Ensuring the protection of client data is one of the most important responsibilities of a law firm, or indeed any organization in the legal sector. It’s vital, both legally and ethically, that when a client or customer entrusts you with their sensitive information, you keep it secure and protected. But in the digital world, this is much easier said than done. Many of the digital technologies we rely on for instant communication and collaboration with colleagues and customers are inherently insecure, with a number of vulnerabilities that can be exploited by malicious actors looking to gain access to sensitive data. And this is especially true when it comes to email.
Businesses around the world rely on email to communicate, in the post-pandemic world perhaps more than ever before. But email is inherently insecure: SMTP was designed without confidentiality or sender authentication, and a staggering 94% of malware is delivered via the email channel. So, how can you protect your email communications and make sure that your client data is protected?
The answer is email encryption. With email encryption, you can set rules so that only your intended recipients can view email content and attachments, and so that email data cannot be read by third parties while in transit. With more sophisticated email encryption providers like Trustifi, you can also set up automated data loss prevention (DLP) policies that give end users the controls they need to protect client data and secure email access.
In this guide, we’ll give a comprehensive overview of email encryption for legal services. We’ll cover why you need an encryption service and what your legal obligations are to secure client data. We’ll also cover the basics of how encryption works, and the top features you should look for in an encryption solution.
This article is sponsored by Trustifi. Trustifi provides a market-leading encryption solution aimed at small, mid-sized and large organizations. Trustifi enables end-to-end email encryption, with automated DLP, auditing and end user controls, delivered in one easy to use platform, and is a leading encryption service for law firms looking to secure their email without slowing down business.
Why Is An Encryption Service Important?
In the legal sector, trust between your company and your clients is critical. When representing a client, you have an ethical and often legal duty to ensure client data is kept secure. Clients need to know that when they trust you with confidential information, that information will remain confidential.
Email encryption can help you maintain that trust in a number of ways:
Preventing Email Data Leaks
The first and possibly most important use case for encrypting email is stopping the leakage of important data. It is often thought that, when you send an email, it travels in a straight line from your network directly to the recipient's. In reality, a message hops from mail server to mail server (the sending and receiving organizations' mail transfer agents, and often filtering or archiving relays in between) before it reaches the recipient's inbox.
Every server in that path handles the message in full. The TLS that may protect each hop ends at the next server, and it is only opportunistic unless both sides enforce it, so anyone who controls or compromises one of those servers, or the link between two of them, can read the message, including its links and attachments. This is a critical point for lawyers, who routinely exchange sensitive email with clients: financial information, contracts, medical histories and material from criminal proceedings, all of which is gold dust to cybercriminals.
In addition, when you send an email normally, you have no way of knowing that the person who opened that email is the person you thought they were, or if they even received it in the first place.
End-to-end encryption closes that gap: the message is encrypted on the sender's side and can only be decrypted by the intended recipient, so none of the servers it passes through ever holds the plaintext. Content and attachments are protected both in transit and at rest in the recipient's mailbox, vastly improving the security of email data.
Protecting Against Human Error
The second major risk from emails is not technical—but human. Lawyers often end up with an inbox bursting at the seams, with hundreds of emails coming in every week and more contacts in their directory than anyone could reasonably keep on top of.
Unfortunately, this often leads to simple human error. It is easy to send an email to the wrong person or to select the wrong attachment; even a mistake as simple as replying to a whole email chain instead of one individual can expose sensitive client information to people who should never see it, with no malicious intent whatsoever.
Human error can also cause more serious damage. Security professionals will tell you never to share personal information over plain email: credit card numbers, social security numbers and company account details should always be sent over a secure channel, preferably one where access can be revoked when needed. But we are all human, and in the midst of a busy day or an important case, corners get cut and information is sent via unsafe channels, with potentially hugely damaging consequences.
Email encryption helps to mitigate human error in two main ways:
- With the best encryption solutions, data loss prevention rules can be configured to encrypt emails automatically when they contain sensitive information. So, if a user sends credit card or medical information in an email without thinking, the message is secured and encrypted anyway.
- Encryption can also help to protect against misaddressed emails. The best encryption providers, like Trustifi, give senders controls such as reporting on who has opened an email, blocking copy and paste, preventing forwarding, and even recalling a sent email from the recipient's inbox if needed.
Protecting Your Company Reputation
In June 2017, employees of DLA Piper, one of the largest and most highly regarded law firms in the world, arrived at work to find their email, computers and global telephone network completely offline.
DLA Piper had been hit by NotPetya, a destructive wiper disguised as ransomware that used the EternalBlue SMB exploit (among other techniques) to spread across the firm's network, reportedly within about 20 minutes, and effectively encrypted DLA Piper's data beyond recovery. Devices across the 4,000-plus-attorney firm were affected and the organization was effectively taken offline worldwide. Lawyers were unable to access files, and sensitive corporate and client data was at risk of being destroyed or leaked. Note that NotPetya was not delivered by email: it entered through a compromised software update and moved laterally over SMB, so it is a lesson about what an outage does to a firm's reputation rather than a case that email controls alone would have prevented.
It’s not just large global firms that are at risk from attacks like this. According to a recent report from Datto, ransomware is the number one cyber-threat affecting small businesses; and being hit can have a huge impact on your company reputation. It comes back to trust— would you trust your most sensitive data with an organization who had been hit by a devastating data breach?
Encryption limits what an attacker gains from intercepted or stolen mail: a compromised mailbox or relay yields ciphertext rather than client data, which helps your brand keep a strong reputation for data security. Some encryption providers, such as Trustifi, also provide inbound email protection against email-borne threats like ransomware and phishing, which we would also recommend for securing sensitive client data.
Protection Against Legal Ramifications And Ensuring Compliance
When it comes to managing digital data, there are a number of legal standards that must be met. Beyond the contractual confidentiality obligations in NDAs and engagement letters, there are region-specific regulations such as the GDPR in Europe and the CCPA in California, and a host of other state laws.
In addition, there are also a number of industry-specific regulations, such as HIPAA for law firms dealing with healthcare-related legal issues and TILA-RESPA for real estate law. These regulations may not specifically call for the use of email encryption, but implementing encryption demonstrates that your organization is taking all steps needed to secure client data.
When it comes to legal regulations, the goalposts keep moving; new regulations are imposed regularly, and old ones are updated to better reflect industry trends. Implementing email encryption puts you ahead of the curve on confidentiality requirements, although no single control makes you fully compliant on its own.
What Are Your Legal Obligations To Protect Client Data Through Email?
There are several legal regulations that can affect your law firm when it comes to protecting email data. Here are a few, with a breakdown of the standards they require.
The General Data Protection Regulation (GDPR) governs the processing of personal data in the European Union. It came into effect in May 2018 and aims to give people more control over their personal data. Law firms collect and store personal client data, so if your practice handles data about individuals in the EU (or, under the retained UK GDPR, in the United Kingdom) you will likely be subject to it, whether or not those individuals are EU citizens. Non-compliance can lead to fines of up to 4% of annual worldwide turnover or €20 million, whichever is greater.
In the United States, a growing number of state laws have similar aims to the GDPR, with varying degrees of scope and specificity. You can read a full breakdown of the legislation for each US state using this resource from the IAPP. Many of these bills are still in committee, although several high-profile ones have been passed, such as California's CCPA and New York's SHIELD Act.
Email encryption is not always required by these regulations, but it demonstrates that you’re managing client data responsibly and it gives you an extra layer of protection against data breaches that you could be held liable for. However, there are some industry specific regulations where email encryption is very much a necessity.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), for example, governs protected health information (PHI). It applies to covered entities (health plans, clearinghouses and most providers) and, since the HITECH Act of 2009 and the 2013 Omnibus Rule, directly to their business associates, which is what a law firm becomes when it receives PHI in order to provide services to a covered entity. The HIPAA Security Rule treats encryption of electronic PHI in transit as an "addressable" implementation specification: you must either encrypt or document why an equivalent alternative is reasonable and appropriate. In practice, a firm handling healthcare records will need an email encryption policy for PHI, because sending it in the clear is very hard to justify. HITECH also strengthened HIPAA's enforcement and breach notification provisions.
7 Key Features For Law Firms To Look For In An Encryption Solution
Email encryption is a crucial tool for law firms to keep client data protected and ensure they are meeting compliance regulations. But with a huge number of encryption providers out there, finding the right solution to meet your needs can be a challenge.
To help make finding the right encryption service easier, here is our list of the seven most important features that law firms should look for in an email encryption solution:
1. Cloud-Based, End-To-End Email Encryption
There are a few different ways of implementing email encryption: transport encryption between servers (TLS), gateway encryption applied by your own mail infrastructure, and end-to-end encryption between sender and recipient. We would highly recommend a service that provides secure, cloud-based end-to-end encryption.
With end-to-end email encryption, messages are secured at every stage of delivery and cannot be accessed by anyone other than the intended recipient. The crucial difference with end-to-end encryption compared to other encryption methods is that the email remains encrypted even after it has been delivered, when it is sat in the recipient’s inbox. This means if the recipient is hacked or their mailbox is compromised, the email content is still safe and protected.
End-to-end encryption uses public-key cryptography. When a message is sent, the sender encrypts it (in practice, a fresh per-message key that in turn encrypts the content) using the recipient's public key. The recipient then decrypts it using a private key known only to them. While this may sound complicated, in practice it is simple: when you receive an encrypted email, you may have to log into an account or enter a one-time passcode, and you then gain full access to the message with minimal disruption to your workflow and a large increase in security. One caveat worth checking: many cloud products implement this as a secure portal, where the message is held on the provider's servers and released once the recipient authenticates. Whether that is truly end-to-end depends on who can derive the decryption key, so ask any vendor where keys are generated, where they are stored, and who could decrypt a message if compelled.
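To make the public-key flow concrete, here is an added example (not Trustifi's code, and not code from this article) of what a sender, a relay and a recipient each do. It uses only the Python standard library, so the asymmetric half is textbook RSA with keys generated at run time and the symmetric half is an HMAC-SHA256 keystream with an authentication tag; those primitive choices, the function names and the sample message are assumptions made for illustration, and a production system would use RSA-OAEP or X25519 with AES-GCM instead. The point it shows is the one that matters for due diligence: the relay holds the ciphertext and the recipient's public key, and neither lets it read the message.

```python
"""Added example: hybrid end-to-end encryption through a relay that must not be
able to read the message.  Standard library only; the RSA here is unpadded and
the stream cipher is built from HMAC, which is fine for a demonstration but not
a substitute for RSA-OAEP / X25519 and AES-GCM in a real product."""
import hashlib
import hmac
import secrets

_SMALL_PRIMES = [p for p in range(3, 500, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return (public, private) as ((n, e), (n, d)).  d never leaves the recipient."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, concatenated."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _derive(session: bytes):
    """Separate encryption and MAC keys from the per-message session key."""
    return (hashlib.sha256(b"enc|" + session).digest(),
            hashlib.sha256(b"mac|" + session).digest())


def encrypt_for(recipient_pub, plaintext: bytes) -> dict:
    """Sender side: fresh session key, wrapped with the recipient's public key."""
    n, e = recipient_pub
    session = secrets.token_bytes(32)
    enc_key, mac_key = _derive(session)
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"wrapped_key": pow(int.from_bytes(session, "big"), e, n),
            "nonce": nonce, "body": body, "tag": tag}


def decrypt_with(recipient_priv, envelope: dict) -> bytes:
    """Recipient side: unwrap the session key, check the tag, then decrypt."""
    n, d = recipient_priv
    session_int = pow(envelope["wrapped_key"], d, n)
    if session_int >= 1 << 256:  # wrong key or tampered wrap: not a 256-bit value
        raise ValueError("envelope rejected: wrapped key does not unwrap cleanly")
    enc_key, mac_key = _derive(session_int.to_bytes(32, "big"))
    expected = hmac.new(mac_key, envelope["nonce"] + envelope["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("envelope rejected: authentication tag mismatch")
    body = envelope["body"]
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, envelope["nonce"], len(body))))


def relay_view(envelope: dict) -> bytes:
    """What a mail server or encryption provider in the path actually holds."""
    return envelope["body"]


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"Settlement position: client will accept 1.2M, do not disclose."  # constructed
    env = encrypt_for(pub, msg)
    assert b"Settlement" not in relay_view(env)
    assert decrypt_with(priv, env) == msg
    print("round trip ok; relay saw", len(relay_view(env)), "bytes of ciphertext")
```

Two properties are worth noticing when reading this. Only the holder of `d` can recover the session key, so a relay, an archiving hop, or the encryption provider itself learns nothing from storing the envelope; and because the tag is checked before decryption, a modified envelope is rejected rather than silently decrypted into garbage. A portal product that can show you the message after an SMS code is, by construction, holding something that plays the role of `d` on your behalf, which is exactly the question to put to the vendor.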
2. Data-Loss Prevention
Human error is a major problem when it comes to email. It’s easy to send sensitive data, private documents and even credit card information to colleagues over email without a thought for the security implications — especially during a busy day or with an approaching deadline.
To mitigate this, email encryption solutions offer data loss prevention (DLP). DLP policies enforce encryption automatically when sensitive content is detected in email messages and attachments: patterns such as card or social security numbers, dictionaries of financial or healthcare terms, and any other rules configured by admins. Good implementations validate matches (for example, by checking a candidate card number's Luhn checksum) so that invoice and phone numbers do not trigger false positives.
So if, for example, you attached a document containing healthcare records and sent it to a client, the encryption service would automatically encrypt the email, ensuring the data was kept secure at all stages of delivery. This comes under the category of "outbound email protection" and can also be configured to detect misaddressed emails, or to prevent emails from being sent at all if sensitive content is detected.
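An added example of the outbound check just described (illustrative Python, not Trustifi's or any vendor's policy engine): it scans the subject, body and extracted attachment text for card numbers (validated with the Luhn checksum), US social security numbers and an assumed admin-configured list of healthcare terms, flags recipients whose domain is one typo away from a known client domain, and returns the action a gateway would take. The regexes, the term list, the client domain list and the sample messages are all constructed for the example.

```python
"""Added example: an outbound DLP decision for one message.
Everything here (rules, term list, sample data) is constructed for illustration."""
import re
from dataclasses import dataclass, field

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHI_TERMS = ("diagnosis", "medical record", "patient", "prescription")  # assumed admin config


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)   # filename -> extracted text


def scan_text(text: str) -> set:
    """Return the set of sensitive-data classes found in one piece of text."""
    findings = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.add("credit_card")
    if SSN_RE.search(text):
        findings.add("ssn")
    lowered = text.lower()
    if any(term in lowered for term in PHI_TERMS):
        findings.add("phi")
    return findings


def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = sorted((a, b), key=len)
    return any(shorter == longer[:i] + longer[i + 1:] for i in range(len(longer)))


def misaddressed(recipients, known_domains) -> list:
    """Recipients whose domain is one typo away from a known client domain."""
    out = []
    for r in recipients:
        dom = r.rsplit("@", 1)[-1].lower()
        if dom not in known_domains and any(_within_one_edit(dom, k) for k in known_domains):
            out.append(r)
    return out


def evaluate(msg: OutboundMessage, known_domains) -> dict:
    """Decide what the gateway does: hold, block, encrypt or allow."""
    findings = scan_text(msg.subject) | scan_text(msg.body)
    for text in msg.attachments.values():
        findings |= scan_text(text)
    suspicious = misaddressed(msg.recipients, known_domains)
    if findings and suspicious:
        action = "hold_for_review"        # sensitive content to a look-alike domain
    elif "credit_card" in findings:
        action = "block"                  # card data should not go by email at all
    elif findings:
        action = "encrypt"                # PHI / SSN: deliver, but only encrypted
    else:
        action = "allow"
    return {"action": action, "findings": sorted(findings), "suspicious_recipients": suspicious}


if __name__ == "__main__":
    known = {"acme-legal.example"}
    sample = OutboundMessage("paralegal@firm.example", ["cfo@acme-legal.exampl"],
                             "Client intake", "Patient intake form attached.",
                             {"intake.txt": "SSN 123-45-6789, diagnosis pending."})
    print(evaluate(sample, known))
```

Order of precedence matters: a sensitive message addressed to a look-alike domain is held rather than quietly encrypted, because encrypting to the wrong person protects the data from everyone except the one party who should not have it. The Luhn check is what keeps a 16-digit matter or invoice number from blocking a routine email.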
3. Full Legal Compliance
Email encryption is an important way to meet compliance regulations governing the usage and sending of private personal data. So, if you decide to implement an email encryption solution, it must support full compliance with legal regulations and help you to do the same.
It’s one thing to be compliant, but equally important is proving you have acted in a compliant way. Look for an encryption service that provides:
- Proof of encryption with timestamped delivery
- Reporting of when encrypted emails were sent and when they were opened
- A way to preconfigure email settings so that sensitive data is automatically encrypted
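The three items above are only as good as the log that records them: a delivery report an administrator can quietly edit proves nothing to a regulator or opposing counsel. As an added example (not from this article or any product), the following Python keeps send, delivery and open events in a hash-chained, HMAC-authenticated log so that editing or deleting a record is detectable by anyone holding the audit key. The key, event names, addresses and timestamps are constructed for illustration.

```python
"""Added example: a tamper-evident audit log for encrypted-mail events.
Key and sample events are constructed; nothing here is a vendor's format."""
import hashlib
import hmac
import json


class AuditLog:
    """Each record carries the MAC of the previous one, and every record is
    MACed under a key held by the auditing function rather than mail admins."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _mac(self, rec: dict) -> str:
        # Canonical JSON so the MAC does not depend on dict ordering.
        canon = json.dumps({k: v for k, v in rec.items() if k != "mac"}, sort_keys=True)
        return hmac.new(self._key, canon.encode(), hashlib.sha256).hexdigest()

    def append(self, event: str, message_id: str, actor: str, timestamp: str, **extra) -> dict:
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        rec = {"seq": len(self.records), "event": event, "message_id": message_id,
               "actor": actor, "timestamp": timestamp, "prev": prev, **extra}
        rec["mac"] = self._mac(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """False if any record was altered, reordered or removed from the middle."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev:
                return False
            if not hmac.compare_digest(rec["mac"], self._mac(rec)):
                return False
            prev = rec["mac"]
        return True

    def history(self, message_id: str) -> list:
        """The timestamped encrypt / deliver / open trail for one message."""
        return [r for r in self.records if r["message_id"] == message_id]


if __name__ == "__main__":
    log = AuditLog(b"constructed-audit-key")
    log.append("encrypted", "msg-1", "alice@firm.example", "2024-03-01T09:00:00Z")
    log.append("delivered", "msg-1", "relay", "2024-03-01T09:00:02Z")
    log.append("opened", "msg-1", "client@acme-legal.example", "2024-03-01T09:41:10Z",
               auth="otp")
    print("intact:", log.verify())
    log.records[2]["timestamp"] = "2024-03-01T08:00:00Z"   # backdate the open event
    print("after edit:", log.verify())
```

The chain does not, by itself, detect truncation of the newest records; periodically anchoring the latest MAC somewhere the mail administrators cannot alter (a write-once store, or a signed daily digest sent to the auditor) closes that gap. When evaluating a vendor's "proof of delivery", ask whether their reports have an equivalent integrity property or are simply rows in a database.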
4. Accuracy And Deliverability
In law firms, emails can often be extremely time sensitive, and delays between sending and receiving important information can have extremely serious consequences. Because of this, it’s crucial that encrypted emails are not only delivered to the correct recipient but delivered in a timely way. It’s all well and good sending emails securely but, if the recipient never receives them, or if they are blocked from being delivered, the service is ineffective.
To ensure its effectiveness, we would recommend that you trial your chosen service robustly before making a commitment. If there are any issues in email deliverability or timeliness from either your users or your recipients, it’s likely that the service is not the right fit for your organization.
5. Policy Enforcement
Encryption solutions should provide a range of policies and controls to help you to secure data and meet legal compliance. This includes the ability to set rules governing private email data that should be automatically encrypted and blocking the sending of emails containing sensitive information.
In addition, admins should get detailed reports on the use of encrypted email across the organization, which can be used to prove compliance with encryption policies. Admins should also be able to set policies governing the sharing of encrypted email and give users the ability to recall emails if needed.
Some law firms may also wish to look for an encryption service that can be “white-labelled”, meaning you can customize encrypted emails with your own logos and company information.
6. End User Email Controls and Ease Of Use
When dealing with complex and time sensitive cases, the last thing your users need is to be fiddling around with encrypting emails or jumping through hoops to try and access encrypted emails that have been sent to them.
It should be extremely easy to encrypt emails from within the email client. It should also be easy for recipients to open and reply to encrypted emails, without having to create an account with the encryption provider or use a third-party website.
In addition, email senders should be able to easily access a variety of extra controls that give them more power over email messages and data, such as the ability for end users to see when emails have been opened, set expiration dates for emails and attachments, and recall emails at any time, preventing the recipient from being able to read the message if the email was sent in error.
7. Ease Of Deployment And Management
An encryption solution must be easy for admins to deploy and manage. It’s important that encryption solutions are easy to roll out, have minimal configuration needs, and don’t require any day-to-day management to work effectively.
We recommend a cloud-based solution that integrates well with cloud email platforms like Office 365, Google Workspace and Exchange. Cloud-based solutions are far easier to deploy and make it much quicker to onboard your users with features like directory sync from Azure AD (now Microsoft Entra ID).
Trustifi Email Encryption
Trustifi is a leading encryption provider that enables organizations to use highly secure, hassle-free email encryption with all the key features we have just outlined. Their solution is a strong fit for the legal sector because it is extremely easy to use, both to send and to receive encrypted email, and it supports the compliance requirements discussed above.
Sending And Receiving Encrypted Email
Trustifi's encryption protects the confidentiality of email by applying end-to-end encryption with AES-256 for message content. Encrypted messages are stored by Trustifi and can only be opened by intended recipients holding the correct key; according to Trustifi, decryption keys are not stored on its servers, so it cannot read encrypted email. As with any hosted encryption service, have the vendor document its key management (where keys are generated, how they are protected, and whether any party other than the recipient can reconstruct them) before relying on that claim for privileged material.
It is easy to send and receive encrypted email with Trustifi. Access to encrypted messages is governed by a second authentication factor: rather than creating an account or installing an application, recipients enter a PIN sent by SMS or use a device biometric such as a fingerprint. SMS one-time codes are the weaker of the two (NIST SP 800-63B treats them as a restricted authenticator), so prefer the biometric option where a client's device supports it.
Sending an encrypted email is as easy as hitting an encrypt button in Outlook or Google Workspace activated by installing Trustifi’s plug-in. Senders have a range of controls over encrypted email, including setting expiration dates, seeing when encrypted emails have been read and recalling emails sent in error. Recipients can easily reply to encrypted emails from directly in their inbox and can also send back encrypted attachments.
Trustifi also features a “Postmark” encryption service, which allows legal documents to be sent and signed totally securely, which is useful for sending contracts and service agreements.
Policies And Reporting
Trustifi provides a range of reports that demonstrate compliance and help to govern email data. Reports show information about email deliverability, when encrypted emails were opened by recipients, and how many times encrypted emails were opened and read. Trustifi tracks email delivery, including sender details, location of recipient, authentication methods and when emails have been replied to.
Trustifi also enables a range of controls and policies for admins. Admins get alerted when users are sending risky emails and can define rules governing when emails are automatically encrypted, based on a range of criteria. This includes looking for information in the email subject line, email message itself and inside email attachments. These policies are highly configurable, with the sender alerted before they send potentially unsafe emails.
Trustifi supports HIPAA, HITECH and GDPR requirements and automatically encrypts messages that its policies classify as private, which goes a long way toward demonstrating that email data is handled properly. Bear in mind that no tool makes an organization compliant by itself: the policies, training and records around it still matter.
Inbound Email Security
Alongside encryption, Trustifi also provides inbound email protection against phishing, ransomware, malicious links and attachments and other email threats. Inbound email traffic is scanned before delivery to ensure harmful content is blocked, before it reaches user inboxes.
This helps to protect against email-borne ransomware and phishing, the most common delivery route for such attacks, and gives you multi-layered protection for email alongside encryption itself. It would not have stopped an attack like NotPetya at DLA Piper, which did not arrive by email, which is one reason email controls should sit alongside patching and offline backups. Trustifi's email security platform is easy to configure, highly secure and protects both cloud and on-premises email networks.
Law firms must consider the implications of sending sensitive information and personal data over email, take all necessary precautions to protect client and customer data sent by email, and be able to prove they have done so with audits and reports.
Email encryption can help you do this. The right encryption solution will protect email data and attachments and give end users far more control over email data than would otherwise be possible. In addition, it will help you demonstrate legal compliance and show that your business is doing all it can to maintain the confidentiality and integrity of client data.
We recommend Trustifi as a leading encryption service that enables highly secure, hassle-free email encryption. If you’re looking to adopt email encryption for your firm, you can set up a free trial of Trustifi today.
Start A Trial Of Trustifi Email Security