Email was never built with security in mind. Consequently, its weaknesses when used to exchange confidential or sensitive information are significant.
The problems associated with sending email have become so great that, were this a new technology seeking adoption for the first time, it would probably be dismissed as inherently unsuitable for use in legal practice.
However, because this is a technology which has developed over the years and whose problems and vulnerabilities have arisen incrementally, we do not have the luxury of rejecting it. We simply have to make the most of it.
Whilst it is true that many of the risks which firms face come from cleverly engineered exploits and viruses, it is also true that many arise simply because not enough thought is put into the act of sending, opening or processing an email. Our day-to-day habits with email, and the ease with which it can be impersonated or intercepted, present a massive opportunity to fraudsters and cyber criminals.
Thus, whilst firms must take steps to prevent themselves from being hacked by, for example, putting in place firewalls and anti-virus software, they must also take steps to ensure that the people working there do not become the weakest link in the security chain.
This can only really be achieved by means of rigorously applied policies and procedures, training and the provision of information to educate partners and staff in what to do and not to do.
The Information Commissioner's Office (ICO) provides very clear guidance on the risks of exchanging sensitive and confidential information by email. It also notes the difficulties that can be encountered when adopting encrypted email.
The SRA’s position
“Solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality, client money, and to overall compliance with our regulatory arrangements. As such, there may also be legal and regulatory consequences for the solicitor or law firm after a breach of confidentiality or loss of client money.”
“we do expect firms to take proportionate steps to protect themselves and their clients’ money and information from cybercrime attacks while retaining the advantages of advanced IT.”
The SRA stop short of banning the use of email for exchanging confidential or sensitive information – indeed, they don’t go as far as the Institute of Chartered Accountants in England and Wales (ICAEW), which describes this practice as “ill advised”.
The SRA advice around the use of email is to:
- avoid distributing files by email attachments
- avoid opening unsolicited email attachments
- not open electronic information in a place where members of the public can view your password or the documentation being opened
Email is the primary tool of choice for cyber criminals. For all of the reasons set out above, it creates unnecessary risks for clients and professionals alike.
For simple messages such as confirming meeting dates it is absolutely fine – but for anything that involves client information, client confidentiality or any requests for confidential or sensitive information it is easily compromised.
In its report “The Cyber Threat to the UK Legal Sector”, the government body the National Cyber Security Centre highlights email as the ideal method of attack. The report notes that the frequency of email-based scams had increased by 300%, with the SRA themselves detailing 110 scams against law firms so far in 2018. These are just the known scams; the report points out that many more go unreported.
Based on the risks, based on advice from regulatory and professional bodies and based on our knowledge of the threats – our advice is to avoid email for the delivery or exchange of sensitive or confidential information.