Why Attorneys Need to Implement Email Encryption

Although many firms invest in security for their storage and archiving systems to protect existing documents, too many ignore how vulnerable their email data is and avoid implementing email encryption. In fact, because of the complexity associated with past encryption solutions, many law firms won’t go near such technology “with a ten foot pole,” according to the ABA’s blog. Not surprisingly, then, a recent ABA Legal Technology Survey Report showed that only 39% of US attorneys utilize email encryption.

Yet security breaches and AI-related email scams are growing exponentially, especially with the recent rise of AI-based generative engines like ChatGPT, which give cyber criminals with even minimal skills the ability to infiltrate email transmissions very effectively and create ultra-convincing phishing schemes. Rather than distance themselves from reality, law firms need to look more closely at adding encryption to their cybersecurity defenses.

Legal cases by nature involve a slew of confidential and sensitive information regarding plaintiffs, defendants, financial data, estate details, settlement information, etc. Attorneys must trade this information with a near-endless list of third-party business partners and associates that are involved in each proceeding. By definition, client/attorney privilege alone assumes the need for confidentiality, which extends to the privacy of email communications. All these messages need to be protected, not just when they are archived, but when they are in transit across the internet. Yet most firms send hundreds if not thousands of sensitive email transmissions per week across cyberspace with no more protection than any other communication.

An email breach could not only jeopardize a case if confidential details were made public; it could also lead to severe fines and financial losses and do irrevocable damage to a firm’s reputation. The National Law Review reported that the average cost of data compromises reached $4.24M per breach in 2021. As malicious hackers and AI-powered search tools become more sophisticated, the odds that attorneys will experience a breach of their clients’ data become greater. Deterring these risks requires not just a simple firewall, but layers of powerful email security.

What’s Email Encryption, and Why Do You Need It?

Using complex algorithms, encryption protects an email transmission so that no one other than the intended recipient can access its content, both as it is transmitted through cyberspace and while it resides on the recipient’s email server. Best-in-class email encryption solutions adhere to the AES 256-bit standard, which is the benchmark required by most Federal offices. Many encryption methods involve multi-factor authentication and credentials.

Depending upon the solution, senders can designate how much time the recipient can take to open the message before it times out and becomes inaccessible, even to the intended addressee. This practice helps avoid letting sensitive material sit indefinitely on a third-party email server, since even the most security-compliant law firm has no control over the level of security on the other person’s network.

Not only does the use of encryption deter hackers from accessing email content, but the sheer act of employing encryption can help attorneys avoid compliance violations. Although firms aren’t required by law to use encryption, updated sections of the ABA Model Rules of Professional Conduct now dictate that attorneys must “understand the benefits and risks of relevant technology.” Other requirements include that firms take “reasonable precautions to prevent client information from unauthorized access, as well as inadvertent or unauthorized disclosure,” as outlined in the ABA’s Law Practice Magazine. The application of email encryption can be used to demonstrate that a firm has taken such precautions, thus satisfying the requirement and leaving it less susceptible to fines.

Email Encryption Best Practices

To get any benefit from email encryption, the system must be easy for companies to deploy and for their employees to use; otherwise, staff members will simply forgo it. Difficulty of use, implementation, and management are often named as the top barriers to adoption. Typical encryption solutions have been regarded as confusing and cumbersome, since many require users to log in to third-party portals or establish account credentials to open and decrypt a message.

Yet technology has made great strides in recent years, and solutions now exist that dramatically simplify this process. Effective systems facilitate government-grade, AES-256 encrypted messages that can be opened with a single click, as easily as an unencrypted email. Similarly, replies can be automatically encrypted without any extra action on the part of the sender. Open rates for messages that can be decrypted in one click tend to be higher than for encrypted emails that involve multi-step processes or separate logins.

Sub-par email encryption systems tend to require recipients to go through a series of steps to encrypt their replies. This typically results in personnel abandoning encryption and sending replies back through the internet that include the original sender’s sensitive information, this time unprotected.

Price has been another statistical barrier to widespread adoption of email encryption. Large-tier security vendors often come with costly price tags. And since encryption is often erroneously viewed as a luxury, too many organizations skip the investment—at their own risk.

Firms can lower the investment cost of an encryption solution by selecting a more specialized security vendor, one that addresses a range of high-performance email security capabilities in a single software package. The ability to streamline an organization’s security stack via a competitively priced, modern solution can add value for the attorney’s business, providing superior email protection and a greater range of powerful security features. This approach is also easier to manage since it involves only one vendor, as opposed to dealing with multiple points of contact at different technology providers.

Attorneys should look for a specialized cybersecurity solution that features best-in-class encryption, yet also includes comprehensive inbound and outbound protection by way of anti-virus, anti-malware, data loss protection, smart archiving tools, and other means of threat detection. This will help improve the ROI of an email security technology investment. In addition to encryption, effective solutions should also employ advanced AI-based filters and optical character recognition capabilities to detect even the most stealthy and clever AI-powered imposter attacks. AI-based tools can identify keywords, contexts, and patterns within the body of an email that may indicate a breach or a phishing attempt.

Attorneys should also look for powerful archiving features such as eDiscovery and legal hold. Effective solutions include “smart indexing” tools that leverage encryption technology to provide a valuable search function: users can instantly share a select range of emails that are part of a specific search without including unrelated, unnecessary data. This way, attorneys can locate a specific email message related to an individual case without dredging up tons of extraneous content in the process, saving time and labor.

Another critical feature is the use of tokenization in encrypted mail, which lets users read through their emails dramatically faster. This process allows users to read the majority of a tokenized email message just as easily as they would any other email, while the sensitive portions of that message (such as credit card numbers or healthcare data) are protected. The confidential sections can be decrypted when the user is ready. This is a breakthrough development in email encryption usage.

Advanced solutions even allow system administrators to automate security, setting the system to comply with certain regulations. Those solutions will auto-encrypt messages to ensure adherence to the regulations the administrator designates. This takes the burden of deciding what information requires encryption out of the hands of staff members.
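The tokenization and administrator-set auto-encryption described above can be sketched as follows. This is an added example, not code from the article or from any vendor. The function names, the card and SSN patterns, and the in-memory vault (standing in for the encrypted store a real product would use) are assumptions made for illustration.

```python
import re
import secrets

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN in 3-2-4 layout
# Constructed sample message: one test card number, one SSN, one harmless docket number.
SAMPLE = ("Hi Dana, the retainer was charged to card 4111 1111 1111 1111.\n"
          "Client SSN is 078-05-1120. Docket 1234567890123456 is set for Friday.\n")

def luhn_ok(digits):
    """Luhn checksum: rejects long digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(body):
    """Return sorted (start, end, kind) spans of regulated data in the body."""
    spans = [(m.start(), m.end(), "SSN") for m in SSN_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            spans.append((m.start(), m.end(), "CARD"))
    return sorted(spans)

def tokenize(body, vault):
    """Swap each sensitive span for an opaque token; originals go to the vault."""
    out, pos = [], 0
    for start, end, kind in find_sensitive(body):
        if start < pos:  # skip a span overlapping one already replaced
            continue
        token = f"[[{kind}:{secrets.token_hex(4)}]]"
        vault[token] = body[start:end]
        out += [body[pos:start], token]
        pos = end
    out.append(body[pos:])
    return "".join(out)

def detokenize(text, vault):
    """Restore the protected values once the reader is authorized to see them."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text

def must_encrypt(body):
    """Assumed admin policy: any message holding regulated data is encrypted."""
    return bool(find_sensitive(body))
```

The Luhn check is what keeps the 16-digit docket number readable while the card number is tokenized, so staff do not have to make that call themselves.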

All that said, email encryption doesn’t have to be expensive and cumbersome, and use of such technologies can deliver sophisticated benefits. As shrewd hackers continue to evolve their skills, law firms need to accelerate their defenses against these email-based cyberattacks. Modern, cost-effective encryption is an intelligent way to achieve that.


About the Author

Rom Hendler is CEO and co-founder of Trustifi, an award-winning cybersecurity firm featuring email encryption and anti-threat solutions delivered on a software as a service platform. Trustifi is driving the market forward, offering both inbound and outbound email security with AI-powered features to combat the market’s most sophisticated evolving threats. Its unique, proprietary cloud-based storage model is causing businesses to rethink their approach to cybersecurity.