Email security is a large and thorny issue and one that law firms have generally avoided. For someone sending up to a hundred or even more emails a day, even minimal extra steps to secure/encrypt email and attachments are seen as “too much work.”
Given the dramatic increase in hacking and government spying, as well as recent court rulings to the effect that non-secured sharing of documents voids attorney-client privilege, this is bound to change as corporate clients in particular insist that their emails be properly secured.
Two of the most popular security steps that are relatively non-intrusive are metadata cleaning and sending emails (especially very large emails) as a link to a secure site. What does this mean and what does it entail?
Metadata is information in and about a document that you may or may not want the recipient to see. This can include track changes, hidden text or comments, the authors of various comments, the origin of the document, the authors of revisions (and how much time they spent). It can also include proprietary macros, footers, and field text info (paragraph numbering, table of contents and similar functions).
Some of this is information that you may want or need to keep, such as track changes if the recipient is collaborating on the document. Also, be aware that if you clean “metadata” from PDF files that are being used in conjunction with electronic signature software (DocuSign, eSign, etc.), it may prevent the electronic signatures from working.
The need for metadata cleaning becomes abundantly clear from a real-life example that happened to one of my clients several years ago. They received a document from opposing counsel in a corporate deal they were negotiating. The Word document contained hidden text and comments, but when opened (at that time with WordPerfect) all the comments popped up immediately, including one that said, in essence: “Jim, do you think we can get away with this sort of language?” Obviously my client called the other side and said: “Now, you don’t really think we’re going to agree to that sort of language, do you?” Game over.
However, a firm needs to establish a definite policy concerning metadata cleaning, because there is bound to be blow-back from attorneys and staff that even minimal extra steps are “too much work” or “slow down my computer.” So a firm needs to have a thorough discussion and get definite buy-in before trying to implement such a policy.
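The kinds of metadata listed above (comments, tracked changes, hidden text, author names, editing time) are stored as plain XML inside a .docx file, so a pre-send check can list them before a document leaves the firm. The following Python sketch is an added example, not code from any product named in this article; it uses only the standard library, and the sample document, names and comment text in it are constructed.

```python
import io, zipfile
import xml.etree.ElementTree as ET  # use defusedxml for files from outside the firm
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

def _part(z, name):  # parse one XML part; empty element if the part is absent
    return ET.fromstring(z.read(name)) if name in z.namelist() else ET.Element("absent")

def audit_docx(data: bytes) -> dict:
    """List metadata a recipient could recover from a .docx (a zip of XML parts)."""
    out = {"comments": [], "tracked_changes": 0, "hidden_text": [], "authors": set(), "editing_minutes": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc, com = _part(z, "word/document.xml"), _part(z, "word/comments.xml")
        core, app = _part(z, "docProps/core.xml"), _part(z, "docProps/app.xml")
    for el in doc.iter():
        if el.tag in (f"{{{W}}}ins", f"{{{W}}}del"):         # tracked insertion/deletion
            out["tracked_changes"] += 1
            out["authors"].add(el.get(f"{{{W}}}author", "unknown"))
        elif el.tag == f"{{{W}}}r" and el.find(f"{{{W}}}rPr/{{{W}}}vanish") is not None:
            out["hidden_text"].append("".join(el.itertext()))  # run formatted as hidden
    for c in com.iter(f"{{{W}}}comment"):                    # reviewer comments
        out["comments"].append("".join(c.itertext()))
        out["authors"].add(c.get(f"{{{W}}}author", "unknown"))
    for el in core:                                          # document properties
        if el.tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy") and el.text:
            out["authors"].add(el.text)
    t = app.find(f"{{{EP}}}TotalTime")                       # total editing time, minutes
    if t is not None and t.text:
        out["editing_minutes"] = int(t.text)
    return out

def make_sample() -> bytes:  # constructed sample, not a real document
    parts = {
        "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p>'
            '<w:ins w:author="J. Doe"><w:r><w:t>Revised.</w:t></w:r></w:ins>'
            '<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note</w:t></w:r></w:p></w:body></w:document>',
        "word/comments.xml": f'<w:comments xmlns:w="{W}"><w:comment w:author="A. Smith">'
            '<w:p><w:r><w:t>Is this wording safe?</w:t></w:r></w:p></w:comment></w:comments>',
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            '<dc:creator>A. Smith</dc:creator></cp:coreProperties>',
        "docProps/app.xml": f'<Properties xmlns="{EP}"><TotalTime>95</TotalTime></Properties>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()
```

Calling audit_docx on the bytes of an outgoing file returns the findings as a dictionary that a mail gateway or add-in could act on. It only reports hidden formatting applied directly to a run, not hidden text inherited from a style, so an empty result is not proof that a document is clean.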
Sending Emails via a Link
A second element in email security is to send email attachments via a link, not directly attached to the email. This places the attachment in a secure, encrypted repository from which the recipient can download the attachment. This may also become necessary if you are sending very large emails that exceed the maximum size allowed by Outlook (50 MB).
An additional advantage of using a product like Workshare or Sharefile to send attachments via link is that it gives you substantially greater control than just attaching the file to an email or putting it in Dropbox for sharing. When you send an attachment via a link with Workshare you can also define what rights the recipient has. Do they have to log in to the site, or is it wide open? Can they share the document with someone else? Can they download it, print it, edit it, copy it, etc.?
In short, you have considerably more control over the document than you would otherwise have. In many cases, this may not be necessary, but it is the sort of issue that when you need the functionality, you REALLY need it.
Risk and Ethical Analysis
The issue of email security has to involve a risk analysis that turns normal considerations about default settings on their head. The “normal” rule is that if you perform a given operation one way 80% of the time, then that should be the default, and for the other 20% of the time users will have to change the settings.
With email risks, however, a firm needs to take potential damage into account. You may not need to use added security such as metadata cleaning 80% of the time. However, the potential risks of users not properly using the metadata cleaner the other 20% of the time are sufficiently great (see the hidden-comment example above) that priorities may need to be reversed in order to protect the firm from major damage, potentially even large monetary damage.
From the point of view of an attorney’s ethical duty to protect the confidentiality of client documents, it is significant that in a recent court decision (Harleysville Insurance v. Holding Funeral Home), the judge ruled that uploading files to the web (Box in this case) without either a password, forcing users to log in, or otherwise securing them voided attorney-client privilege on the documents. It was, the judge said, “the cyber world equivalent of leaving its [plaintiff’s] claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imag[in]e an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”
Although this is the first published decision to take this sort of position, it is becoming apparent that similar standards will be increasingly applied in the future.