You should be able to communicate with clients more securely than you can with email. That doesn’t mean you have to learn to encrypt your email, but it does mean you should have a secure communication portal (MyCase is the example I will be using in this article) in your toolbox.
The Problem with Email
Email has a lot of problems for attorney-client communications. The headline-grabbing problem is that a variety of government agencies are reading all the email they can get to — which is most of it. The related problem is that just about anyone else who wants to can do the same thing. That goes for script kiddies as well as, less nefariously, employers. Since employers generally own their employees’ computers, they can monitor the activity on those computers, including emails and web browsing. So can many spouses.
In other words, when you send an email to your client, someone other than your client is almost certainly reading it. However, you have a duty to use reasonable efforts to prevent that.
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Rule 1.6(c) of the Model Rules of Professional Conduct.
On the one hand, you can throw up your hands, decide there is nothing you can do, and go on using email just as you are now. But (a) that isn’t even an effort, much less a reasonable one, and (b) it is not true. There are at least three things you can do to prevent third parties from intercepting your communications with your clients.
Options for Communicating Securely with Clients
First, you could stop using email except for relatively trivial communications. There probably isn’t much to worry about if you send directions to your office to a client via email, for example, even if your client’s spouse or employer or a cop reads it. But you don’t want your client’s employer reading your emails about a lawsuit against that employer. Or a competitor reading your clients’ trade secrets. And you definitely don’t want to risk the FBI getting its hands on your email communications with criminal defense clients.
The frustrating and ironic thing about GPG[, the standard email encryption software,] is that even experts make mistakes with it. Even, as it turns out, Edward Snowden.
Poorly implemented email encryption is effectively the same as not using email encryption. Using email encryption with clients also means means teaching them how to use it. Besides turning you into your clients’ tech support, that means you will have a lot of non-experts on the other end of your communications. If you aren’t a security expert and you don’t want to handle your clients’ tech support, there are better options for securing your communications.
There are all kind of in-between and ad hoc options, but they all have problems. What you need is something that is easy for you and your clients to use together, convenient, and effective. I think the best option is a secure, web-based communication portal.
What is a Communication Portal?
A communication portal is a website built for messaging. In order to send a message to your client, you log into the website, type your message and attach files, and send it. Then the website notifies your client that she has a message, which she can read and respond to only by logging into the website.
Requiring your clients to log into a website does mean they will have to remember yet another username and password. This is inconvenient, but (a) it is an inconvenience common to many websites, and (b) it is far less inconvenient than teaching them to use email encryption. Besides, it gives you a chance to talk about good password practices with your clients.
Offloading security to a third party — the portal — is like hiring an expert to take care of security for you. You definitely have to trust the company that hosts your portal, but its experts are far less likely than you to make mistakes (unless you happen to be a security expert yourself).
If a communication portal sounds complicated, don’t worry. It isn’t. Most modern practice-management software includes a secure client portal. Here’s how it should work.
How a Secure Communication Portal Should Work
When you are evaluating a communication portal (and there are many options), you need to make sure that email is used for notification only. All substantive information, including messages and files, must stay safely within the portal. Here’s how it should work in practice. If you don’t recognize it from the screenshots, I’m using the popular MyCase practice management software to demonstrate a properly configured communications portal.
Make Sure Your Clients Can Log In to Your Portal
If you are using practice management software, you already have many contacts, and not all of them need to be able to log in to your portal. Your portal should let you choose which contacts you want to be able to log in and communicate with you. Enabling (or disabling) access for a contact should be as easy as checking a box.
To send a message through your portal, log into your practice-management software. You should be able to send messages and share files. Sending a message through your portal should be pretty much the same as sending an email. Just type your message and tap Send.
After you send a message, your client will receive a notification by email. The substance of this notification is critical. Notice that the notification above does not contain the message itself. It just has a link to sign into MyCase to view the message (along with documents, appointments, and billing records).
It is critical that the email sent to your client is just a notification. If it were to contain the message or file, you might as well skip the client portal and just use email. This is why most project-management software like Basecamp or Teamwork is inappropriate for case management. Project-management software is designed for efficient collaboration, not secure communication. That’s fine for software development, but not for attorney-client communications.
When your client logs into your secure portal to receive a message or download a file, their connection to the portal must be secure. That means you should look for HTTPS in your browser’s address bar. That means the website is secured with SSL (the same encryption technology used by banks) and is secure from most snooping.
SSL is not foolproof, but it is very effective against Internet-based snooping (read: the NSA, FBI, and employers using the network to listen in). If you have reason to believe a spouse, employer, or someone else might be using a keylogger or other technology to (illegally) end-around your security precautions, you should definitely counsel your clients to take additional steps. But a secure client portal is much more secure than email alone.
Lawyers need a way to communicate securely with clients. A properly-configured communication portal like MyCase is a great way to get away from email for confidentail communications — especially if you are already using it for practice management.
The best way to get your clients on board with your communication portal is to just explain the problems with using email, and tell them to expect a notification to sign up for your portal (remember, all you have to do is check a box). Once you set them up and start using your communications portal as your default, they will go along with it.
And you can rest easier knowing your confidential attorney-client communications are likely to stay that way.
Featured image: “Two tin cans joined with a cord on a wooden background for primitive communication.” from Shutterstock.