If we in the Legal department were to measure our email practices by the standards we advise for the other departments in our organization, would we pass?
Phishing messages continue to show up in our email inboxes (if they’ve escaped the spam and antivirus filters). And the seemingly weekly corporate and government hacks demonstrate all too well how much confidential and damaging information can be lost in a security breach.
How can we, as lawyers, respond?
Avoiding document attachments to unsecure emails is a great start. Instead, protect confidential and sensitive information by including a link in an email to documents stored safely in secure places.
We already know how to do this. When our colleagues require it, we learn how to use links to documents instead of attachments to emails. We work in controlled document environments when we conduct due diligence investigations in deal rooms. Some of us send links to documents within our companies to maintain the integrity of versions stored and controlled by a document management system.
Our partners – especially those in the life sciences and financial services industries – already work in this safer way. If they do it, why can’t we?
The bad guys are not reasonable
Some of our colleagues devote their practice to the protection of their company’s data security. Others help defend the organization from the consequences and liabilities of breach.
We lawyers craft standards for liability and professional responsibility based on reasonableness. Rule 1.6 (c) of the American Bar Association’s Model Rules of Professional Conduct states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (Emphasis added.)
Are cybercriminals reasonable? Hardly. Data destruction, extortion, exposure — all of these occur regularly during cyber attacks. Keeping documents and information safe in law practice may require radical thinking.
The key element in this equation is the firewall – the protective barrier created by a legal department’s technology. Inside legal departments, we protect documents in secured systems, often restricting access in document management and other systems to those authorized to work on particular matters. Once sent outside the protected environment of the corporate firewall, email messages may be copied, redistributed and exposed through malicious software and other code; however, document-level protection, such as that offered by information rights management (IRM) technology, can help protect content no matter where it travels.
We need tools that capture outgoing email messages with attachments, then encrypt and deposit the attachments in a secure, sharable repository, and convert the attachment into a link.
The recipient must either already hold credentials for the repository (user ID and password) or receive a link that grants access to the repository scoped to the linked document alone. Within the repository, the documents themselves should be encrypted. The repository should also offer IRM, which allows access to the documents – whether inside or outside of the repository – to be terminated at any point.
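The gateway just described, as an added example that is not part of the original post: a Python sketch that takes an outgoing message, detaches every attachment into a repository, and sends each recipient a copy of the message in which the attachments are replaced by links scoped to that recipient. Opening a link checks that the caller is the recipient it was issued to, records the access, and is refused once the document or the grant has been revoked (the IRM-style termination the paragraph calls for). The repository class, the placeholder URL `https://docs.example.invalid/d/`, the sample message and the addresses are all constructed for this example; encryption of the stored bytes is assumed to be provided by the storage layer behind `SecureRepository` and is not implemented here.

```python
"""Attachment-to-link mail gateway (illustrative, constructed example).

Workflow: capture outgoing message -> deposit attachments in a repository
-> rewrite the message so each recipient gets recipient-scoped links
-> track every access -> allow the sender to revoke access at any time.
"""
import secrets
import time
from email import message_from_string, policy
from email.message import EmailMessage

# Placeholder repository host; a real deployment would use its own domain.
REPO_BASE_URL = "https://docs.example.invalid/d/"


class SecureRepository:
    """In-memory stand-in for a document repository with IRM-style controls.

    Encryption at rest is assumed to be handled by the storage backing this
    class; the example only models deposit, scoped grants, audit and revocation.
    """

    def __init__(self):
        self._docs = {}       # doc_id -> {"name": str, "data": bytes, "revoked": bool}
        self._grants = {}     # token  -> {"doc_id": str, "recipient": str, "revoked": bool}
        self.audit_log = []   # one record per access attempt

    def deposit(self, filename, data):
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = {"name": filename, "data": data, "revoked": False}
        return doc_id

    def name_of(self, doc_id):
        return self._docs[doc_id]["name"]

    def grant(self, doc_id, recipient):
        """Issue a link that only `recipient` may use, and only for this document."""
        token = secrets.token_urlsafe(32)  # unguessable, single-document capability
        self._grants[token] = {"doc_id": doc_id, "recipient": recipient, "revoked": False}
        return REPO_BASE_URL + token

    def open(self, link, caller):
        """Return (filename, data) if `caller` may open `link`, else None. Every attempt is logged."""
        grant = self._grants.get(link.rsplit("/", 1)[-1])
        allowed = (
            grant is not None
            and not grant["revoked"]
            and grant["recipient"] == caller                 # link is bound to one recipient
            and not self._docs[grant["doc_id"]]["revoked"]   # document-level termination
        )
        self.audit_log.append({
            "ts": time.time(),
            "caller": caller,
            "doc_id": grant["doc_id"] if grant else None,
            "result": "allowed" if allowed else "denied",
        })
        if not allowed:
            return None
        doc = self._docs[grant["doc_id"]]
        return doc["name"], doc["data"]

    def revoke_document(self, doc_id):
        """Terminate access for everyone, regardless of which link they hold."""
        self._docs[doc_id]["revoked"] = True

    def revoke_link(self, link):
        """Terminate a single recipient's access while others keep theirs."""
        self._grants[link.rsplit("/", 1)[-1]]["revoked"] = True


def convert_attachments_to_links(raw_message, repo):
    """Detach attachments and return {recipient: (rewritten_message, [(filename, link), ...])}."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""

    # Deposit each attachment exactly once; grants are then issued per recipient.
    doc_ids = [
        repo.deposit(part.get_filename() or "attachment", part.get_content())
        for part in msg.iter_attachments()
    ]

    outgoing = {}
    for address in msg["To"].addresses:
        rcpt = address.addr_spec
        links = [(repo.name_of(d), repo.grant(d, rcpt)) for d in doc_ids]
        new = EmailMessage()
        new["From"] = str(msg["From"])
        new["To"] = rcpt                       # one message per recipient, so links never leak across
        new["Subject"] = str(msg["Subject"])
        listing = "\n".join(f"- {name}: {link}" for name, link in links)
        new.set_content(f"{body_text.rstrip()}\n\nAttachments have been replaced by secure links:\n{listing}\n")
        outgoing[rcpt] = (new, links)
    return outgoing


def build_sample_message():
    """Constructed outgoing message with one PDF attachment (not real correspondence)."""
    m = EmailMessage()
    m["From"] = "counsel@corp.example"
    m["To"] = "alice@partner.example, bob@partner.example"
    m["Subject"] = "Draft agreement"
    m.set_content("Please review the attached draft.")
    m.add_attachment(b"%PDF-1.4 constructed sample bytes", maintype="application",
                     subtype="pdf", filename="draft.pdf")
    return m.as_string()
```

Because each recipient gets a separate copy of the message, a link forwarded from Alice to Bob does nothing for Bob, and the audit log shows the denied attempt. `revoke_document` models the IRM termination described above; `revoke_link` cuts off a single recipient while the rest keep working.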
The rules our partners already live by
Unfortunately, attaching documents to email is too easy. Perhaps the rule that governs the work of our colleagues in financial services or life sciences organizations will make us change how we work: “No more attachments.”
For those of us in financial services, compliance with the disclosure limitations from the Financial Industry Regulatory Authority (FINRA) has been enabled through secure email systems, in which documents reside on the system’s servers and emails contain only links. Users must establish and confirm online accounts, and then they can open the linked documents only within the secure system. Document access, use and download are tracked. The same discipline applies to documents shared by the medical world and governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
We should be ahead of the security curve, not behind it
Should we convert every email attachment to a link? If not, how do we choose?
If our organization uses an internal document management system, when do we use that and when do we use an external secure repository? Will there be too much confusion managing both?
Questions to consider… in an area where our partners across the company can teach us a worthwhile lesson.
This blog and its contents are not intended to be legal advice. You should consult a legal professional for individual advice regarding your own situation. The information on this blog is not a substitute for legal advice.