Protecting E-mail For Complete Client Privacy

By Chris Erickson
February 28, 2006

In recent studies conducted by e-mail analyst firm Radicati, 97% of business people surveyed were aware that e-mail is insecure. More than two thirds of those surveyed worry about the privacy of e-mail, and the same number agree that they would use e-mail to send confidential information if they had access to e-mail encryption technology.

E-mail Interception and Tampering

Fifteen years ago, when lawyers first started to communicate with clients by e-mail, the heads of IT at law firms small and large warned of the dangers of e-mail. E-mail travels from the sender to the receiver as a virtual postcard, and as e-mail is stored and forwarded through the Internet, there is a real risk that someone other than the sender or the intended receiver can intercept it and either read it or tamper with it. Attorney-client privilege, liability for breach of confidentiality obligations and damage to a firm's reputation were all reasons originally cited for stopping the use of e-mail at law firms before it even started. Convenience and responsiveness to clients became justification enough to ignore the basic issue that e-mail was inherently insecure. The standard form disclaimer that we now see at the end of every lawyer's e-mail became the solution to protecting the confidential nature of attorney-client communications. Is it sufficient today?

Is a Disclaimer Sufficient Protection?

Lawyers decided in the early days of e-mail that there was a commercially reasonable expectation that e-mail would not be read by those not authorized to read it. That was then. Now e-mail is read multiple times by filtering programs that test for viruses and spam. Law enforcement authorities are intercepting e-mail, too, which means that e-mail interception is a generally available capability for anyone interested in e-mail content. The fact is that we use e-mail so much, and e-mail contains such vast quantities of sensitive and private information, that intercepting e-mail is a lucrative endeavor for hackers as well. The fact that large volumes of e-mail can be collected, scanned, filtered, read and altered makes e-mail an easier target for illegal interception than regular physical mail.

Legal Best Practices and Rules of Conduct

Everyone should take positive steps to protect this vital communications channel. Lawyers, financial advisors, accountants, educators, health care providers and other professional advisors have ethical, legal and fiduciary duties to protect confidential information of their clients. Lawyers are also subject to their own Rules of Professional Conduct.

Privacy Legislation Compliance

Clients, too, have started to require that lawyers adopt measures to protect the privacy of e-mail communications, either because of common sense or because of privacy legislation that generally requires that they take “reasonable measures” to protect the privacy of third-party information and ensure the integrity and authenticity of corporate information. Sarbanes-Oxley, the Gramm-Leach-Bliley Act (GLBA), the California Security Breach Notification Act (SB 1386) and others include specific requirements for protecting private data. Legal reasons aside, doesn't it just make sense to put e-mail into envelopes if it can be done easily and inexpensively?

PKI Encryption Standards

Encryption based on industry trusted public key infrastructure (PKI) standards is undoubtedly the most trusted option for protecting the privacy of e-mail content, but until recently, the cost, complexity and inflexibility of commercially available solutions have kept all but the truly dedicated from making use of them.

New PKI-based encryption products are now being offered by Internet service providers (ISPs), carriers and other large service providers that give everyone an easy and cost efficient option of enclosing e-mail in the digital equivalent of tamper-proof envelopes. As these new encryption products become more prevalent, no longer will we be able to rely on the excuse that encrypting sensitive e-mail is too difficult, or too expensive.

Drawbacks of Traditional Solutions

Protecting files with passwords provides a level of protection, but is often inconvenient and is less secure. Establishing the equivalent of VPN connections to allow the secure movement of e-mail from the law firm to particular client servers is not scalable. Catering to client requests to establish and administer multiple non-standard encryption systems quickly becomes prohibitively expensive.

Firms can establish secure connections with client mail servers on a case-by-case basis. This solution is not scalable and is of limited usefulness because only e-mail from the firm to that particular client is protected.

Hosted encryption solutions that require users to subscribe for a new secure e-mail address, and to communicate with the hosted secure e-mail service through a browser using an SSL-encrypted connection, are inconvenient and of limited use. Such products significantly restrict the way users can send e-mail messages, and create “walled gardens” in which only members can send messages securely to other members.

Gateway or “boundary” solutions consist of hardware and software systems installed at the firm, and at every other entity with which the firm wishes to communicate. E-mail is routed through these gateways, encrypted, and forwarded on to a compatible gateway, which decrypts the message before sending the unencrypted e-mail on to the intended recipient. These systems are suitable for intra-corporate e-mail communications and not the needs of lawyers who have no control over their clients' e-mail infrastructure. In addition, e-mail remains open for interception from the sender to the gateway, and from the gateway to the recipient.

Non-standard encryption products have been developed that try to simplify the process of encrypting and decrypting e-mail. These non-PKI based products often fall short of the security and confidence that industry trusted PKI-based solutions offer. In addition, these products may not permit the revocation of subscribers' credentials if they have been compromised; e-mail addresses may have to be changed if credentials have been compromised; it may not be possible for a firm to acquire the decryption key for an employee alone; and non-subscribers who receive secure mail messages may be required to register for multiple user IDs and passwords just to receive secure mail messages.

One last option is to simply have each person who wishes to exchange encrypted e-mail acquire a PKI digital certificate, manually install the certificate in their computer's certificate store, and then manually exchange public keys with everyone with whom the user wishes to exchange encrypted e-mail. This option is simply too complicated and too great an administrative burden, and to date it has not caught on.

Underlying each of these other solutions is the issue that small and large firms alike do not have the resources or the desire to build their own encryption infrastructure.

Improve Client Privacy Now

Adopting an encryption mechanism based on standard PKI-based technology and designed with the mass market in mind is the most cost effective and efficient option. PKI-based encryption products also give both the sender and recipient confidence that the e-mail and its content can only be unlocked and read by the intended recipient; that the e-mail was not altered en-route to its destination; and that the sender was in fact the sender.

In a PKI system, each subject user (or principal) is issued a digital certificate for the public key that is used to encrypt a message and/or verify a digital signature on a message; such a key is the public component of a public/private key-pair securely generated by the principal. Until recently, you had to understand the details of PKI to some degree, and had to buy and administer specialized hardware and software. Keys have to be generated, registered, backed up and lifecycle-managed (renewed, re-keyed, re-certified, revoked, etc.); and public keys have to be made available to everyone with whom you want to communicate. Large ISPs (like Verizon), and technology and service providers (like Sun Microsystems and Lucent, who operate PKI infrastructure on behalf of Verizon and other well-known carriers) now offer secure e-mail services, targeting small and medium businesses, relieving them from the ongoing lifecycle and infrastructure costs for managing keys and certificates. (See http://secure-mail.verizon.net)
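The three guarantees described above (only the intended recipient can read the message, alteration is detected, and the sender is authenticated) can be seen end to end in the following added example, which is not part of the original article or of any product it mentions. It assumes S/MIME via the `openssl` command-line tool as the PKI-based format; the principals `lawyer`, `client` and `outsider`, the message text, and the self-signed certificates standing in for CA-issued ones are all constructed for illustration.

```shell
# Added example: S/MIME sign-then-encrypt with the openssl CLI.
# Principals, file names and message text are constructed for illustration.

smime_demo() (
  set -eu
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"

  # Each principal generates a key pair and holds a certificate for the
  # public half. Self-signed here (assumption); in a real PKI a CA issues,
  # renews and revokes these certificates.
  for who in lawyer client outsider; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$who" -keyout "$who.key" -out "$who.crt" 2>/dev/null
  done
  printf 'Draft statement of defense (constructed sample)\n' > msg.txt

  # Sender: sign with the sender's private key, then encrypt the signed
  # message to the recipient's certificate (the "envelope").
  openssl smime -sign -text -in msg.txt \
    -signer lawyer.crt -inkey lawyer.key -out signed.eml
  openssl smime -encrypt -aes256 -in signed.eml -out sealed.eml client.crt

  # Recipient: decrypt with the recipient's private key, then verify the
  # signature against the sender's certificate.
  openssl smime -decrypt -in sealed.eml \
    -recip client.crt -inkey client.key -out opened.eml
  if openssl smime -verify -text -in opened.eml -CAfile lawyer.crt \
       -out got.txt 2>/dev/null &&
     tr -d '\r' < got.txt | cmp -s - msg.txt; then
    recipient=verified
  else
    recipient=failed
  fi

  # Integrity: change one word of the signed text; verification must fail.
  sed 's/defense/offense/' opened.eml > altered.eml
  if openssl smime -verify -text -in altered.eml -CAfile lawyer.crt \
       -out /dev/null 2>/dev/null; then
    tampered=accepted
  else
    tampered=rejected
  fi

  # Confidentiality: a third party's key pair cannot open the envelope.
  if openssl smime -decrypt -in sealed.eml \
       -recip outsider.crt -inkey outsider.key -out /dev/null 2>/dev/null; then
    outsider=accepted
  else
    outsider=rejected
  fi

  echo "recipient=$recipient tampered=$tampered outsider=$outsider"
)

smime_demo
```

The key generation, certificate handling and exchange steps visible here are the lifecycle work that the hosted services described in this section take over from the firm.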

Offered on a subscription basis like anti-virus and anti-spam security products, these solutions provide a full PKI-based encryption solution without the need for a law firm to acquire and manage expensive equipment and infrastructure software. Lawyers are able to send “secure e-mail” to anyone, without having to exchange credentials or requiring non-subscribers to download specialized software or register for any service. Non-standard encryption products have been developed that try to simplify the process of encrypting and decrypting e-mail. These non-PKI based products often fall short of the security and confidence that industry trusted PKI-based solutions offer.

No More Excuses

Now that e-mail encryption products are being made available to the mass market, we should no longer rely on the outdated excuse that encryption products are too complex and expensive to implement and are therefore not commercially reasonable to adopt. We protect ourselves against viruses and spam, but until recently, have not been offered e-mail encryption products that would justify taking action. Next time you exchange with a client e-mail containing a draft statement of defense, litigation opinion, advice on deal negotiations or other sensitive or privileged information, consider whether it should be placed in the digital equivalent of a tamper-proof envelope. Carriers, ISPs and trusted technology providers are now offering cost effective e-mail encryption products that are geared to the mass market. Encrypting e-mail is no longer limited to rocket scientists.



Chris Erickson, P.Eng, LLB, Fasken Martineau