Do You Encrypt Your Email?

by Cindy Wolf on May 23, 2012

Please answer this one question!

Hint: If you think you need to ask IT, the answer is no.

A few weeks ago, I got into a bit of a tiff with another writer about whether lawyers should be encrypting their email with clients to meet their ethical obligations. The writer works for Zix Corporation, an encryption service company, and his article was published by Attorney at Work, which often publishes articles about new technologies provided by vendors. But this article wasn’t clearly pitching Zix’s services; it was cautionary tale about the security requirements lawyers should be using to meet ethical requirements. A colleague even called the article to my attention because she was concerned that she wasn’t encrypting her email – she missed the author’s bio at the end.

While the Zix article posits that lawyers risk ethical violations by sending unencrypted email, my reading of the few related ethics opinions doesn’t go so far. In fact, while two states, California and North Carolina, bring up that encryption might be something lawyers should consider using, they fall very short of stating that unencrypted email is dangerously insecure and that lawyers must encrypt. In fact, the ABA hasn’t changed its opinion from 1999, which is that there is a reasonable expectation of privacy in unencrypted email, if used properly.

On the other hand, ILTSO, the International Legal Technical Standards Organization, has definite opinions on technical security and they not only say that encryption is required for client data being communicated through the public Internet, but they recommend encryption bit thresholds, verification by unexpired third party certificates, and making sure that encryption is truly end-to-end.

Then I went to a recent CLE program put on by a prominent Denver law firm entitled “Privilege and Preservation in the Corporate Setting; Practical Tips for Avoiding Communication Pitfalls in the Digital Age.” Fantastic, I thought. I’ll find out what the latest law really is on this subject. When it became clear that the speaker wasn’t going to address encryption in her talk, I asked the question: “Should email be encrypted to preserve the attorney-client privilege?” I didn’t mean to throw the speaker, but I did. She said she didn’t know of any court using it to declare whether a communication was privileged but didn’t believe a court would invalidate the privilege because a lawyer failed to encrypt an email (and I would trust Zix to point out those cases if there were any). Then I asked whether she knew if many lawyers encrypted their email and she didn’t.

But, I would still like to know! I invite you to comment. Please answer the following questions:

  1. Do you regularly send or receive encrypted email in your client communications?
  2. If you do not, have you considered it, and why did you decide not to?

Promise: If you say no, I will not send your contact data to any ethical committees or encryption providers.

Cindy Wolf is a Colorado lawyer with more than 25 years’ experience representing large and small domestic and multinational companies. Her expertise is in commercial contracting, with an emphasis on technology licensing and the Internet.


Brenda Speer May 23, 2012 at 10:47 am

I do not encrypt email. However, I do use a secure email service and drop box (www.BitWeld.com — a Colorado company!) to send and received sensitive communications and documents to and from clients.

Rick Daily May 23, 2012 at 11:04 am

I have one client who insists on encrypted email. His computer has been hacked more than once, and he assumes that someone will try again. I find it cumbersome and annoying, although I suspect that my difficulties will disappear as I send more and more encrypted emails. It would be useful to look at this issue more rigorously; I’d be happy to contribute.

Barb Cashman May 23, 2012 at 11:25 am

Great post Cindy, very thought provoking. I don’t encrypt emails, and my intake form does ask whether the client is okay with communicating via email. My cloud-based practice management software offers the capability of it, but haven’t had to use it yet.

David Harrison May 24, 2012 at 4:45 pm

I do not encrypt my email, nor do I put the ‘disclaimer’ at the bottom that many lawyers do (i.e. “If this email is not meant for you don’t read it, just delete it and let me know”) on the assumption that such a disclaimer is really useless (especially at the END of an email). I assume email communications are like letters in an envelope – they have to be opened to be read and opening one that is not yours is inappropriate, maybe even criminal – and we never marked the front of envelopes with a ‘don’t open this if it is not to you’. I don’t see why email should be treated differently, but am interested in others thoughts on this.

BobChristensen May 30, 2012 at 5:58 am

Unencrypted email is more like a postcard than a letter in an envelope.
It is available for reading to any and all who either stumble across it or who harvest it. I am amazed at the number of attorneys who use Gmail with complete disregard for the fact that Google is routinely sifting the content of messages looking for ways to “refine its marketing message.”
The financial services sector is far ahead of lawyers in this regard. Every financial institution worth a dime has switched over to encrypted, browser-based communication in order to protect customers’ information (and avoid the damages that breaches inevitably create). Heck, even the cable company uses communications systems more secure than nearly every law firm.
All it will take are a few cases with financial consequences; then insurance companies will be requiring their lawyer-customers to have and use secure communications.

Comments on this entry are closed.

Previous post:

Next post: