Who Is Responsible for Email Messaging Security—Law Firm or Client?

http://www.messagingnews.com/story/who-is-responsible-email-messaging-security-law-firm-or-client With severe consequences for non-compliance, email messaging security can no longer be ignored; more and more organizations and people contend, it is now a “must have.” But the challenge is that email was not designed to support the gamut of today’s business requirements. Until recently the only way to achieve messaging security was to send a decryption key to the recipient and then send an encrypted message that could be opened with the key. This has proven so cumbersome that in most cases even if the protocol has been adopted by the company, it is seldom, if ever, used. Currently, over 40 states have data breach legislation in place, including Federal initiatives like HIPAA and Sarbanes Oxley, that covers the Healthcare and Finance industry respectively. In 2010, we witnessed one of the first HIPAA lawsuits involving the Connecticut Attorney General and Health Net Inc., which settled at a cost of $250,000 to the company. It is likely that there will be many more data security breach cases, as smaller sized businesses are finding it difficult to address the problem on a low budget. Law firms in particular are taking a closer look at securing their communication, especially when dealing with clients that are covered by the new data breach laws. The importance of email security becomes more significant for external legal representation. In particular, the security implications associated with the exchange of legal confidential information is often the most sensitive in nature. Cloud computing has surged in recent years in the corporate IT space and emerged in the legal industry. It lends itself nicely to open and quick-to-deploy applications without the need to invest in new infrastructure. Given the security needs, the growing legal risks, and a preponderance of small- to mid-sized firms, legal firms are certainly in the forefront of companies needing a quick solution at a low-cost and minimal interruption to their operations. There are also additional advantages of using cloud-based solutions: Considering the growing number of employees working remotely, including those who work away from the office, periodically, on client sites, exposure increases materially and email messaging security on laptops becomes even more imperative. Consistent, rules-based monitoring of the content and ensuring that any exchange of confidential information complies with data breach laws are fundamental. A cloud-based solution makes this possible. It is easy to include an audit trail clearly identifying who has sent or received such confidential information. This is a lawful requirement for many industries, and can often be used as evidence in data breach court cases. The International Legal Technology Standards Organization, a new nonprofit organization, is dedicated to helping lawyers better understand the practical and ethical implications of technology for their law practice environments. The ILTSO has recently released a set of standards that law firms can use to evaluate their internal security standards and assist them in the process of choosing a reliable “cloud-based” secure messaging vendor. As it specifically relates to CLOUD transmissions, the ILTSO states that whenever client data is transmitted across the Internet, it must be encrypted at every point. By default, Internet-based transmissions are typically sent unencrypted (in plain text). It is imperative that client data is only communicated online through encrypted channels. Since encryption is only as strong as the weakest link in the chain, end-to-end encryption should be required. ILTSO concludes by stating that unencrypted movement of data “packets” across the Internet presents an unacceptable risk to client data. So now the question: Does the responsibility for a secure communication channel lie with the Law firm or the client that ‘owns’ the confidential information? My answer: The responsibility should lie with the law firm, offering proper messaging security to all its clients to reduce possible punitive damages to their clients. Especially today, when there are low cost solutions that can be quickly implemented and that work securely.