Colorado Supreme Court

Office of Attorney Regulation Counsel

Promoting Professionalism. Protecting the Public.

Padlock Your Email

Guarding your client’s confidentiality means protecting emails that may contain their information.


Winter 2015

When’s the last time you sent an email that contained confidential information? Do you know if that email was protected from prying eyes?

If not, it’s time to protect yourself.

As stewards of some of their clients’ most guarded information, attorneys must take digital security seriously. To get a sense of the frequency of attempted intrusions, consider that the Office of Attorney Regulation Counsel’s networks detect 800-plus attempts to burrow into its system each day. And while not directly addressing email security, the American Bar Association is nudging attorneys toward understanding technology. In a comment to the most recent Mode Rule 1.1, the ABA said that competence means keeping abreast of changes in the legal practice “including the benefits and risks associated with relevant technology.”

In this first installment of Tech Talk, we’ll do a quick rundown on three easy ways to protect yourself and your clients when communicating over email. How exactly an email can be read by others is process we’ll get into below. But in a word, email security is all about encryption. There are three basic options to protect yourself and your clients:

1.      Use a secure email service. There are numerous email providers that offer protection on everything you send. Depending on your usage, these services can start as low as $5 a month.

2.      Use an encryption program for individual attachments. Search online for “encryption programs,” and you’ll find numerous options. Once the program is downloaded, you can encrypt documents that you attach to an email. Be aware, however, that these programs only protect the attachment. They DO NOT encrypt any content in the body of the email.

3.      3. Use a cloud storage service. This may be the simplest method. If you want to share a confidential document, upload it to any number of cloud-based services (think: Google Drive, Dropbox, etc.). Then you can share that file without exposing it through email. All files shared through these services are encrypted and thus safe from unwanted interception.

To back up a bit, let’s get a basic understanding of how email works and why it is vulnerable. The internet is a collection of hosts that store data and servers that move that data around. A host such as your office computer may send information to its nearest router — say a wireless router in the corner of your office — which then forwards the information to a server. From there, it’s sent across the internet in search of its destination. The email often gets routed through numerous servers during its journey, sometimes through other countries, before landing in your recipient’s email server. From there, it’s retrieved when your recipient opens their inbox.

If an email isn’t protected, its contents are exposed during each exchange between internet servers, kind of like a letter could be read by a worker at any postal facility along a letter’s route. Encryption protects against this. It’s like locking a letter in a safe and then mailing the safe.

(A brief sidenote: While encrypting email messages ensures its safe passage across the internet, someone could always gain access to your inbox by guessing your password. In the next Tech Talk, we’ll discuss why strong passwords are vital and how to create one.)

The likelihood of someone stealing your client’s data from an email may be small, but it only has to happen once to create a big headache. As a general rule of thumb, if you wouldn’t send a piece of your own information through an unsecured email, don’t send your client’s.

If you have additional questions please consult your email service provider or your chosen technology professional.

Brett Corporon is the Director of Technology for the Office of Attorney Regulation Counsel. James Carlson is the Information Resources Coordinator for the Office of Attorney Regulation Counsel.