Skip to content

Cypher Sell: Email Encryption, for the Security of the Well-Traveling Private Data

This article is for informational purposes only. It is not intended to be used in place of professional advice, treatment, or care in any way. Lawyers, law students, judges, and other legal professionals in Massachusetts can find more on scheduling a Free & Confidential appointment with a licensed clinician here.

I know what you’re thinking: Geez, guys, really . . . another post on data privacy. Well, yeah. I mean, remember how we always talk about finding a niche, and marketing the hades out of said niche until it becomes a specialty. Well, now this is happening.

If a regular reader of this blog, you, as I’ve alluded to previously, are aware that the Massachusetts data privacy law became effective on March 1, 2010, such that you (Mr. Business Owner, I am looking at you now, actually) are charged with settled responsibilities respecting the maintenance and disposal of certain statutorily-described information sets. Among other new charges, you must have created a written information security program (a “WISP”), and, under that WISP, you must have determined methods for protecting statutorily-implicated data sets traveling wirelessly. (If you wish more of our take on Massachusetts data privacy, you can find all of our posts on the topic aggregated within our recent coverage of the release of LOMAP’s three-part data privacy series, now available through the Massachusetts Bar Association’s “Lawyers Journal”; that referenced main post is accessible here.) One of the most common, or, at least, one of the most recognizable, ways in which information travels wirelessly is via email. Under the Massachusetts data privacy law, if you are emailing statutorily-covered resident information, that information, or that email (containing that information), must be encrypted. But, how do you go about encrypting email information, messages and attachments? Well, that is the question, isn’t it.

Practically speaking, you can encrypt the data document (containing implicated resident information), then send that encrypted document as an attachment via email, with encrypting the email per se. And, we’ve previously alluded to methods for encrypting documents (for example, by using Microsoft Word, and Adobe Acrobat, and even TrueCrypt–see the informational “Encryption Documentation” (previously released) available at this drop site); but, the encryption of individual documents, or even of document sets, can be time-consuming, and administratively inefficient. If you are looking after a time-saving solution, or for a built-in tool, encryption of your email, generally, may be the most effective option for you and your business.

Attorneys rely on a number of email programs, most popularly, probably, Microsoft Outlook, a traditional Office application; although, many attorneys are moving to web-based email solutions, like the ubiquitous GMail. Whether you use a software application, or a web-based service, there is an email encryption program for you. Tread carefully, however, when you are setting up an email encryption service for your email, whether you are using a built-in program , or applying the service program of a third party vendor. Every email encryption system works off of a private key sort of functionality, meaning that you will assign, or will be assigned, a key, or code, that will unlock emails (whether a series of emails to a recipient, or more generally). It is important that you protect this information, and that you do not inadvertently release that key, or code. The release or disclosure of your key, or code, means that your information, then, is as safe as it once was, meaning, not very. (Of course, you can understand why a key, or code, system is required: the recipient must have a way to access his emails, as against all others. Given the necessity of a key for a lock, there really is no nearly perfect email encryption system, since a key, or code, is always capable of being discovered; however, rather than causing your disgruntlement, this should only steel within you your desire to protect your passwords for secure information as diligently as you endeavor to protect your secure information.)

That general, common (sense) caveat aside, let’s take a look at some specific solutions:

Microsoft Outlook (2003 and 2007), probably the most-used email system by attorneys, features built-in encryption functionality. Setting up encryption within Outlook 2007 will take the technology-savvy attorney roughly two hours, from soup to nuts: or, from determining system requirements to sending your first encrypted email. Here’s how you do it: Select the “Tools” drop down menu, and choose “Trust Center” > “Email Security”. At the “Email Security” dialog box, select the option to encrypt email message content and/or attachments. Outlook 2007 applies a key/code system, as well, for the encoding and decoding of messages; for the Outlook key system, you’ll need to utilize a digital identification certificate. The digital identification certificate must be obtained from a third party. Verisign represents one option for the purchase of a digital identification certificate usable with Outlook; the purchase of a Verisign digital signature runs $20/year. Outlook will require both you and your recipient to utilize digital signatures in email transmission; an encrypted email will not be delivered via Outlook unless the recipient also has a digital signature. When you’re the recipient of an encrypted email, you need only (assuming you have your own digital signature) add the sender (and so download his digital signature information) to your contacts, in order to view the encrypted email, and to exchange emails going forward. Microsoft offers this step-by-step guide for encrypting email messages through Outlook. In January, GMail made https:// encryption standard; that news release, as well as links to other tips for protecting your privacy in GMail, are all available here, via the official GMail Blog. Instructables offers a step-by-step guide for encrypting your GMail account.

Of course, some email systems do not feature built-in encryption. And, you may find what is offered in the way of built-in encryption through your existing program to be not robust enough for you. In either case, you’re looking at grafting on to your email system a third party encryption solution. There are a number of vendors and products in this space, including: ZixCorp, which works within Outlook, and which, when properly configured, allows senders to encrypt messages merely by typing a simple codeword (like: “Encrypt”) into the subject line of an email. Simple. Encrypted messages are held in a secure environment while the r
ecipient is notified that the message is being held; once the recipient’s email address is confirmed, the message is released to the recipient for viewing. ZixCorp is an affordable solution, and presents with ease-of-use. The product is available locally through reseller, Stencrypt, an arm of Catuogno Court Reporting. Reflexion offers a product that is similar to ZixCorp’s solution. BunkerMail offers one-click encryption through Outlook, and through web-based email systems, as well. ArmaCrypt and Windows eCipher also offer products that can be grafted onto web-based email systems. ArmaCrypt adds a toolbar (in Internet Explorer or Mozilla Firefox), through which one-click encryption can be accomplished. MirraMail offers a standalone email system (with one-click encryption for Outlook available through its MirraCrypt program). If you wish a free email encryption system, your wish is granted: HushMail is a web-based email provider that encrypts every email sent through its system. (There is an enterprise edition, which will cost you some money to employ.) There is, however, a not insignificant drawback to the use of HushMail: You can only send HushMail emails to other HushMail users. (Yikes. Yeah, I know as many Hushmail users as you do. Wait, was that Hotmail? No. Yeah, I don’t know anyone who uses HushMail.) Such limitations are not uncommon to freeware programs, though, which such programs are oftentimes more difficult to set up, and to use, than paid programs.

When you are vetting these third party vendors, be those third party vendors email providers, with built-in encryption functionality, or email encryption solution services, you must consider your choice carefully. Think about the utility of the program for the end-user: whether the system will be easy to access for the recipient of your encrypted emails. Consider whether you transmit information that is implicated by the data privacy statute, and how often: that will help you to determine whether you need an email encryption system, or whether it may be easier (and potentially cheaper) for you to encrypt documents piecemeal, as attachments to send. Finally, realize that you must take reasonable steps to ensure, in vetting any third party service providers that will have access to private information implicated by the Massachusetts data privacy statute, that those providers will, in their engagements with your data, comply with the Massachusetts laws on data privacy; this agreement must be memorialized by contract between you and the third party vendor. Third party vendors having access to statutorily-covered resident information would include email service providers (like Microsoft and Google) and email encryption service providers (like Zixcorp and Reflexion). (Sound like it might be a bit difficult to wrangle a contract like that out of Google? Um, Yeah. You may find further, practical suggestions on this head within a prior post at this blog, covering post-effective date matters related to data privacy in Massachusetts; that post is accessible, directly, here.)

For more information on email encryption, you can listen to the latest release of my podcast, the “Legal Toolkit”; in that freshest episode, I interview ZixCorp General Counsel Jim Brashear about all things email encryption.

LOMAP wishes to thank Amanda Senske for her research assistance on the topic of email encryption. Amanda’s foundational research was invaluable to the creation of this blog post.

. . .

Liner Notes

Last week, through a discussion board established at our new Facebook page, I opened up “Liner Notes” for requests. All the requests were for Justin Bieber songs, or for further, irksome Justin Bieber cover songs (like this and like, even more wretchedly, these). I am about as likely to dedicate a “Liner Notes” to Justin Bieber as I am to dedicate one to Miley Cyrus . . . actually, that’s far more likely, even probable . . . anyway. How about: You’d have a better chance of seeing the Pope issue a papal bull recognizing the preeminence of Satan. Yes, That was better. Before you ask, I hate Justin Bieber because he sucks. (Am I turning into Larry David, or something? Are my extremest pet peeves that obviously accessible?)

While I wait for legitimate song requests to come in, let’s get to the real deal: Since we’re blogging about encryption today, let’s keep things thematic (kind of) and cover secret songs. “Secret songs”, alternatively known as “hidden songs”, “ghost tracks” and “easter eggs”, are songs not listed in tracklists, or songs that appear within the tracks of other songs. Finding secret songs was much more fun on cassette tape, where you couldn’t skip to tracks, or fast forward effectively within tracks. But, there goes iTunes, the CD and technology, ruining things again. Stupid technology.

I indicate below: song (with a title of my own, or someone’s else’s, invention, when no title is listed), artist and album (and sometimes preceding song, if the secret song follows the preceding song within the same track), for my favorite secret songs:

Money/Hangnail” by James Taylor (appearing as the last track on “Hourglass”)

All By Myself” by Green Day (appearing as the last track on “Dookie”, after “F.O.D.”)

Subway Ride” by Sheryl Crow (appearing as the last track on “T
he Globe Sessions
”, after “Crash and Burn”)

Treetop Flyer” by Jimmy Buffett (a Stephen Stills cover (here’s the original), appearing as the last track on “Banana Wind”, after “False Echoes (Havana 1921)”, which features James Taylor on backing vocals)

The Escapist” by Coldplay (appearing as the last track on “Viva La Vida or Death and All His Friends”, after “Death and All His Friends”)

Mr. E’s Beautiful Blues” by Eels (truly, “Road Trip” is one of the funniest movies ever, featuring Stifler)(appearing as the last track on “Daisies of the Galaxy”)

You Are My Life” by John Hiatt (appearing as the last track on “Walk On”, after “Friend of Mine”)

The Girl in the Corner” by Lyle Lovett (appearing as the last track on “The Road to Ensenada”, after “The Road to Ensenada”)

Endless, Nameless” by Nirvana (appearing as the last track on “Nevermind”, after “Something In the Way”)

11” by R.E.M. (appearing as the last track on “Green”)

I’m Going Crazy” by The Smashing Pumpkins (appearing as the last track on “Gish”, after “Daydream”)

If you are digging the whole secret song concept as much as I, clearly, am, you can find more results elsewhere. For an alphabetical listing by artist, check out The Easter Egg Archive offers hidden entertainment, beyond music, and across platforms. What’s an Easter Egg, you ask? This is an Easter Egg. No, just kidding. This is. Well, that was, too; but, you get the idea . . .

CATEGORIES: Client Relations | Law Firm Management | Marketing | Risk Management | Technology

Share This

Related Posts

Back To Top