The days when a lawyer could send an unencrypted email without worry, remain blissfully ignorant about encrypting a laptop, or use the same easily remembered password for all accounts and devices are over. I believe most lawyers know this, at least at a gut level; but far too many still seem to be confused about what steps they should be taking. If you see yourself as a card-carrying member of the “what the heck am I supposed to do” group, perhaps I can help.
Let’s start with email. It isn’t secure. The best description I’ve ever heard about how anyone should view email was this: “Email is like sending a postcard written in pencil. Slap a little postage on it, drop it in the mailbox and it’s good to go.” Think about that and then think about your ethical obligation to preserve and maintain client confidences. Still want to email confidential information to a client using a free Gmail account? Yes, I know most attorneys have long since moved away from the use of free email accounts for work, which is a good thing; but how many of your clients are using one to communicate with you? Still want to hit reply and type away? Hopefully not!
Encrypted email is on the horizon for all of us and a day-to-day reality already for some. For example, certain clients in the financial and healthcare sectors are beginning to demand that outside counsel use encrypted email. Say no and lose a client. That said, the use of encrypted email day-to-day isn’t ethically mandated at this point; but I personally believe that’s coming, if for no other reason than more and more clients are going to insist upon it. Until that time, however, there’s an easier solution.
When using email to send confidential information, place the confidence in a Word document or PDF file, password-protect that document and attach it to the email. Now the attachment is encrypted even though the email itself is not. There are various other security settings that can be selected as part of this process, and those vary depending upon the application in use. Learn what they do and how to use them. Now, one side note. Never put the password to the attachment in the text of the email itself. You’ll need to find another avenue to pass that information along and that’s just the way it is. Provide the password that will be used during the course of representation at intake, or perhaps a text message or quick call will take care of it. Also understand that if the password is ever lost or forgotten, you won’t be able to recover the contents of the document, so don’t get casual with this.
Time to discuss mobile devices, backup storage media, and placing documents in the cloud. I’m going to skip all the “put the fear of God in you” stories and ask in return that you put aside all the excuses. I believe you know what you should be doing. It’s just a matter of making the decision to actually do it.
Smartphone encryption is pretty easy. On newer smartphones, encryption is often a matter of changing one setting. On the iPhone, enable the complex password setting, and for Android phones, enable encryption in settings. This basic step doesn’t necessarily encrypt everything on your phone so I would strongly suggest you review the security instructions of the device manufacturer and carrier, which means you need to go further than reviewing the quick start guide. The information you need to know is not there. And yes, I do understand this means you have another password to remember; but if your phone is lost or stolen and a client is harmed in some way as a result, they are not going to be sympathetic once they learn the phone wasn’t encrypted because you didn’t want to have to remember a password. After all, would you if you were in their shoes? I doubt it.
Tablets and laptops can be a bit more difficult to set up, but most of these computers have full disk encryption functionality built in. It’s just a matter of turning it on. However, if you don’t consider yourself tech savvy, this is the one time I would advise you to get a little help from your IT support so that it’s done correctly. Once set up, it’s easy as long as you never forget the password. Even better, these built-in encryption programs can often be used to encrypt backup drives. This is what I do for my personal backups. Takes me all of 5 seconds to decrypt a drive and run the next backup. There are also a number of third-party products (e.g. Backup Exec or BounceBack) and cloud-based solutions (e.g. Mozy or Carbonite) that are just as effective. If you do decide to go with a cloud-based vendor, make certain that you select the password because you don’t want the vendor to have the ability to decrypt your data.
While placing documents in the cloud is convenient, it also brings about privacy and security concerns which, again, can be easily addressed through encryption. The condition, however, is you must be in control of the decryption key, not the cloud service provider. If you don’t control the decryption key, you don’t control your data. It’s as simple as that. Some cloud service providers, for example Box, provide for end user controlled encryption. If your cloud service provider does not, you must take the time to encrypt your documents before placing them in the cloud. Products such as BoxCryptor or Sookasa can get you there.
Obviously the challenge with all of the above and, truth be told, the success of the effort rely upon the use of complex passwords that are never used twice, and there’s a relatively easy solution to this problem as well. Use a password manager such as Dashlane, RoboForm or LastPass. All you need to do is remember one complex password or passphrase and the password manager does the rest.
I’m well aware that I’ve focused on encryption only in this post and acknowledge that there are all kinds of other steps one can and should be taking. I elected not to share all the other tips because encryption is the ultimate level of protection should something bad happen. Systems and devices can be lost or stolen, and worse yet, hacked in all kinds of ways. Encryption is your failsafe should something bad ever happen. Think about it this way. Your clients expect that you will protect data about them just like you expect your credit card carrier, your medical provider, your bank, or your insurance company to protect information they have about you. You read the headlines; learn from the missteps of others. Stop with the excuses and just do it.