Law Firm Security Best Practices
Let’s face it: Law firms have historically been behind the curve when it comes to adopting new technologies. Many are just now realizing the tremendous benefits of electronic document management (EDM) systems. when it comes to storing and retrieving case information compared to the old filing cabinet, there is no comparison. Certified postal mail and faxes are still a staple at most firms, but they’re slowly being replaced by email and other electronic forms of communication. But here specifically, there can be a big problem with making the jump to digital: Is is secure?
According to an article from the American Bar Association, “Most attorneys do not consider the implications of encryption and cybersecurity in their daily lives”. However, they are often handling some of the most private and sensitive information about their clients’ lives. In the medical and financial industries, this type of information is subject to many regulations that mandate how the information is stored, transmitted, and protected: HIPAA, HITECH, GLBA, Sarbanes-Oxley, just to name a few.
Lack of Regulations
Unfortunately, “There is no omnibus law dictating what information about you is sacrosanct and what is off-limits” The legal industry does NOT have any federal acts or laws dictating how private client information is handled. The closest thing they have is an opinion letter from the ABA form 2017, called Formal Opinion 477. This opinion updates the previous statement that unencrypted email is an acceptable way for lawyers to communicate with their client about case information. It states that “cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email.”
Why TLS Encryption Isn’t Enough
The opinion goes on to reference an ethics opinion that outlines some circumstances where email communication should be given special protections:
1. communicating highly sensitive or confidential information via email or unencrypted email connections;
2. sending an email to or from an account that the email sender or recipient shares with others;
3. sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows
the password to the email account, or to an individual client at that client’s work email account, especially if the email
relates to a client’s employment dispute with his employer…;
4. sending an email from a public computer or a borrowed computer or where the lawyer knows that the emails
the lawyer sends are being read on a public or borrowed computer or on an unsecure network;
5. sending an email if the lawyer knows that the email recipient is accessing the email on devices that are
potentially accessible to third persons or are not protected by a password; or
6. sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the
lawyer’s email communication, with or without a warrant.
Turning Email Security into a Differentiator
These are perfect examples of why a firm’s email security solution should be a selling point, rather than a check-the-box compliance obligation. Only dedicated email encryption systems like the SecureMail Gateway or our managed service Fast&Secure can provide this type of protection to clients. Using a secured web portal like SecureMessenger guarantees that the data is encrypted at rest and in transit with TLS encryption. But more importantly, the lawyer and client can create unique authentication passphrase to the secure access to the messages. So, for instance, even if a spouse has access to a client’s computer or their email account, they will NOT be able to access the secured emails without the unique passphrase established between the lawyer and client.
GlobalCerts’ Securemail Gateway solution utilizes the ‘SecureMessenger‘ delivery system, which delivers secured emails over a branded, TLS encrypted web portal, direct to the client’s computer or smartphone. The SMG stores secured emails with military grade AES-256 encryption in the sender’s environment. The sending organization is always in the complete control of the email. Messages are automatically deleted after a specified lifetime, or on-demand by the admin.