Email security is the single biggest threat to client confidentiality, yet no-one seems to be doing much about it. Why not? Legal professionals routinely handle just about the most sensitive information imaginable, and our clients and regulators expect nothing less than absolute discretion.
In my previous career as a solicitor, and current role as compliance adviser, I have seen countless instances of confidential documents being sent unencrypted to clients and third parties. It’s so run-of-the-mill that nobody thinks anything of it. In a post-Snowden world everybody should be more attuned to the risks of communicating online.
Does any of this sound familiar?
- Sending a client’s medical records to an expert or counsel for review…
- Forwarding a witness statement to a client or third party for signature, and giving instructions on how to scan and return…
- Whizzing entire court bundles to counsel for a last minute hearing…
- Dispatching a draft SPA to a client involving the sale of their business, before the employees have been told…
These are just examples that I remember being guilty of in practice. (Don’t judge!)
Let’s go back a few steps. What exactly is the problem?
It comes down to data protection and professional obligations, as well as commercial considerations.
The Data Protection Act requires you to protect your clients’ personal information, and to take particular care when handling sensitive material (including medical records). The DPA carries heavy penalties (£500k at the top end), and offenders are often named and shamed. Last year, the Information Commissioner’s Office highlighted the risk of data breaches in the legal profession. Worryingly, it received little attention.
The SRA requires you to keep the affairs of clients confidential. The SRA and SDT between them have almost limitless fining and punishment powers. You don’t want to wake the beast.
Your clients are not going to thank you for being at fault for their data being compromised because you saw fit to send it willy nilly across the internet. And next time you are pitching for work you may just get an awkward question or two.
There is of course also the risk of opening yourself up to professional negligence claims.
Ok, there’s a problem. What is the solution?
The ICO suggests lawyers think before pressing ‘Send’:
“When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.”
As far as I can see (and I am by no means an IT expert), there are five approaches you could take to address the problem firm-wide:
- Send all email unencrypted with a disclaimer in the footer, along the lines of (“this email is confidential, and if you are not the intended recipient you should disregard it and destroy it…” blah blah). This seems to be what most firms do. Frankly, it’s not good enough. According to LexisNexis:
“Relying on a mere statement of confidentiality when sharing privileged communications by email is a weak measure–and further it might protect the law firm but affords very little protection for the client.”
- Send unencrypted email, but with all confidential documents contained in password-protected files (.pdf, .docx etc.). This is probably a better way to go about protecting individual documents, but I can imagine a lot of clients not reading the memo about the password. Which will of course prompt a phone call about not being able to open files, and no doubt will result in a conversation about the thing you were trying to save time explaining by email. It might work, but IT people would probably describe it as ‘clunky’.
- Make all outgoing mail encrypted. Basically this means the email will look like gibberish until ‘unlocked’ by the recipient. The trouble is, the recipient has to have the encryption key, and so you have the same issue as above. You are also going to have to talk Partner A and client Jones (you know who they are) through the steps for setting this up through Outlook (which you can definitely do) or a third party provider. At the very least it’s a training session for both.
- Use a secure platform where you and a client/third party can share confidential information by logging on. Some case management systems have this functionality built in, and I know of a certain company that specialises in the exchange of documents and has its own platform. No doubt there are countless other solutions out there. This to me seems like the most sensible solution but could involve a significant investment in IT or subscription costs. There’s also the issue of who owns the client data, what happens to that data if the company folds, their servers get hacked etc.
- Go back to sending letters. Let’s not fool ourselves, the post isn’t exactly secure.
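To make the second and third options above concrete, here is an added example (written for this page, not code from the original post or from any product it mentions) of what "password-protecting a document" actually does underneath: a password is stretched into a key with PBKDF2, and the document is sealed with AES-GCM so that a wrong password or a tampered file is rejected outright rather than producing garbage. The sample document and password are constructed for illustration, and the iteration count is an assumed value; the program uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen = 16
	keyLen  = 32     // AES-256 key
	iters   = 200000 // PBKDF2 work factor (assumed value for illustration)
)

// pbkdf2SHA256 is plain PBKDF2-HMAC-SHA256 (RFC 8018), written out here
// so the example needs nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, length int) []byte {
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// SealDocument encrypts a document under a password.
// Output layout: salt (16 bytes) || nonce (12 bytes) || AES-GCM ciphertext+tag.
func SealDocument(plaintext []byte, password string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256([]byte(password), salt, iters, keyLen)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(salt, nonce...)
	return gcm.Seal(header, nonce, plaintext, nil), nil
}

// OpenDocument reverses SealDocument. A wrong password, or any change to
// the file, makes the GCM tag check fail and returns an error.
func OpenDocument(blob []byte, password string) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	key := pbkdf2SHA256([]byte(password), salt, iters, keyLen)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rest) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, rest[:ns], rest[ns:], nil)
}

func main() {
	// Constructed sample document and password; not a real client file.
	doc := []byte("Draft SPA v3 - sale of Jones Ltd (CONFIDENTIAL)")
	pw := "read-out-over-the-phone"
	blob, err := SealDocument(doc, pw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed: %d bytes, unreadable without the password\n", len(blob))
	if _, err := OpenDocument(blob, "wrong password"); err != nil {
		fmt.Println("wrong password rejected:", err)
	}
	pt, _ := OpenDocument(blob, pw)
	fmt.Printf("recovered: %s\n", pt)
}
```

The point the post makes still applies: the password has to reach the client by some channel other than the email carrying the file (a phone call, for instance), and if it is lost there is no way to recover the document, which is exactly the "memo about the password" problem described above.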
The bottom line
Email is a critical business tool. But the data security risk is a huge, profession-wide and largely unaddressed issue. We are routinely risking our clients’ confidential data. Unless we do something about it, there will be high profile cases of data protection breaches, scandals, fines and disciplinary action – it’s just a matter of time.
We cannot wait for clients or the regulators to demand that we change. They will not, unless and until there is a huge problem. Clients won’t worry until there is something to worry about. They have their own concerns, and trust us not to play fast and loose with their information. As for the regulator…well to be fair OFR puts the onus on the compliance officers to deal with all risks – including data protection and confidentiality. But the SRA is so bogged down in imminent threats (client account scams, ‘bogus’ firms) that the trusty old email seems way off their radar for the time being.
I would be really interested to hear from people who have come across any decent, low cost, simple solutions that the profession could embrace.