Last night, the CBC reported that the foreign hackers who launched a massive attack on Canadian government computers last fall also broke into the data systems of prominent Bay Street law firms to get insider information on an attempted $38-billion corporate takeover of Potash Corporation of Saskatchewan. No surprise, statements issued by the legal firms were predictable and generic. But what struck me was that the issued statements included something that goes like this: “We take our obligations of confidentiality to our clients very seriously”.

Following on from my blog entry in November, it sure doesn’t feel that way. The medium most used by law firms to communicate with their clients is email. I have used, and continue to use, lawyers extensively for personal and corporate representation, including employment lawyers for the HR side of my life. Not once has a law firm ever used email encryption or secure email to communicate with me. Not only does the body of the email contain sensitive strategy conversations, but there are also numerous draft documents that are transferred back and forth as unsecured email file attachments.

Now I will concede that the information I am dealing with, such as personal family law matters or employee terminations, is likely not as sexy or hack-worthy as the Potash deal. But how do I know that this information is not being intercepted and reviewed? Who is going to fess up if this happens? It may be happening all the time and I just don’t know about it – and never will.

Email is a much easier target for attacks than any client file saved behind a legal firm’s firewall. Email leaves the relative safety of the legal firm and travels into the world ‘wild’ web through various passages and nodes before it gets to its final destination. It can be intercepted at any time on its zigzagged, stopped-over journey through cyberspace.
What we do trust is the technology used for internet banking to communicate and process the ultimate in high-risk and sensitive transactions, because the protocol used to transfer information is as safe as we can get it. The transmission is protected by an end-to-end SSL pipe that cannot be intercepted. When we see that additional ‘s’ in https:// in our browser, we are assured that it’s SSL protected – such as when we access internet banking or process a credit card transaction online. Without that ‘s’, the information submitted is simply not secure.

It seems to make sense that we (clients) should be expecting law firms (and government) to begin taking client confidentiality as seriously as banks do, by adopting the same type of security technology used by banking to secure email communication with clients. After all, whose responsibility is it to safeguard my (the client’s) confidential and ultra-sensitive information – the law firm’s or the client’s? Compliance requirements and the law are also clear, and echo my feelings about this important topic. It’s unequivocally the legal firm’s responsibility.

It really feels like it’s time for legal firms to put the ‘confidential’ back into ‘privileged and confidential’ for their clients. Technology exists to help them do just that.

Join the discussion. Agree or disagree?

Ariane Laird works with Email2. Email2 provides straightforward secure email encryption solutions and data leak prevention for government and law firms that use the same security technology as internet banking. Email2 enables professional services organizations to securely send, receive, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.
I have communicated with my lawyer over email for years. Every time I hit ‘send’ or open an email from my lawyer, I have always felt uncomfortable and vulnerable about the lack of security surrounding the exchange. The sensitive information and super-confidential details included in the body of the email often include financial information and legal strategy discussions. Not to mention the email attachments, which often include copies of financial statements or draft responses to opposing counsel. This private information, which is intended to be classified as ‘privileged and confidential’, can easily be cyber-attacked and intercepted.

My legal counsel exchanges confidential information with both me and opposing counsel. The communication exchange methods include unsecured fax, which can also easily be intercepted. Faxes are paper-based and are often printed in public office spaces.

I have never insisted on a secure email solution from my attorney because I naively felt that if there was a straightforward solution available, the law firm would undoubtedly have adopted it by now. After all, the responsibility for ensuring that confidential legal email exchanges remain secure lies with the legal firm, not the client. But a recent situation with my legal firm has zapped me out of complacency and into insisting that my lawyer adopt an email encryption solution to secure my email transactions and records.

In this particular situation, my attorney and I were involved in hot negotiations with another party and working on a 10-page proposal to be presented to opposing counsel. As the client and active participant, I literally spent at least 15 hours working on the proposal to ensure it was positioned perfectly. To accomplish this, my attorney and I emailed 10 versions of the draft proposal back and forth as email attachments. When it was finalized, I gave my lawyer the green light to send the proposal to opposing counsel.
Unfortunately, the wrong version of the proposal was faxed to opposing counsel by the legal firm’s receptionist. It was void of important changes in strategy and points included in the final version of the proposal. Because it was sent by fax, there was no way to retract the proposal. Re-sending the correct version of the proposal to opposing counsel would only have served to highlight the changes in the document and divulge the evolving strategy. There was nothing I could do except deal with my frustration.

The following ‘fix’ may appear biased. But this is a true account of my unfortunate experience, and email2’s secure email is truly the ideal solution to address the discomforts outlined in this blog post.

Firstly, email2’s secure email would ensure that my private email exchanges (and attachments) with my lawyer are as secure as internet banking.

Secondly, email2 would be able to repair the erroneous send of the older version of the proposal. Had the legal firm adopted email2’s encrypted email solution, the message and file attachment could have instantly been recalled – even if opposing counsel had opened and read the email and attached proposal. The email and the attached wrong version of the proposal would have instantly been fully recalled (pulled) from opposing counsel’s inbox, and the correct version would have been re-emailed.

Third, I have also been in a position where the legal firm does not hear back from opposing counsel for weeks, and we’re never sure if opposing counsel has received or read the proposal. They simply go dark. Are they away? On vacation? With email2, my lawyer would have access to message tracking capabilities and instant visibility into what happens to an email after it’s sent. Were the message and attachment received? Read? Printed? Deleted? Saved? email2 also provides functionality to prevent opposing counsel from forwarding, saving or printing the email and attachment for full control of confidential exchanges.
email2 does not require my legal firm or me (the client) to change our existing email – including my use of Outlook, Blackberry, or Yahoo. So there should be no reason why clients can’t insist that their legal firm of choice adopt a solution that provides secure email and controls.

Join the discussion. Tell us your stories about unsecured communication with your legal firm.

Ariane Laird recently joined email2. email2 enables professional services organizations to securely send, receive, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.