Encrypting Emails 101

As an attorney, you often engage in privileged conversations. In response, many firms need or have a way to send and receive encrypted email. The trouble arises when, depending on your current systems, you want to save this email to your document management (DM) and practice management (PM) software. There are three basic situations that occur. Let’s look at the pros and cons, then discuss how to choose the best option.

Login Encryption

In my experience, the most common type of encrypted email requires the recipient to log in to a web portal to see the message. Once logged in, the client can download attachments and respond, all while maintaining encryption.

The benefit of this encryption is that you can choose whether to encrypt each email. Also, from the sender’s perspective, your email app works mostly unchanged. (This may change depending on the solution used.)

The drawback is that the user needs to remember to encrypt emails one by one. Also, the recipient, depending on their skill with technology, may not be able to figure out how to log in to a portal to receive the message.

Saving to PM and DM

When sending, most PM and DM systems can capture these emails. However, when receiving encrypted emails, most firms cannot easily get this information into the PM or DM because it sits in a web portal. When this occurs, attorneys or firm members may need to copy and paste the text or download the email as a PDF and then manually save it to the DM or PM system. These extra steps may require training, are difficult to enforce, and are easy to skip because of the extra clicks involved.

Site to Site Encryption

The second option requires establishing a site-to-site connection. Firms often discuss this when they talk about GDPR compliance. In this situation, two different firms set up a secure tunnel between their domains. This setup allows someone at FirmDomainA to send encrypted emails to someone at FirmDomainB. In this setup, nobody needs to log in to any portal. Also, as long as those two domains communicate over email, the messages and attachments are encrypted.

There are a few drawbacks. The first is that your encryption is disabled any time a user sends an email to someone from an outside domain, or you are CCed/BCCed on an email. Also, this needs to be set up per site, which requires both firms’ IT departments or vendors to collaborate.

The second drawback is the requirement on the attorney to remember which sites have encrypted traffic and which do not.

(Technically, there is an option to do this person to person, but the result is similar, which is why I’m not covering it in more detail.)

Saving to PM and DM

In this configuration, DM and PM solutions are typically unaffected, since your email software (Outlook) is unaffected.

PM and DM Encryption

The second situation occurs when you have a PM system that allows secure communication between firm members and clients. This usually works like the login method described above. However, because this solution is part of the PM system, the PM system automatically captures information. Sounds good, right?!

The drawback here is that this system completely bypasses the email client (Outlook in most cases). Many attorneys, lawyers, and other firm members aggressively respond when asked to stop using Outlook.

The other drawback occurs when you have separate DM and PM solutions (most are). In this situation, sending and receiving attachments is difficult due to the extra steps involved when saving from an encrypted PM to email to DM.

Conversely, if the DM is used to send encrypted emails, then the PM is also bypassed and steps are added to bill time for that email.

If both systems offer the solution, then we’re back at the old argument of where to save the email: in the PM, because it can capture time and other records, or in the DM, because you can make the email text searchable.

Choosing the Best Solution

At this point, I’ve created more questions than answers. For those of you that skipped to the end, you might be disappointed with my response: choosing the best solution depends on many factors.

Why? This is a bit like choosing a flight route. First, pick your destination, then select the path that has the most benefits for you; are you a member of an airline, do you need a direct route, what is your timeline, etc.

I always suggest firms look at existing tools before they purchase new software. But like any package selection process, you need to start at the end first. Of the four options above, which workflow is most desirable? Then think through the details and plan or train accordingly.

If you have questions about this, please comment or contact me. I’d love to discuss and help you find the right solution.
