
By Alan Gahtan - January 27, 1997
The growing use of Internet e-mail gateways in law firms and corporate law departments has led to a number of new vulnerabilities that need to be considered and addressed.
The vulnerability most commonly thought of is the risk of interception. Unlike e-mail that is sent through an organization's internal system and is tightly controlled, e-mail sent through the Internet must pass through a number of intermediate systems. Each stop is an opportunity for interception.
As well, most corporate users or law firms typically use proprietary e-mail programs such as Microsoft Mail, Lotus cc:Mail or Novell's GroupWise. These programs usually store e-mail in a proprietary file format which cannot be easily viewed. A system administrator may be able to reset a user's password and gain access to a particular mailbox, but this cannot usually be done without the user's knowledge.
In contrast, mail messages on the Internet are almost always sent in a plain ASCII text format and can be easily read by anyone who has access to the mail directories of a particular system. They are also susceptible to being scanned or filtered by automatic programs looking for certain key words.
The most effective way to prevent interception of e-mail transmitted through an open system such as the Internet is to use encryption. Unfortunately, both formal and de facto standards are still lacking.
Some technically literate users on the Internet use a program called PGP (Pretty Good Privacy) to encrypt or digitally sign their messages. Unfortunately, while PGP is easily integrated with e-mail programs designed for use on the Internet, such as Eudora, integration with corporate e-mail programs is lacking or weak. A message encrypted using PGP can still be received by a user of a corporate or law firm e-mail system and then decrypted using PGP, although the process is not automatic.
Another related risk is that of forgery. A message could be made to appear as if it was coming from a certain party without that party's knowledge or consent. Most Internet e-mail programs, and even the e-mail modules in Web browsers, allow users to specify and easily change information that will be inserted into the "from" field of an e-mail message. Such flexibility, and the associated potential for forgery, is not generally available to individual users in corporate e-mail programs.
The exchange of e-mail through the Internet increases the number of parties that an e-mail user can potentially communicate with. It also increases the risk that such a user will receive a file containing a computer virus which can then infect a law department's or law firm's computer system.
Computer viruses were always a risk. However, in the past users could be educated to use virus checking programs for scanning any executable program files they received. The new risk is from virus-like code that has been designed to take advantage of vulnerabilities inherent in auto-run macro facilities of programs such as Microsoft Word or Excel. This means that viruses can now hide inside a word processing or spreadsheet document.
Therefore, before loading any contract or other document received through e-mail into a program that supports the use of auto-run macros, lawyers must take appropriate steps to ensure that they do not contain a hidden virus. Ideally, such documents should also be loaded into a file viewer instead of the word processing or spreadsheet program. For example, Microsoft provides a free standalone viewer that can be used to display or print Microsoft Word documents even by users who do not own Microsoft Word.
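One way to carry out the check described above before a document is opened, as an added example that is not part of the original article: it walks the directory of an OLE2 compound file (the container used by binary Word and Excel documents) and reports whether a VBA macro storage is present. It assumes the storage names used by Word 97 and Excel 97 and later binary files; older macro formats and very large files with an extended DIFAT are not covered, and all function names and the sample image are constructed for illustration.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
# Assumed storage/stream names for VBA projects (Word 97+, Excel 97+ binary files)
MACRO_NAMES = {"macros", "vba", "_vba_project", "_vba_project_cur"}

def ole_directory_names(data):
    """Walk the directory chain of an OLE2 file; return [(name, type), ...]."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                                  # 512 or 4096 bytes
        raise ValueError("unexpected sector size")
    size = 1 << shift
    def sector(n):
        chunk = data[(n + 1) * size:(n + 2) * size]
        if len(chunk) != size:
            raise ValueError("sector %d lies outside the file" % n)
        return chunk
    fat = []
    for fat_sect in struct.unpack_from("<109I", data, 76):    # header DIFAT only
        if fat_sect != FREESECT:
            fat += struct.unpack("<%dI" % (size // 4), sector(fat_sect))
    names, sect, seen = [], struct.unpack_from("<I", data, 48)[0], set()
    while sect < len(fat) and sect not in seen:               # end of chain or loop
        seen.add(sect)
        chunk = sector(sect)
        for off in range(0, size, 128):                       # 128-byte entries
            name_len, kind = struct.unpack_from("<HB", chunk, off + 64)
            if kind and 2 <= name_len <= 64:                  # kind 0 = unused slot
                raw = chunk[off:off + name_len - 2]           # drop trailing NUL
                names.append((raw.decode("utf-16-le", "replace"), kind))
        sect = fat[sect]
    return names

def has_macro_storage(data):
    return any(n.lower() in MACRO_NAMES for n, _ in ole_directory_names(data))

def _entry(name, kind):
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + b"\0" * 61

def build_sample(with_macros):
    """Constructed minimal image: header, one FAT sector, one directory sector."""
    header = (OLE_MAGIC + b"\0" * 22 + struct.pack("<H", 9) + b"\0" * 16
              + struct.pack("<I", 1) + b"\0" * 24
              + struct.pack("<109I", 0, *[FREESECT] * 108))
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    names = [("Root Entry", 5), ("WordDocument", 2)]
    names += [("Macros", 1), ("VBA", 1)] if with_macros else []
    directory = b"".join(_entry(n, k) for n, k in names).ljust(512, b"\0")
    return header + fat + directory
```

A positive result only says that macro code is present, not that it is malicious; a document flagged this way is a candidate for the viewer or a virus scanner rather than the full word processor.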
The growing use of e-mail may also increase the risk to a corporation or law firm that a damaging or embarrassing message will be recovered during a discovery request. Many people say things in e-mail they would not consider writing in a formal memo. Without an aggressive records retention policy, many such messages may remain available and susceptible to a discovery request for a long time.
Even after e-mail messages are apparently deleted, copies may still exist on backup tapes. Even if such messages do not contain any damaging or embarrassing information, the cost of reviewing such electronic copies in order to properly comply with a discovery request can be enormous. Some organizations therefore purposely do not back up e-mail messages with their other data.
Internet e-mail provides invaluable flexibility to exchange communications and documents between clients, in-house counsel, government agencies and lawyers in private practice. However, users must be adequately educated about the risks involved in order to reduce the new vulnerabilities faced by law firms and in-house law departments.
© 2005 Alan M. Gahtan. All Rights Reserved