We get it. Our clients’ days are filled with pharmacokinetic testing, enrolling global clinical trials and pursuing financing and strategic transactions. Email encryption and Transport Layer Security (TLS) probably don’t rank at the top of their agendas. Faber Daeufer & Itrato’s team of lawyers and contracts specialists is well known for providing our clients an extraordinary approach to counseling on all of the contracts and transactions that support scientific development and propel growth. But more recently, as we’ve made substantial investments in improving our own cybersecurity, we’ve become proactive in helping our clients address cybersecurity threats when we recognize that their security measures should be improved.
As a law firm, Faber is required by professional responsibility rules to take reasonable security measures to protect confidential client data. This responsibility extends to the security of electronic communications and protections against third party access to confidential information. In a 2017 formal opinion, the American Bar Association (ABA) stated that “A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.”
Security was not a high priority in the early days of e-mail, and it used to be common for hackers to “sniff” the contents of e-mail messages as they passed over the public Internet. Today, e-mail servers can use the TLS protocol to encrypt the messages during transmission, making them unreadable to electronic eavesdroppers. TLS is transparent to human senders and recipients, requiring no extra steps to encrypt or decrypt the messages. As David Schrag, our full-time Director of Information Technology, puts it, “For us, using a low-cost, low-impact technology to improve security wasn’t just reasonable – it was a no-brainer.”
However, encryption depends on both the sending and the receiving email servers being configured properly. Even though our firm’s email servers are configured for TLS, not all client and third-party e-mail servers have TLS enabled. In addition, even when servers have TLS turned on, they may be using untrusted security certificates, which can defeat the encryption attempts. Fortunately, the issue is often solved with an easy fix that can generally be handled in-house. “It may be as simple as obtaining a new security certificate,” David explains, “but it's generally the kind of thing that most IT professionals could fix in about an hour.”
Always thinking and caring about our clients first
At Faber, we recognized the value in talking with our clients about the importance of encrypting our e-mail communication with them whenever possible. We also realized that our clients would be at risk in their email communication with other important scientific and business partners. We decided that we should act. We identified which of our clients’ servers were rejecting our attempts to use TLS, told our clients what we found, shared all of the technical information we had gathered, and offered our assistance.
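One way a sending organization could run the same kind of audit from its own outbound mail log, shown as an added example that is not the firm's tooling: it assumes a Postfix sender with `smtp_tls_loglevel = 1` (the article does not say what mail software the firm uses) and separates the two failure modes described above, no TLS at all and TLS with a certificate the sender could not verify.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix's log format (smtp_tls_loglevel = 1).
# Hosts, addresses and queue IDs are placeholders, not data from the article.
SAMPLE_LOG = """\
Jan 10 09:00:01 mail postfix/smtp[101]: Trusted TLS connection established to mx.alpha.example[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 09:00:02 mail postfix/smtp[101]: A1B2C3: to=<pi@alpha.example>, relay=mx.alpha.example[192.0.2.10]:25, delay=1.2, status=sent (250 OK)
Jan 10 09:05:11 mail postfix/smtp[102]: Untrusted TLS connection established to mx.beta.example[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:05:12 mail postfix/smtp[102]: D4E5F6: to=<cfo@beta.example>, relay=mx.beta.example[192.0.2.20]:25, delay=0.9, status=sent (250 OK)
Jan 10 09:07:30 mail postfix/smtp[103]: 0A1B2C: to=<legal@gamma.example>, relay=mx.gamma.example[192.0.2.30]:25, delay=0.7, status=sent (250 OK)
"""

TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: (Anonymous|Untrusted|Trusted|Verified) "
                    r"TLS connection established to (\S+?)\[")
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+: to=<[^@>]+@([^>]+)>, "
                     r"relay=(\S+?)\[.*status=sent")
LABELS = {"Verified": "encrypted-trusted", "Trusted": "encrypted-trusted",
          "Untrusted": "encrypted-unverified-cert",
          "Anonymous": "encrypted-unverified-cert"}

def classify_deliveries(log_text):
    """Return {recipient domain: set of TLS outcomes seen for its deliveries}."""
    tls_state = {}               # (smtp process id, relay host) -> trust level
    outcomes = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_state[(m.group(1), m.group(3))] = m.group(2)
            continue
        m = SENT_RE.search(line)
        if m:
            pid, domain, relay = m.groups()
            # Simplification: one handshake line covers every delivery the same
            # process makes to that relay (several recipients on one connection).
            level = tls_state.get((pid, relay))
            outcomes[domain].add(LABELS.get(level, "plaintext"))
    return dict(outcomes)

def needs_followup(outcomes):
    """Domains with any delivery that was not encrypted to a verified certificate."""
    return sorted(d for d, seen in outcomes.items() if seen != {"encrypted-trusted"})

if __name__ == "__main__":
    for domain in needs_followup(classify_deliveries(SAMPLE_LOG)):
        print(domain)
```
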
At the beginning of this program, nearly 10% of our active clients were not accepting TLS communication. After we contacted them, we saw quick action. One client wrote to us:
“Really appreciate you taking the time and effort to alert us about this. I did follow up with our IT responsible – turns out we have TLS for mails going out but not, as you made us aware of, TLS on mails coming in. This has been recognized as a deficiency and will be implanted in our systems asap.”
Now, according to David, we see very few client servers rejecting our attempts to transfer encrypted messages, but we will keep trying until we hit 0% and we’ll be particularly mindful about our email communications with new clients. (If we realize that a client’s server does not have TLS enabled, we may require that some email communication with our client – particularly where we may be communicating about very sensitive information – be done through a separate secure service.) And, we’re working on many other cybersecurity initiatives, including other opportunities to help our clients protect themselves from increasingly frequent and complex IT security attacks.
As managing principal, Joe Faber consistently thinks about expanding and strengthening our connections with our clients. “We believe sincerely that our success is directly aligned with our clients’ success,” he explains. “That’s why we continually strive to get closer with our clients and build relationships where we and our clients feel a real partnership, and each try to have the other’s back.”
If you are unsure about your organization’s ability to accept encrypted e-mail, take a moment to check your system at checktls.com. Current Faber clients are also welcome to call their primary contact at the firm with any questions about our efforts to keep your confidential information secure.