Management Assistance Program on www.OKbar.org

E-mail Issues for Lawyers Today

Email.

Just seeing the word can make us cringe. It brings images of overflowing inboxes and strangers sending you unsolicited, time-consuming crap. Of all of the technological changes we have had to digest, email seems to be both one that will be with us for some time and one that is often challenging for users. Hopefully there will be continuing improvements. Certainly billionaire status awaits anyone who can fix everything that’s wrong with email.

I hope that the U.S. Postal Service can survive its current crisis. But we’re never going back to postal delivery for so much of our day-to-day communication. There’s simply no way the USPS will ever handle “Are you free for lunch today?” – and there are more email attachments sent daily than the entire population of the United States could carry as couriers.1

This month we will briefly discuss several interesting questions regarding lawyers’ use of email. Be warned in advance that for many of these issues there will be no definitive answer.

Question 1

I’ve heard Google scans all of my email. Is it OK to use GMail or another free email service for attorney-client email?

There has been a lot of discussion about free email services. Some say that free web-based email services should never be used for any secure or confidential information. Others say that big online providers are likely to have better security than many law firms with no dedicated IT staff.

Lawyers have to decide this issue for themselves, but here’s a thumbnail sketch of the issues with using Gmail for sensitive emails.

Even though we had been warned in advance that it was the case, most of us thought it was a bit creepy as Gmail displayed advertisements off to one side that were based on the contents of the email we were reading or typing. Google assured us that no human being read our email and that machines generated the context sensitive ads. No record was kept of the ads displayed unless you clicked on one of them and Google then billed the advertiser. But could we believe that?

In 2008, the New York State Bar Association Committee on Professional Ethics looked at this and believed Google. The committee issued Opinion #820, which stated:

“A lawyer may use an email service provider that conducts computer scans of emails to generate computer advertising, where the emails are not reviewed by or provided to human beings other than the sender and recipient.”

This is often referred to as the New York Gmail Opinion. But it refers to protecting confidentiality, not to security.

First of all, your online security is primarily up to you. There’s more risk of compromise from your end than your service provider’s end. But the huge service providers also present huge tempting targets for hackers. Every few months, some major online service provider reports some security breach3, whether major or minor.

So because of these incidents, everyone using web-based email (not just lawyers) is going to have to strongly consider upgrading security practices. If you are using Gmail to communicate with clients, upgrading to two-step verification should be on this week’s to-do list. Simply put, setting up the two-step verification means that in addition to logging in with your user name and password, you also have to enter a code that is sent to your mobile phone either by voice message or text message. This may sound like an unacceptable pain to deal with, except for the fact you can have the computers you regularly use remember the code for thirty days. So it may be a pain a dozen times each year, but the payoff is that even if a hacker cracks into Google or cons someone into revealing your user name or password, the hacker still cannot get into your account without access to your mobile phone or authorized computer.

For more detailed instructions, visit Google’s page on “Getting started with two-step verification.”4 Many other online service providers have this security service, and others will be rushing to roll them out. After a recent breach caused some Dropbox users to receive spam due to accounts compromised via third party websites, Dropbox promises two-step verification “in a few weeks” along with other enhanced security features.5

The time has come for lawyers to use two-step verification for web services containing sensitive information whenever they can.

However, two-step verification is not something one should do thoughtlessly. A very interesting article “How I lost Access to my Google Account for Weeks Thanks To Two-Step Verification”6 was recently published. The author notes that a “perfect storm” of several events combined to create the problem and still endorses the idea of two-step verification, but reading this post will help you make certain that it doesn’t go wrong for you.

Lawyers who are committed to using Gmail should really take a hard look at Google Apps for Business.7 For a relatively modest $50 per user per year, you get many increased security features, along with a huge number of business tools. Among the more significant of these is having a customized email address (such as your law firm’s domain name) rather than using gmail.com.

Many laptop or tablet users regularly use free Wi-Fi hot spots, but using unsecured Wi-Fi networks carries a risk. You should avoid them when possible and when you do use them, change the passwords for services you accessed using them soon afterwards. Long, complex passwords that contain letters and/or numbers and symbols are required these days. (See sidebar on password keepers.)

In particular with Gmail, you should update your secondary email address and your security question (see sidebar), and provide a mobile phone for SMS-based account recovery. This will help you recover your account if you ever lose access to it.

If you travel a lot and need Internet access in different locations, it is important to remember that the mobile access provided by the cell phone carrier services is more secure than Wi-Fi. You can pay a monthly fee for a portable hotspot, with brand names like MiFi, or tether your computer to your smart phone (options and costs vary depending on your type of phone and carrier) or just respond to emails using your smart phone or 3G-connected iPad or tablet.

In other web-based email news, Microsoft is replacing Hotmail with Outlook.com.8 For those who are wondering how the new Outlook.com compares with Gmail, Lifehacker.com has done a feature-by-feature comparison.9

In short, web-based email isn’t perfect and the employees at some free web-based email services may be more focused on what makes a profit than on the latest in security. I know some speakers at ABA TECHSHOW™ have been quoted as saying lawyers should not use Gmail. But, read on, as email generally is far from perfect and secure regardless of what “flavor” of email provider you are using.

Question 2

Should I be concerned with the email service my client uses to communicate with me?

This one is relatively easy. Yes.

Since email exists in both the sender’s and the recipient’s accounts, it is just as important for both “ends” of the “conversation” to be secure. So everything noted above also applies to the client, plus there are additional issues.

The most significant of these issues is the client who uses his or her work email as their personal account. Most every business now has in its handbook that all email in the system is not private and it belongs to the employer, with full right to the employer to read and review it at any time. A recent California case held that an employee suing her employer could not claim attorney-client privilege with email correspondence with her lawyer made using company computers.10 Since the waiver of privilege is so significant, most lawyers will advise their clients never to communicate with them using their employer’s computers or employer’s email account.

There are also other potential issues with client email, including whether the password to the client’s email account is or ever has been shared with another. The bottom line is that every lawyer has to have a discussion with their client if email communication between them is anticipated. And if you give your client a business card that includes your email address, that means probably almost every client.

Question 3

So should I just make my client set up a special email to correspond only with me?

That question actually struck me as a bit extreme when I first heard it. It might be required where the client only had a business email account or shared his or her primary email’s password with friends or roommates. But in every case, that would be a bit extreme and complicated. If you are representing a business, your contact at the business probably has as much of a challenge dealing with email as the rest of us. The idea that they should set up separate email accounts to deal with you would be seen as unworkable and silly, particularly since the new email account would, by corporate policy, likely need to be set up by their IT department and reside on their same server.

I certainly had heard of clients who set up separate new email accounts for corresponding with their lawyer, primarily to avoid using their employer’s e-mail. But setting up an entirely new account (and remembering to check it) seemed challenging to me.

But Oklahoma City attorney Donelle Ratheal, speaking at the 2012 OBA Solo & Small Firm Conference, made several good points in favor of a new email account for clients to use with their lawyer. Ratheal practices in the area of family law, which does have some unique aspects, as we all appreciate.

“The new trend is to request complete copies of all computer files, and all email messages to/from the client and third parties.  Then the client, or the attorney, must review the historical email messages to avoid disclosure of privileged information. If the client has a designated email account between the client and the attorney, then it is easy to distinguish it from other email accounts,” Ms. Ratheal said. “An objection to that particular account because it was exclusively created for privileged communications is then simple.  Otherwise, a judge may have to do an in camera review of email messages and approve the deletion/redaction of privileged communications.”   

She also says that this setup makes it easier to have a three-way email conversation between the client, the attorney and a witness, usually an expert witness, without concerns that the communications would be forced into disclosure through discovery. The designated email account also preserves the "work product" issue if drafts, proposed exhibits, or the client's chronology, are attached to email messages.

Another idea that Ms. Ratheal mentioned was a possible argument that changing the password on an email account that both parties have historically used could give rise to an argument that the account itself was a joint account and the privilege no longer applies, like having an attorney/client discussion in a restaurant, where third parties can hear you. Plus there is always the chance that the divorcing spouse has the login information to the account, and the client has forgotten sharing that information. Obviously, a divorcing spouse or former spouse accessing the client's email account and reading communications between lawyer and client could be a very bad thing. So in the contested family law context especially, this simple step makes a great deal of sense.

“It's akin to when we recommend to a client to open up a P.O. Box for all future mail, so the divorcing spouse does not access the client's mail, including attorney client communications,” Ms. Ratheal added.

Question 4

Should Lawyers Use Encrypted Email?

This exact question11 was recently asked by my colleague Erik Mazzone12 in a blog post. Encryption is the coding of information in such a way that it cannot be read by others who do not have the key to unlock it. Of course, there are various strengths of encryption methods that make it more or less secure and the study of encryption is an entire professional discipline. Encryption tools are available but not widely used. Studies have referenced several social factors as to why that is the case.13

This is one of several of today’s paradoxes of email.

  1. The use of email today is a virtual requirement in modern business operations. Those in business cannot have everyone else in business using one method of communications that is instantaneous, essentially free and extremely efficient14 while you struggle with some version of tin cans connected by string.
  2. Unencrypted email is not secure.
  3. Lawyers have an obligation to keep secure the confidential information of their clients, but they also have an obligation to communicate with their clients in a way that the client can use and understand the communication.
  4. Many others who have an obligation to keep information secret regularly use email ranging from ministers to employees dealing with confidential corporate information.
  5. Email still works. People send email and attachments to others who receive them. When confidential information is actually exposed because of email, it is generally because one of the authorized users made a mistake or a judgment error.15
  6. Legal ethics opinions allow lawyers to use unencrypted email to communicate with clients. After all, it is a federal crime to hack someone’s email.16
  7. If you ask most clients if they want to correspond by encrypted email, the wide-spread belief is that they will decline, and it is their confidential information that is potentially impacted.

It’s an interesting academic question. Reasonable people could disagree.

On the pro-encrypted email side of a debate, one might hear arguments like: “There’s no reason we shouldn’t do this as inexpensive encryption tools are readily available. Client confidences are deserving of the highest protection. A lawyer would never, ever want to violate attorney-client privilege.”

While, on the anti-encrypted email side we might hear: “There are few reported email breaches. There’s a greater danger that the client wouldn’t receive (or open) an important communication than there is that someone will intercept it. No one wants to mess with encryption and a lot of clients couldn’t handle dealing with it. Most of my emails to clients do not contain confidential information. And, to repeat: There is a federal law against hacking email! If my office gets burglarized, am I required to hire a security guard to protect my client’s confidential information in my office? Plus, my clients do not want to have to deal with it either.”

Whether you read the two preceding paragraphs and think pro, con or “looks like a coin flip,” may depend more on your beliefs and risk-tolerance than any truth or falsity of the statements.

As to the question of whether a lawyer should use encryption, Erik Mazzone and I will both aid your analysis with a resounding “it depends.”

Even though the current email system is theoretically, and in fact, not secure, as a practical matter there is a certain level of security just because of the massive amount of emails sent each day. If your email setup is secure and that of your client is as well, then it is very unlikely to be intercepted along the way. But if a client was targeted and information was compromised, one would hate to have to rely on the “needle in a haystack” defense.

Client confidences should be inviolate and protected. That goes without saying. Yet some risk-benefit analysis must take place. There is a difference between emails between you and your client about a brief that is to be filed next week (which communications the trial judge would never allow to be considered even if they were inadvertently disclosed), a corporate secret that your client’s competitors would be dying to get or compromising photos of a celebrity client that would surely go viral on the Internet within minutes of disclosure. A proposed change to the comment to ABA Model Rules of Professional Conduct Rule 1.6 about the lawyer’s efforts to prevent disclosure states:

“Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)….”17

So while most people are not going to bother with encryption at present, lawyers probably need to have a basic understanding of the process and when it may be important to encrypt an email or an attachment to an email. In my tips programs this year, I have mentioned TrueCrypt18, a free open source tool for encrypting a hard drive or flash drive. That would not work for email or email attachments, but Erik Mazzone mentioned in his blog post that he is testing Enlocked19 (still in beta) and also includes links to an article with more information on the subject.

Most of us who follow such things predict that we will see an increase in secure online document repositories as a part of future client services. Then the insecure email to the client would just say “Something new for you to read and respond to in the repository. Click on this link and log with the user name and password we have previously provided to you.” Already we are seeing the cloud-based practice management systems include these repositories as a part of the basic package.

CONCLUSION

Email seems to have a lot of staying power. So look for it to be with us for a while.

But email is not secure. It wasn’t designed to be. An email goes through many servers in its travels and is likely stored in more places by Internet Service Providers than most people would guess.

Some things should only be emailed if encrypted. Some should not be emailed at all.

Online Security Tip

Make up false answers to standard security questions. Most will remember how Vice-Presidential candidate Sarah Palin’s web mail account was hacked because she chose “Where you fell in love” as her security question and it was well documented that she met her husband in high school. How about deciding that your mother’s maiden name was 405MOMS!! and your favorite pet’s name was BBBrrr9935? You can write them down somewhere if you are worried you will forget. Then go change the answers to the security questions to all of the online accounts you value.

Password Managers 
Password Managers are becoming an essential tool. An Internet user needs long, complex passwords that cannot be guessed or compromised by brute force attacks. Everyone should use a different password for each important web site or service. But it is a real challenge to remember many different complex passwords. The simple solution is a software tool to remember all of your passwords. Once you log into it with a long, complex password that you do have to remember, the password manager remembers all of the rest.

Most of the legal technology experts seem to favor LastPass, but KeePass does really well in online polls. Both of these are free, although if you want to use LastPass with a mobile device then there is a $1 per month charge.  Lifehacker has a feature on these products.

The major products include:

  1. KeePass (Free) 
  2. LastPass (Free) 
  3. 1Password ($49.99) 
  4. Roboform  ($29.95) 
  5. Kaspersky Password Manager 4 ($24.95) 

Footnotes:

  1. Some of the most compelling statistics are simply made up. Don’t you agree?
  2. http://tinyurl.com/mtxm7b or http://www.nysba.org/AM/Template.cfm?Section=Ethics_Opinions&TEMPLATE=/CM/ContentDisplay.cfm&CONTENTID=13652
  3. Dropbox July, 2012 http://blog.dropbox.com/index.php/security-update-new-features/
    The Gizmodo Twitter account was apparently hacked through old-fashioned social
    engineering, i.e., talking an Apple tech support person out of the information.
    http://tinyurl.com/bv9292h or http://news.cnet.com/8301-1009_3-57486990-83/journalist-blames-apple-tech-for-allowing-icloud-hack/
  4. Google’s page on Getting started with 2-step verification: http://tinyurl.com/772aory or https://support.google.com/accounts/bin/answer.py?hl=en&answer=180744&topic=1056283&rd=1
  5. http://blog.dropbox.com/index.php/security-update-new-features/
  6. How I lost Access to my Google Account for Weeks Thanks To Two-Step Verification http://librarianbyday.net/2012/08/08/how-i-lost-access-to-my-google-account-for-weeks-thanks-to-two-step-verification/
  7. http://www.google.com/enterprise/apps/business/benefits.html
  8. http://lifehacker.com/5928102/outlook-is-a-completely-new-feature+filled-webmail-service-from-microsoft
  9. http://lifehacker.com/5931621
  10. Holmes v. Petrovich Development Co., LLC, No. C059133 (Cal. Ct. App. Jan. 13, 2011)
    See also Wired Magazine, Work E-Mail Not Protected by Attorney-Client Privilege, Court Says,
    January 18, 2011. 
    http://www.wired.com/threatlevel/2011/01/email-attorney-client-privilege/
  11. http://www.lawpracticematters.com/home/2012/07/27/should-lawyers-use-encrypted-email.html
  12. Erik Mazzone is the Director of the Center for Practice Management for the 
    North Carolina Bar Association. He is a former ABA TECHSHOW planning board 
    member and well-regarded blogger. He also writes on small law issues for Technolawyer.
  13. Gaw et al., Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted E-Mail, http://www.cs.princeton.edu/~sgaw/publications/01Feb-Activists-sgaw-CHI2006.pdf
  14. OK, sure, there are well-documented and well-remembered e-mail failures, but you
    usually receive what people send you via e-mail and when you don’t, you either find
    it in your spam filter or ask them to resend it to you.
  15. Or someone got into litigation and e-discovery exposed it. Or you work for a university 
    that has a huge scandal and it invites former FBI Director Freeh to do an investigation
    and review everyone’s e-mail. Or there was a law enforcement investigation.
  16. The Electronic Communications Privacy Act of 1986 (Pub.L. 99-508, 100 Stat. 1848, enacted
    October 21, 1986, codified at 18 U.S.C. §§ 2510–2522)
  17. ABA House of Delegates materials August 6, 2012 
    http://www.abanow.org/2012/06/2012am105a/
  18. http://www.truecrypt.org/
  19. http://www.enlocked.com/Home.html

Originally published in the Oklahoma Bar Journal -- August 11, 2012 -- Vol. 83, No. 20