Firing off an email to a client may become a bit more complicated as some in-house legal departments are looking to email encryption as a way to combat law firm data breaches.
But adopting the technology hasn’t always proved easy.
Corporate counsel are encrypting emails with outside counsel on sensitive matters, including high-stakes litigation and mergers and acquisitions. But every company is approaching this differently as in-house lawyers work to implement best practices. Some in-house lawyers said complications in technology and installation are hindering their efforts.
“I never considered something like this before I came to Sophos,” said Eleanor Lacey, the network security company’s senior vice president and general counsel, who joined from SurveyMonkey in November 2016. “But I should’ve, because law firms have had data breaches.”
Late last year, Preet Bharara, U.S. attorney for the Southern District of New York, announced that three Chinese nationals had been charged with hacking into two national law firms to steal information on upcoming M&A deals. According to the unsealed indictment, the three individuals illegally profited $4 million from insider trading. Though the complaint did not name the law firms, The American Lawyer reported the firms likely were Weil, Gotshal & Manges and Cravath, Swaine & Moore, where cyberbreaches previously were reported.
In December, state bar associations issued warnings about phishing emails with malicious attachments purporting to be from “The Office of The State Attorney Complaint” that lawyers received in several U.S. states.
Email encryption is a company-by-company issue, predicted by neither company size nor budget. In-house counsel at billion-dollar revenue makers, who did not comment for attribution, said installing email encryption is either not a priority for the legal departments or too cumbersome to install and train a department on its use.
Darcy Manning, former president to the San Francisco Bay Area chapter for the Association of Corporate Counsel and current GC and chief operating officer at skin care company DHC USA LLC, said her small company does not rely on outside counsel enough to lose sleep over email encryption.
But at Sophos, the decision to encrypt was obvious, said Lacey, the general counsel.
“We’re a security company,” she said.
Email encryption has two models, said UpLevel Ops co-founder and former Flex legal ops director Stephanie Corey. The message’s transportation or the message itself are encrypted. Method one is like using a lock box, Corey said; method two, like coding a message with a cypher.
For method two, “the content is encrypted, and it’s very difficult to implement,” Corey said, explaining that end-to-end encryption requires computer-by-computer installation. She said banking, finance and highly regulated industries rely on this type of encryption.
Lacey said she uses Sophos’ email and encryption products to encrypt every sensitive document emailed to her outside law firms.
“For documents, I’m asked, ‘Do you want to set a password?’ and so I do encrypt,” Lacey said. “I’ll give the law firms the password in another way, obviously not in that email.”
Lacey said she does this multiple times a day.
A legal operations professional at a Fortune 200 company, who was not authorized to have quotes attributed to her name or company, said her company has secured email “tunnels” with outside counsel on high-stakes litigation.
“We contacted our firm, they put us in touch with the right IT contact, who then talked to our IT contact, and it was done,” the source said, explaining the ease of the process. “Once it’s set up, it’s done. It’s invisible to me.”
The source also said some companies are skittish to publicly announce that they use email encryption because it could make them a “target” for outside hackers.
There are few community-driven conversations around email encryption in the legal industry.
“I can’t recall if we have had an ACC panel discussion on this, but it would be a great topic if not,” said Manning, the former ACC Bay Area president.
Sophos’ Lacey nominated herself.
“This hasn’t been something I’ve been evangelizing, but I should,” Lacey said.