In a very short period of time, e-mail has become a standard method of communicating with colleagues, partners, associates, suppliers and clients. The widespread use of e-mail can be found in all areas of commerce, and the legal profession is one that has embraced this new medium of communication, as unit costs for e-mail help to drive down the firm’s overall communications bills, and any form of cost saving is welcome in today’s competitive marketplace. The speed of transmission and receipt of e-mail is another benefit, and is often the deciding factor for firms considering the implementation of e-mail systems.
E-mail is not without its drawbacks, however. Due to the nature of the technologies behind the medium, it is a less secure form of communication than many of those traditionally used by the legal profession, including DX, fax, standard and registered post.
“The Internet is an insecure medium. Messages may pass through the hands of unregulated service providers; the networks used by the Internet are vulnerable to hacking” Source: Electronic Mail Guidelines for Solicitors – Law Society of England & Wales – 04/2000
“E-mail is another area fraught with privacy problems. When you send an e-mail to a friend, it will very likely be handled by several different online services before it reaches its final destination. As a result, spying on e-mail is relatively easy to do, and some estimates put the number of intercepted e-mails as high as 10%” Source: Guardian Unlimited – http://www.guardian.co.uk/internetnews/story/0,7369,567118,00.html – Oct 11, 2001
There are a number of ways in which e-mails originating from the practice may be protected, including software encryption, hardware encryption and various methods of controlling and administering access to the e-mails.
Encryption
The safest way to protect your e-mails from prying eyes is to encrypt them. In its most basic form, encryption involves taking the individual characters of a message and replacing them with alternative characters. Children often play games and solve puzzles using encryption, where letters have a permanent substitute (e.g. for A substitute B; for B substitute C, and so on). This is the fundamental principle of all encryption technologies, though clearly this example would provide an inappropriate level of protection, as it is easy to decrypt. The advent of computers heralded the dawn of a new encryption age. It is now possible to protect messages with such a high degree of encryption that it is all but impossible for an individual cracker to decrypt them.
There are many different levels of encryption, and a practice should think twice about accepting encryption levels below 128-bit (the higher the number, the greater the protection). 128-bit encryption is the level used by most banks to store our financial details online, and is currently widely regarded as being pretty much impenetrable. This level of encryption was developed in the USA, and when it was first developed the US Government considered it such a threat to national security that technology companies were not allowed to export it for use in other countries. Eventually the government relented, and allowed export by firms that had valid arms export licenses! Higher levels of encryption are now available, but firms should weigh up the (currently minimal) benefit of higher protection against the longer decryption times required for significantly higher levels of protection. An encryption level of greater than 256 bits is effectively uncrackable, either by individual hackers or government agencies. Such is the protection offered by strong encryption that governments are introducing legislation such as RIPA 2000, giving them the power to demand an encryption key from an individual or firm.
Encryption and The Law Society
In April 2000 the Law Society published and distributed a document entitled “Electronic Mail – Guidance for Solicitors”. In view of the fact that, in its basic form, “The Internet is an insecure medium”, the Law Society recommended that “Firms should not include confidential information in non-encrypted e-mail without the informed consent of clients, whether corporate or individual. In the case of individual clients, solicitors are advised to ensure that their clients fully appreciate the risks being described above”. This is sound advice, and though it was given over two years ago, it is advice that many law firms are choosing to ignore.
E-mail Control
In addition to the protection offered by encryption technologies, firms may wish to consider the additional benefits offered by controlled e-mail systems. When an e-mail is sent in the traditional way (odd to think of a technology as young as e-mail as having “traditions”) you relinquish control over what happens to the content of that e-mail the instant it leaves your practice. The e-mail may be copied, printed, forwarded to unauthorised personnel, or simply ignored. You don’t necessarily know that it was even received by the recipient (although if you have addressed it correctly, and the recipient’s own e-mail systems are working correctly, the chances of it not reaching them are minimal). You should not rely on the “request receipt” option available in Microsoft Outlook and other popular e-mail packages, as the recipient can choose not to send a receipt. There are a number of e-mail control systems available that will give you added comfort that your important communications have been received and viewed by your chosen recipient, and you may be given the opportunity to place additional restrictions on the actions the recipient may take with the e-mail, including added security measures. For instance, you may be able to disallow the recipient from forwarding your e-mail to others, or from viewing the content outside a specified timeframe, or from opening the e-mail more than a predetermined number of times. You may even be given the option of password-protecting the e-mail, which can give an extra level of security to the e-mail in addition to whatever encryption technologies you employ. The ability to have complete confidence that your e-mail has been received and opened (and when, and how often) is a must for many firms who no longer have to accept the claim that “I didn’t receive your e-mail”.
What additional software/hardware does the sender require?
This varies from system to system. Some systems require no additional software or hardware, but operate through a standard web-browser already available on the sender’s machine. In these systems the sender is usually accessing a separate mail system installed on the supplier’s servers, under an ASP agreement. The advantage of such a system is that secure e-mail can be sent from anywhere, but the disadvantage is that the sender has to run two different e-mail systems – one for unencrypted, one for encrypted – and this may complicate matters for firms sending a large number of e-mails.
Some systems require the installation of a separate e-mail application. Other systems may require a simple “plug-in” to the sender’s existing e-mail software (such as Outlook, GroupWise, or Lotus Notes/Domino). The main advantage of such a system is that training requirements for users are kept to a minimum as users are not required to learn additional skills.
In terms of hardware, there is often a choice – many suppliers offer their systems as an ASP service (one that is controlled and managed by the supplier for an annual fee) or as a standard software licence (where the e-mail security/control software is installed on the practice’s own server or servers and managed by internal IT staff). The advantage of the ASP service is that internal IT management is kept to a bare minimum, and the practice does not need to invest in additional hardware. The licensed software route is usually more cost-effective for larger numbers of users, but does usually require a greater investment in hardware (a dedicated secure mail-server is sometimes necessary, complete with effective backup and archiving systems) and training for IT support teams. Both routes are valid choices, and the best choice for your practice will be determined by a number of factors including cost (based on number of users, additional hardware requirements, training and support fees), training requirements (for IT support staff) and skillsets available in-house (again, IT support staff).
Does the recipient need to do anything?
Some e-mail encryption technologies and control systems do require some effort by the recipient. The recipient may be required to install a “decryption key” on their systems, or to install some proprietary software from your supplier or, in some cases, even a piece of hardware which confirms their identity. Other systems may require the recipient to open a form of e-mail security account with the software vendor (or with the law firm itself) the first time they receive a secure e-mail, and to log into this account every time they receive an encrypted communication. Some systems may not require the recipient to do anything other than view their e-mail in the normal fashion, perhaps after entering a password to grant access.
Is Electronic Mail more trouble than it is worth?
Absolutely not! The advantages offered by the speed and minimal costs of sending an e-mail more than outweigh the insecurity of the medium in its basic form. As long as firms have sensible security measures and policies in place, there is no reason for e-mail not to become a valid and valuable method of communicating important and sensitive information with clients, colleagues, suppliers and partners. E-mails can be sent and received within seconds; compare the costs of clicking the “send” button with sending a multi-page document by fax, DX, registered post, or even standard post. E-mail is here to stay, and is already the default method of communication for many firms. Just as we would never consider sending sensitive information in the post without sealing the envelope, we should take care of our data when we send it electronically.
Send that e-mail – just don’t forget to seal the envelope!
The Law Society guidelines referred to in this article were initially published in 2000 and are reprinted here by kind permission of the Law Society. The guidelines are currently being reviewed to bring them up to date with developments in legislation and technology – the revised guidelines will be published on the Law Society Web site (www.lawsociety.org.uk) in the course of 2002.