Data Security – It’s Time to Stop Making Excuses

(Updated May 19, 2023)

The days when an attorney could send an unencrypted email without worry, remain blissfully ignorant about encrypting a laptop, or use the same easily remembered password for all accounts and devices are long since over. I believe most attorneys know this, at least at a gut level; but far too many still seem to be confused about what steps they should be taking. If you see yourself as a card-carrying member of the “what the heck am I supposed to do” group, perhaps I can help.

Let’s start with email. It isn’t secure. The best description I’ve ever heard about how anyone should view email was this. “Email is like sending a postcard written in pencil. Slap a little postage on it, drop it in the mailbox and it’s good to go.” Think about that and then think about your ethical obligation to preserve and maintain client confidences. Still want to email confidential information to a client using a free Gmail account? Yes, I know most attorneys have long since moved away from the use of free email accounts for work, which is a good thing; but how many of your clients are using one to communicate with you? Still want to hit reply and type away? Hopefully not!

Encrypted email is on the horizon for all of us and a day-to-day reality already for some. For example, certain clients in the financial and healthcare sectors require that outside counsel use encrypted email. Say no and lose a client. That said, the use of encrypted email day-to-day isn’t yet ethically mandated; but I personally believe that’s coming, if for no other reason than more and more clients are going to insist upon it. Until that time, however, there’s an easier solution.

When using email to send confidential information, place the confidence in a Word document or PDF file, password protect that document and attach it to the email. Now the attachment is encrypted even though the email itself is not. There are various other security settings that can be selected as part of this process, and those vary depending upon the application in use. Learn what they do and how to use them. One side note: never put the password to the attachment in the text of the email itself. You’ll need to find another avenue to pass that information along and that’s just the way it is. Provide the password that will be used during the course of representation at intake, or perhaps a text message or quick call will take care of it. Also understand that if the password is ever lost or forgotten, you won’t be able to recover the contents of the document, so don’t get casual with this.

Better yet, an even easier and more secure solution would be to communicate with your clients through a client portal. This will allow you to securely share documents, messages, bills, and the like with all your clients. In short, once you or a client adds a message or shares a document via the secure platform, the other will receive an email notification that a secure message is waiting for them on the portal; and here’s the good news. Most cloud-based law practice management programs come with a client portal, which makes this a no-brainer in my mind.

Now, time to discuss mobile devices, backup storage media, and placing documents in the cloud. I’m going to skip all the “put the fear of God in you” stories and ask in return that you put aside all the excuses. You know what you should be doing. It’s just a matter of making the decision to actually do it.

Smartphone encryption is pretty easy. On newer smartphones, encryption is usually enabled by default as long as you set up a password. This basic step doesn’t necessarily encrypt everything on your phone so I would strongly suggest you review the security instructions of the device manufacturer and carrier, which means you need to go further than reviewing the quick start guide. The information you need to know is not there. And yes, I do understand this means you have another password to remember; but if your phone is lost or stolen and a client is harmed in some way as a result, they are not going to be sympathetic once they learn the phone wasn’t encrypted because you didn’t want to have to remember a password. After all, would you if you were in their shoes? I doubt it.

Tablets and laptops can be a bit more difficult to set up, but most of these computers have full disk encryption functionality built in. It’s just a matter of turning it on. However, if you don’t consider yourself tech savvy, this is the one time I would advise you to get a little help from your IT support so that it’s done correctly. Once set up, it’s easy as long as you never forget the password. Even better, these built-in encryption programs can often be used to encrypt backup drives. This is what I do for my personal backups. Takes me all of 5 seconds to decrypt a drive and run the next backup. There are also a number of third-party products (e.g. Backup Exec or BounceBack) and cloud-based solutions (e.g. Carbonite) that are just as effective. If you do decide to go with a cloud-based vendor, make certain that you select the password because you don’t want the vendor to have the ability to decrypt your data.

While placing documents in the cloud is convenient, it also brings about privacy and security concerns which can be easily addressed through encryption, which is usually enabled by default. However, there is one condition. You must be in control of the decryption key, not the cloud service provider. If you don’t control the decryption key, you don’t control your data. It’s as simple as that.
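The two rules above (password-protect the file before it leaves your machine, and keep the decryption key in your own hands) can be seen in a short added example. It is not from the original article; it assumes OpenSSL 1.1.1 or later, and the memo text, passphrases and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): encrypt a file on your own machine
# before it is attached to an email or uploaded, so the mail or cloud
# provider only ever stores ciphertext. Assumes OpenSSL 1.1.1 or later.
# The memo text and passphrases are constructed samples.
# Note: `openssl enc` in CBC mode gives confidentiality only, not tamper detection.

ITER=200000   # PBKDF2 rounds used to stretch the passphrase into a key

# encrypt_file <plaintext> <ciphertext>; the passphrase comes from $DOC_PASS
# so that it stays off the command line.
encrypt_file() {
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
    -in "$1" -out "$2" -pass env:DOC_PASS
}

# decrypt_file <ciphertext> <plaintext>; usually fails outright on a wrong passphrase.
decrypt_file() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
    -in "$1" -out "$2" -pass env:DOC_PASS 2>/dev/null
}

# roundtrip <encrypt-passphrase> <decrypt-passphrase>
# Prints "leaked" if the stored ciphertext exposes the memo text, otherwise
# "recovered" when the memo comes back intact and "unreadable" when it does not.
roundtrip() (
  dir=$(mktemp -d) || exit 1
  printf 'Constructed sample memo: privileged settlement terms\n' > "$dir/memo.txt"
  DOC_PASS=$1; export DOC_PASS
  encrypt_file "$dir/memo.txt" "$dir/memo.enc" || exit 1
  if grep -q 'settlement' "$dir/memo.enc"; then
    result=leaked
  else
    DOC_PASS=$2   # what the recipient (or a forgetful owner) types
    if decrypt_file "$dir/memo.enc" "$dir/out.txt" &&
       cmp -s "$dir/memo.txt" "$dir/out.txt"; then
      result=recovered
    else
      result=unreadable
    fi
  fi
  rm -rf "$dir"
  echo "$result"
)

roundtrip 'correct horse battery staple' 'correct horse battery staple'
roundtrip 'correct horse battery staple' 'a guess'
```

The second call is the lost-password case: whoever holds only the ciphertext, whether a vendor or the owner who forgot the passphrase, gets nothing usable back.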

Obviously, the challenge with all the above and, truth be told, the success of the effort relies upon the use of complex passwords. The problem is in trying to remember all the unique complex passwords one needs to gain access to multiple devices and accounts. Fortunately, there’s a relatively easy solution to this problem as well. Use a password manager such as Dashlane, RoboForm, NordPass, or Keeper. All you need to do is remember one complex password or passphrase and the password manager will do the rest.

I’m well aware that I’ve focused only on encryption in this article. There are all kinds of other steps one can and should be taking. I elected not to share all the other tips because encryption is the ultimate level of protection should something bad happen. Systems and devices can be lost or stolen, and worse yet, hacked in all kinds of ways. Encryption is your failsafe should something bad ever happen. Think about it this way. Your clients expect that you will protect data about them just like you expect your credit card carrier, your medical provider, your bank, or your insurance company to protect information they have about you. You read the headlines; learn from the missteps of others. Stop with the excuses and just do it.

Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 600 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.
