In May 2017, the American Bar Association (ABA) released Formal Opinion 477R, laying out updated guidelines for lawyers to protect sensitive information when shared over email. As cyberattacks become more frequent and destructive, and as data proliferates across a growing number of connected devices, Opinion 477R offers a stricter interpretation on how law firms should view sharing of confidential data.
Though the ABA didn’t mandate that firms use encryption for every communication, it did suggest that more substantial protection may be needed, and firms should periodically reevaluate their overall need for encryption.
The opinion describes how law firms should defend their clients’ data in very abstract and legalistic terms, so we wanted to talk to you in real, concrete terms about what you should be doing. Here are four ways you can comply with ABA recommendations and protect your law firm’s most sensitive data.
Wait, doesn’t my email service already have encryption?
As a matter of fact, it most likely does. If your firm uses a cloud email service like G Suite or Office 365, you do have email encryption, but it probably doesn’t fit your firm’s needs. By default, many cloud email solutions use transport layer security, or TLS, to protect all emailed data. For law firms that communicate sensitive data with people outside the firm, TLS falls short in two ways.
First, TLS only protects data while it travels. The information is unsecured and vulnerable to breaches as it sits in your outbox or after it reaches the recipient. Additionally, TLS only works if both the recipient and the sender have it enabled; otherwise, the message is sent without encryption. Because there’s no guarantee that clients have TLS-enabled email services, relying on TLS can leave your communications vulnerable.
Now let’s talk about what you can do to go beyond just TLS.
Develop and maintain strict policies
While Opinion 477R doesn’t mandate encryption for all emails, it suggests that there is no one-size-fits-all solution to encrypting sensitive communications. When the nature of the information requires a higher degree of security, the ABA writes, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information.
If your firm decides to protect information on a case-by-case basis, enumerate in specific words what types of data need to be encrypted and with what mechanisms. You might decide that client payment information and internal HR materials should always be encrypted, for example, but that reminders about a partner’s surprise party don’t need to be.
(Maybe they do in your firm. Just figure that out before the big day.)
The ABA doesn’t have an exact template for what data your firm should be protecting. But in 2010, the ABA’s publication Law Practice wrote that the Gramm-Leach-Bliley act (which mandates protection of nonpublic personal information, or NPI) can be used as a model for protecting client information.
Under the GLBA, NPI includes:
- Personally Identifiable Information, including:
- Social Security Number
- Information about transactions between clients and your business
- Other information you obtain about clients, including:
- Court records
- Credit scores
Migrate to the cloud
Many cloud-migration holdouts cite security as a key reason for their hesitation. Sixty three percent of lawyers who haven’t moved their firm’s content to the cloud cite security and confidentiality as the primary reason why they haven’t, according to the ABA’s legal technology survey.
But the benefits of using cloud services for email and file hosting often outweigh the risks. The efficiency and cost-saving advantages of adopting cloud computing can’t be overstated, but such services also provide notable security advantages over on-premise solutions: Security holes are patched quickly and policies for data protection can be applied uniformly across your firm’s data.
Turn on two-factor authentication
2FA is an easy way to protect you and your employees from phishing scams and other identity-theft tactics and adds another layer of security shielding your firm from data breaches and leaks. There’s no reason to not turn on 2FA. Here are instructions for Office 365, and instructions for G Suite.
Go big on end-user training
Again, a large number of data breaches are simply a result of human error. No firm is immune, but there are ways to minimize the impact of human error. Even if your firm’s employees know to avoid suspicious emails and only send sensitive data to the proper recipients, getting in-the-weeds on data privacy best practices and enhancing security awareness among users is a proven way of reducing the risk of embarrassing or costly data loss.
These recommendations will put you well on your way to ABA security compliance guidelines in ABA Formal Opinion 477R. Meanwhile, Virtru can offer additional valuable security and control capabilities for organizations looking to comply and exceed these guidelines, with client-side email encryption, custom DLP rules, persistent access controls, and audit capabilities.