The most consequential type of data leak may be the often openly colorful private correspondence between lawyer and client. This correspondence, if exposed, may be revealing because it contains attorney-client advice, dialog regarding strategies, financial and legal considerations, as well as documents.
Lawyers are afforded a special protection for these sensitive client communications: attorney-client privilege. Attorney-client privilege is a legal concept that protects certain communications between a client and his or her attorney, arguably, whether or not email encryption is used.
What happens when this type of correspondence is exposed outside of the purview of the legal process?
The “Panama Papers” showed that once this information is leaked, it becomes fair game for private sector and government investigators and adversaries to build actions around. Tech Essentials discussed this in depth in our earlier article declaring that the new era of mega leaks may render attorney-client privilege obsolete.
We now see the fallout. Street protestors have pressured political leaders to resign following insights revealed in exposed Panama Papers attorney-client correspondence. Hundreds of investigators worldwide have seized on this opportunity to change leaders in business and government positions. The consequences of the Panama Papers include lawsuits, protests and the resignation of two prime ministers, including Pakistan Prime Minister Nawaz Sharif, who recently resigned after a Panama Papers corruption ruling. Mossack Fonseca, the law firm with the leaker, also dismissed 250 employees.
The most shocking aspect of the Panama Papers story is the leak itself and the cause of this leak: human error. Attorneys charged with safeguarding client information allowed an inside source, a whistleblower, to send millions of documents to a German news agency repeatedly over the course of several years. The source delivered thousands of gigabytes of encrypted files using various file transfer services, and no one noticed.
Human error is the greatest threat to data security. We often think of human error in terms of lax password protection or losing a company laptop. But it also includes a failure to:
- monitor data usage and prevent data tampering
- track employee data access and prevent data removal
- identify high-risk employees likely to steal information, either for financial gain or to promote a social cause (hacktivism).
Data leaks can be inspired by anger, revenge or hacktivism. But plain greed is also a strong motivator. An inside source can sell corporate data to a criminal network for thousands or even millions of dollars.
How should businesses safely communicate about sensitive client matters? Tech Essentials suggests trusting no one and using “Outbox-to-Inbox” email encryption rather than “network-level” or “policy-based gateway” encryption. This is critical when sending data about mergers and acquisitions, corporate litigation strategy, private client wealth management, or matters that one would like to shield from one’s own IT staff or the IT staff at the recipient (including the recipient’s email provider or email archive vendor). The sender is more protected if their message remains encrypted while it sits in the recipient’s inbox.
Tech Essentials recommends considering different levels of encryption depending on the goal: encrypting for “compliance”, to protect against the common threat of Internet criminals attempting to read email in transit (where network-level encryption may suffice), or encrypting to protect “strategic secrets”, where you should want to ensure the message and attachments remain encrypted inside the recipient’s inbox. RMail permits users to toggle between these two versions of email privacy, depending on their needs.