Every day law firms treat client communication with unwitting disdain. Confidential or sensitive material is passed around on email, completely unprotected; law firms might as well commit the contents to open postcards for the world to read.

The legal profession has been woefully slow to consider, let alone embrace, email encryption, although security measures proliferate in IT environs. The position is reckless, not to say potentially negligent.

Recent research has revealed an alarmingly apathetic approach to the whole issue of email encryption. Many firms take the view that, unless clients specifically ask them to tackle the issue, they are not going to bother. Indeed, some have admitted they hope that clients do not ask them to encrypt email because they would have no idea how to do it.

The profession has failed to understand the implications of email insecurity and to address the problem. It is seen as a 'technology' problem when it is really an issue that goes to the very core of a solicitor's professional obligation of confidentiality to a client.

A recent survey threw up some worrying findings. Research group StrategyOne explored attitudes and behaviour towards email confidentiality among law firms to determine their awareness and use of email security solutions. The survey sample consisted of 201 solicitors (both partners and non-partners) across the UK.

There was a widespread – and seriously mistaken – belief that anti-virus and spam prevention solutions somehow protect the contents of an email. Because many of these software solutions are classified as email security software, people think they secure email. In fact, such software simply protects the recipient from unwanted or harmful email; it does not affect or protect the email itself.

The profession's problem with email security has been further highlighted by a related survey finding that, although people believe email is the least secure method of communication, more than half of a law firm's daily email traffic contains confidential information. Furthermore, 82% of respondents confirmed they knew that external email passed through many places before reaching the intended recipient. Yet probably less than one percent of email traffic is protected.

The Law Society is in the vanguard of advising firms to tackle the issue. The Law Society's Email Guidelines for Solicitors were published as long ago as 2005. They remind law firms that, during transmission, email messages pass through the hands of unregulated service providers and that networks used by the internet are vulnerable to 'hacking'.

Firms are recommended to provide a facility for retrieving and automatically decrypting encrypted incoming email; and automatically encrypting all outgoing email to those offering similar facilities.

The guidelines are intended to encourage best practice, including encryption, but most solicitors seem unaware of them. Those who are aware ignore them, either because they do not appreciate the risks, or they are prepared to take the risk with their clients' confidences, or they mistakenly believe that they are already covered. In any event, the effect is the same – the emails continue to travel on the internet completely unprotected.

The Data Protection Act 1998 also requires 'appropriate security precautions to be taken against accidental loss or destruction of, or damage to, personal data'. Much of the confidential information in emails also constitutes personal data.

The Solicitors Code of Conduct requires solicitors to keep clients' affairs confidential – a fundamental professional obligation.

All these provisions apply to all confidential data either stored or passing through a system. They are relevant directly to data contained in email or any attachments. Yet, the research indicates that despite the recommendations contained in the email security guidelines issued by the Law Society, less than 10% of UK law firms encrypt email.

For now, neither the Information Commissioner, nor the Solicitors Regulation Authority, nor the professional indemnity underwriters have developed any initiatives to mandate encryption as a service to clients, but it can only be a matter of time.

What is also really surprising is how willing solicitors are to bury their heads in the sand even though there is little doubt they would be liable should there be any incident involving loss. In the face of the Law Society's recommendations, it is unimaginable that it could be argued successfully that failure to secure emails did not amount to a breach of the duty of client care.

Even more surprising is the failure of litigators (particularly criminal litigators) to be concerned. The legislation passed in recent years – ostensibly to counter organised crime and terrorism, and yet used in relation to even the most minor matters – gives almost any part of the executive sweeping powers to obtain emails without the knowledge of the parties. Yet communications between all parties in criminal proceedings (including counsel and the clients) are sent routinely by email.

Anecdotal evidence suggests that many larger firms have encryption software capability in some form but hardly ever use it. This is primarily because the email recipient has no corresponding encryption capability, although some firms do set up an encryption procedure for specific clients.

In general terms, only very large law firms, with IT departments resourced to manage such technology, regularly encrypt email and, in almost all cases, this is in response to a major corporate enterprise demanding its use, rather than any general recognition that clients' data should be protected.

Those firms that have tried to address the issue have come up against the problem that encryption only works if both sides of the conversation use it. A disparity in technical ability between the two parties can mean that even if one side is capable of implementing an encryption solution, the other will not be.

Many of the available solutions are too complex for smaller organisations, whether the lawyers or the clients, to implement, but that need not be the case.

There are solutions that can be bespoke to the client and lawyer relationship, that are easy to implement and cost-effective to maintain. Technological know-how and cost are no longer legitimate excuses for inaction.

There is no doubt that this issue will continue rising up the regulatory agenda. Sooner or later, probably sooner, we will look back on the period when we were sending all our confidential information on electronic postcards and wonder how we let it go on for so long and how lucky we were to have avoided disaster.

David Ford is chief executive of Securecoms.