Email Encryption

Why aren’t you encrypting the email that you send to your clients? I mean, c’mon, at least the communications that contain legal advice and sensitive personal data.

You wouldn’t let an unrelated third-party rifle through your file room each night, would you? That’d be ridiculous and unethical, and ridiculously unethical (or unethically ridiculous, I can’t decide). And likely — if you’re storing Personal Health Information – it would be a reportable breach. Have fun explaining that to HHS.

I don’t imagine you’d let a third-party record the phone calls you make to your clients either? I mean, at least not without getting informed consent. That’d be a blatant failure to safeguard client information. And even if you did get their consent, it’d call into question your client’s privilege.

Suppose you had a confidentiality agreement with that third-party? Would that be enough to safeguard the information? Would it be enough to protect your client’s privilege? I don’t imagine it would comply with HIPAA, or GLBA. You’d probably need a Business Associate agreement for that. But would that even be enough to protect privilege?

Here’s my point. It’s likely you use a third-party as your email server (Microsoft Exchange, Gmail, Yahoo, AOL, etc…). Or at least, your client does. Are you positive that your data is unreadable while it sits on your server? How about your client’s server? What about when it’s in motion from server to server? Can anyone other than you or your client read the contents of your email? If you don’t know the answer to those questions, you need to assume the information is readable.

This can get complicated pretty quickly. And it’s awful cavalier to rely on other parties to protect your client data for you. The hope-and-wish method of data security is not useful for a lawyer. “I sure hope no bad actors are reading my clients’ information right now,” and, “man, I wish my provider had better out-of-the-box security,” aren’t what your clients paid for.

So, let’s get a basic handle on the mechanics here.


EMAIL AND EMAIL SERVERS:

Everybody knows that when you create and send an email, an enchanted invisible carrier pigeon comes to your computer, uploads the email file onto a USB thumb drive attached to its leg and then flies off and delivers that information directly to the recipient’s computer – unseen, and at the speed of light. It’s almost like magic. Unicorns are involved. It’s inherently secure – it’s inherently safe. We’ve been trusting pigeons with our messages for millennia, and for good reason – they can’t even read. It’s the perfect system. I just wish it were real.

The truth is, when you send an email, your data exists in many different places, pretty much at the same time. And in a lot of those places, it stays there for much longer than you’d like to think. Although the specific mechanics of each journey may vary a bit, a typical scenario will give you the gist of it.

When you create an email in a local version of Outlook (one on your computer, not in your browser), your draft and a copy of the final email live on your computer – most likely in your local files (C:\Users\[Your_User]\AppData\Local\Microsoft\Outlook\OutlookDataFile.ost). When you hit “send”, the information in that email is transferred to the outgoing email server of your Email Service Provider (your remote Microsoft Exchange server, for example). From there, your outgoing email server relays this information to the recipient’s incoming email server, let’s say Google. That email server then relays the information directly to the recipient, either to their computer, or to a remote location where they can access it. So, at this point, your information has existed on at least four different machines, three of which you have no control over.

Keep in mind, however, this is not a bucket brigade passing your information from hand to hand without leaving any trace. At a bare minimum, each email server stores a copy of your data, either for their records or for quick access later. And there are likely many other players who have stored a copy of your information for various reasons. (Ahh, the wonders of infinite reproducibility). So here’s a communication with your client, sitting on at least three foreign machines, and travelling god-knows-how-far along wires and fiber-optic cables that you have no control over – and you can’t say for certain whether it has been encrypted or not. That sounds fun.

Now, transferring information in this way is not inherently problematic. We’re not automatically sharing information with a third-party when we use telephone wires to make a phone call. However, when one or both of the owners of the email servers start to analyze the information that you’ve sent through their system (whether to feed you ads, or to aid in your productivity), you’ve got four serious problems to think about: 1) the exposure of confidential client information, 2) the potential waiver of attorney-client privilege, 3) the possible disclosure of Personal Health Information as it’s defined in HIPAA, and 4) the possible disclosure of protected financial information under the GLBA.


HOW YOUR DATA IS TREATED

The best way to mitigate your risk here is to trust no one. Assume that your information is being copied, read, and sent all over the place every time you send something out. Take a look at a few of the more common providers’ terms of service for some enlightenment:

Google’s free version specifically mines the information “about” your email in order to aggregate it and sell it to third parties and serve you ads. While the GSuite version doesn’t feed you ads, both agreements appear to be silent on whether they mine the actual content of your email.

This one’s pretty simple: Yahoo literally “analyzes and stores all communications content,” whether you use their paid service or not. At least they aren’t dancing around it.

AOL uses the same privacy policies as Yahoo. Which makes sense – they’re owned by the same company.

It would appear that Microsoft does not aggregate your data and sell it to third-parties. Which is helpful, since they will also sign a Business Associate Agreement with you if you go through the right channels. However, it would still appear that they analyze your email information for their own internal purposes (ostensibly to help you).

As you can see, even when you pay for the service, it is highly likely that your provider is looking at the content of your email for various reasons, which are not necessarily nefarious. You just have to assume that it is happening and take appropriate precautions for your sensitive communications.


SOLUTIONS

At the end of the day, the best method for addressing each of these problems is to encrypt all sensitive communications. This may seem like more club than is needed, but the interplay of these problems makes it the best solution. A waiver won’t work, and business associate and confidentiality agreements aren’t broad enough.

Waiver:

Can’t we just get written informed consent from our client? I mean, most of our ethical issues can be solved this way, right? Why not this one? If a lawyer isn’t dealing with PHI and isn’t covered by the GLBA, this could be a simple and effective solution. Just, tell your client what’s happening, and let them consent to it. This could work. But only if you’re never concerned with privilege in your email communication.

You see, getting your client to a point where he or she can make an informed decision also lets your client know that none of your communications are totally private. And so far, the relevant factor in maintaining privilege in email communications is whether the client had a reasonable expectation that his or her communications were private (see Resources 1–8). If you go off telling everybody that they aren’t private, there goes your argument. Now, I’m not sure that a judge will find that disclosure to Google’s email servers waives the attorney-client privilege. But I don’t want to be the guy defending against a motion that could have easily been avoided.

Enter asymmetric encryption . . .

“But wait, you didn’t even talk about Business Associate agreements, or confidentiality agreements.”

You’re right. Because even using those, you still have an attorney-client privilege problem, so they aren’t a complete solution. Additionally, how do you propose to execute a Business Associate agreement with your client’s email server provider? One should rely on those only for their intended purpose, allowing you to disclose information to the end user.

Can I get back to encryption, now?

Encryption

Basics:

When encrypting email, we typically use asymmetric encryption (symmetric encryption, where both sides share a single secret key, is not really private). This means that a public and private-key pair are created by a user (you). You then keep the private-key secret from the rest of the world and distribute the public-key to anyone that you want to be able to send encrypted email to you. The sender (your client) then uses the public-key to encrypt the email that she sends to you. That email can only be decrypted using the corresponding private-key, which only you have (provided you kept it secret). In this way, both parties can be assured that even if a third-party has a copy of the encrypted email, unless the private key has been compromised, the third-party cannot read the contents. (Side note: as with all encryption methods, if a third-party wants to decrypt your content badly enough, they can. They’ll use brute force and essentially try every combination of keys out there until they find yours. So, it’s not exactly correct to say that a third-party “cannot” read your contents. You just want to make it unreasonable for them to try. Because, as you can imagine, brute force takes time and money.)
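The public-key/private-key exchange just described, as an added example that is not from the original article or any product it names. It goes one step beyond the paragraph in showing the layout PGP and S/MIME actually use: the message body is sealed under a one-time AES-GCM key, and only that short key is sealed to the recipient’s RSA public key. The blob Seal returns is [wrapped AES key][12-byte nonce][ciphertext], which is all the mail servers on the way ever hold; Open needs the matching private key. Function names and the RSA-OAEP/AES-GCM choice are this example’s own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client's side: body under a one-time AES key, that key under the lawyer's public key.
func Seal(recipient *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and GCM nonce for this message only
	rand.Read(buf)             // crypto/rand.Read never returns an error (Go 1.24 docs)
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append(wrapped, nonce...), nonce, plaintext, nil), nil
}

// Open works only with the matching private key; a server holding the blob gets an error, not text.
func Open(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size() // the wrapped key is exactly one RSA modulus long
	if len(blob) < n+12 {
		return nil, rsa.ErrDecryption // truncated: no room for wrapped key and nonce
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:n], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[n:n+12], blob[n+12:], nil)
}
```

Generate the lawyer’s key pair once with rsa.GenerateKey, hand out only &priv.PublicKey, and note that a wrong key or any single flipped byte in the blob makes Open return an error rather than garbled text.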

So how do we use this in our daily practice?

  1. Set up a key-pair system between you and your clients on your own, or
  2. enlist a third-party to help you create and maintain this system.

In-house public/private-keys:

With this method, you download a program onto your computer that allows you to create and manage your public and private-keys (like GPG). You’ll then either use an email provider that integrates this into their system or get a plug-in to do it for you. Although you have the most control over your encryption this way, your intended recipient will need to be set up appropriately for it to work. It’s great for inter-office communication, but probably not workable for your most recent divorce client.

For those of you who are interested, we’ll discuss methods of setting this up in a later article. However, for now, you can get more information at: GnuPG.org, or you can look into the Encryption provided by Office365 (if you are a customer).

Third-Party encryption provider:

In using a third-party encryption provider, you’re dispensing with the need for your recipient to be set up with a public/private-key manager. However, your encrypted communications will need to be initiated by someone who has this third-party service (in this case – you), and your communications will typically be routed to that third-party’s platform.

There are a few services out there, including Barracuda, PGP (Symantec), JumbleMe, and Sendinc, that will allow you to send an encrypted email without the hassle of the public/private-key exchange. There are also some plug-ins for Google Chrome and Firefox that will allow you to do the same. You will, however, need to vet their security.

Non-email-based communications portals:

Another way to make sure that a third-party doesn’t snoop is to refrain from using a third-party for those communications in the first place (and then encrypt that information).

I’m not saying that all of your communications need to be via letters or phone calls. (Carrier pigeon would work pretty well too). Communicate with your clients using a secure portal that they log-in to and leave you messages. This is my favorite solution, not only because of the control you have over the security, but because you can incorporate this into a broader strategy for client communications. Look at how our banks have incorporated this into their overall client websites.

Now, if you don’t have the time or inclination to have this created for you, you may want to look into solutions like Slack, or Microsoft Teams – but again, make sure your information is protected and they are not snooping. The added benefit is that this may solve your, “I get text messages from my clients all the time and I have trouble organizing them,” problem.


CONCLUSION

If your emails are being “analyzed” by your, or your client’s, service provider, you likely run into confidentiality and privilege issues that cannot be solved with a simple waiver from your client or an agreement with the providers. As stewards of our clients’ information we cannot afford to trust anyone. Assume everyone is reading your email and protect it accordingly. Obviously, you don’t have to encrypt every email that you send, but you should make it a practice to do so when you are relying on the confidentiality or privacy of the information.

Resources

  1. Stengart v. Loving Care Agency, Inc., 990 A.2d 650, 663 (N.J. 2010).
  2. Sims v. Lakeside Sch., 2007 WL 2745367, at *2 (W.D. Wash. Sept. 20, 2007).
  3. National Econ. Research Assocs. v. Evans, 2006 WL 2440008, at *5 (Mass. Super. Aug. 3, 2006).
  4. Holmes v. Petrovich Development Co., 191 Cal.App.4th 1047, 1068-72 (2011).
  5. Scott v. Beth Israel Medical Center, Inc., 847 N.Y.S.2d 436, 440-43 (N.Y. Sup. Ct. 2007).
  6. Long v. Marubeni Am. Corp., 2006 WL 2998671, at *3-4 (S.D.N.Y. Oct. 19, 2006).
  7. Kaufman v. SunGard Inv. Sys., 2006 WL 1307882, at *4 (D.N.J. May 10, 2006).
  8. ABA Formal Opinion