Everyone sends emails. Some of us send a lot of them. And, why not? It’s convenient, accessible everywhere (for good and ill), and universally readable - iPhone, Android, Mac, or PC; it doesn’t matter.
One of the reasons for this universality is email’s age. Despite its inclusion on our most modern devices - an Apple Watch, for example, email dates to the Internet’s Stone Age. And, like many relatively ancient technologies, we’ve grafted many enhancements to the foundation without successfully addressing fundamental problems.
A key unaddressed vulnerability for lawyers is the known, but largely unacknowledged fact that email is not a private communication. Unless you take specific steps to “privatize” your emails, anyone with a little ingenuity can read them. Rather than traveling through the Internet like letters in sealed envelopes, emails (and their attachments) traverse the Internet like postcards through the mail; readable by anyone with the time, access, and desire to do so. The reasonable rejoinder to that argument is: “What are the odds?” Six years ago, in 2013, the US Postal Service handled roughly 3.5 billion postcards and stamped cards. Statistics for emails estimate that 3.7 billion email accounts existed in 2017, which sent a staggering 269 billion emails per day. Given these numbers, you probably think your odds of having a private or client-confidential email intercepted are pretty low.
But, two important facts distinguish emails from postcards. The first is that intercepting a postcard once it enters the postal system is time-consuming, requires physical access to the postcard, and necessitates interfering with a single unified organization (the Postal Service) that has decades of experience successfully receiving, moving, and distributing physical objects. Email lacks all of these protections. Your email could be intercepted while you work on a coffee shop WiFi network without a VPN or SSL connection to your email provider. It could also be intercepted at any number of waypoints along its journey because, unlike a postcard, a copy of your email resides on every computer or server it bounces through on its journey from sender to recipient. However long that copy of the email resides on that third party server is decided by the document retention policies of that server’s owners; assuming they have such policies. Finally, since we know software has bugs, who is to guess which software on which server has what vulnerabilities.
Where attorney-client communications require attorney-client confidentiality, your best bet is to invest in email encryption. There are several packages available - from roll-your-own solutions like OpenPGP, to Outlook plugins like Protected Trust, to dead-simple tools included with existing subscriptions like Office 365. For purposes of this article, we’re going to focus on the dead-simple tool.
For Office365 email encryption to work, you must have an Office 365 Enterprise E3 (or higher) plan, which start at $20/month per user.
- Once you have this account, which includes all of the Office applications for Mac, PC, smartphones, and tablets, as well as Skype for Business, and 50GB of storage per user, you enable the message encryption feature in the admin console.
- After enabling encryption, email users can choose to encrypt emails on a per-email basis by choosing “Encrypt” from the Options ribbon > Permissions button in Outlook (2013 and 2016 for PC; 2016 for Mac). Additionally, the Office 365 admin console lets you define “rules” (similar to those for sorting email) that will automatically encrypt the message if the rule’s criteria are met; for example, sent to a particular client or the subject contains a particular keyword.
- After making your “encrypt” selection from the ribbon (or using an established keyword), you click send as you normally would, and your work is completed.
- Your recipient receives an email stating that you’ve sent him an encrypted message as well as a time-limited link to your message (and any accompanying attachments). When the recipient clicks to read the message, he is directed to a Microsoft web portal where he can sign in with his Office 365 account, Google account, or a one-time expiring code. From the web, the recipient can interact with the message as though it were unencrypted - read, respond, download attachments, etc. If the recipient is an Office 365 user, he can also interact with the message through his own Outlook (2013 and 2016 for PC; 2016 for Mac; and Outlook mobile on iOS and Android).
While you may need setup assistance from Microsoft (or whoever hosts your Office 365 installation), once configured, Office 365’s email encryption is among the most usable both for senders and recipients, who are often asked to jump through an inordinate number of hoops to read the encrypted messages they receive.
While the ABA does not yet require encryption of attorney-client sensitive emails, I believe attorneys are better erring on the side of caution concerning privileged emails. Especially as the barriers to ease of use crumble, attorneys should do all that is reasonable to protect their clients and themselves. I think it’s reasonable now and you should act. Speaking from practice, I’ve never sent an encrypted email that I later wished I’d sent unencrypted.
 Per an ABA cyber security post on May 14, 2018, the ABA Standing Committee’s Formal Opinion 477 states that Comment 18 to Model Rule 1.6(c) requires a “fact-based analysis” as to whether “particularly strong protective measures, like encryption, are warranted in some circumstances.”
 If you do not have Office 365 E3, or simply would like to hear more about other email encryption methods, let us know and we’ll happily do a dive into the alternatives available.
For help with email or any law office technology issue, you can always reach us at or request a consultation.