Use Encryption Responsibly

Without question, as attorneys we need to take reasonable steps to keep our data secure. This is because much of the data that we have includes information that we are obligated to keep confidential. Because of this, I recommend that if you are keeping client information on a laptop, you use whole disk encryption on the device.

Further, I recommend that people really think about the information that they are sending out and question whether email is the best way to send the information. In reality, there is some information that might be so confidential that it should be transmitted from trusted individual to trusted individual.

That all being said, there are also steps that you can take to protect information when sending it via email. For example, it is relatively simple to use Adobe Acrobat to encrypt a file or to control what the recipient does with the file.

However, this is a decision that requires the exercise of discretion. You should not simply encrypt every file that you send out. For example, I was recently involved in a real estate transaction in which, because of the listing agreement signed by my clients, I was obligated to use a title company that I do not normally use.

When the title company sent me the title commitment, they sent it via email. From my perspective, this was great. However, they sent it in an encrypted PDF. I completely fail to understand why, however.

When you think about it, the information that is contained within the title commitment is the information that is publicly available at the recorder’s office. Quite simply, by definition, there is not going to be any confidential information in the title commitment.

However, the thing that made this whole situation really ridiculous is that, in the email in which they sent me the encrypted file, the subject line read: “Password is XXXX.”

Yes, that is correct, they sent me an encrypted file containing only publicly available information and they included the password for that file as the subject of the same email.

This is like the perfect storm of applying security where it is not needed and doing so in a manner that is completely insecure and completely defeats any possible security.