I suggested in my last post on cloud lawyering that your corporate email account may well be less confidential than the average chat app. What can you do to make your communications "more secure"?
It depends on what you mean by "secure". Information security (InfoSec) is about more than just confidentiality! Consider a fairly routine email exchange between Lenny the lawyer and Carl the client:
Carl: Hi Lenny. Latest instalment in the ongoing Project Tango saga. Can you please review the attached settlement agreement and let us know your thoughts. Thanks, Carl <attachment: million dollar settlement.docx>
Lenny: Thanks Carl. I've reviewed the agreement you provided. Our advice is more fully set out in the attached, but in summary, it mostly looks good. We think that clauses 5, 7 and 22 are potentially problematic. You should push back on these as per the attached, but the others marked up are very much "nice to haves", not essential. Happy to discuss further. Cheers, Lenny <attachment: million dollar settlement - lenny comments.docx>
Carl: That all looks good, thanks Lenny. We've put your suggested approach to the other side and they've agreed. I understand the settlement funds will hit your trust account in the next day or two. Once they arrive, can you please make payment to our account, 12-3456-7891011-12. This is different to the account you normally use; it specifically relates to Project Tango. Thanks for your help with this one!
Lenny: Thanks Carl. I'll pass that on to our accounts team. I'm glad we were able to finally put Project Tango to bed!
This post considers the other InfoSec risks that apply to this type of entirely routine communication. If you just want the bottom line, feel free to skip to the end.
Privacy and confidentiality
Is the communication secret? As discussed in my last post, probably not. There is a range of additional security measures that can be implemented to make email more confidential, but these rely on both parties implementing compatible measures.
For long-running or complex projects, or for well-established and ongoing relationships between lawyer and client, consider discussing the security measures that each party has implemented and decide whether email is sufficiently confidential or not. If email isn't sufficiently confidential, there are alternative communication tools that might be useful.
At minimum, Lenny should consider refraining from putting actual legal advice in an email (the digital equivalent of a postcard), and instead attaching separate advice. If the communication is not automatically encrypted, Lenny might want to consider separately encrypting the advice (Word's default password protection is pretty secure). Lenny's second email may therefore read instead:
Lenny: Thanks Carl. Our advice is set out in the encrypted document attached. To decrypt, follow the instructions we've previously provided. Happy to discuss further. Cheers, Lenny <attachment: encrypted doc.docx>
While the email contents and metadata are potentially insecure, Lenny has made sure that all substantive legal advice is restricted to the encrypted attachment.
Are the emails from the person they appear to be from? An email's from field is very easy to alter (this process is known as "spoofing"). Email systems can also be hacked to lawyers' detriment. Lenny doesn't really have any idea whether the person on the other end of the email chain is really Carl, and he may have just instructed a million dollars in settlement proceeds to be directed to a completely unknown bank account. And while there are some security measures to make email spoofing harder, there isn't much Lenny can do if Carl's email account is compromised.
The low tech solution is pretty foolproof. Lenny could give Carl a ring to confirm he's received his email with the new settlement instructions. A bewildered response will show that something has gone wrong somewhere. More technical solutions may involve a communication tool that isn't vulnerable to spoofing and is resistant to hacking - for example, something that requires multi-factor authentication to log in.
Is the communication received the same as the communication that was sent? Once sent, it is trivial to alter an email or attachment. Suppose the settlement agreement was signed without altering the problematic clause 5. Lenny points out that he expressly raised clause 5, while Carl responds by pointing out that his version of the email and attachment refer instead to clause 4, with no mention of clause 5. Who altered the email?
It is sometimes possible to determine alterations to digital information through the use of experts with specialised software (and of course, for really basic alterations you can just check the metadata). But ultimately Lenny and Carl each have a copy of a separate digital file that says different things.
Locking a document for editing might go some way towards addressing this issue. Suppose Lenny sent his advice in a locked pdf, rather than an editable document. Carl wouldn't be able to subsequently alter the document, so any alterations must be by Lenny (although even that isn't foolproof).
If integrity is of critical importance, a better option is to use a document sharing tool that incorporates an audit trail of who accessed (and altered) a document and when. Instead of sharing actual separate attachments, you instead share a link to a file hosted somewhere with audit records. You might be familiar with this type of feature from virtual due diligence data rooms used for mergers and acquisitions activity, or digital discovery in litigation. However, most popular document management tools include similar functionality, including corporate solutions like iManage and OpenText and SaaS options like Netdocs, Box.net and OneDrive for Business.
Possession or control
Whoops! Lenny didn't respond to Carl! He accidentally sent the email to the other side in the settlement negotiations! Lenny realises his mistake straight away, and tries to retract the email. When that doesn't work (it almost never does) he sends a grovelling email asking the other side to delete it unread and pointing out that his email signature includes some disclaimer to this effect.
By sending an email, Lenny has lost control of his information. Whoever receives it now has control of it and its content and attachments. There are lots of other ways control can be lost, including Carl misdirecting a response, or one or both of Lenny and Carl's email systems being hacked.
If an email containing legal advice in the body of the email, or an email attaching a document containing legal advice is misdirected, it is gone and there is nothing Lenny can do to regain control other than relying on the goodwill of the recipient. Even if Lenny's email system employs some kind of encryption so it isn't able to be read in transit by third parties, the recipient of an email can (almost) always read it.
The link sharing approach again provides a solution to this problem. If Lenny shares a link to the legal advice on a separate platform with secure log ons, it doesn't actually matter if the email containing that link goes astray. A secure platform means that the recipient should not be able to read the substantive content anyway. But even if Lenny shares a link that isn't secure (i.e. "anyone can access this link"), Lenny still retains control of the document. As soon as Lenny realises he's misdirected the link, he can remove the legal advice or otherwise deactivate the link, ensuring that the legal advice cannot be accessed. Lenny always retains control, even when the information is shared.
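The audit trail and revocable link described in the two sections above can be sketched as follows. This is an added example, not part of the original post and not any vendor's implementation; `ShareStore` and its method names are hypothetical, and the hash-chained log is one assumed way of making the audit records tamper-evident.

```python
import hashlib, secrets, time

def _digest(entry):
    return hashlib.sha256(repr(sorted(entry.items())).encode()).hexdigest()

class ShareStore:  # toy link-sharing platform (hypothetical, not a vendor API)
    def __init__(self):
        self.docs, self.audit = {}, []   # token -> record; hash-chained log

    def _log(self, actor, action, token, data=b""):
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "token": token, "doc_sha256": hashlib.sha256(data).hexdigest(),
                 "prev": self.audit[-1]["entry_hash"] if self.audit else "0" * 64}
        entry["entry_hash"] = _digest(entry)       # chains to the previous entry
        self.audit.append(entry)

    def share(self, owner, data, readers):
        token = secrets.token_urlsafe(32)          # unguessable link id
        self.docs[token] = {"data": data, "owner": owner,
                            "readers": set(readers) | {owner}, "active": True}
        self._log(owner, "share", token, data)
        return token

    def fetch(self, actor, token):
        doc = self.docs.get(token)
        if not doc or not doc["active"] or actor not in doc["readers"]:
            self._log(actor, "denied", token)      # misdirected link: nothing leaks
            return None
        self._log(actor, "read", token, doc["data"])
        return doc["data"]

    def revoke(self, actor, token):
        if self.docs[token]["owner"] != actor:
            raise PermissionError("only the owner can revoke")
        self.docs[token]["active"] = False         # owner keeps control after sharing
        self._log(actor, "revoke", token)

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False                       # an entry was edited or removed
            prev = e["entry_hash"]
        return True

    def is_shared_version(self, token, copy):
        shared = next(e for e in self.audit if e["token"] == token and e["action"] == "share")
        return secrets.compare_digest(shared["doc_sha256"], hashlib.sha256(copy).hexdigest())
```

In the clause 4 versus clause 5 dispute, `is_shared_version` compares each party's copy against the hash recorded when the link was created, and `audit_intact` shows whether the log itself has been altered since.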
Availability refers to the ability to access information when needed. While closely related to possession or control, it isn't identical. Even if you possess a copy of a communication, you might still not be able to access it - for example, it is in an obscure file format that requires special software, it is encrypted, or you are suffering a computer malfunction or server down time.
Obviously if Lenny and Carl are using a cloud-based SaaS platform to communicate, their ability to access their communications is dependent on the ongoing availability of that platform. And these have been known to cease business.
More subtly, suppose Lenny's firm does use a document sharing tool like those outlined in some of the preceding sections. All advice from Lenny to Carl is uploaded to Lenny's platform; Carl can securely access the advice at any time. But Carl doesn't have his own copy of the advice under this approach. If Lenny ceases acting for Carl, it may be that Carl's access to the platform is revoked. Lenny's firm may adopt a new platform without access to previous advice. Or Carl may just lose his password when he really needs access.
In these circumstances, Carl should make sure he downloads his own separate copy of the advice. If Carl's organisation has its own document management system (or a collaborative legal management system), Carl may even require that all his legal advisers use his system, rather than their own, to securely share advice. Given he pays the bills, he is probably in a position to require this.
The bottom line
There are many ways to address the various InfoSec risks. Certainly one option is to adopt an entirely secure document sharing, collaboration and communication tool and remove email from the equation entirely. However, the major advantage of email is its ubiquity - everyone uses it. You don't have issues regarding compatibility between lawyer and client, lawyers' multiple clients, and clients' multiple lawyers.
One method I've found very effective in the context of communication between lawyers and clients looks very similar to the way lawyers work right now:
Carl: Hi Lenny. We've received the latest instalment in the ongoing Project Tango saga. I've uploaded this to our secure collaboration platform. Your usual log on, password and 2FA will enable access to this. Can you please review the attached settlement agreement and let us know your thoughts. Thanks, Carl <link: million dollar settlement.docx>
Lenny: Thanks Carl. I've reviewed the agreement you provided. I've marked up our advice into a new version and uploaded this to your platform. Happy to discuss further. Cheers, Lenny <link: million dollar settlement - lenny comments.docx>
Carl: That all looks good, thanks Lenny. We've put your suggested approach to the other side and they've agreed. I understand the settlement funds will hit your trust account in the next day or two. Once they arrive, can you please make payment to our account, using the settlement instructions listed on the Project Tango page of our collaboration platform. This is different to the account you normally use; it specifically relates to Project Tango. Thanks for your help with this one!
Lenny: Thanks Carl. I'll pass that on to our accounts team. I'm glad we were able to finally put Project Tango to bed!
Email is still a primary means of communication. But it is only used for "meta" communications - communications about other advice and information. Substantive legal advice, documents, and important matters relating to the project (e.g. settlement instructions) are shared and collaborated on using a platform designed to meet modern InfoSec risks (that is actually used to its full capabilities):
- Information on the platform is secured appropriately to ensure its confidentiality;
- Access to the platform is restricted to those involved in the project with appropriate security measures;
- Accessing and editing the documents on the platform is subject to continuous monitoring and audit, recording changes and the integrity of documents;
- Only links are shared. In the event that an email is misdirected or an account hacked, access to the substantive documents can be revoked (or is prevented from the outset); and
- All parties remain free to download and retain their own copies of information on their existing (hopefully secure) internal systems.
These subtle, but important, changes can provide a far greater degree of security, without requiring lawyers and clients to fundamentally change the way they work.