The importance of encrypting emails containing personal client data
Aug 4, 2023
Ensuring emails containing client data and results from drug and alcohol testing are encrypted seems like a no-brainer - but not all labs and family law practices are the same. In his latest exclusive, family law blogger John Bolch discusses why it should matter (and that the lab you use is accredited, certificated and compliant)...
When I gave up practising in 2009, email was of course a thing, but most communication was still done by paper (post or document exchange). I remember in particular the daily ritual of opening and sorting the mail first thing in the morning.
But things have changed somewhat since then. Email is now the standard method of document transfer.
But email brings with it hidden risks. Take, for example, the following true story.
It is a few days before Xmas 2018 and Sally Flood is looking forward to completing the purchase of an investment property for her children, using money she inherited from her late father.
She receives an email from her solicitor requesting her to transfer funds for the purchase to their bank account. She complies, and transfers a total of £95,000.
But the email was not from her solicitors, and the bank account belonged to criminals.
Ms Flood spends the next year trying to recover the money, and is then still left £35,000 out of pocket.
The scam happened because the criminals hacked into the solicitor’s email system. It is not known how they did this, but the most likely scenario was that an employee at the firm fell for a phishing scam and disclosed account details to the scammers.
This payment diversion fraud, as it is called, is perhaps one of the greatest dangers when a solicitor’s email has been hacked, but it is far from the only danger.
These days a great deal of personal client information is transferred by email. And, pertinent to this site, communications between drug and alcohol testers and instructing solicitors are a prime example.
What if those communications were to fall into the wrong hands? The possible consequences, apart from acute embarrassment for the solicitors, hardly bear thinking about.
And these issues can arise even where there is no criminal wrongdoing. What if, for example, an email is sent to the wrong address by mistake? It happens all the time.
So what is the answer?
My limited IT knowledge suggests that there is probably no complete answer, but one of the best responses to the threat is recommended in guidance from the Information Commissioner’s Office (‘ICO’).
The guidance points out that the UK General Data Protection Regulation (‘GDPR’) requires organisations to implement appropriate technical and organisational measures to ensure they process personal data securely.
And Article 32 of the UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of the organisation’s processing activities.
Encryption, says the ICO, is a widely available measure with relatively low implementation costs and a large variety of solutions to choose from.
With specific reference to data transfer, for example via email, the guidance states:
“Encrypting personal data whilst it is being transferred provides effective protection against interception by a third party.
“You should use encrypted communications channels when transmitting any personal data over an untrusted network.”
Well, for non-IT experts (including myself), the simple answer is that the email message is scrambled when sent, so that it is completely unintelligible when received.
In order to read the message the recipient will have to input a private key, or password, that matches the key used to encrypt the message. Obviously, only the intended recipient will have the key, meaning that criminals, or anyone who received the email in error, will not be able to read it.
Encryption may involve a minor inconvenience, but the benefits, including potentially to a firm’s insurance premiums, must surely make it essential.
And anyone who has got this far may be thinking: “Hang on, what about the drug and alcohol tester – shouldn’t they be using encryption as well?” Yes, they should. And Cansford do – for further information, see this post from 2020.