How are legal firms dealing with encrypted emails safely?


News Article
22 August 2017

BOLD LEGAL GROUP (BLG) is a network of professionals working in or with the legal sector, which provides a forum for keeping fully informed on changes that will have an impact on the way the sector works and how law firms advise their clients and manage their operations effectively. Unlike other legal networks, BLG members work together, they share experiences, problems, solutions and successes.

How to Deal with Encrypted Emails Safely?

Recently one member wrote in with a query on how to handle Encrypted Emails safely:

“We have noticed that we are receiving a slowly increasing number of encrypted or secure emails from banks and recently other firms, which ask us to click on a link to access the email or document.

Our concern is they never have any details of who they relate to in the initial email, so we can’t check if they are for a genuine matter, or even call the sender to check, as there is no information on who to actually contact or any reference whatsoever (and without any case details it’s often impossible to find out who actually sent it if we call a generic number for the firm), so it is an easy way for anyone unscrupulous to get something installed on an unsuspecting firm’s system.

And often when we do get to the document, you wonder whether it was really necessary to have gone to all that trouble. How are other firms dealing with these?” BLG Member

Mike Batters, Technical Director of Legal IT Consultancy, NETprotocol provides some valuable advice:

Encrypted e-mails are increasingly becoming industry standard for securing sensitive data in transit. There are two distinct questions here though:

Firstly, the question of protecting your organisation from malware / ransomware is very valid and there are a number of ways of addressing this. Typically e-mail should still come from a known organisation and the e-mail address should still be recognisable, even if the content is encrypted. When clicking the link, users should ensure there are no certificate warnings in the browser and that the site they have been taken to still relates to either the law firm or a well-known email security provider such as Proofpoint or Mimecast. Furthermore, good quality inbound e-mail security and web security solutions should easily detect the difference between legitimate and bogus encrypted e-mails and discard the latter.

It is often a configurable setup and to aid recipients, most secure e-mail solutions enable the sender and subject line to be retained as their original text, to give the recipient some indication of the content.

To address the question of necessity for encryption: as the sender of an email, there is a responsibility to protect personal information, i.e. financial, medical, etc. As e-mails can be intercepted in transit it is important to protect this as much as possible. Furthermore, secure e-mail systems also give the recipient a safe means of providing similar sensitive information in their response; for example, if the original e-mail is a request for banking details, that content may not need protecting – but the process means the response requires a secured manner. There are numerous e-mail systems which only provide basic or crude means of selecting which messages should and shouldn’t be encrypted, or the sending firm may have been poorly advised or over-cautious on their encryption policies. Often recipients drive feedback in such cases, which does prompt a change of policy, technology or both.
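The checks described above (a recognisable sender address, a link that points back to the sending organisation or a known secure-mail portal, an HTTPS link, and a subject or body that carries some matter reference) can be turned into a simple triage step that a firm's mailbox team or mail gateway runs before anyone clicks. The script below is an added illustration written for this page; it is not code from BLG or NETprotocol. The allowlists of known sender domains and portal hostnames are constructed placeholders (a real deployment would populate them from the firm's own client and counterparty records), and the two sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlists (constructed placeholders): organisations the firm already
# deals with, and the secure-mail portal hostnames those organisations are known
# to use. A real deployment fills these from the firm's own records.
KNOWN_SENDER_DOMAINS = {"example-bank.com", "partnerfirm.example"}
KNOWN_PORTAL_DOMAINS = {
    "securemail.example-bank.com",
    "portal.securemail-provider.example",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
REFERENCE_RE = re.compile(r"\b(ref|reference|matter)\b", re.IGNORECASE)


def triage_secure_email(raw: bytes) -> dict:
    """Apply the recipient-side checks to one raw RFC 822 message.

    Returns the extracted sender domain, the links found, a list of findings
    (empty when every check passes) and a human-readable verdict. Anything
    with findings should be held for manual verification, for example by
    phoning the sender on a number the firm already holds.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    links = URL_RE.findall(text)
    findings = []

    # 1. The e-mail address should still be recognisable.
    if sender_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"sender domain '{sender_domain}' is not a known counterparty")

    # 2. The link should be HTTPS and lead back to the sender or a known portal.
    for link in links:
        parts = urlparse(link)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(f"link is not HTTPS: {link}")
        related_to_sender = sender_domain and (
            host == sender_domain or host.endswith("." + sender_domain)
        )
        if not (host in KNOWN_PORTAL_DOMAINS or related_to_sender):
            findings.append(f"link host '{host}' is neither the sender nor a known portal")

    # 3. A genuine notification normally retains a subject or reference that
    #    lets the recipient tie it to a matter.
    if not REFERENCE_RE.search(subject + " " + text):
        findings.append("no matter reference in subject or body")

    verdict = (
        "hold for manual verification" if findings
        else "consistent with a known secure-mail sender"
    )
    return {
        "sender_domain": sender_domain,
        "links": links,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample messages (not real mail).
GOOD_MESSAGE = b"""From: Jane Smith <jane.smith@example-bank.com>
To: conveyancing@lawfirm.example
Subject: Secure message - Our ref ABC/123 completion statement

You have received a secure message from Example Bank.
Open it here: https://securemail.example-bank.com/inbox/msg/12345
"""

SUSPECT_MESSAGE = b"""From: Secure Documents <noreply@mail-delivery.example>
To: conveyancing@lawfirm.example
Subject: You have a secure document

Click to view your encrypted document: http://docs-view.example/open?id=77
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_MESSAGE), ("suspect", SUSPECT_MESSAGE)):
        result = triage_secure_email(raw)
        print(label, "->", result["verdict"])
        for finding in result["findings"]:
            print("   -", finding)
```

The script cannot perform the browser-side check for certificate warnings; that still happens when the user opens the portal. What it does do is stop the common case the BLG member describes: a notification with no recognisable sender, no reference and a link to an unrelated host is flagged before it reaches a fee earner's inbox.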

If anyone has more detailed questions on how to handle Encrypted Emails safely, please contact Mike Batters at NETprotocol on the details below. We are happy to run a web-based “surgery” session for those interested.