In today’s cybercrime-ridden business environment, hackers are increasingly targeting law firms to mine sensitive client data. As the ABA has noted, cybercriminals love to pick on law firms because firms store sensitive information, often with less adequate safeguards than their clients use, and the information firms keep is much higher-quality, since law firms typically receive clients’ most important data.
One of the easiest steps lawyers can take to help protect themselves against cybercriminal activity is to use encryption when communicating with their clients. As the most recent ABA TechSurvey revealed, however, only 26 percent of attorneys across all types of firms use encryption when sending and receiving sensitive client data via email, a marked decrease from the 35 percent of attorneys who used encryption in client communications last year.
This, to put it mildly, is a staggering development, especially considering the potential consequences involved. As a growing number of state bar associations are starting to make clear, attorneys who fail to take reasonable steps to prevent inadvertent or unauthorized disclosure of client data online risk facing ethical sanctions that can result in reprimands or even revoked licenses.
As the ABA clarified in Model Opinion 477, incorporating encryption measures that are proportionate to the sensitivity of the data you’re storing can help you meet your ethical duties of competence and confidentiality. Better yet, you don’t have to be a cybersecurity expert to be compliant; you just need to be aware of your available options, and work with outside experts as appropriate. Here are some immediate steps you can take to incorporate encryption into your attorney-client communications.
1. Move Your Email Accounts to the Cloud
Going with a commercial cloud hosting platform is a safe bet for any lawyer looking to encrypt their attorney-client email communications and meet their duties of competence and confidentiality. This is because many cloud-based providers host software, apps, and other add-ons on server networks encrypted with AES-256. Cracking such encryption by brute force would require a hacker to try up to 2^256 different keys, which works out to 115 quattuorvigintillion combinations.
The benefits of virtual hosting do not end there either; encrypted cloud hosting servers can be a great place to store sensitive files and client data exchanged between you and your clients, and access privileges can be delegated on the server so that both attorneys and clients can exchange and view confidential data without having these connections intercepted. Virtual cloud hosting environments can also be configured to meet a number of industry-specific state, federal and international data security standards, ensuring that you also store sensitive client data in compliance with HIPAA, GDPR, PIPEDA and other common data security regimes.
2. Regularly Update Software and Test Your Servers for Vulnerabilities
Encryption, unfortunately, is only as good as the systems and procedures supporting it. Servers that aren’t regularly updated with software patches addressing known vulnerabilities can undermine otherwise sound security protocols. According to congressional testimony on the Equifax data breach, for example, millions of Americans’ sensitive data was compromised because Equifax’s IT team failed to install an Apache vulnerability fix after being alerted about it.
Poor encryption and hygiene are also factors in why many companies, including law firms, are struggling with having email credentials stolen and sold on the black market. Applying software updates as they come out is one good step you can take to ensure that the email client you’re using is up-to-date and, in turn, protected against newly discovered vulnerabilities. Working with outside specialists and penetration-testing firms, which consist of white-hat hackers for hire, can be a good way to spot and address unobvious flaws in your email and IT systems that cybercriminals could take advantage of.
3. Disable POP/IMAP for Your Email Accounts—or at Least Use it Responsibly
While this may be a tall order in today’s 24/7 legal services environment, you may be better off forgoing your business email account’s POP/IMAP capabilities when accessing work emails. POP/IMAP, when turned on, allows you to access your email accounts on your cell phone, laptops, and other devices via programs such as Apple Mail, Thunderbird, Outlook and others. The downside of activating this, however, is that any cybercriminal with access to your password and IMAP/POP server settings can set up their own devices to receive your emails as well. Contact your business email provider or IT department to see how you can disable POP/IMAP functionality on your firm’s accounts, as this varies from system to system; G Suite-based email accounts, for example, only require you to uncheck some boxes, whereas Office 365 plans require PowerShell knowledge to carry this out.
If you need to have your email accounts synced across your devices, however, regularly change your passwords or, better yet, use multi-factor authentication to prevent hackers who’ve obtained your password from even logging in. Multi-factor authentication programs such as Google Authenticator generate time-sensitive alphanumeric codes that you type into a separate box to validate your account access. Google Authenticator can also provide one-time prompts when signing into an account from a new device. Log in to your email from an unrecognized computer, for example, and you’ll be able to confirm the sign-in from your mobile phone. Other apps such as Symantec VIP allow you to tack on time-sensitive numeric codes to the end of your existing passwords each time you log in.
4. Use Encrypted Communications Platforms, Apps and Extensions
Another option is to not use email at all, but rather third-party providers that allow you to send and receive encrypted communications and offer more than standard email providers do. Startups such as Legaler, ArmorText, and Dust can help you conduct video conferences, exchange electronic files, and send messages over encrypted channels that are robust enough to ensure you meet your ethical duties of competency and confidentiality when dealing with sensitive client data.
Even lawyers who use run-of-the-mill Gmail or Yahoo accounts can incorporate additional encryption into their accounts by exchanging messages and files using add-ons like Virtru, which sends messages that you can only read and access on the company’s encrypted servers. The only downside with these apps is that they may create more steps for your clients to initiate and receive communications, but they could be worth looking into depending on your and your clients’ specific needs.
5. Take Human Error Out of the Equation—or at Least Reduce Its Impact
Perhaps the most troubling aspect of email security issues is that it’s not so much the weaknesses of the technology involved that cause most breaches, but rather users who aren’t savvy enough to recognize spoofing, malware downloads and other common cybercriminal tactics. Careless email practices not related to cybercrime can also cause trouble for lawyers and law firms, especially from a confidentiality perspective. Jared Kushner’s lawyer, for example, recently fell victim to a prankster posing as Jared himself, while one AmLaw 100 firm accidentally disclosed one client’s privileged whistleblower documents to the Wall Street Journal through an email gaffe.
Combatting these personnel-related issues will often involve a mixture of online and offline solutions. Better training programs, harsher conduct consequences, and awareness campaigns are some steps you can take to address and correct any misperceptions among your firm’s employees and associates over email encryption issues. You should also work with your firm’s IT team to create auditing and mitigation strategies to detect and resolve employee- and partner-created errors before they compromise your firm. Use technological safeguards such as network access rules, password management policies, sender notification alerts, and identity and access management processes to give your firm some measure of control over how partners and associates share information over their firm’s email accounts.
This post was authored by Eric Pesale, an attorney who writes about eDiscovery, cybersecurity and other legal topics for law firms, publications, and companies. He is the founder of Write For Law, and is a graduate of New York Law School and the University of North Carolina at Chapel Hill. Eric can be reached at firstname.lastname@example.org or on Twitter at @writeforlaw.