Sending highly confidential or personal information
via unencrypted email is like sending a postcard. There are many places
that postcard goes before it reaches its recipient – and can be read by
anyone along the way. Regular email is sent as plain text, and if you
watch Google’s “Story of Send” you
can see how many touch points a Gmail message has from the time you hit
“send” to the time it gets to your recipient. Email can be intercepted
by sniffers or read while saved on remote servers. And that is just the
beginning.
Your “deleted” messages are likely sitting on at least two backup
servers, messages can be modified in transit, and your email address can
be spoofed to send malware messages that appear to be from you. Despite
all of this, in 1999 the ABA issued a formal opinion (99-413) that
states:
“A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.”
Most people didn’t read further to note that the opinion stated in conclusion that:
“when the lawyer reasonably believes that confidential client information being transmitted is so highly sensitive that extraordinary measures to protect the transmission are warranted, the lawyer should consult the client as to whether another mode of transmission.”
In the 14 years since this opinion was issued much has changed. Data breach notification laws are on the books in the US and Canada, the ABA has issued Formal Opinion 11-459 “Duty to Protect the Confidentiality of Email Communication with One’s Client” and jurisdictions all over North America have issued guidance on “cloud” computing. So, why are lawyers not increasingly using email encryption? One simple reason – it is too complicated.
Traditional email encryption often requires a public key/private key setup and is often applied at the server or gateway level. The end user – your client – must be party to this system and possibly install software or meet other requirements. For large firms with corporate clients this is not an unusual setup. However, for solo or small firms who are working with consumer clients there are much easier on-the-fly email encryption tools that can be used to send individual emails via encryption with very little disruption or technical setup.
Following are three easy email encryption tools I’ve tested.
Send (www.sendinc.com) is one such tool. Email sent via Send is encrypted in transit, in
storage, and only can be decrypted by the recipient once she has a
(free) Send account. First you will need to create a username and
password. Then you can use the free plugin for MS Outlook, or you can go
to the Send website to send an encrypted email. Compose your email and
(in MS Outlook) click “Send Secure” instead of the regular “send”
button. Once you’ve sent the message your client (or the recipient) will
receive an email with a link. Clicking on the link will prompt the
recipient to create his/her own username and password. Once that is
accomplished the recipient can open the link and read the message. The
recipient can also send a secure reply. This product is free for senders
and recipients, but with a few caveats. It is free for limited use – 20
recipients per day. Another drawback (or benefit) to the free account
for the sender is that the email expires in 7 days for the recipient,
who would need to use the “save as PDF” option to keep a copy of the
email. Also, HTML will be stripped from messages sent via a free
account, so the recipient only receives plain text. The Pro account, at
$5 for a single user per month, increases message size, has unlimited
message retention (but with self-destruct dates that can be set by the
sender), and other perks.
Another, similar tool is called Enlocked (www.enlocked.com).
Enlocked offers more options to generate an encrypted email than
Send, with extensions for Chrome, Firefox and Safari for web-based email
like Gmail or Yahoo, an Outlook plugin and apps for your Android or
iPhone. If those options don’t have you covered you can use their
website. The free plan lets you send only 10 secure messages per month,
though for $10 per month you can send up to 100. All plans provide
unlimited free reading of secured email. Like Send, the recipient will
need to create a username and password to access the message, at which
point it will decrypt automatically. Enlocked points out that they only
have access to the email when it is encrypted or decrypted on their
servers, then it is deleted from their servers entirely. With Enlocked
you can see if someone has read your secured message by looking at your
sent mail and clicking on “who read my message?”
If having an audit trail along with
encryption, including registered e-receipts, time stamps and more,
appeals, then check out RPost’s SecuREmail (www.rpost.com)
service, which bundles email encryption with their proof of delivery
service and now even electronic signatures. RPost’s SecuREmail works
with Outlook, Apple, Android, BlackBerry, webmail, LotusNotes and more.
RPost’s tools are not free, with a cost of about $129 per year for a
solo. Once installed SecuREmail adds a button to MS Outlook much like
Enlocked and Send. However, click on the button to realize there are a lot
of options to consider in addition to encryption. You can add “side
notes” for cc or bcc recipients, invoke an eContract, and send large
attachments via LargeMail transfer service. You can also automatically
convert attachments to PDF, password protect the PDF, add a
client/matter number, and authenticate the email with a digital seal.
All these options can be set as a standard default configuration, or
invoked when necessary. As you can tell, it will behoove you to get a
little training with the representatives at RPost to make sure you are
getting the most out of this sophisticated tool.
The user experience itself differs from
the other two products mentioned. If you do not predefine a password
with your client/recipient then the user will receive an email with a
system generated password, then another email with a PDF attachment. The
PDF attachment contains the text of the encrypted email you sent and
the user will need to have the password from the previous email to open
it. The recipient opens the PDF and can click on “secure reply – click
here” to respond via the same encryption process. Fortunately all these
emails to the recipient have clear instructions, but it would probably
be best to establish a password with a client in advance for ease of
use. Also, between all the read receipts, instructions, and email
attachments, the system generates quite a number of emails. You can
adjust your settings to reduce the messages.
Obviously these are but a few of the options available, and you
should examine your work flow and habits, what platform and programs you
use to send email, and test a few options with your staff or an
unsuspecting family member to make sure everything works the way you
expect it to. That said, the above email encryption options are easy to
use for the sender and recipient, and offer a much better level of
security, privacy, and confidentiality than an unencrypted email.