Last month, on May 11, 2017, the ABA’s ethics committee published revised guidance regarding an attorney’s duty to protect sensitive client material in light of the high volume of recent high-profile hacks. As early as 2013, the ABA Cybersecurity Handbook emphasized that hacks and data loss are not a matter of “if,” but “when,” and the ABA recently reexamined this fact in light of an attorney’s core duties. According to the revised guidance, encryption is often necessary to protect sensitive client emails and files, and often requires a client’s informed consent should an attorney forgo such protection.
The stakes are high for attorneys – in addition to risking loss of client trust, failure to take reasonable efforts to comply with this guidance could result in sanctions (or even disbarment). But the dizzying array of encryption technologies can be difficult even for technical users to understand… and encryption itself was always difficult to use, until the recent launch of PreVeil.
In this article, we aim to provide practical tips to equip attorneys to comply with the ABA’s new guidance. The use of encryption affects three core duties owed to clients:
- Duty of Competence: Being aware of the benefits and risks associated with available email and file sharing technologies – both those your firm currently uses and others that are available to clients. This basic awareness is essential to fulfilling the next two duties.
- Duty of Confidentiality: The new guidance states that “it is not always reasonable to rely on the use of unencrypted email.” While there is no bright line rule, attorneys must take “reasonable efforts” to secure client emails and data, based upon several factors.
- Duty to Communicate: When sensitive information is being transmitted, the lawyer has an obligation to inform clients of the risks involved (e.g., likelihood and implications of being hacked), as well as available options to secure the information.
I. Encryption and the Duty of Competence: Understand the security of your firm’s email/file sharing encryption systems
In today’s world where new hacks are in the news daily, it is clear that email is not always secure. To practice competently in today’s environment, lawyers must understand how data is being stored and accessed. To familiarize yourself with the level of protection provided by your current email/file sharing technology (as well as those available for client use), we’ve summarized three key questions you should ask your firm’s IT staff and/or external solution vendors:
Question 1: Are emails/files encrypted end-to-end, or just encrypted while “in motion” or “at rest”?
The vast majority of emails today that are described as “encrypted” are actually only encrypted in transit. This prevents attackers from gleaning the contents of your communication by watching Internet traffic. However, your data is left completely unprotected on the server, and when hackers inevitably get access to the server they can read everything (as happened in the 2016 Democratic National Committee hack). Furthermore, if you are using a cloud vendor such as Google, Office 365, Box, or Dropbox, you should be aware that these vendors actively scan (and in some cases read) your emails/documents while unencrypted on the server.
Encryption-at-rest means that data is also encrypted on storage media and/or cloud servers when not being used. Encryption-at-rest could prevent an attacker from accessing information on physical disks that were stolen from a data center, which is a rare occurrence. However, the server can still “see” user information as it’s decrypted during use, which severely limits your protection – an attacker needs only to attack the server because the server can still access the raw unencrypted data.
This brings us to the gold standard (which we recommend) – true end-to-end encryption – in which data is encrypted on the sender’s device, stays encrypted during transit, and is only ever decrypted on the recipient’s device (it is never decrypted on a central server or in transit).
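One way IT staff can check which of these models a given message actually received is to read its headers. The following is an added example, not part of the original article or of PreVeil's product: it treats RFC 3848 `with ESMTPS`-style keywords in `Received` headers as evidence of TLS on a hop, and an OpenPGP/MIME or S/MIME enveloped body as evidence of end-to-end encryption. The sample messages, hosts and ids are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords (ESMTPS, ESMTPSA, LMTPS, ...): an "S" marks a TLS hop.
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)(S?)A?)\b", re.I)

def tls_per_hop(msg):
    """One bool per Received header (newest first): was that hop over TLS?"""
    hops = []
    for value in msg.get_all("Received", []):
        m = WITH_RE.search(value)
        hops.append(bool(m and m.group(2)))
    return hops

def body_encrypted_end_to_end(msg):
    """True for OpenPGP/MIME (RFC 3156) or S/MIME enveloped-data bodies."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type") == "enveloped-data"
    return False

def classify(raw):
    """Label a raw message: 'end-to-end', 'in-transit only' or 'unencrypted hop'."""
    msg = message_from_string(raw)
    if body_encrypted_end_to_end(msg):
        return "end-to-end"          # servers only ever held ciphertext
    hops = tls_per_hop(msg)
    if hops and all(hops):
        return "in-transit only"     # protected on the wire, readable on each server
    return "unencrypted hop"         # at least one relay saw it in cleartext on the wire

# Constructed sample messages (hosts and ids are made up for illustration).
HOP_TLS = "Received: from a.example by mx.example with ESMTPS id 1; Mon, 5 Jun 2017 10:00:00 +0000\n"
HOP_CLEAR = "Received: from b.example by a.example with ESMTP id 2; Mon, 5 Jun 2017 09:59:59 +0000\n"
PLAIN_BODY = "Content-Type: text/plain\n\nSettlement terms attached.\n"
PGP_BODY = ('Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\n\n'
            "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
            "--b\nContent-Type: application/octet-stream\n\n(ciphertext omitted)\n--b--\n")

if __name__ == "__main__":
    print(classify(HOP_TLS + HOP_CLEAR + PLAIN_BODY))  # one relay hop without TLS
    print(classify(HOP_TLS + PLAIN_BODY))              # TLS only: server stores plaintext
    print(classify(HOP_CLEAR + PGP_BODY))              # body is ciphertext on every hop
```

Headers say nothing about encryption-at-rest, and `Received` lines written by earlier relays can be forged, so treat the result as evidence to raise with your vendor rather than proof.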
Question 2: Does the system depend on passwords to authenticate users, or does it use cryptographic keys? Where are they stored?
Passwords are inherently insecure. Billions of compromised passwords are available for sale on the dark web. Yet requiring employees to frequently change their passwords leads them to pick simple passwords that hackers can easily crack. The vast majority of email solutions on the market rely on passwords.
Cryptographic keys are much more secure, eliminating many of the vulnerabilities associated with password-based systems. When users create a new account, they receive a secret key (a random ~77-digit number) that is impossible to guess. This happens behind the scenes, so users never need to remember (or change) this cryptographic key.
It also matters where passwords and keys are stored. If they’re stored centrally, a simple attack on the server can compromise all of your organization’s passwords or keys. For example, just last week OneLogin suffered a major breach, in which hackers were able to gain access to centrally stored keys and decrypt the sensitive data of enterprises that used OneLogin’s cloud-based solution. Conversely, systems like PreVeil only store keys on users’ local devices (laptops, iPhones, etc.) – therefore, even if PreVeil’s servers are compromised, attackers will not be able to gain access to your data.
Question 3: What protections are in place to prevent a central IT admin (or other “super-user”) from compromising the entire organization?
IT Administrators usually have vast “super user” privileges and are very attractive targets to hackers because they hold the keys to the kingdom. For example, the 2014 Sony Pictures hack was particularly extensive because “an array of sensitive information—including user names and passwords for IT administrators—was kept in unprotected spreadsheets and Word files with names like ‘Computer Passwords.’” Similarly, in the 2016 DNC election hack, super-user accounts were exploited to steal and leak thousands of sensitive internal communications.
We strongly recommend asking your IT team (and external vendors) what precautions are in place to mitigate the risk associated with these “super-users”. Separating duties among IT admins and mandating vacations can help reduce the risk of insider threats, but these actions do not protect against the “super-users” being hacked. Even better, use a solution like PreVeil’s Approval Groups™ to neutralize the threat of rogue “super user” accounts altogether by cryptographically distributing privileged access authority across multiple designated admins.
II. Encryption and the Duty to Communicate: Inform your clients of risks and available options
When a lawyer transmits highly sensitive/confidential client information, they have a duty to inform clients of cyber security risks and alternative options. Lawyer and client should decide together whether a more secure approach such as encryption is warranted. Here are some discussion topics a lawyer might want to cover when communicating this to his or her clients:
- Law firms are inherently attractive targets to hackers, both because their systems contain a concentration of highly sensitive information from many clients, and because these systems may be less secure than those some clients have in place.
- A hack will occur. It is only a matter of time. No one can build walls high enough to prevent a hack.
- Inexpensive and easy-to-use end-to-end encrypted email and file sharing solutions exist, and can be deployed in minutes. With these systems, client information is protected even when hacked, as the encrypted files will appear as complete gibberish.
III. Encryption and the Duty of Confidentiality: With easy-to-use, inexpensive encryption platforms readily available and easy to deploy, the standard of data sensitivity requiring encryption is much lower.
Attorneys must take a “reasonable” approach to securing client information, based on three factors: (i) the likelihood of disclosure; (ii) the cost/difficulty of adding additional safeguards; and (iii) the level of sensitivity associated with the information.
Without end-to-end encryption, inadvertent disclosure of client emails/files is inevitable (or at least its likelihood is very high).
Until recently, end-to-end encryption was difficult to deploy and use and costly to implement. However, PreVeil is disrupting this paradigm. Its new cloud-based end-to-end encrypted email and file sharing platforms can be up and running in minutes, seamlessly integrating into your Outlook, Apple Mail, iPhone, and web browser, with large file sharing possible directly through Windows File Explorer and Mac Finder. There is a free tier for basic use, and competitive pricing when you need the full set of enterprise features.
Given the inevitability of hacks and the existence of inexpensive and easy-to-use encryption platforms like PreVeil, the standard for the final factor, the level of sensitivity for which encryption is required, is extremely low. Thus, it is less reasonable for lawyers to skip end-to-end encryption, even for marginally sensitive client information.
Closing thoughts: PreVeil’s end-to-end encryption platform is a great way for lawyers to maintain client trust and comply with the ABA’s new encryption guidelines. PreVeil’s platform includes:
- End-to-End Encrypted Email: Keep your existing email address. Use PreVeil with Outlook on Windows and Mac Mail, or access your PreVeil email through your browser or the PreVeil app for iOS.
- Encrypted File Sharing: Synchronize files across all your devices. Share files and set access permissions. Works with Mac Finder and Windows File Explorer, and the PreVeil app for iOS. All files are protected with end-to-end encryption.
- No Passwords: Your data is secured by something much better – encryption keys that belong only to you. Your “private key” is your gateway to the PreVeil system. It’s stored only on your devices and is not accessible anywhere else.
- Approval Groups™: Patent-pending technology that ensures privileged activities are only enabled after receiving cryptographic approval from a group of predetermined admins.
In a world of inevitable hacks and complicated technologies, the stakes are high for attorneys. Fortunately, easy-to-use solutions like PreVeil finally make end-to-end encryption accessible and inexpensive, thereby enabling attorneys to protect sensitive (and even everyday) client information… even when there is a hack.
Nick Holda is an encrypted communication evangelist and advisor at PreVeil – the application for end-to-end encrypted email, file sharing and storage for people and organizations that want to protect their data even when hacked. Prior to PreVeil, Nick was a Project Leader in The Boston Consulting Group’s high-tech practice, where he worked directly with senior executives from the world’s largest enterprise technology companies to bring secure public and hybrid cloud solutions to market. Prior to BCG, Nick was a Vice President at AlixPartners LLP, a global business turnaround advisory firm. Nick holds an MBA from MIT Sloan School of Management and a BBA in Finance from McCombs School of Business at University of Texas Austin. https://www.linkedin.com/in/nickholda/