When is it Ethically Responsible to Use Email—And When is it Not?
Attorneys have to make reasonable efforts to maintain the confidentiality of client information. In a 2014 LexisNexis survey, nearly 90% of legal professionals answered that their firms use email to communicate with clients, and 81% reported they would find it consequential if shared files were acquired by someone other than their client.
Phil Zimmerman, arguably the world’s foremost expert on email security, says: “Email that uses standard Internet protocols cannot have the same security guarantees that real-time communication has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it … cannot be secure.”
A potential ethical dilemma arises from a simple engineering fact—email was never designed for confidential communications. Consider the following:
• Email systems are common targets of hackers. How common is it to have to change email passwords because your account has been hacked?
• Email allows anonymous users and is routed through multiple servers across multiple domains, making it impossible to know if and by whom email is intercepted – or even who is on the other end of the line.
• Email systems store and transmit messages and attachments in unencrypted form. This means email messages and attachments can be intercepted by your email service provider or taken from lost or stolen devices.
• There is no expectation of privacy when using public email systems such as Gmail®, and likely never will be. Their livelihood depends on being able to read your email. If one party uses public email, the other party’s email security measures (if there are any) are rendered moot.
• Email providers can be hacked, and per established third party doctrine, providers can be legally compelled to divulge your email content. Even if the email provider encrypts your email, they can decrypt it whenever it serves their advertising or compliance interests.
• Encryption tools can be added to email, but they are typically expensive and complicated. Most only encrypt some data, some of the time. Attorneys have no control over whether inbound emails are encrypted or whether outbound emails are stored encrypted once received.
• Metadata (who, when, where, and subject information) cannot be scrubbed from email.
It is technologically impossible to know if emailed client information remains confidential, and it is safe to assume that emails can be read without you or your client’s knowledge. Thus, the ethical question: When is it ethically responsible to use email, and when is it not?
Attorneys are charged with determining how client information should be sent and received based on the sensitivity of the information, the likelihood of disclosure (which given email’s vulnerabilities is entirely unknowable), and the cost and difficulty of implementing safeguards. When information is highly sensitive and email is too risky, the attorney and client need an alternative that:
• Automatically and individually encrypts every message when it is created and files when they are attached,
• Does not enable the service provider to ever be in possession of the encryption keys or passwords, so the provider cannot disclose usable data even if their servers are compromised or they are legally compelled to divulge attorney-client data,
• Disallows anonymous use,
• Is easy for lawyers and clients to install, and has little or no learning curve because it looks and works like email,
• Is inexpensive.
Sound too good to be true? Fortunately, new technologies are now available that meet these requirements.
Need an alternative to email for those times when electronic client communication has to be confidential? Visit us at http://www.absio.com/law.
This content is advertising.
