Virtru.