Commission on Law & Technology


Email Encryption


Leading Practices | Email

Working Group: Email
Topic: Email Encryption
Date of Publication: November 19, 2013
Summary: Policies should be created that require email encryption for all messages that contain confidential information, or attachments that contain confidential information. The policy should identify the content that must be encrypted (e.g. medical records, SSNs, client financial information).
Applicable DLRPC (Rules): 1.0

Disclaimer: The purpose of this leading practice is to provide the Delaware Bench & Bar with an understanding of an appropriate manner in which this technology may be used. There may be more appropriate uses, and the leading practice discussed might not be appropriate for a specific purpose. It is up to the individual to use well-reasoned judgment in making that decision. The Commission is not responsible for the consequences of the decision-making process.


Email Encryption


Leading Practices

  1. Create email related policies to protect confidential email and attachments.

    - Policies should be created that require email encryption for all messages that contain confidential information, or attachments that contain confidential information. The policy should identify the content that must be encrypted (e.g. medical records, SSNs, client financial information).

  2. Employ server-based or cloud-based solutions for encryption.

    - Server-based and cloud-based solutions can eliminate the need for user intervention at the workstation and can automate enforcement of policies.

  3. Do not forward email containing confidential information to your personal account.

    - Personal online accounts are insecure and may not accept encrypted email or be able to send encrypted email. Depending on the encryption method used, the message may not be encrypted in the mailbox of the online account.

  4. Send highly confidential documents to clients via secure ftp sites or online file sharing.

    - Two examples of secure online file sharing are Sharefile and Box.com.

  5. Do not send confidential emails via mobile devices that are not included in server-based or cloud-based solutions.

    - Mobile devices can be configured to use multiple email accounts, including personal online accounts. Only send confidential email from a mobile device from your firm account, and only if your firm employs a server-based or online encryption solution.

Optional Practices

  1. Use products that identify confidential information before it leaves the server.

    - Products exist that can inspect the content of an email message, determine whether encryption is warranted (e.g. SSN patterns, credit card numbers, or healthcare-related terms), and automatically encrypt the message before it is sent.
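The content check described above, as an added illustration that is not the code of any product the page refers to: it scans an outgoing message body for SSN-shaped values, Luhn-valid payment card numbers, and a short list of healthcare terms, and reports whether the message should be routed through encryption. The regular expressions, the healthcare term list, and the sample messages are all constructed for this example; a real deployment would tune them to the firm's own policy, and plain term matching of this kind produces false positives (for example "patient" used as an adjective), so such hits are usually a trigger for review or encryption rather than for blocking.

```python
"""Content-based check for whether an outgoing email warrants encryption.

Added example; not the code of any product mentioned on the page. The
patterns, term list and sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# SSN shape NNN-NN-NNNN, rejecting the never-issued area numbers 000, 666
# and 9xx, group 00 and serial 0000 (constructed, simplified check).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate payment card numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes. Candidates are then confirmed with the Luhn check.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Healthcare-related terms (hypothetical short list for illustration).
HEALTH_TERMS = ("diagnosis", "medical record", "patient", "prescription", "hipaa")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScanResult:
    encrypt: bool                 # True when the policy requires encryption
    reasons: list = field(default_factory=list)  # which checks fired


def scan_message(text: str) -> ScanResult:
    """Decide whether a message body contains content the policy says to encrypt."""
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            reasons.append("card")
            break
    lowered = text.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        reasons.append("health")
    return ScanResult(encrypt=bool(reasons), reasons=reasons)


if __name__ == "__main__":
    # Constructed sample messages; the card number is the common test value.
    samples = [
        "Dear client, your SSN 123-45-6789 is on file.",
        "Card on file: 4111 1111 1111 1111",
        "Attached is the medical record for the patient.",
        "Lunch at noon?",
    ]
    for body in samples:
        result = scan_message(body)
        action = "ENCRYPT" if result.encrypt else "send as-is"
        print(f"{action:11} {result.reasons} <- {body!r}")
```

In a server-side deployment this function would sit in the outbound mail flow (a milter or transport rule) so that, as the practice above recommends, no workstation action is needed: the message is either handed to the encryption gateway or passed through unchanged.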

  2. Password-protect attachments.

    - Password-protected documents are effectively encrypted to anyone who does not have the password.

Practices to be Avoided

  1. Do not use public online email services.

    - While many public online services do encrypt email transmissions, the messages stored in the online mailbox are typically not encrypted.

  2. Do not send passwords in the same email with an encrypted file.

    - If an attachment requires a password, call the recipient on the phone to give it to them.