
e-Mail Risk Mitigation For Law Firms

By William O'Brien
September 02, 2015

Each day, law firms are entrusted with valuable and sensitive client information. Moreover, attorneys create and handle documents that require strict confidentiality to avoid loss of evidentiary privileges. In today's digital workplace, many of these files are exchanged via e-mail. While e-mail allows for convenience, speed and portability, each attorney using e-mail must ask before sending: “Am I putting my client's confidentiality needs and expectations, as well as my ethical obligations, at risk?”

Now more than ever, data security (whether in exchanging documents via e-mail, storing them in the cloud, or using other forms of digital collaboration) must be at the forefront of law firms' priorities. Law firms and individual attorneys are becoming top targets for hackers, which is no surprise given the volume of intellectual property and financial information handled by lawyers. Opportunities for data breaches abound, and they occur among law firms more often than is publicized. Consider, for example, that the New York Times Dealbook published a piece on Citigroup's finding that major U.S. law firms frequently experience data breaches but rarely disclose them publicly, to avoid loss of clientele and damage to their reputation.

The Outlook on e-Mail: Best Practices for a More Secure Firm

Unfortunately, most e-mail service providers offer little or no security. Consequently, everything you send or receive (usernames, passwords, e-mail content, attachments, identities of senders and recipients) is susceptible to being viewed by unwanted third parties.

To better secure sensitive information and mitigate the risk of e-mail, law firms must implement electronic communications best practices throughout the firm, from senior partners all the way to temporary part-timers. Best practices to reduce the risk of data theft via e-mail exchange include:

1. Create and discuss a policy on the use, purpose and scope of e-mails.

An impactful e-mail policy that achieves those goals is illustrated by the introductory language for a firm's policy:

The purpose of this e-mail policy is to ensure the proper use of the e-mail system and make users aware of what is deemed acceptable and unacceptable use of its e-mail system. This policy outlines the minimum requirements for use of e-mail within Network.
This policy should cover all appropriate use of any e-mail sent from our e-mail address and applies to all employees, vendors, and agents operating on our behalf.

2. Deploy encryption for e-mails and attachments.

Encryption protects e-mail content from being read by anyone other than the intended recipients. Most full-featured e-mail clients (like Apple Mail, Microsoft Outlook or Mozilla Thunderbird) provide native support for S/MIME secure e-mail (digital signing and message encryption using certificates).

However, encryption can be difficult for users. Security and compliance managers can take that burden off users by deploying services that encrypt automatically. Instead of relying on voluntary cooperation, automated encryption, based on defined policies, takes the decision and the process out of the users' hands. E-mails are routed through a “gateway” or “service” that has been configured to ensure compliance with regulatory and security policies, and can then be automatically encrypted and sent.

3. Invest in confidential communication platforms.

In addition to encryption, the handling of critical client confidential data and documents must be electronically safeguarded. The same audit capabilities used in the transmission of e-mails should also be extended to the handling of data itself. Collaboration with clients and colleagues cannot, and need not, occur at the expense of security. Collaboration can be both fluid and robust, and still remain in accordance with national data protection laws and other confidentiality requirements. It is possible to fulfill all these requirements, without compromise, by investing in confidential communication platforms, such as secure electronic datarooms. This approach allows all digital files, whether e-mails or documents, to remain fully protected at all times.

Conclusion

With cyber-attacks making regular headlines and news of governmental figures turning to personal e-mail to manage work-related tasks, legal professionals should be aware of the danger that lurks before pressing “send.” After all, there is nothing more valuable to a firm and its clientele than its sensitive information. That is why hackers want in on your e-mail.


William O'Brien is an attorney and the chief operating officer of Brainloop, a national provider of secure solutions for enterprise-wide storage and exchange of confidential information. Bill is also former speaker of the New Hampshire House of Representatives.
