When communicating with clients, email is by far the most common method. It’s also the one that most people prefer. When asked their preferred method of contact by a company, 61% of those surveyed choose email.
Email is convenient, travels instantly, and can be used to share links, file attachments, and coordinate calendar invites. But all those messages flying back and forth can also be fraught with security problems for lawyers if email isn’t handled properly.
In the digital age, law firms have certain responsibilities that come with protecting digital information. According to the American Bar Association (ABA) Rule 1.6: Confidentiality of Information:
“(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
More guidance on a lawyer’s responsibility to protect client communications and email in particular can be found in ABA Formal Opinion 477R: Securing communication of protected client information.
In determining when additional security methods are required to protect emails and client communications, the committee cited factors outlined in paragraph 18 of the Comment to Model Rule 1.6. These factors can help law firms determine when to take additional measures, such as encryption, for email communications:
- The sensitivity of the information
- The likelihood of disclosure if additional safeguards are not employed
- The cost of employing additional safeguards
- The difficulty of implementing the safeguards; and
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Taking guidance from Opinion 477R, here are several best practices for how lawyers should use email communications with clients and keep them properly secured.
Best Practices for Secure Email Communications at Law Firms
Understand the Nature of the Threat
Not all email communications and situations are the same. For example, emailing your client an appointment reminder from your office carries a lower risk than having your office email you a sensitive case file while you’re out on the road using public Wi-Fi.
It’s important to understand the nature of the threat so you can apply the appropriate protections (e.g., email and attachment encryption, use of a VPN for your connection, etc.).
Some things to consider include:
- How sensitive is the information?
- Would disclosure represent a serious data breach?
- Where is the data being transmitted from and to? (Secure connections? Public Wi-Fi?)
- How secure is the device being used to access the data?
Understand How Your Office Transmits & Stores Confidential Client Information
Emails can be accessed online and from software on any device, even a smart watch. You need to understand what types of devices emails are being accessed with and how you’re managing and monitoring those devices.
For example, if a lawyer is using his personal iPhone to read client emails, is that device being properly tracked and protected if it’s lost or stolen?
Do the devices used for email have antivirus/anti-malware installed to catch any threats that might come in via phishing emails?
Are emails archived locally on a computer or in the cloud?
All these are important things to consider when you’re thinking about email security.
Identify & Use Reasonable Electronic Security Measures
Not all emails need to be encrypted; there are other security measures you can use to protect client information being transmitted via email. It’s important to identify all the tools you have available, so you can deploy the needed measures to protect communications.
Some of the potential email security measures you can choose from are:
- Email authentication
- Email encryption
- Spam/phishing filters
- Secure Wi-Fi connection
- Firewalls
- Antivirus/anti-malware
- Document protection policy software
- Emails that encrypt or delete themselves after a certain time period
Discuss Email Security Levels With Clients
Your office may have the most sophisticated email security tools there are, but what about your clients? Not all clients will have the same capabilities when it comes to securing electronic communications.
It’s important to discuss how to email safely and what safeguards they may have in place at their organization. If their email security is limited, you may want to advise alternate methods for sensitive communications and file sharing.
Label Client Confidential Information
A best practice when sending emails is to mark all your communications with a security classification level. This may be “privileged” or “confidential” or “public,” for example.
By ensuring each communication is properly labeled, you help avoid confusion by a recipient as to how they should protect the data in a particular email. You also show that your law firm is putting forth reasonable efforts to protect client communications from being compromised.
Using a tool like sensitivity labels in Microsoft 365, you can set up a labeling system that can automate the process and apply certain security procedures based upon the label you give.
For example, you can set up the system to require all employees to add a sensitivity label designating a security level for their email communications, set a default label, and have encryption and watermark rules attached to a specific label.
Provide Security Awareness Training for Lawyers & Other Team Members
As part of your responsibilities to protect client data from being compromised, it’s important that your team understands IT security policies, how to protect data, and general cybersecurity hygiene (such as using strong passwords).
Security awareness training can help mitigate one of the major causes of data breaches and cybersecurity incidents, which is human error. Ensuring users are well trained can decrease as much as 90% of cybersecurity risks.
Conduct Due Diligence on Email Vendors
Make sure you conduct due diligence before committing to a particular email software app to ensure it meets security and compliance guidelines. Check out encryption policies, cybersecurity safeguards, and how your data is protected on the firm’s servers.
Ensure You Have Smart & Secure Email Policies In Place
ProdigyTeks can help your Chicago law office put smart and secure email policies in place.