If there is one thing we should learn from the 1.5 billion email hack at Yahoo, it's that email is not secure.
Many Yahoo users responded by changing their passwords, as the company advised, but it was a bit like closing the barn door after the horse got out. Other subscribers cancelled their accounts, perhaps contributing to the delay in Verizon's negotiations to purchase Yahoo.
In any case, it's a problem that is not going away because hackers and cyber-terrorists are not going away. For lawyers duty-bound to protect client confidentiality, it's an even bigger problem.
Back in the day, many lawyers and bar associations warned against email use at all because of client-confidentiality concerns. It was not until 1999 that the American Bar Association stepped into the fray with an open-email opinion.
"Although earlier state bar ethics opinions on the use of Internet e-mail tended to find a violation of the state analogues of Rule 1.6 because of the susceptibility to interception by unauthorized persons and, therefore, required express client consent to the use of e-mail, more recent opinions reflecting lawyers' greater understanding of the technology involved approve the use of unencrypted Internet e-mail without express client consent," the ABA said in Formal Opinion No. 99-413.
Today, most law firms use proprietary domains with personalized email addresses, but that does not necessarily enhance client confidentiality. This is especially true if clients continue to use non-secure email services, requiring their lawyers to communicate over the same public networks.
Some law firms have banned their attorneys from accessing personal email accounts at work. More should scrutinize their email systems, including the security of their service providers.
While many law firms are using encryption tools to address email security, many lawyers do not have equally secure computer networks or document management systems. They need to secure those systems as well, and to make sure they protect client confidentiality.
A good document management program should offer multiple levels of security to control who can access, read, delete, or edit a document, both internally and externally. The system should also create an audit trail of everything related to a document so the firm can keep track of the document's lifecycle.
At the crossroads of security, lawyers face their biggest risk when they send documents by email. Once the attached document is sent or forwarded to the wrong person or group of people, there is no way to get it back.
A client portal and a secure website for sending and receiving documents can help guard against such privacy risks. As more law firms go to the cloud, they should use a "reasonable standard of care" in protecting client confidentiality by making sure they and their service providers are technically competent.