Header graphic for print
Law Practice Matters Insight on Small Firm Law Practice Management & Legal Technology

Should Lawyers Use Encrypted Email?

By Erik Mazzone on Posted in Digital Security, Ethics

A few days ago, a lawyer friend of mine asked if I meet a lot of lawyers who use encrypted email. I told him I hadn’t – that apart from the lawyers whose clients (banks, mostly) required the use of encrypted email, I hadn’t come across many other lawyers using it.

Undeniably, and maybe unfortunately for our collective productivity, email has become the communication backbone of many lawyers’ practices. Email is everywhere, chirping and beeping for our attention. No matter how tantalizingly close we get to Inbox Zero at night, few of us wake up without an Unread Email count bursting from our phones and computers.

Despite its ubiquity, though, email as a technology does not command much of our attention. I talk to lawyers every day who wonder if an iPhone or iPad is secure enough, or if using Dropbox will cause them problems for client confidentiality. But most of these same lawyers happily peck away at emails without ever considering how secure it is.

A Google search on “is email secure?” reveals a torrent of articles over the years on the topic, most of which conclude that email is not a terribly secure technology.

Given the general consensus that email is not particularly secure combined with lawyers’ penchant for avoiding or reducing risk, especially technological risk, it’s a bit surprising that there is not wider adoption of secure alternatives to email among the practicing bar. Using encrypted email is not an ethical requirement in North Carolina, and I don’t know of any jurisdictions where it has been required.

That said, with the continued clash of ethical self-regulation and technology, it won’t surprise me when some unsuspecting lawyer somewhere has a client communication intercepted and becomes the ethics test case for encrypted email. All lawyers are required to maintain the confidentiality of their clients’ information. If you, in the course of your practice, also have occasion to email trade secrets like, say, the recipe for Coca Cola, it’s probably a good idea to have some passing familiarity with encrypted email.

I’ve lately been experimenting with Enlocked, an email encryption software (still in beta) that has mobile apps for iPhone and Android as well as plug-ins for Outlook, Google Chrome, Mozilla Firefox and more. Enlocked is simple and free and in my early testing has been easy to use. If you’d like to read a primer with a bit more depth on how to encrypt email, here is a recent article from PC Magazine.

There may not yet be a need for a lawyer to encrypt every single email, but now is a good time to understand and experiment with encrypted email (or other secure communication) if for no other reason than to have another tool in your toolbox.

 

  • http://www.ofaolain.com David Whelan

    Good post, Erik.  I think your first paragraph underscores part of the omission of encryption.  There aren’t easy-to-use encryption tools that lawyers can ask their clients to use to decrypt the e-mail that is sent.  Sophisticated clients may be able to accomplish that, or lawyers can use pseudo-e-mail encryption that saves a copy on a remote site for the client to download via an e-mailed link.  Other than that, with the ABA’s 1999 opinion that encryption wasn’t necessary, I don’t see this moving unless a client demands it.

    • http://www.lawpracticematters.com/ Erik Mazzone

      Thanks for the comment, David. You make good points. At this point, I suspect that when the needle does eventually move on this the technology is going to move past encrypted email right into the space of hosted secure communications. That looks like what Dialawg has been doing as it morphs into Sendgine.

  • Eric Cooperstein

    A paper envelope is not a “terribly secure” technology either. A child can open an envelope. Multiple people, likely unkown to the lawyer, will have physical possession of a piece of mail. The contents can sometimes be read just by holding it up to the light, or opened by steaming and resealed.

    And yet, for about 2 hundred years, paper mail has been secure enough for the transmission of most lawyer communications.

    Ordinary email is far more secure than paper mail. Interception of email, which is a felony, takes a level of technological knowledge that few people posess. Prior to interception, it is nearly impossible to know whether the target will yield the formula for Coke or the lawyer’s lunch order. Few people with the technological knowledge to intercept email would be willing to risk getting caught just to find out that a lawyer likes pastrami sandwiches.

    When a lawyer’s office is broken into by a thief, it does not mean that the next day all of us will be required to post 24-hour security guards. It may be that someone will intercept a lawyer’s email someday (most so-called hacking results from user error, such as clicking an unknown link) but that will not mean that regular email is no longer a reasonable means of lawyer communication.

    Email is a critical tool for lawyers that helps them represent clients more efficiently and inexpensively. Let’s not allow unfounded fears to interfere with that.

    • http://www.lawpracticematters.com/ Erik Mazzone

      Eric, thanks for the comment and the healthy dose of common sense. I agree with your assessment generally – though I fear that is actually frightfully easy to intercept unencrypted email sent over an open network. But that is neither here nor there.

      Your comment highlights the folly of treating digital ethical issues not as corollaries to their analog cousins (email to paper mail) but rather as different (and typically more threatening) beasts altogether. Cf, Florida judges blocked with being Facebook friends with lawyers: 

      http://www.volokh.com/2009/12/15/florida-judicial-ethics-advisory-committee-forbids-facebook-friendships-between-judges-and-lawyers/

      Nobody would forbid judges from being *actual* friends with lawyers, but these digitized relationships (which many people, I think, would rate as being a paler shade of actual friendships) cause more concern. We could speculate on why that would be – fear of the unknown, perhaps – but the why doesn’t matter much.

      The Facebook thing doesn’t happen in isolation, either – there’s a lot of hand-wringing about the Terms of Service of various software (Apple’s Siri, Dropbox, Google, etc.) and the confidentiality of client data, when there is far less concern about individual IT consultants (to say nothing of office cleaning crews, etc.) with respect to access to confidential data. 

      I’m not trying to gin up “unfounded fears” and god knows I’m a fan of lawyers using tools to help them practice efficiently. If I had to appear before my State Bar on the issue, I’d want a lawyer like you representing me. I just don’t believe that the possibility of an ethics issue arising in this space is the least bit beyond the pale.

  • John Simek

    Erik,

    As usual, a timely post. While encryption itself is not overly difficult, management of the key pairs is a royal pain. I try to keep it simple for our clients and tell them not to worry about encrypted e-mail unless it is required by clients as you mentioned. If they need to send information via some electronic communication scheme, I tell them to put the data in a password protected Word or PDF document as an attachment. Having an open password on a Word or PDF file encrypts the contents. The caveat is not to use a dictionary word as a password or to state the password in the message contents. Duh. :-)

    -john-