Today we welcome a guest blawger — the Senior Vice President & General Counsel of Zix Corporation (NASDAQ:ZIXI), Ronald A. Woessner.
Ron knows a thing or two about data encryption. As Zix’s homepage says:
Zix Corporation is the leading provider of services that Connect entities to Protect and Deliver sensitive information. ZixCorp’s hosted Email Encryption Service provides an easy and cost-effective way to ensure customer privacy and regulatory compliance for corporate email. Its PocketScript® e-prescribing service reduces costs and improves patient care by automating the prescription process between payors, doctors, and pharmacies.
So let’s hear from Ron. Here goes:
In 1999, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility ruled that an attorney may transmit confidential client information via unencrypted email over the Internet without violating the Model Rules of Professional Conduct. The basis for the ABA’s decision was that unencrypted email has a reasonable expectation of privacy from a technological and legal standpoint — similar to the expectation of privacy for mail, phone and facsimile communications.
The basis for the ABA’s decision is no longer valid, given what we know today about the inherent privacy and security vulnerabilities of unencrypted email. The ABA should revise its decision.
It is now widely known to information technology professionals that unencrypted email messages are as vulnerable as a postcard to a third party’s prying eyes. In recognition of this, the regulations under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Gramm-Leach-Bliley Financial Modernization Act of 1999 ("GLBA") require that email messages containing personal health information and personal financial information be encrypted. Encryption is required because, according to the regulations, unencrypted "email is not a secure method for sending sensitive data."
The HIPAA and GLBA regulations do not require encryption for regular mail, phone and fax communications. Since encryption is required for email messages but not for these other forms of communication, the federal regulators clearly believe that unencrypted email is less secure than regular mail, phone and fax communications.
Recent court decisions illustrate the legal risk to attorneys who use unencrypted email. In Scott v. Beth Israel Medical Center, Inc., the court held that unencrypted email messages sent by a client to his attorney, using his employer’s computer and the employer’s email system, pertaining to the client’s legal claim against the employer were not protected from discovery because the client had no reasonable expectation of privacy.
Admittedly, this particular case involved a situation where the attorney-client communications related to a legal claim against the employer whose email system was being used to transmit the email messages. Nevertheless, the rationale of the decision — that there is no reasonable expectation of privacy in unencrypted email messages transmitted by an employer’s computer network — could be readily extended to any email communication about a personal legal matter that is transmitted or accessed by the client from his or her place of employment during business hours.
Given the foregoing, the ABA should begin requiring the use of encryption for attorney-client communications. Attorneys who do not use encryption for sensitive email communications risk legal malpractice claims. Attorneys who do not use encryption for email communications containing personal information protected by HIPAA or GLBA risk fines and jail time.
Ronald A. Woessner