1. Knowledge Base
  2. Cybersecurity
  3. Lex Mundi Core Standards and Recommended Practices

The Importance of Email Encryption

 

Mobile device and application management:

Mobile device management (MDM) is "a type of security software used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across multiple mobile operating systems being used in the organization."

Source:  http://www.webopedia.com/TERM/M/mobile_device_management.html

Mobile application management (MAM) "provides granular controls at the application level that enable administrators to manage and secure app data. MAM differs from mobile device management (MDM), which focuses on controlling the entire device and requires that users enroll their device and install a service agent."

Source: https://en.wikipedia.org/wiki/Mobile_application_management 

For more see, Brian Madden: http://www.brianmadden.com/opinion/What-is-MDM-MAM-and-MIM-And-whats-the-difference

Thanks to Parveen Sharma for suggesting this addition and providing Madden's blog post.

Encrypted email system:

Email encryption is encryption of email messages to protect the content from being read by other entities than the intended recipients. Email encryption may also include authentication.

Email is prone to disclosure of information. Most emails are currently transmitted in the clear (not encrypted). By means of some available tools, persons other than the designated recipients can read the email contents.[1] Email encryption has been used by journalists and regular users to protect privacy.[2]

Email encryption can rely on public-key cryptography, in which users can each publish a public key that others can use to encrypt messages to them, while keeping secret a private key they can use to decrypt such messages or to digitally encrypt and sign messages they send."

Source: https://en.wikipedia.org/wiki/Email_encryption

For information click here.

Email Tracking:

How does it work?

A line of code [is embedded] in the body of an email, usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. 

Source: https://www.wired.com/story/how-email-open-tracking-quietly-took-over-the-web/

What is revealed by email trackers?

  • When and how often the message was opened
  • How long someone reviewed it 
  • Whether the attached files were opened including detailed engagement heatmaps
    • Bananatag software does this in Gmail
  • Whether the email was forwarded and to whom
  • Location of the user when they opened the email
    • Depends on whether email system uses proxy server which is common
  • Device fingerprint

Source: Email Tracking: The Problem Hiding in Plain Sight by MARK GRAZMAN in Peer to Peer: ILTA’s Quarterly Magazine Fall 2019 

What are lawyers doing with trackers?

To see . . .

  • If someone forwards an email to an insurance firm. If they do, I know a settlement is coming and I negotiate much harder
  • If the email was opened / forwarded . . . to get a judgement of willful patent infringement
  • Which expert witnesses might be involved

Source: Email Tracking: The Problem Hiding in Plain Sight by Mark Grazman; Peer to Peer: ILTA’s Quarterly Magazine; Fall 2019 

Who is doing it? How prevalent is it?

According to OMC's data, a full 19 percent of all “conversational” email is now tracked.

Source: https://www.wired.com/story/how-email-open-tracking-quietly-took-over-the-web/

Percentage of inbound emails tracked - at or above 70% of delivered emails . . . at least 84 of the AmLaw 100 had tracked emails leaving [the firm]

Source: Email Tracking: The Problem Hiding in Plain Sight by Mark Grazman; Peer to Peer: ILTA’s Quarterly Magazine; Fall 2019 

survey of over 500 general counsel . . . 68% of lawyers would like to know if documents that they sent through email had been forwarded

Source: https://www.docex.com/lawyers-like-to-know-if-documents-forwarded/

Legal and professional conduct issues

  • US: May violate federal or state Communications Privacy Act, 18 U.S. §2511. “Interception and disclosure of wire, oral, or other electronic communications are prohibited.”
  • GDPR: All depends on the nature of the consent provided 
  • US State Bars:
    • New York - Opinion 749: “Lawyers may not ethically use available technology to surreptitiously examine and trace email.” The opinion also states that email tracking violates code DR1-102 (A)(4) prohibiting lawyers from engaging in conduct “involving dishonesty, fraud, deceit or misrepresentation."
    • Alaska - Opinion No 2016-1: “Sending ‘bugged’ emails…with embedded tracking devices constitutes an impermissible infringement on the lawyer’s ability to preserve a client’s confidences or secrets.”
    • Pennsylvania - Opinion 2017-300: “…the use of a web bug which opposing counsel cannot determine is present violates Rules 4.4 (Respect for Rights of Third Persons) and Rule 8.4 (Misconduct).” Read receipts are allowed because there is clear notification and consent, unlike email tracking. 
    • Illinois - Professional Conduct and Advisory Opinion No. 18-01: The opinion concurs with the definition of misconduct in both the New York and Alaska opinions in terms of email tracking invading the client-lawyer relationship, but goes further saying: “Other opportunities for intrusion into the representation of a client could arise from the monitoring of the email communications between the receiving lawyer and others involved in the representation…”

Source: Email Tracking: The Problem Hiding in Plain Sight by MARK GRAZMAN in Peer to Peer: ILTA’s Quarterly Magazine Fall 2019  

Professional conduct

If your email was only opened once, and never re-opened, you know your opponent is not interested. If it is opened on numerous occasions, then you know your opponent is interested. Is this an advantage? Should you have it? What can you do with it? Is data of this type discoverable? Is this type of data protected by solicitor/client privilege? If you have this information, does it change your tactics at the negotiation table? And if it does change your tactics, is this “influence”?

The use of this type of software is not only relevant to issues of conflict of interest, it relates to ensuring you maintain your clients’ information as confidential, issues of solicitor/client privilege, issues of due diligence and disclosure. Privacy is extremely difficult to achieve with the racing ahead of technology, but practitioners have a continuing obligation, no matter the environment, to comply with their ethical obligations, and maintain their relationship with their client. The ABA in a recent opinion recognised that the existence of complex and sophisticated software, and cyber threats, has changed the landscape in which practitioners work.

Source: CONFLICT OF INTEREST: THE IMPACT OF DIGITAL & GLOBAL LEGAL PRACTICE by DESLIE BILLICH, OFFICE OF THE LEGAL PROFESSION CONDUCT COMMISSIONER

Law Society Bulletin, Law Society of South Australia

https://www.yumpu.com/en/document/read/62645776/lsb-may-2019-web

How do you stop someone using it on you?

  • Enable “Ask before displaying external images” option (see below for Outlook screenshot and link to how to do this in other email systems)
  • Uses a security system that prevents the images from being loaded
  • Webmail: Use any advertising blocking browser extensions (e.g. AdBlock)
  • Download and scan any attachments before sending on

Outlook - how to "ask before displaying external images"

Source and for more email systems: https://www.pcmag.com/how-to/how-to-disable-email-image-loading

What software can your firm use to do it?

Document distribution software can manage the distribution of sensitive documents with multiple sets of policies; this will ensure sensitive documents are being shared appropriately, in full compliance, no matter who the sender(s) or recipient(s) are. Example (no endorsement): https://www.docex.com/why-docex/

As an individual you can use these tools:

  • SalesHandy
  • ContactMonkey
  • Hubspot
  • Bananatag
  • Cirrus Insight

Source (and for other email systems): https://www.saleshandy.com/blog/best-email-tracking-tools/