Last weekend, I posted about the New York Times report that U.S. law firm Mayer Brown exposed confidential communications with a client by using email. The report alleged that the emails were intercepted by an Australian intelligence agency.
The legal news media reported yesterday about a “carefully worded” statement released by Mayer Brown in response to the allegations. In an article titled Mayer Brown Balks at Idea It Was Spied on by U.S. Ally It Once Advised, The Am Law Daily quoted the firm as saying:
Media reports indicate that some attorney-client communications related to Mayer Brown’s representation of the government of Indonesia may have been intercepted through electronic surveillance of Indonesia’s communications by the government of Australia. There is no indication, either in the media reports or from our internal systems and controls, that the alleged surveillance occurred at the firm. Nor has there been any suggestion that Mayer Brown was in any way the subject of the alleged scrutiny. Mayer Brown takes data protection and privacy very seriously, and we invest significant resources to keep client information secure.
The article noted the contrast between the firm’s “somewhat more empathetic” official statement and the casual remarks by the firm’s lawyers as quoted in the NYT article, which I described in my earlier post. I’d characterize it as less than forthright. It’s certainly not a denial that the emails were intercepted.
John Simek of Sensei Enterprises noted in the article that he would take he would take little comfort in the firm’s contention that no surveillance occurred “at the firm.” That’s because the firms “internal systems and controls” have no way of detecting if an email was intercepted once it reaches the public internet. As Mr. Simek notes:
“You have no idea where the communications may have been intercepted.”
Exactly! In this post from October 2012, titled State Bars Have Their Heads in the Cloud, I pointed out that that email is a Cloud-based service that has greater risks than other Cloud services:
Unencrypted email actually raises more security concerns than those other Cloud services. Once email leaves their firms’ networks, lawyers cannot know or control the locations of the multiple servers through which the data might be routed, whether and for how long the data is stored on those servers, how the data is secured by the various service providers, the ability of third parties to access the data, or the terms and conditions of all of the relevant email service participants.
Lawyers should take the same reasonable, proactive steps to protect the content of email that State Bars are insisting they take to protect other content that is stored or transmitted via the Cloud. In the case of email, that includes using content encryption. For more on that topic, see my post titled “Reasonable” Steps to Prevent Disclosure over on the ZixCorp Insights blog.