How To Encrypt Attorney-Client Communications

computer-security-guide-cover-2nd-ed

4-Step Computer Security Upgrade

Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.

If you have decided you need to get serious about client data protection, you will need to consider encrypting both your data and your communications. We have previously covered how to encrypt your data and will focus here on how to encrypt your email communication.

What Is Encryption?

Simply by using the Internet, you are probably using some sort of encryption scheme during some activities, whether you know it or not.

Encryption is simply the act of turning your data into unreadable gibberish. If your data is intercepted or hacked, the thief now has nothing but a pile of garbage. 

End-to-end encryption is a must for transferring sensitive data across the internet. In end-to-end encryption, your data is encrypted while it travels towards your intended location and the same encryption occurs on the reverse trip. Your bank (hopefully) uses end-to-end encryption. Your practice management software (hopefully) uses end-to-end encryption if it stores and syncs data remotely. This sort of encryption is done for you without any effort on your part, as it is just a standard feature of the infrastructure you are using to bank or update client data or similar activities.

Why Do You Need to Care?

A few years ago, the ABA issued a formal ethics opinion stating that if there is a significant risk that a third party might gain access to the email, attorneys have to warn clients about that risk.

This poses a problem, because unlike your bank and practice management software, email is usually unencrypted. This is true whether you are using an desktop client or a web-based email like GMail.

Encrypting Email with Outlook

Fortunately, if you are using the desktop version of Outlook, there is an easy way to encrypt your email. Outlook lets you encrypt a single message or all your messages.1

While changing a setting in Outlook is relatively simple, encrypting your email isn’t a one-way street. The person receiving your email has to be able to decrypt your email and, ideally, send you encrypted email in return. That makes it significantly more complicated than simply scrambling your hard drive, because you need to give your recipient a way to send you encrypted messages and decrypt any message of yours.

As a first step, encrypting an email message (in Outlook or elsewhere) does exactly what you would expect: it transforms the message from readable text to gibberish. However, now you are sending gibberish to your client, which doesn’t seem very helpful. You need to give your recipient a way to decode your message, which is where the notion of public and private keys comes in.

You and your recipient first need to share something called a public key certificate. A public key is a string of letters and numbers that you give to anyone that wants it, either via your website, through Outlook’s contacts, or in person. If someone wants to send you encrypted email, they look up your public key. When you receive that email (which, remember, is complete gibberish), your private key — which only you possess — will decrypt that message.

In Outlook, this all happens behind the scenes once you have set up your keys. Outlook will encrypt attachments and inform you when you are emailing someone who does not have encrypted email set up and ask if you want to send a plain text email. Things work in a roughly similar fashion in other desktop clients like Mozilla’s Thunderbird.

Encrypting Web-based Email Clients

If you are using a web-based email client, things can get much clunkier. Here, for example, is the software required for Lifehacker’s “easy” email encryption.

These are, by computer wizard standards, relatively minimal steps. The Freedom of The Press Foundation has a very extensive guide on how to set up PGP (Pretty Good Privacy) encryption in the most secure fashion possible. That guide also points out, however, that setting up PGP is so user-hateful that Glenn Greenwald had difficulty getting it to work so he could talk securely to Edward Snowden.

After you install all of that software and get up and running, you will need to ensure that all your recipients do the same, just as with Outlook, because that encryption will only work if both parties sign on. The upside of the more complicated method is that PGP is likely superior to the encryption Outlook offers.

Using a Secure Client Portal

A less difficult alternative is to communicate with your clients via a secure client portal. You already use secure portals even if you don’t call them that. When you contact your bank via their website to make transactions and communicate with bank personnel, you are working within a secure portal. The portal is an encrypted location where all communication takes place, rather than using email to send documents and information back and forth. Several case management software applications, including Clio and MyCase, already have portals built in. Typically, all you need to do is give your client login information to navigate the portal. The portal allows the client to view calendars and tasks and send documents like drafts, emails, and bills.

From the client’s perspective, the portal is a much less daunting task than dealing with encrypting their email. Everything inside the portal is encrypted, and as long as you can convince your client to only communicate via the portal rather than conventional email, you will have moved your client communications to a secure and encrypted environment.

As far as being certain that you are meeting your ethical obligations to ensure the relative security of your communications with a client, Outlook’s encryption and a client portal may be sufficient. But regardless of which method you choose, it is likely lawyers will find that both clients and the ABA have an increased expectation of email privacy, and attorneys will need to take steps to ensure that expectation is met.

Featured image: “encrypted digital lock” from Shutterstock.


  1.  The instructions at the link are for Outlook 2010 running on a Windows machine. Instructions are substantially the same for older versions of Outlook and Outlook for Mac. 
Subscribe

Get Lawyerist in Your Inbox, Daily

Current Articles
Current Lab Discussions
  • The post forgets to mention Virtru: http://thedroidlawyer.com/2014/09/gmail-encryption-virtru/. This is much easier than the method described.

  • E-mail encryption is a nice idea, but given how mobile both we and our clients are, and on how many different platforms and devices we all access our messages, it’s almost impossible to implement on a uniform basis. As for 3rd party portals, I’m not sure that allowing our client communications to exist in a platform whose future, and encryption, we don’t control necessarily fulfills our ethical obligations for client record retention.

    Let’s all continue hoping that neither the ABA nor any state mandates e-mail encryption in order to preserve privilege; if that happens, we’re all in trouble. {Jonathan}

  • What about Protonmail? I was looking into it for a new client, has anyone tried it? Seems pretty simple.

    • Steve Aragon

      ProtonMail is fine, if you don’t mind your data sitting on servers in Switzerland. Have you considered a peer-to-peer solution that permits you to maintain control over your data, something that encrypts data at rest and in transit on the user’s device?

      There are a few products that do this, but the one I prefer is Encryptics. Like Protonmail and Virtru, it incorporates data rights management features to enable even greater control over the use of emailed content. But what might distinguish Encryptics is its implementation of peer-to-peer protocols that avoid placing data on Encryptics’ servers. Might be worth a try.

  • Daniel C

    There is now a new encrypted e-mail solution out there called Ghostmail.com. It is build on a Zero-Knowledge architecture which means only your password can decrypt the communication, meaning whatever is stored on the servers is useless to anybody who might gain access to your data. Chat is also supported. Best part is that there is a free version.

    • It looks similar to Virtru, which Jeff Taylor already mentioned elsewhere in these comments. These are great, easy-to-use ways to secure communications, but they are not the same as fully encrypted email. What they are is a secure portal the recipient can log into in order to read and reply to your message.

      That doesn’t mean they are bad, just that they are different than encrypted email.