Lawyers have been reticent to apply stricter security models to their practices in part because they assume that, as security features increase, convenience decreases, for staff and for clients. A typical example of this line of thinking relates to email encryption: Attorneys realize the importance of locking down sensitive information; but, when they are confronted with a solution requiring that additional steps be added to their current process, it’s often a dealbreaker. ‘Oh, so people I send emails to would have to access a private inbox, with a new password — no one’s going to do that.’
Of course, when it comes to email encryption, there’s no avoiding the additional steps, as the technology now stands — which gives rise to this discussion of horse trading. How much additional work are you willing to ask your clients to do? If the alternative, in keeping with our current example, is to send highly sensitive data via unencrypted email — well, that’s a rather dangerous course: the solution can’t be to do nothing, to bury your head in the sand.
Part of accepting a security upgrade (be it email encryption, the adoption of two-factor authentication, device passwords on top of folder passwords, or something else), is realizing the potential risk involved in standing pat, understanding that process can ease burdens and knowing that there are potential new marketing tactics that can emanate from a better security protocol. You can certainly send unencrypted email if you want; but, what happens if sensitive information falls into the wrong hands, hands that now do not even need to crack an encryption key. Release, use of that information has to be one of the nightmares that keep solo and small firm attorneys up at night. If it happens, you’re dealing with angry client (and by extension, probably the Board of Bar Overseers), potential malpractice claims (especially if you don’t have a cyber insurance policy) and the state government — at a minimum. That potential hassle can’t be worth the avoidance of one or two transactional steps, especially where some of those steps can be automated.
Let’s return to our example of email encryption, to flesh out a point about process. You could send encrypted information via email attachment, sure; but, that’s actually kind of a hassle, too, because you need to do that every time, and that’s a few steps process on its own. If you’ve got multiple documents to encrypt, then you’re talking about adding steps, because you’ll likely want to package those first, before encrypting the whole package. From the standpoint of reducing steps, streamlining that process by using an email encryption system can help. You can develop a code word, or phrase, that will allow you to encrypt messages on the fly (type ‘encrypt’ into the message text); or, you can set up protocols that would trip encryption — for example, if the software discovers a that a social security number is being sent (in the text of the email, or by attachment), the email gets automatically encrypted. Because you can automate the process, there can be no additional steps lumped upon what you already do, after you set up the system parameters. Even so, you may say, your clients need to take extra steps, by logging into a private inbox. Well, sure. That’s true; but, this is where it pays to open the communication lines with your clients. The conversation may look like this: ‘I’m going to send you an encrypted email. It’s so I can make sure your data is kept confidential, because I don’t want your case to be compromised. The first time you get an encrypted email from me (there may be more), you’ll need to create a password and access a secure inbox. If you use a tool like LastPass, which is a password filling program, it will be easier for you to access the private inbox the next time. The private inbox stays the same, new emails will be added from time to time. Let me know if you have any questions, and I’m more than happy to answer them.’ How great is that? Your client feels like you have additional competencies, you had another reason to reach out, you’ve eliminated surprise, you’ve reduced the hassle on their end and you’ve left the door open for further discussion.
That brings us to our last point of discussion, that this is all actually very useful from a marketing perspective. Since this process can be streamlined, it’s not so onerous as you may have thought. (If I told you you could do something similar with respect to your collections, and that you could increase your revenue by 10%, you’d do it in about six seconds, right?) Why not sell that as a peculiar advantage of your law firm, especially where so many other lawyers avoid security on the false pretense that it dilutes service. You can make sure that your potential clients and clients (try communicating this through your fee agreement, as well) are aware of your efforts to better secure their information. Laypersons are well aware of the specter of identity theft, they know about major data breaches; show your lay clients that you are aware of these issues as they relate to the practice of law, and that you’re proactively meeting their unspoken concerns. If most word of mouth referrals are derived from existing clients, give them another way to talk about how good you are at what you do. Figure out ways to make potential clients aware of your position on date security.
In the modern environment, law firms adopting and promoting appropriate security measures probably gain more clients than they lose. Even if new security measure can equal a downturn in productivity for a very slight period of time, overall, the returns are positive. That’s the kind of math that even attorneys can get behind.
This one’s for Heidi, whose return to work I anxiously await. This song seems like something crazy that she would delight in listening to. Even though it came with Windows 7 . . . for real! (That’s probably how it made its way into my collection, actually.)