Should You Use Encrypted Email to Protect Sensitive Information?

By Casey C. Sullivan, Esq. on February 20, 2017 | Last updated on March 21, 2019

Concerned with law firm data breaches, more and more in-house lawyers are using encryption to communicate with outside counsel on sensitive matters. The increased focus on email data security comes after a series of reports on law firms being hacked, including, recently, hackers who targeted M&A firms, swiped sensitive information, then made millions on insider trades.

So, should you follow suit?

Yes, Please, Encrypt It

When it comes to protecting your email, encryption can certainly help. Keeping confidential information out of the wrong hands is particularly important given the increased frequency with which hackers are targeting lawyers.

That encryption can come in several forms. The first is encrypting the text of the message itself. For example, encrypting emails in Outlook changes the content of the email "from readable plain text into scrambled cipher text" that only the intended recipient can decode. Other approaches may encrypt the entire email system. Emailers can use one or more methods.

Most major email platforms and programs, like Outlook and Gmail, provide encryption options. Still, implementation is scattershot. The American Lawyer's David Ruiz recently spoke to in-house attorneys and found that the use of encryption was growing, but not uniform. He writes:

Email encryption is a company-by-company issue, predicted by neither company size nor budget. In-house counsel at billion-dollar revenue makers, who did not comment for attribution, said installing email encryption is either not a priority for the legal departments or too cumbersome to install and train a department on its use.

But Is Encryption Enough?

Encryption is a basic step you can take to protect the most sensitive information, but that doesn't mean you'll be fully covered. Metadata may remain unprotected, for example, and end-to-end email encryption can be hard to implement, both because it's difficult for users to understand and because it can limit the user data available to email companies. Google and Yahoo, for example, are both still struggling to develop easy-to-use end-to-end encryption.

Some have suggested using "communication portals" as controlled alternatives to email. These are basically websites dedicated to sensitive communication. Instead of sending emails back and forth, users log in through a secure portal to exchange messages.

Or, if you really want to be secure, you could follow the advice given to some British attorneys: when it comes to truly sensitive information, skip email altogether. Maybe it's time to find yourself a good courier?
