70% of Lawyers Think Words Make Email Safe, Are Incompetent

securityprecautionstaken
computer-security-guide-cover-2nd-ed

4-Step Computer Security Upgrade

Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.

If you think a confidentiality statement in your email counts as a precaution when you are sending confidential information, you are incompetent. We can argue about whether precautions are necessary in the first place, but there is no argument to be made that words constitute a precaution. Disclaimers (including confidentiality statements) are pointless.

Apparently 70.7% of lawyers responding to the ABA’s technology survey fall into that category.1 I’m just so discouraged by that. Even more discouraged than I was on discovering 70% of lawyers don’t think they use the cloud. Lawyers who don’t get this: you are not competent to represent clients.

Every lawyer should have a way to communicate securely. It doesn’t have to be encryption. I’m a fan of secure client portals, which many lawyers already have even if they aren’t using them.


  1. It looks like respondents could select multiple options, or another 26.4% think putting the confidentiality statement in the subject line makes a difference. 

Subscribe

Get Lawyerist in Your Inbox, Daily

Current Articles
Current Lab Discussions
  • Jamie Sutton

    Any suggestions on sending secure/encrypted emails? I know that the practice management software we’re planning to use has client portals, and that’s technically going to be the most secure way. But prior to officially retaining someone/opening a matter, or during the info/intake gathering phase, it doesn’t always make sense to use a client portal and we just wind up using regular old Gmail more often than not

    • Anything you use is going to require the recipient to set something up on their end or sign up for a user account with some service. Why not just create contacts for potential clients in your client portal?

      • Jamie Sutton

        Yeah, it’s a possibility I guess. My anecdotal experience is that clients really will rarely ever follow through on using a client portal unless they’re forced to, and that they never seem to like it.

        • Clients don’t like paying you, either. That’s not a reason not to get paid.

          Look, earlier you mentioned the keylogger situation. That’s a good example, because if you know someone is using a keylogger to intercept your client’s attorney-client communications, you cannot ethically communicate anything through the compromised system. The same goes for work computers where the employer is the defendant. But what about confidential information where you don’t have any specific reason to think it is being intercepted?

          As I said above, you don’t have to secure all communications. If you’ve done the math and you think email is fine, go ahead and use it. But if you’ve done the math and you think you need extra security, suck it up and use extra security. Explain to your clients and potential clients why you are doing it, and why not doing it is irresponsible, if not unethical. Having that conversation is your job.

          Lawyers who aren’t willing to talk to their clients about security and use extra security when necessary, shouldn’t be representing clients. (I don’t mean to suggest this describes you, but looking at that chart, it describes an awful lot of lawyers.)

  • BillyBobSpeaks

    Client portals sound fine, but I am interested in hearing about options to this, apart from ceasing email use and encryption; surely other alternatives exist.

    Something that strikes me about the portal method is the attorney and client still seem to be entrusting information to a third party (i.e., the portal).

    So, what if the portal is compromised? If the OPM can be hacked, etc.

    • I mean, there are a lot of different portals, including those mentioned in the comments to this post. And there there are email encryption services like Virtru that basically function as a portal.

      Some offer “zero-knowledge” encryption, which means that even if this portal provider is hacked, your data should be secure.

      With or without zero knowledge encryption, it’s probably more secure to use a third party. Email encryption is really hard to get right on your own. Even the security experts Edward Snowden worked with screwed up email encryption at first.

      As for other options, I’m not really aware of any. If you want to communicate securely with clients in text over the Internet, you either need to adopt some kind of portal (again, there are a lot of options), or else figure out email encryption.