The path to secure client communications isn’t as complex as you might think.
In my last post, I covered the recent ABA ethics opinion, Opinion 477, which I believe established a new standard for secure client communication. As I explained in my post, using unencrypted email may be appropriate for routine or low sensitivity communications, due to “cyber-threats and (the fact that) the proliferation of electronic communications devices have changed the landscape…it is not always reasonable to rely on the use of unencrypted email.”
Since its release, much has been written about this opinion, including posts by my fellow Above the Law columnists. Bob Ambrogi addressed the implications of the opinion in this post, wherein he described in great detail the many hurdles that lawyers who choose to continue using unencrypted email will have to face when determining, on a case-by-case basis, how to best secure client communications.
After reading our posts on the impact of the new emails standards along with the analysis of others in the legal tech space, my co-author Carolyn Elefant weighed in, lamenting the inherent complexity and amorphous requirements of the opinion, concluding that instead of a performing a case-by-case security song and dance, what busy lawyers really need is “checklists and online tutorials and readily accessible manuals so that they quickly and at little or no cost put in place a security system that works for their firm.”
I couldn’t agree more! The case-by-case analysis laid out by the ethics committee is indeed burdensome and time consuming, especially for solo and small firm lawyers who are struggling to keep up with the day-to-day obligations of running their law firms while providing the very best client representation possible.
But, I would suggest that there is an easy way to avoid wasting the precious time required to create a tailored client communication security plan for each matter. Instead, lawyers should establish a standardized communication process that is used for all but the most extreme cases — one that provides a secure, encrypted channel for all case-related interaction. And for those cases where the information is too sensitive for any type of electronic communication, the firm should revert to the time-tested and arguably inconvenient old-school methods of communication: face-to-face meetings and snail mail letters.
But for all other communications with clients a case-by-case determination can be avoided by putting in place a single, encrypted, secure system for the electronic sharing of all case-related information. The good news is that there are a number of different options available, one of which is sure to meet your firm’s needs.
The Electronic Frontier Foundation (EFF) offers a great guide to secure communications. It explains the different types of end-to-end encryption, including OTR and PGP, and then provides advice on encrypting different types of communications. Here are some of their recommendations.
Encrypted Voice Calls
According to the EFF, the key to ensuring secure voice communication is to use VOIP (Voice Over Internet Protocol). But it’s important to understand the difference between transport encryption (such as that used by Skype and Google Hangouts), which prevents eavesdroppers — but not the providers — from listening in, and end-to-end encryption, which prevents all types of eavesdropping.
For end-to-end encryption for voice calls, both parties must be using the software. Here are the tools EFF recommends:
Encrypted Text Messaging
If you send or receive text messages from clients on your smartphone, it’s important to use apps that provide end-to-end encryption for the messages. As is the case with encrypted voice software, both parties must be using these apps in order to communicate securely since the apps work by using their own communications protocols. Many of these apps have been used by protestors in recent months to avoid law enforcement interception during political protests.
Two of the more popular encrypted text messaging apps that can be used on both Android and iOs devices that are recommended by EFF are Signal and ChatSecure.
Encrypted Email
There are varying degrees of encryption available for web-based email messages. The most basic level of encryption offered by many popular email providers is to support HTTPS encryption. Gmail and Yahoo provide this type of encryption by default. However, although HTTPS will prevent others on the network from reading your emails, as explained by EFF, there are many things it does not do: “When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant.”
That’s why using PGP encryption is often a good option for lawyers seeking to secure communications. However, it can be difficult to set up properly and oftentimes the use of a technology consultant is needed. But if you’d like to try to set it up on your own, EFF provides detailed guides for Mac users, Windows-users, and Linux-users.
Other options to consider that tend to be better suited for larger firms and will likely require the services of a legal technology consultant to set up include AppRiver, DataMotion, HP SecureMail, and Mimecast.
Another problem with encrypted email is that it still leaves some information exposed to prying eyes. EFF describes the loopholes as follows: “End-to-end encryption only protects the content of your communication, not the fact of the communication itself. It does not protect your metadata—which is everything else, including the subject line of your email, or who you are communicating with and when.”
I discussed this concern in a recent post here on Above the Law, which was prompted by the Trump administration’s repeal of Internet privacy laws and pre-dated the ABA’s issuance of Opinion 477. In that post, I suggested that secure client portals were a solution to this particular issue.
Secure Client Portals
Encrypted online portals, which are often built into other software programs such as legal practice management software, solve this problem. All communications occur within the portal, so once you log into the portal, your activities occurring therein, along with your communications, are encrypted from prying eyes.
Of course, as is the case with any encrypted communications solution, client portals require a buy in from your clients. However, in light of the new ABA email guidelines, the time saved by avoiding the case-by-case communications analysis and the security gained by using client portals will likely outweigh any push back from clients. And the ABA opinion gives new teeth to requirement that communications be secure, making it easier for you to explain to clients why such measures are needed.
In this post at Lawyerist, which outlines the security benefits of online portals, Sam Glover offers this advice for getting clients on board: “The best way to get your clients on board with your communication portal is to just explain the problems with using email, and tell them to expect a notification to sign up for your portal (remember, all you have to do is check a box). Once you set them up and start using your communications portal as your default, they will go along with it.”
In the late 1990s, acclimating to email seemed strange to both lawyers and their clients, but is now commonplace. Encrypted communication will follow that same path. You may feel overwhelmed in the wake of issuance of the new email guidelines, but rest assured, the path to secure client communications isn’t as complex as you might think. Once you choose a methodology and implement it, using it will become second nature.
Editor’s Note – This article was published with the permission of the author. The article was first published on the site Above the Law.