If you have decided you need to get serious about client data protection, you will need to consider encrypting both your data and your communications. We have previously covered how to encrypt your data and will focus here on how to encrypt your email communication.
What Is Encryption?
Simply by using the Internet, you are probably using some sort of encryption scheme during some activities, whether you know it or not.
Encryption is simply the act of turning your data into unreadable gibberish. If your data is intercepted or hacked, the thief now has nothing but a pile of garbage.
End-to-end encryption is a must for transferring sensitive data across the internet. In end-to-end encryption, your data is encrypted for the whole trip to its intended destination, and the same happens on the return trip. Your bank (hopefully) uses end-to-end encryption. Your practice management software (hopefully) uses end-to-end encryption if it stores and syncs data remotely. This sort of encryption is done for you without any effort on your part, as it is just a standard feature of the infrastructure you are using to bank, update client data, or do similar activities.
Why Do You Need to Care?
A few years ago, the ABA issued a formal ethics opinion stating that if there is a significant risk that a third party might gain access to the email, attorneys have to warn clients about that risk.
This poses a problem, because unlike your bank and practice management software, email is usually unencrypted. This is true whether you are using a desktop client or a web-based email service like Gmail.
Encrypting Email with Outlook
While changing a setting in Outlook is relatively simple, encrypting your email isn’t a one-way street. The person receiving your email has to be able to decrypt your email and, ideally, send you encrypted email in return. That makes it significantly more complicated than simply scrambling your hard drive, because you need to give your recipient a way to send you encrypted messages and decrypt any message of yours.
As a first step, encrypting an email message (in Outlook or elsewhere) does exactly what you would expect: it transforms the message from readable text to gibberish. However, now you are sending gibberish to your client, which doesn’t seem very helpful. You need to give your recipient a way to decode your message, which is where the notion of public and private keys comes in.
You and your recipient first need to share something called a public key certificate. A public key is a string of letters and numbers that you give to anyone who wants it, either via your website, through Outlook’s contacts, or in person. If someone wants to send you encrypted email, they look up your public key. When you receive that email (which, remember, is complete gibberish), your private key — which only you possess — will decrypt that message.
In Outlook, this all happens behind the scenes once you have set up your keys. Outlook will encrypt attachments and inform you when you are emailing someone who does not have encrypted email set up and ask if you want to send a plain text email. Things work in a roughly similar fashion in other desktop clients like Mozilla’s Thunderbird.
Encrypting Web-based Email Clients
If you are using a web-based email client, things can get much clunkier. Here, for example, is the software required for Lifehacker’s “easy” email encryption.
These are, by computer wizard standards, relatively minimal steps. The Freedom of The Press Foundation has a very extensive guide on how to set up PGP (Pretty Good Privacy) encryption in the most secure fashion possible. That guide also points out, however, that setting up PGP is so user-hateful that Glenn Greenwald had difficulty getting it to work so he could talk securely to Edward Snowden.
After you install all of that software and get up and running, you will need to ensure that all your recipients do the same, just as with Outlook, because that encryption will only work if both parties sign on. The upside of the more complicated method is that PGP is likely superior to the encryption Outlook offers.
Using a Secure Client Portal
A less difficult alternative is to communicate with your clients via a secure client portal. You already use secure portals even if you don’t call them that. When you contact your bank via their website to make transactions and communicate with bank personnel, you are working within a secure portal. The portal is an encrypted location where all communication takes place, rather than using email to send documents and information back and forth. Several case management software applications, including Clio and MyCase, already have portals built in. Typically, all you need to do is give your client login information to navigate the portal. The portal allows the client to view calendars and tasks and send documents like drafts, emails, and bills.
From the client’s perspective, the portal is a much less daunting task than dealing with encrypting their email. Everything inside the portal is encrypted, and as long as you can convince your client to only communicate via the portal rather than conventional email, you will have moved your client communications to a secure and encrypted environment.
As far as being certain that you are meeting your ethical obligations to ensure the relative security of your communications with a client, Outlook’s encryption and a client portal may be sufficient. But regardless of which method you choose, it is likely lawyers will find that both clients and the ABA have an increased expectation of email privacy, and attorneys will need to take steps to ensure that expectation is met.
Featured image: “encrypted digital lock” from Shutterstock.