An overview of e-mail security
With the amazing growth of electronic mail, law firms have become vulnerable in at least five areas to security concerns
by DANA H. SHULTZ
As use of electronic mail has taken off, firms -- often unknowingly -- have exposed themselves to dramatically increased security risks. Here are the five major threats and an overview of how each should be approached.
E-mail on firms' internal systems and commercial services such as America On-line and CompuServe usually is tightly controlled. Internet messages, in contrast, can be monitored and copied fairly easily.
On its way from the sender's computer to the recipient's, a typical Internet message will reside on many intermediate systems. Each stop is an opportunity for interception. This is of particular concern for lawyers and law firms because of their obligation to maintain the confidentiality of client information.
The most effective way to prevent interception is to encrypt (electronically scramble) information sent via e-mail. And the most effective, readily available encryption technology is PGP (Pretty Good Privacy).
Offered commercially in the United States and Canada by ViaCrypt (Phoenix, 602/944-0773, http://www.viacrypt.com), PGP is a "public key" encryption technology. Every PGP user has two unique, mathematically linked keys (strings of characters) that are used to encrypt and decrypt messages.
One is a public key, which is made available to other e-mail users. The other is a corresponding private key, which is kept secret. When User A sends a message to User B, User A encrypts the message with User B's public key. That way, only User B -- the only person with the corresponding private key -- can decrypt and read the message.
Forgery is the flip side of interception. Instead of a legitimate message being intercepted by a malicious recipient, forgery involves presenting a spurious message to an unsuspecting recipient.
PGP can help here, too, through a process known as authentication. Continuing the example presented above, assume that User B wants to confirm that the encrypted information came from User A. User B presents User A's public key to the PGP software. If PGP reports that the public key matches the private key used to encrypt the information, then User B can be confident that User A, rather than a forger, sent the information.
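As an added illustration (not code from this column or from PGP itself), the two uses of the key pair described above, worked through with textbook RSA on deliberately small constructed keys: encrypting to User B's public key so that only B's private key decrypts, and authenticating User A's message so that B's check with A's public key fails for a tampered message or an impostor. Assumed: Python 3.8 or later, the helper names, and that the toy parameters (no padding, tiny primes) demonstrate the key relationship only.

```python
# Added toy example, not PGP itself: textbook RSA with small constructed
# primes and no padding, enough to show the key relationship and nothing more.
import hashlib
from math import gcd

def make_keypair(p, q, e=17):
    """Return (public, private) keys from two primes p and q (assumed prime)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))    # private exponent d = e^-1 mod phi

def encrypt(message: bytes, public_key) -> list:
    """User A scrambles for User B with B's public key (one block per byte)."""
    n, e = public_key
    return [pow(b, e, n) for b in message]

def decrypt(blocks: list, private_key) -> bytes:
    """Only the holder of the matching private key recovers the bytes."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private_key) -> int:
    """Sender applies its private key to a hash of the message."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient checks with the claimed sender's public key."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def demo():
    """The column's scenario: A sends to B, B reads it and confirms it is from A."""
    b_pub, b_priv = make_keypair(65537, 10007)    # User B's key pair
    a_pub, a_priv = make_keypair(10009, 104729)   # User A's key pair
    msg = b"Settlement offer: confidential"       # constructed sample message
    ciphertext = encrypt(msg, b_pub)              # an interceptor sees only this
    signature = sign(msg, a_priv)                 # only A's private key makes this
    plaintext = decrypt(ciphertext, b_priv)
    genuine = verify(plaintext, signature, a_pub)
    tampered = verify(b"Settlement offer: withdrawn", signature, a_pub)
    impostor = verify(msg, sign(msg, b_priv), a_pub)  # B's key posing as A
    return plaintext, genuine, tampered, impostor

if __name__ == "__main__":
    print(demo())  # (b'Settlement offer: confidential', True, False, False)
```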
At one time, diskettes were the primary medium for transmitting computer viruses. But with viruses now infecting both executable programs and word processing documents, and the increasing exchange of both types of files via the Internet, on-line transmission of viruses has become a major problem.
Highly effective anti-virus software is available from vendors such as McAfee Associates (Santa Clara, 1-800/866-6585, http://www.mcafee.com) and Symantec (Cupertino, 1-800/441-7234, http://www.symantec.com). For maximum protection, these products need to be used consistently on both servers and users' PCs.
What do Borland International, Atlantic Richfield and the Los Angeles Police Department have in common? Each was subjected to legal liability based, in part, on messages created on an internal e-mail system.
Many employees -- to their employers' detriment -- say in e-mail things they never would say in a formal memorandum. But despite their informality, e-mail messages are just as discoverable, and just as admissible, as memos.
By implementing an aggressive "records retention" (actually, records destruction) policy, firms can make sure that potentially embarrassing messages are deleted. Some firms go even further, making sure that e-mail messages are not backed up with other network data so there will be no nasty surprises if back-up tapes are produced in litigation.
The best hardware and software are useless if people do not use them properly -- for example, by sending a document to the wrong recipient. Like any other application, e-mail requires that the system be buttressed in two ways.
First, there must be procedures that tell users, step-by-step, how to create and send e-mail messages. Second, users must receive training in the software and the procedures -- up-front and on an ongoing basis -- to make sure problems are minimized.
A future column will provide detailed recommendations for securing e-mail.
Dana H. Shultz, an Oakland-based lawyer, certified management consultant and speaker, may be reached by e-mail at firstname.lastname@example.org and on the World Wide Web at http://seamless.com/ds/.