Feature
posted 27 May 2008 in Volume 11 Issue 1
Many law firms show an inadequate approach towards e-mail encryption.
Despite the risks to which e-mail is exposed in the course of transmission, most law firms are content to take the risk of interception of their e-mail by hackers.
A recent survey of 201 partners and non-partners of law firms across the UK explored attitudes and behaviour towards e-mail confidentiality.
It highlighted a widespread and mistaken belief that existing anti-virus and spam prevention solutions provide sufficient email protection and that, as a result, the possibility of interception was being overlooked.
The survey also found that although e-mail is one of the least secure methods of communication, more than half of a law firm's e-mail carries confidential information; and that, despite recommendations in the Law Society's e-mail security guidelines, fewer than 10% of UK law firms encrypt e-mail.
There should now be a more widespread awareness of the provisions of the Data Protection Act 1998 and, in particular, of the one of its eight principles that requires data (including data in e-mail) to be held securely.
A brief examination of any electronic file will reveal that, without the sender realizing it, a good deal of sensitive information is conveyed electronically without any form of protection from third-party interference.
What's the solution?
Encryption is seen as the most secure way to protect electronic data. The Information Commissioner, following the HMRC disc fiasco and the MoD's lost laptops, made it clear that organisations should encrypt electronic information if it leaves an organisation's secure environment. The Law Society recommends that firms adopt automatic email encryption, and the FSA also state that best practice is to ensure that all forms of electronic communication are secure, including email.
One of the issues, however, has been the availability of an easy-to-use and affordable service. Secure-mail (www.securecoms.com) solves these problems.
Secure-mail is designed for small to medium-sized firms where access to IT knowledge may be limited. The service works through a small device called the Secure-mail hub. This sits between the firm's email server and its internet router. It takes a few minutes to install, doesn't require any software configuration and is free to try.
Once installed, emails pass through the hub and, if they're going to a recipient with the corresponding service, they'll be encrypted. If the email is going to a non-Secure-mail user, the email will pass through unencrypted.
It's simple to create interoperability between a firm and its clients. Once a firm has the hub, its clients and contacts have two options for receiving and sending encrypted email: they can either install the Secure-mail hub at their end or download a free piece of software, called Secure-mail:lite, onto their desktop.
Firms looking at managing risk have yet to fully incorporate the known risks of sending unprotected information over the internet. In the past, the defence that there's no easy solution to the problem may have been acceptable. Now that there's a way to solve the problem, it would be hard to justify to clients why their electronic information is not given the same level of protection as all other confidential information retained by their firm.