The confidentiality hole
August 27, 2008 at 08:09 PM
Every day law firms treat client communication with unwitting disdain. Confidential or sensitive material is passed around on email, completely unprotected; law firms might as well commit the contents to open postcards for the world to read.
The legal profession has been woefully slow to consider, let alone embrace email encryption, although security measures proliferate in IT environs. The position is reckless, not to say potentially negligent.
Recent research has revealed an alarmingly apathetic approach to the whole issue of email encryption. Many firms take the view that, unless clients specifically ask them to tackle the issue, they are not going to bother. Indeed, some have admitted they hope that clients do not ask them to encrypt email because they would have no idea how to do it.
The profession has failed to understand the implications of email insecurity and to address the problem. It is seen as a 'technology' problem when it is really an issue that goes to the very core of a solicitor's professional obligation of confidentiality to a client.
A recent survey threw up some worrying findings. Research group StrategyOne explored attitudes and behaviour towards email confidentiality among law firms to determine their awareness and use of email security solutions. The survey sample consisted of 201 solicitors (both partners and non-partners) across the UK.
There was a widespread – and seriously mistaken – belief that anti-virus and spam prevention solutions somehow protect the contents of an email. Because many of these software solutions are classified as email security software, people think they secure email. In fact, such software simply protects the recipient from unwanted or harmful email; it does not affect or protect the email itself.
The profession's problem with email security has been further highlighted by a related survey finding that, although people believe email is the least secure method of communication, more than half of a law firm's daily email traffic contains confidential information. Furthermore, 82% of respondents confirmed they knew that external email passed through many places before reaching the intended recipient. Yet probably less than one percent of email traffic is protected.
The Law Society is in the vanguard of advising firms to tackle the issue. The Law Society's Email Guidelines for Solicitors were published as long ago as 2005. They remind law firms that, during transmission, email messages pass through the hands of unregulated service providers and that networks used by the internet are vulnerable to 'hacking'.
Firms are recommended to provide a facility for retrieving and automatically decrypting encrypted incoming email; and automatically encrypting all outgoing email to those offering similar facilities.
The guidelines are intended to encourage best practice, including encryption, but most solicitors seem unaware of them. Those who are aware ignore them, either because they do not appreciate the risks, or they are prepared to take the risk with their clients' confidences, or they mistakenly believe that they are already covered. In any event, the effect is the same – the emails continue to travel on the internet completely unprotected.
The Data Protection Act 1998 also requires 'appropriate security precautions to be taken against accidental loss or destruction of, or damage to, personal data'. Much of the confidential information in emails also constitutes personal data.
The Solicitors Code of Conduct requires solicitors to keep clients' affairs confidential – a fundamental professional obligation.
All these provisions apply to all confidential data either stored or passing through a system. They are relevant directly to data contained in email or any attachments. Yet, the research indicates that despite the recommendations contained in the email security guidelines issued by the Law Society, less than 10% of UK law firms encrypt email.
For now neither the Information Commissioner, nor the Solicitors Regulation Authority, nor the professional indemnity underwriters have developed any initiatives in mandating encryption as a service to clients but it can only be a matter of time.
What is also really surprising is how willing solicitors are to bury their heads in the sand even though there is little doubt they would be liable should there be any incident involving loss. In the face of the Law Society's recommendations, it is unimaginable that it could be argued successfully that failure to secure emails did not amount to a breach of the duty of client care.
Even more surprising is the failure of litigators (particularly criminal litigators) to be concerned. The legislation passed in recent years – ostensibly to counter organised crime and terrorism, and yet used in relation to even the most minor matters – gives almost any part of the executive sweeping powers to obtain emails without the knowledge of the parties – yet communications between all parties in criminal proceedings (including counsel and the clients) are sent routinely by email.
Anecdotal evidence suggests that many larger firms have encryption software capability in some form but hardly ever use it. This is primarily because the email recipient has no corresponding encryption capability, although some firms do set up an encryption procedure for specific clients.
In general terms, only very large law firms, with IT departments resourced to manage such technology, regularly encrypt email and, in almost all cases, this is in response to a major corporate enterprise demanding its use, rather than any general recognition that clients' data should be protected.
Those firms that have tried to address the issue have come up against the problem that encryption only works if both sides of the conversation use it. A disparity in technical ability between the two parties can mean that even if one side is capable of implementing an encryption solution, the other will not be.
Many of the available solutions are too complex for smaller organisations, whether the lawyers or the clients, to implement, but that need not be the case.
There are solutions that can be bespoke to the client and lawyer relationship, that are easy to implement and cost effective to maintain. Technological know-how and cost are no longer legitimate excuses for inaction.
There is no doubt that this issue will continue rising up the regulatory agenda. Sooner or later, probably sooner, we will look back on the period when we were sending all our confidential information on electronic postcards and wonder how we let it go on for so long and how lucky we were to have avoided disaster.
David Ford is chief executive of Securecoms.