In its simplest form, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. To read the message, the authorized party needs to possess the key to unlock or decode the message.
Encryption – A Brief History
Encryption grew out of cryptography, the science of secret communication. Secret communication via ciphers has been around nearly as long as written communication. Julius Caesar is said to have used a simple cipher to send messages to his generals more than 2,000 years ago. A Caesar cipher simply shifts the letters of the alphabet so that, for example, A=B, B=C, and so on. To decode the message in this example, Caesar's generals had to know that the "key" is 1.
While Secretary of State, Thomas Jefferson sometimes communicated with an elaborate mechanical cylinder that could be used to create coded messages. The recipient needed to possess an identical device to decode the message. Perhaps the most well-known example from history is the famous Enigma machine, which the German military used in World War II. The Allies spent years working to decrypt the coded messages and by the end of the war could read more than 90 percent of Enigma messages within 24 to 48 hours.
These examples demonstrate the following: First, the need to protect communication is nothing new. Second, creating an effective cipher system required a lot of time and effort and was often very complicated.
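The Caesar shift described above can be written in a few lines. This is an added example, not part of the original article; the sample message and the short word list are constructed for illustration. It encodes with a key of 1, decodes with the same key, and then shows that a reader without the key only has to try 25 possibilities.

```python
import string

# Small constructed word list used only to recognise readable English.
COMMON_WORDS = {"THE", "AT", "AND", "OF", "TO"}


def caesar_shift(text: str, key: int) -> str:
    """Shift every ASCII letter by `key` places, wrapping around the alphabet."""
    shifted = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shifted.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            shifted.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(shifted)


def all_candidates(ciphertext: str) -> dict:
    """Decode with each of the 25 possible keys; that is the entire key space."""
    return {key: caesar_shift(ciphertext, -key) for key in range(1, 26)}


def recover_key(ciphertext: str) -> int:
    """Return the key whose decoding contains the most common English words."""
    def score(item):
        return sum(word in COMMON_WORDS for word in item[1].upper().split())
    return max(all_candidates(ciphertext).items(), key=score)[0]


if __name__ == "__main__":
    message = "MEET AT THE FORUM"        # constructed sample plaintext
    sealed = caesar_shift(message, 1)    # key of 1: A becomes B, B becomes C
    print(sealed)
    print(caesar_shift(sealed, -1))      # the general who knows the key
    print(recover_key(sealed))           # a reader who does not
```

A cipher whose whole key space can be listed on one screen protects nothing once the method is known, which is the practical difference between it and the AES 256-bit encryption mentioned later in this article.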
Why Encryption Matters to Lawyers
While the history of encryption is colorful, you might note that you are not trying to secretly cross the Rubicon or plan the D-Day invasion. On the other hand, most lawyers routinely send and maintain confidential information about their clients. Failing to use encryption when appropriate places that information in jeopardy and could have ethical implications.
You need not read very far into the ABA Model Rules to find an example of when encryption might play a role. ABA Model Rule 1.6(c) states:
"A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client."
Does this require lawyers to use encryption regularly for all email communication and storage of client information? Probably not, at least for now. On the other hand, publicity about data breaches and the relative ease with which data can be encrypted should cause you to at least consider encryption.
Recently, the State Bar of Texas addressed the issue. In Opinion 648 (2015), it identified several instances in which encrypting email may be appropriate. Regarding email, the opinion says the following:
"In general, considering the present state of technology and email usage, a lawyer may communicate confidential information by email. In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication. Examples of such circumstances are:
- Communicating highly sensitive or confidential information via email or unencrypted email connections;
- Sending an email to or from an account that the email sender or recipient shares with others;
- Sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the email account, or to an individual client at that client's work email account, especially if the email relates to a client's employment dispute with his employer (see ABA Comm. on Ethics and Prof'l Responsibility, Formal Op. 11-459 (2011));
- Sending an email from a public computer or a borrowed computer or where the lawyer knows that the emails the lawyer sends are being read on a public or borrowed computer or on an unsecure network;
- Sending an email if the lawyer knows that the email recipient is accessing the email on devices that are potentially accessible to third persons or are not protected by a password; or
- Sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer's email communication, with or without a warrant."
Clearly, whether email should be encrypted is a question that is being asked with increasing frequency, most often in the context of highly confidential information or less secure situations.
Email Encryption Tools for Lawyers
Many emails are not all that sensitive or confidential, but some certainly are. In these cases, much like Caesar sending courier messages to his generals, you are taking a highly sensitive communication and placing it in danger of interception by someone you do not want reading it. Also, note how the Texas opinion referenced earlier was specifically about email and the circumstances under which it should be encrypted. The good news is that encrypting email is relatively easy with today's encryption tools. There are many free tools and some very good paid tools.
Jeffrey S. Krause, Marquette 1996, is a partner and senior legal technology consultant at Affinity Consulting Group, Waterford. He consults with law firms and legal departments of all sizes to help them choose and use the right technology.
If you rarely need to send an encrypted email and don't mind a few limitations, consider one of the many free tools. A simple search for free email encryption tools will yield many results including several comparison articles. Most of these services work in a very similar way. Once you log in to the service's website, find and click the link saying something like "Send an Encrypted Email." Fill in the necessary information, which includes the recipient's name, the subject, and the text of the message. If the service allows it, select any necessary attachments and hit send. The recipient receives an email from the service with a link and instructions to download the encrypted email.
Understanding the limitations of free email encryption is crucial. Start with the fact that you are logging in to a website and sending your email from there. In other words, you are submitting the contents of your sensitive email to a third party on the internet. Some of the services have very clear policies about how long they retain the data. Others are not all that clear. Most free tools limit the number of encrypted emails you can send in a month to a relatively low number like 10. Finally, most of the free tools don't actually send from your email address. The recipient receives an email from the encryption service. I have seen emails from these services go to my junk folder or get quarantined by my spam filter. Even when they reach me, my first instinct is to delete them. An email from an unknown sender that asks me to click on a link to download something is high on my list of red flags.
The limitations of free encryption services are too significant for me to use one of them or specifically recommend one. On the other hand, there are some excellent paid encryption tools and one that I highly recommend.
My favorite encryption tool is Citrix ShareFile. ShareFile offers several pricing levels, including $16 per month for a single user, $60 for five users, and $100 for its Enterprise-level product. As its name implies, ShareFile is about sharing files. It offers secure cloud storage and sharing. Email encryption is not its primary feature, but ShareFile encrypts as well as or better than any other product I have tested.
ShareFile refers to its email encryption as "one click," and it really is that easy. The Outlook plug-in adds a prominent Encryption On/Off toolbar button. Want to encrypt an email? Simply click the button to turn encryption on for the email you are about to send. A dropdown provides specific options such as whether the recipient can authenticate with just his or her name and email address or only after logging into ShareFile. You can also request a notification when the email is read, and set an expiration date. The email recipient receives an email from you informing the recipient of the encrypted email and requesting that he or she log in to ShareFile to view it. Finally, once the person has logged in, the email is displayed.
ShareFile offers a number of additional features. You can revoke access to any encrypted email you have sent. Simply open the email in your Sent Items and click the Revoke link near the top of the page. If you need to send an encrypted email with attachments, the process is the same as sending any other email. Just click the Attach Files button on the Outlook Message toolbar. The attachments are not part of the email. Instead, the recipient will receive a link to download the files from an encrypted location. By the way, this feature is also helpful when you want to send a file that is too large for your email client. You can also request files from someone. In this case, the recipient is prompted to upload files to your secure ShareFile site.
ShareFile is extremely easy to use but don't let that fool you. The steps above use SSL protocols with 128-bit encryption while the email and files are in transit and AES 256-bit encryption when the files are stored on ShareFile's servers.
And you thought email encryption was difficult.
Conclusion
Lawyers have a duty to protect information about their clients and their representation of clients. This duty extends to client data, and encryption protects data. Why aren't you using it? True, it might not be required (at least not yet) and, yes, the science behind encryption is complicated enough to give you a headache. However, the reality is that encryption is readily available, affordable, and very easy to use. Encryption is something that should be in the technology arsenal of every law firm.