Sending highly confidential or personal information via unencrypted email is like sending a postcard. There are many places that postcard goes before it reaches its recipient – and it can be read by anyone along the way. Regular email is sent as plain text, and if you watch Google’s “Story of Send” you can see how many touch points a Gmail message has from the time you hit “send” to the time it gets to your recipient. Email can be intercepted by sniffers or read while saved on remote servers. And that is just the beginning.
Your “deleted” messages are likely sitting on at least two backup servers, messages can be modified in transit, and your email address can be spoofed to send malware messages that appear to be from you. Despite all of this, in 1999 the ABA issued a formal opinion (99-413) that states:
A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.
Most people didn’t read further to note that the opinion stated in conclusion that:
when the lawyer reasonably believes that confidential client information being transmitted is so highly sensitive that extraordinary measures to protect the transmission are warranted, the lawyer should consult the client as to whether another mode of transmission.
In the 14 years since this opinion was issued, much has changed. Data breach notification laws are on the books in the US and Canada, the ABA has issued Formal Opinion 11-459, “Duty to Protect the Confidentiality of Email Communication with One’s Client,” and jurisdictions all over North America have issued guidance on “cloud” computing. So, why are lawyers not increasingly using email encryption? One simple reason – it is too complicated.
Traditional email encryption often requires a public key/private key setup and is often applied at the server or gateway level. The end user – your client – must be party to this system and possibly install software or meet other requirements. For large firms with corporate clients this is not an unusual setup. However, for solo or small firms who are working with consumer clients, there are much easier on-the-fly email encryption tools that can be used to send individual emails with encryption, with very little disruption or technical setup.
Following are three easy email encryption tools I’ve tested.
Send (www.sendinc.com) is one such tool. Email sent via Send is encrypted in transit and in storage, and can only be decrypted by the recipient once she has a (free) Send account. First you will need to create a username and password. Then you can use the free plugin for MS Outlook, or you can go to the Send website to send an encrypted email. Compose your email and (in MS Outlook) click “Send Secure” instead of the regular “send” button. Once you’ve sent the message, your client (or the recipient) will receive an email with a link. Clicking on the link will prompt the recipient to create his/her own username and password. Once that is accomplished, the recipient can open the link and read the message. The recipient can also send a secure reply. This product is free for senders and recipients, but with a few caveats. It is free for limited use – 20 recipients per day. Another drawback (or benefit) to the free account for the sender is that the email expires in 7 days for the recipient, who would need to use the “save as PDF” option to keep a copy of the email. Also, HTML will be stripped from messages sent via a free account, so the recipient only receives plain text. The Pro account, at $5 for a single user per month, increases message size, has unlimited message retention (but with self-destruct dates that can be set by the sender), and other perks.
Another, similar tool is called Enlocked (www.enlocked.com). Enlocked offers more options to generate an encrypted email than Send, with extensions for Chrome, Firefox and Safari for web-based email like Gmail or Yahoo, an Outlook plugin, and apps for your Android or iPhone. If those options don’t have you covered, you can use their website. The free plan lets you send only 10 secure messages per month, though for $10 per month you can send up to 100. All plans provide unlimited free reading of secured email. As with Send, the recipient will need to create a username and password to access the message, at which point it will decrypt automatically. Enlocked points out that they only have access to the email when it is encrypted or decrypted on their servers, then it is deleted from their servers entirely. With Enlocked you can see if someone has read your secured message by looking at your sent mail and clicking on “who read my message?”
If having an audit trail along with encryption, including registered e-receipts, time stamps and more, appeals to you, then check out RPost’s SecuREmail (www.rpost.com) service, which bundles email encryption with their proof of delivery service and now even electronic signatures. RPost’s SecuREmail works with Outlook, Apple, Android, BlackBerry, webmail, LotusNotes and more. RPost’s tools are not free, with a cost of about $129 per year for a solo. Once installed, SecuREmail adds a button to MS Outlook much like Enlocked and Send. However, click on the button and you will realize there are a lot of options to consider in addition to encryption. You can add “side notes” for cc or bcc recipients, invoke an eContract, and send large attachments via LargeMail transfer service. You can also automatically convert attachments to PDF, password protect the PDF, add a client/matter number, and authenticate the email with a digital seal. All these options can be set as a standard default configuration, or invoked when necessary. As you can tell, it will behoove you to get a little training with the representatives at RPost to make sure you are getting the most out of this sophisticated tool.
The user experience itself differs from the other two products mentioned. If you do not predefine a password with your client/recipient, then the user will receive an email with a system-generated password, then another email with a PDF attachment. The PDF attachment contains the text of the encrypted email you sent, and the user will need to have the password from the previous email to open it. The recipient opens the PDF and can click on “secure reply – click here” to respond via the same encryption process. Fortunately all these emails to the recipient have clear instructions, but it would probably be best to establish a password with a client in advance for ease of use. Also, between all the read receipts, instructions, and email attachments, the system generates quite a number of emails. You can adjust your settings to reduce the messages.
Obviously these are but a few of the options available, and you should examine your work flow and habits, what platform and programs you use to send email, and test a few options with your staff or an unsuspecting family member to make sure everything works the way you expect it to. That said, the above email encryption options are easy to use for the sender and recipient, and offer a much better level of security, privacy, and confidentiality than an unencrypted email.