Transmitting legal documents over the Internet: how to protect your client and yourself.

• Author: Anderson, John Christopher

INTRODUCTION

[E]lectronic mail has proved itself so useful to the legal profession that it is a question of when, not whether, e-mail will become universal among all lawyers, their clients, and judges.... [C]lients demand it from their outside law firms [however, e-mail] has a Dark Side -- insecurity from hackers -- but encryption technology is expected to solve this problem....(1)

Suppose that Pat is an attorney working in a large, Chicago-based law firm that has a New York branch. One of Pat's clients is a medium-sized manufacturing company that is negotiating a merger deal with a New York-based shipping company. Some complications have arisen and, if the merger is to succeed, the deal must be completed quickly. Pat drafts one of the necessary documents and, rather than sending it by mail or facsimile, he attaches it to an e-mail and sends it to an attorney representing the New York company. A few seconds later, Chris, an attorney in New York, opens the e-mail, reviews the document, and incorporates some proposed changes. Chris makes these changes directly to the electronic document, redlines them, and returns the document to Pat. The entire process is completed in minutes.

As this hypothetical illustrates, e-mail provides numerous benefits over more traditional methods of communication. E-mail is inexpensive and virtually instantaneous, while traditional "snail mail" can take days to reach its destination and overnight shipping services are expensive. E-mail is less costly and troublesome than sending a fax, particularly when one sends a document to multiple recipients. Perhaps e-mail's most advantageous characteristic is that electronic documents can be easily altered without unnecessary retyping.

Law firms have taken notice of e-mail's benefits. The use of email and Internet technology in law firms has exploded over the last ten years, and this trend shows no sign of slowing.(2) In addition to the efficiency e-mail provides, technology-savvy clients look favorably upon firms with electronic mailing capabilities.(3) For example, the president of a consulting firm recently noted that "clients are instructing their law firms that they no longer wish to be billed for delivery services or fax charges and that all communications with the firm should be via ... e-mail."(4)

Similarly, the judiciary has recognized the benefits of Internet technology. For example, in 1997, the U.S. District Court for New Mexico initiated an electronic filing system that allows attorneys to file pleadings, access court dockets and case files, and receive notice of judicial action via the Internet.(5) Attorneys simply access the court's Web page and use a password to log into the court's filing system.(6) The program has enjoyed great success, with attorneys filing over 2800 civil documents in two years.(7) A court official recently announced plans to expand the program and broaden its available services.(8)

Studies indicate that small businesses using the Internet commonly enjoy average revenues of over a million dollars more than those businesses without Internet access.(9) While such studies typically focus on businesses in general, one can safely assume that law firms can similarly increase their revenue potential by taking advantage of Internet technology. Additionally, Internet technology helps many attorneys satisfy their professional responsibilities. For example, attorneys can use computers to manage their calendars, thereby avoiding the liability problems associated with passing statutes of limitation and missed deadlines and court appearances,(10) Further, attorneys can use computer databases to track clients and opposing parties so as to avoid conflicts of interest.(11)

Internet technology is changing the practice of law. Fifteen years ago, the facsimile had a similar impact. The question evolved from "Do you have a fax machine?" to "What is your fax number?"(12) Similarly, today the question is evolving from "Do you have e-mail?" to "What is your e-mail address?"(13) Unfortunately, each technological advancement opens a Pandora's box of legal and ethical issues. Just as the telegraph,(14) teletype,(15) telegram,(16) fax machine,(17) and cellular telephone(18) spawned considerable confusion and litigation, e-mail and Internet technology have raised ethical and evidentiary issues that have yet to be fully settled. This Article addresses those issues. First, Part I of this Article examines email security and reviews numerous instances of e-mail interception and monitoring by employers, private citizens, and governments. Part I also discusses the difficulty in identifying an e-mail sender and notes several examples of e-mail forgery. Next, Part II identifies corresponding ethical and evidentiary concerns that arise from inadequate e-mail security. Then, Part III reviews methods to ensure Internet security, including encryption and digital signatures. This Article concludes that encryption and digital signature technology are simple, inexpensive, and effective measures that can protect attorneys and their clients when communicating via e-mail.

1. THE ISSUES: FACTS BEHIND E-MAIL SECURITY

   Unfortunately, cyberspace, like the real world, is not perfect. With every benefit there is a cost. Among these is the necessity for adequate security. Two security risks are particularly troublesome to attorneys. First, documents sent over the Internet may be intercepted or altered.(19) Because e-mail is transmitted over an "open network," electronic documents travel through countless interconnected computers on their Internet voyage,(20) and the likelihood that their contents may be intercepted is rather high.(21) Second, the actual sender may be an imposter. Attorneys must be able to verify a document sender's identity.(22) If an imposter sends an attorney email requesting a document or information, the unsuspecting attorney might release such information and, in the process, destroy its privileged nature and breach his or her duty of confidentiality.(23) Part I reviews the technology behind e-mail and uses examples of breached security to illustrate the seriousness of these two risks and also discusses law firms' and clients' vulnerability to such attacks.

   1. How E-mail Works

      The Internet is known as the "information superhighway." As the nickname implies, it is an extraordinary tool for accessing information; but it is a poor tool for securing it. As an open network, electronic documents and other data pass through several interconnected networks and computers before reaching their destination.(24) When the sender mails an electronic document, the transmission control protocol (TCP) breaks the document into a stream of small "data packets" and mails each packet individually.(25) Internet routers examine each packet's address and determine the best path for it to follow.(26) The packets then travel through a series of routers, computers and networks.(27) Various factors impact the packets' path, including Internet traffic and the size of the packet.(28) The packets may or may not take different routes and sometimes arrive out of order.(29) Once a packet is sent onto the Internet, it travels from network to network and may have to pass through several firewalls.(30) Firewalls monitor and inspect messages and data passing through it.(31) Each network might have its own firewall that protects the network by preventing Internet hackers from accessing it.(32) E-mail travels over the Internet from network to network through a process called "store-and-forward."(33) When a network mail server receives an e-mail or electronic document, it copies it, stores it on a hard drive, and then attempts to forward it to the next mail server.(34) Theoretically, each network or computer confirms receipt of the packet and deletes the stored copy.(35) Finally, once the mail arrives at its ultimate destination, the Internet protocol (IP) reassembles the message into a readable form.(36)

      At several points along the packets' path, "hackers" or "crackers" can use "packet sniffing" programs to search, intercept, read, alter or prevent them from reaching the recipient.(37) Packet sniffing programs cost pennies and can use key words to search and infiltrate approximately ten billion words of computer-generated messages and files.(38) Typically, hackers place sniffers on electronic commerce sites.(39) Such sites often have valuable or sensitive information such as credit card numbers.(40) After the sniffer intercepts a packet, it copies the information and then sends it along to the intended recipient.(41) Often, the intended parties to the transaction never discover the security breach until the information is used for malicious purposes.(42) Sniffing software is commonly available(43) and capable of capturing information as it passes through a network.(44) Sniffers do not need a password to access computer files containing clients' secrets.(45)

      Additionally, hackers can steal documents not only off the Internet, but off the sender's and recipient's computers as well(46). By monitoring network traffic, packet sniffers allow hackers to observe people's online activities.(47) Hackers can thereby see the user's logon ID and password as the user logs on to the Internet.(48) Hackers have intercepted hundreds of thousands of usernames and passwords over the last few years.(49) If that user is a system administrator or employee, the hacker may be able to access the confidential information of other users as well.(50)

   2. E-mail Interception and Monitoring

      Countless experts have voiced wildly varying opinions about email security. Texas attorney David Hricik authored one of the more frequently cited articles on this topic.(51) Hricik opines that attorneys "worry too much" about Internet security.(52) He explains the technological process by which e-mail works and concludes that "[n]o one, without both my screen name and password, can read mail sent to my...