Commission on Law & Technology


Email Security


Leading Practices | Email

Working Group: Email
Topic: Email Security
Date of Publication: November 15, 2013
Summary: It is important for Delaware lawyers and supporting personnel to understand the importance of email communication. According to the Buntin Group ad agency and Survey Sampling International, email is the most frequently used form of communication, followed by Facebook. Because email is the number one form of communication, there is no shortage of vendors, services and software that can be used to transmit and receive messages. This also means that it is heavily targeted and can be a successful means of delivering malware, viruses, Trojans and phishing schemes, among other things intended to do harm. While lawyers may not be expected to be experts in security or to understand the specifics of email communication, they should make a conscious effort to secure and show care for data that is transmitted through this medium.
Applicable DLRPC (Rules): 1.0

Disclaimer: The purpose of this leading practice is to provide the Delaware Bench & Bar with an understanding of an appropriate manner in which this technology may be used. There may be more appropriate uses; and the leading practice discussed might not be appropriate for a specific purpose. It is up to the individual to use well-reasoned judgment in making that decision. The Commission is not responsible for the consequences of the decision-making process.


Email Security


To ensure the protection, integrity, and confidentiality of privileged information, lawyers and staff should consider and take the following precautions when using email.

  1. Password. Passwords should always be used to access and secure data. Passwords should contain both alphabetic and numeric characters and use both upper and lower case. The more complex the password the better, and it should never be shared.

  2. Opening and accessing on shared locations. Consider the location in which the service is being used and to whom the hardware belongs. This is important because once data leaves the device you have little to no say over what path the data travels to reach its destination. You may also be unaware of installed software intended to capture or report on information gathered. When traveling, connecting to shared resources can very well mean sharing a connection with someone who intends to search for data.

  3. Multiple access points and devices. Access from multiple devices should be password protected, with a way to remotely remove/wipe information in any event that necessitates its removal.

  4. Offline Storage Access. Many applications allow email data and attachments to be stored outside of the client/server environment. Review this storage to confirm that it is protected and does not occur on insecure devices or in unexpected locations.

  5. Delegating Access. Access to information should be delegated starting from the most restrictive level and moving toward the least restrictive. It should be known who has been granted access, and access should be checked to ensure that only what is needed has been granted. Access should be removed as soon as it is no longer needed.

  6. Threat Protection. Anti-virus, anti-spam, anti-spyware, anti-malware and anti-phishing software should be installed and configured to scan and protect both entry and exit points. Software should be kept updated with definitions to ensure scans will look for new threats.

  7. Content Security. Metadata. Attachments. If email is being used to transmit documents, care should be taken to review them and ensure that privileged information not intended to be shared is not included. Using tools such as metadata scrubbers/cleaners, sending in different file formats, and reviewing before sending can aid in this area.

  8. Compliance. Review and be familiar with data compliance requirements such as PCI DSS, state privacy laws, HIPAA and the Gramm-Leach-Bliley Act where applicable.

  9. Preservation. Backup.

  10. Encryption.

  11. Noncommercial email services.