The article originally appeared in Legaltech News.
Security is a funny thing. For it to work, you have to do it all of the time. Wearing a seatbelt half the time isn’t a good strategy. Wearing the seatbelt every time is.
Sending scanned images of inbound daily mail as email attachments, the ‘scan-to-email’ method, was never intended to be a secure, permanent operation. It was only a temporary solution conjured in response to the pandemic crisis. So why are law firms still doing it this way? The only answer is that nothing bad has happened, yet.
But something bad will happen because it’s not secure. We don’t have our seatbelts on. Sending scanned images of paper mail as email attachments creates these risks:
- Lack of governance. When documents are sent as email attachments, the exchange occurs outside of the document management system (DMS), the technology intended to secure and govern them, multiplying risk exposure across the firm.
- Cybersecurity risk. Along with the rise of remote work, cybersecurity threats have increased by 3x. Email attachments expose the firm to these risks.
- Conflicts, PII and more. When an email message goes to the wrong recipient or an attachment contains personally identifiable information (PII), firms are exposed to conflicts or significant regulatory fines resulting from lack of compliance with GDPR, CCPA and other regulations.
Security and governance of their information is the number one issue keeping clients awake at night. Firms must take the right steps to secure client information from the moment it arrives. Firms that do not secure client information from the moment of arrival are at risk of an event no one wants. In short, we need to wear our seatbelts all the time.
Lack of Governance
At the most basic level, when a law firm mailroom delivers a confidential file via email attachment, the firm has no control over the document and cannot govern or secure it. Scanned mail delivered as a PDF email attachment often goes to more than one person, so the exposure is multiplied and then subject to the behavior of every receiving party. Recipients can open attachments on their desktop, circumventing conflicts or confidentiality controls, and share the file with other attorneys, staff, or external entities outside the confines of the firm’s information governance policies.
Throughout this process, sending a document by email attachment means the file exists on the Exchange server, not in the DMS. It may then be stored in multiple locations on multiple devices, including local computers, network folders, other recipients’ mobile or desktop inboxes, other mail servers and more.
Email is the #1 attack vector for cyber criminals. Users are attacked at the inbox, and the organization is attacked at the email server. Building a permanent daily mail scanning operation on top of this exposure zone is unwise, and unnecessary.
Another risk factor is wrong recipient error. Organizations with over 1,000 employees send approximately 800 misdirected emails every year. That is a rate of more than two emails per day, making it the most common type of error to cause a breach.
The System of Record is the DMS
Wrong recipient occurs most often as a result of an erroneous auto-fill in the send field – but wrong recipient is not the only risk caused by an unintended auto-fill in the send field.
The other negative consequence is unintended conflicts risk. Email is not a technology that can check for conflicts nor build ethical walls to ensure that only the intended parties of a communication have access to that communication.
The technology for this is the document management system (DMS).
Client information arriving by postal mail needs to be scanned directly to the firm’s document management system (DMS) and made available to users only by a link to the DMS. Simply put, the DMS is the technology of choice for 98% of all law firms to protect and govern sensitive client information, which is why it is regarded as the firm’s “system of record.”
For instance, a wrong recipient “may” occur when receiving an email with a link to the DMS, but the recipient wouldn’t be able to open the link if they were not assigned access. That’s security.
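As an added illustration of the point above (not code from the article), a toy Python model of the two delivery paths. The document, its access list, the ethical wall, the user names and the URL are constructed assumptions; the model shows that a misdirected attachment is readable by whoever receives it, while a misdirected DMS link is refused by the DMS access check and leaves an audit entry.

```python
"""Toy model: misdirected email with an attachment vs. with a DMS link."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data for a hypothetical firm: one scanned letter on
# matter M-100, the ACL for that document, and an ethical wall keeping bob
# away from the matter entirely.
DOCS: Dict[str, dict] = {
    "doc-1001": {"matter": "M-100", "content": "scanned letter re: Acme acquisition"},
}
ACL: Dict[str, Set[str]] = {"doc-1001": {"alice@firm.example", "carol@firm.example"}}
ETHICAL_WALL: Dict[str, Set[str]] = {"M-100": {"bob@firm.example"}}


class AccessDenied(Exception):
    pass


def open_dms_link(doc_id: str, user: str, audit: List[str]) -> str:
    """Resolve a DMS link: the DMS, not the mail server, decides who may read."""
    doc = DOCS[doc_id]
    walled_out = user in ETHICAL_WALL.get(doc["matter"], set())
    on_acl = user in ACL.get(doc_id, set())
    if walled_out or not on_acl:
        audit.append(f"DENY {user} {doc_id} wall={walled_out} acl={on_acl}")
        raise AccessDenied(doc_id)
    audit.append(f"ALLOW {user} {doc_id}")
    return doc["content"]


def deliver(doc_id: str, mode: str, recipient: str, audit: List[str]) -> Optional[str]:
    """Return what the person who actually received the email can read.

    mode="attachment": the PDF travels inside the message, so possession is access.
    mode="link": the message carries only a URL; reading requires the DMS check.
    """
    if mode == "attachment":
        audit.append(f"SEND attachment {doc_id} -> {recipient} (no access check)")
        return DOCS[doc_id]["content"]
    audit.append(f"SEND link https://dms.firm.example/open/{doc_id} -> {recipient}")
    try:
        return open_dms_link(doc_id, recipient, audit)
    except AccessDenied:
        return None


def misdirected_email_outcome(mode: str) -> Tuple[Optional[str], List[str]]:
    """Auto-fill picks bob (walled off) instead of alice: what does bob get?"""
    audit: List[str] = []
    return deliver("doc-1001", mode, "bob@firm.example", audit), audit
```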
Not only does a DMS secure and govern client information, it is also the technology that helps firms comply at scale with regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). These regulations mandate, among other requirements, that firms be able to classify, track and, if requested, delete personal data held anywhere by the firm. This is effectively impossible with scan-to-email.
This is what it means to build a best practice solution and not an expedient solution.
Direct-to-DMS delivery of digital mail is not just a good idea, but potentially an ethical duty of a law firm. Several of the ABA Model Rules are particularly related to safeguarding client data, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), and supervision (Model Rules 5.1, 5.2, and 5.3).
What do these duties require? When using technology, they require that we employ reasonable measures to safeguard the confidentiality of client information, that we communicate with clients about our use of technology and get informed consent from clients where appropriate, and that we supervise subordinate attorneys, law firm personnel, and service providers to ensure compliance with these duties. Compared with how a DMS protects client information, email is not a reasonable measure.
Security of client information isn’t a part-time job. We’ve got to wear the seatbelt at all times and, unfortunately, the way many digital mailrooms now operate exposes the firm to a multitude of risks. We don’t need to wait for the unfortunate event to happen; firms can act on this today and install the right technology that integrates digital mail with the DMS.