
3 Ways to Protect Sensitive Messages

“Delete this email if you are not the intended recipient.”

That and similar language may sound imposing, but it does nothing to protect sensitive data from anyone who intercepts the message (though they may get a good chuckle before reading it). A confidentiality statement is a request, not a control.

Yet almost 90% of attorneys surveyed by LexisNexis for a study it published in May 2014 on law firm security acknowledged using email to communicate with clients and privileged third parties. The vast majority of attorneys surveyed also acknowledged the increasingly important role of various file sharing services and the inherent risk that someone other than a client or privileged third party could gain access to shared documents. Yet only 22% use encrypted email, and 13% use secure file sharing sites, while 77% of firms rely on the effectively worthless “confidentiality statements” within the body of emails.

Technology Basics

To explain the right approach, I need to start with some technology basics.

How does email actually work?

By its nature, email is not a terribly secure way to share information. When you send an email, your mail program hands it to your outgoing mail server, which relays it through one or more intermediate servers to the server holding the recipient’s mailbox, from which the recipient’s computer or mobile device fetches it. The message skips across those servers like a flat stone across a pond. The connections between servers may be protected by TLS, but that only protects the message on the wire: each server receives and stores it as plaintext. If the email itself isn’t encrypted, anyone with access to any one of those servers (or to either mailbox) can read it.
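To make the hop-by-hop point concrete, here is an added example in Go (not part of the original article and not any vendor’s code). It reads the Received: headers that each mail server stamps onto a message, lists the servers the message crossed in order, and checks whether the body is carried in one of the two standard encrypted-mail containers (PGP/MIME or S/MIME). The message is constructed for the example; the host names and addresses are placeholders.

```go
package main

import (
	"fmt"
	"mime"
	"net/mail"
	"regexp"
	"strings"
)

// rawMessage is a constructed sample, not a real capture. Each "Received:"
// line was stamped by one server the message passed through. Servers add
// their line at the top, so the bottom line is the first hop and the top
// line is the last.
const rawMessage = `Received: from mx.client-example.test (mx.client-example.test [203.0.113.7])
    by mailbox.client-example.test with ESMTPS id 3; Tue, 3 Jun 2014 09:10:14 -0700
Received: from relay.isp-example.test (relay.isp-example.test [198.51.100.9])
    by mx.client-example.test with ESMTP id 2; Tue, 3 Jun 2014 09:10:12 -0700
Received: from laptop.firm-example.test (laptop.firm-example.test [192.0.2.15])
    by relay.isp-example.test with ESMTPS id 1; Tue, 3 Jun 2014 09:10:10 -0700
From: counsel@firm-example.test
To: client@client-example.test
Subject: Draft settlement terms
Content-Type: text/plain; charset=us-ascii

Privileged and confidential. Delete this email if you are not the intended recipient.
`

// Hop is one server-to-server handoff recorded in a Received header.
type Hop struct {
	From string // the host that handed the message over
	By   string // the host that accepted it (and could read an unencrypted body)
}

var receivedRe = regexp.MustCompile(`(?i)^from\s+(\S+).*?\bby\s+(\S+)`)

// Hops parses a raw RFC 5322 message and returns its relay path in
// chronological order (first hop first).
func Hops(raw string) ([]Hop, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	received := msg.Header["Received"]
	hops := make([]Hop, 0, len(received))
	// Walk bottom-up so the sender's first hop comes first.
	for i := len(received) - 1; i >= 0; i-- {
		m := receivedRe.FindStringSubmatch(received[i])
		if m == nil {
			return nil, fmt.Errorf("unparseable Received header: %q", received[i])
		}
		hops = append(hops, Hop{From: m[1], By: m[2]})
	}
	return hops, nil
}

// EndToEndEncrypted reports whether the body is in a standard encrypted-mail
// container: PGP/MIME (RFC 3156) or S/MIME enveloped data (RFC 8551).
// Anything else is readable by every host in Hops, TLS on the wire or not.
func EndToEndEncrypted(raw string) (bool, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return false, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil {
		return false, err
	}
	switch mediaType {
	case "application/pkcs7-mime":
		st := params["smime-type"]
		return strings.EqualFold(st, "enveloped-data") || strings.EqualFold(st, "authEnveloped-data"), nil
	case "multipart/encrypted":
		return strings.EqualFold(params["protocol"], "application/pgp-encrypted"), nil
	}
	return false, nil
}

func main() {
	hops, err := Hops(rawMessage)
	if err != nil {
		panic(err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %s -> %s\n", i+1, h.From, h.By)
	}
	if e2e, _ := EndToEndEncrypted(rawMessage); !e2e {
		fmt.Println("body is plaintext: every host above could read it")
	}
}
```

Run it and every host in the output is a place where the message sat in the clear; the check at the end is the only thing that would change that verdict, and a confidentiality footer does not affect it.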

What is encryption?

Encryption is the use of an algorithm to scramble normal data into an indecipherable mishmash of letters, numbers and symbols (referred to as “ciphertext”). An encryption key (essentially a long random string of bits) drives the algorithm that scrambles the text, pictures, videos, etc. into ciphertext; the algorithm itself is public, and the key is the only secret. Depending on how the encryption is set up, either the same key (symmetric encryption) or a different, mathematically related key (asymmetric encryption) is used to decrypt the data back into its original state (called “plaintext”). Under most privacy and data breach notification laws, encrypted data is considered secure and typically doesn’t have to be reported as a data breach if it’s lost or stolen (so long as the decryption key isn’t taken as well, which is why where the key lives matters as much as whether encryption is used at all).

Three Methods to Secure Email

1) Encrypted email. Properly encrypted email messages should be converted to ciphertext before leaving the sender’s computer or mobile device and stay encrypted until they are delivered to the recipient (remaining indecipherable as they pass through each server along the way). This approach is referred to as end-to-end encryption. One caveat: the standard encrypted-mail formats protect the body and attachments, but the sender, recipient and usually the subject line still travel in plaintext, so keep the subject line uninformative.

Until fairly recently, email encryption had been a somewhat technical and cumbersome process, often requiring both sender and recipient to use matching encryption programs and carefully manage their own encryption keys. Now there are plenty of encrypted email offerings from larger commercial companies, as well as a number of new and interesting email encryption services that have become available in the wake of the disclosures made by Edward Snowden.

When choosing one, be mindful of where the service is located, including where the servers that actually handle the email sit. Snowden used a well-regarded U.S.-based encrypted email provider called Lavabit. Not long after his revelations came to light, federal law enforcement obtained an order compelling Lavabit to secretly turn over the private keys protecting its users’ connections to the service, which would have exposed every user’s traffic, not just the target’s. Lavabit’s founder tried to resist but was overwhelmed in federal court. As a result, he shut down the service. Another well-regarded service called Silent Mail followed suit shortly thereafter, as it felt it could no longer ensure its customers’ privacy. Both have since relocated to Switzerland and are planning to introduce a new encrypted email service called Dark Mail.

Larger companies offering encrypted email services typically control the encryption keys and will decrypt data before turning it over in response to a warrant or subpoena (including one coupled with a gag order that prevents them from telling you). In addition, under Title II of the Electronic Communications Privacy Act, referred to as the Stored Communications Act, a provider is permitted to access email stored on its own systems. Moreover, the Act treats email left on a third-party server for more than 180 days as less protected: any American law enforcement agency can obtain it with a subpoena rather than a warrant.

Accordingly, if you choose a service based in the U.S. or another jurisdiction with similar rules, be mindful of who controls the encryption keys. A simple test: if the provider can reset your password and you can still read your old mail afterwards, the provider holds the keys, and anything it can decrypt for you it can decrypt for a court.
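The following added example (my illustration, not the article’s and not modelled on any named provider) makes the key-control point concrete in Go, using the hybrid layout described under “What is encryption?” and used by end-to-end mail formats: a fresh symmetric AES key encrypts the message, and that key is wrapped with the recipient’s asymmetric RSA public key. The Envelope type, the party names and the sample message are assumptions for the demonstration, not any real format. In the end-to-end case the recipient generates and holds the private key; in the provider-held case the provider generates it and keeps it, and the recipient reads mail only by logging into the provider’s system, so the provider can decrypt on demand.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what leaves the sender's device and what every relay sees:
// a symmetric ciphertext plus the symmetric key wrapped to a public key.
// This mirrors the hybrid layout S/MIME and PGP use; the struct itself is
// an illustration, not either format.
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP to the key holder
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext followed by its authentication tag
}

// Seal encrypts a message so that only the holder of the private key
// matching pub can read it. Nothing here touches the network.
func Seal(plaintext []byte, pub *rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 key, symmetric, fresh for each message
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Asymmetric step: only the matching private key can unwrap the AES key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. With any private key other than the intended one,
// OAEP unwrapping fails, so a relay holding only the envelope learns nothing.
func Open(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong private key: cannot unwrap message key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Reader models a party that holds a copy of the envelope plus whatever
// private key it has (nil for a bare relay server).
type Reader struct {
	Name string
	Key  *rsa.PrivateKey
}

// WhoCanRead tries to open env as each party and returns the names that
// succeed. In an end-to-end deployment only the recipient appears; in a
// provider-held-key deployment the provider appears instead, which is what
// a warrant or subpoena served on the provider obtains.
func WhoCanRead(env *Envelope, parties []Reader) []string {
	var readers []string
	for _, p := range parties {
		if p.Key == nil {
			continue
		}
		if _, err := Open(env, p.Key); err == nil {
			readers = append(readers, p.Name)
		}
	}
	return readers
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on the client's own device
	provider, _ := rsa.GenerateKey(rand.Reader, 2048)  // generated and kept by the hosting provider
	msg := []byte("Privileged: settlement authority is capped at the figure we discussed.") // constructed
	parties := []Reader{{"relay", nil}, {"provider", provider}, {"recipient", recipient}}

	e2e, _ := Seal(msg, &recipient.PublicKey)
	fmt.Println("end-to-end, readable by:", WhoCanRead(e2e, parties))
	hosted, _ := Seal(msg, &provider.PublicKey)
	fmt.Println("provider-held key, readable by:", WhoCanRead(hosted, parties))
}
```

The relay never appears in either list because it holds no key at all; what changes between the two runs is only who generated the key pair, and that single decision is what a subpoena to the provider turns on.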

2) Secure cloud storage. Another way to securely communicate or share files with a client or privileged third party is to place communications and files in encrypted cloud storage and give the client or third party password-protected access to them. Rather than a direct email with attachments, the client or third party receives a link to the securely stored data. Two cautions follow from that. The service should encrypt the data on your device before upload, with keys the service never sees; if the service holds the keys, you have the same problem as with provider-held email keys. And the link and its password should not travel together in the same plaintext email, or you have simply moved the problem rather than solved it. Before you ask: Dropbox and Google Drive would not be suitable options, because both encrypt files only on their own servers with keys they control. There are a number of services offering well-protected cloud storage, and it’s important to do your due diligence before selecting one. If it all seems a bit much to figure out, two services I would recommend looking into are Cubby and Porticor.

3) Secure Web portal. A third approach is to place communications and files in a secure portion of your firm’s network that selected clients and privileged third parties can access. As with the secure cloud storage option, the email sent to the client or third party carries only a link back to the secure Web portal’s log-in page. The advantage of this approach is that the communications and files never leave your own network, so you control the keys and the servers. The trade-off is that the portal is now an internet-facing service you run yourself: it needs TLS, strong log-ins, prompt patching and monitoring, or the data is no safer than it was in email.

An additional consideration: A government snoop or competent hacker doesn’t necessarily have to attack a message while it’s encrypted. A message that is protected by strong encryption when it’s sent or held in secure cloud storage can still be intercepted and read once it has been opened or accessed on a mobile device or computer that has been compromised. The same holds true for capturing a message before it’s encrypted in the first place. What steps can you take to protect yourself? The software on any computer or other device that can access confidential data should be kept as up to date as possible. Devices should be protected against data loss if they are lost or stolen, which in practice means full-disk encryption and the ability to wipe them remotely. And all firm personnel should have regular security awareness training with respect to social engineering and other threats.

At the end of the day, there is no single silver bullet to provide perfect security. But there are genuinely helpful steps that you can take to better protect your electronic communications and keep your sensitive data confidential.

Can Employers Ever Monitor Employees' Personal Social Media?

Yes, but be careful! There is no denying that the use of social media sites such as Facebook, Twitter and LinkedIn has exploded. The explosion includes both personal and business use of social media. It also includes use that is beneficial to employers and use that can be very damaging. Unfortunately, the influx of employment lawsuits that has followed the explosion has had limited practical value in guiding employees and employers on the permissible use and oversight of social media in the workplace. While many questions remain, the California State Legislature’s recent enactment regulating employer use of social media does provide some guidance.

California Labor Code section 980 was enacted to prevent employers from (1) requesting an employee disclose usernames or passwords for personal social media accounts; (2) requiring an employee to access his or her personal social media in the presence of the employer; or (3) requiring an employee to divulge any personal social media to the employer. Applicants are protected in the same way as employees. The new statute, coupled with existing privacy laws, limits what employers may monitor when it comes to the personal social media of employees and applicants.

Definition Of Social Media
In what appears to be an effort to account for the ever increasing development of new social media, the new statute broadly defines social media as an “electronic service or account, or electronic content, including, but not limited to, videos, still photographs, blogs, video blogs, podcasts, instant and text messages, e-mail, online services or accounts, or internet web site profiles or locations.”

Prohibitions On Employers Monitoring Social Media
Employers may not require, or even request, that an employee or applicant:

  • Disclose a username or password for the purpose of gaining access to the employee or applicant's personal social media;
  • Access their personal social media in the employer's presence; or
  • Divulge any personal social media.

Employers are also prohibited from retaliating or threatening to retaliate against an employee or applicant who refuses to comply with a request or demand that violates the statute.

Despite the statute's broad definition of social media and its restrictive prohibitions on employers, it does provide some exceptions under which employers may request and gain access to employees' personal social media. For each exception, however, pitfalls exist. Employers need to know them in order to avoid costly mistakes.

Accessing Social Media As Part Of An Investigation
The statute does not affect an employer's existing rights to obtain personal social media “reasonably believed to be relevant” to an investigation of employee misconduct. Under this exception, the employer may only access the employee's personal social media under the condition that it is used strictly for purposes of the investigation or a related proceeding. While the statute does not define what “reasonably believed to be relevant” means, California Courts evaluate employee privacy concerns utilizing a balancing test, weighing the employee's reasonable expectation of privacy against the employer's legitimate business needs for accessing the information. It is wise for employers to evaluate each instance carefully before requesting an employee to divulge his or her personal social media under this exception.

Employer-Issued Electronic Devices
The statute does not preclude an employer from requiring an employee to disclose a username and password for the purpose of accessing an employer-issued electronic device such as a computer, smartphone or e-mail account. Employers should exercise caution, however, before digging through an employee's use of personal social media on the employer-issued device.

It is a violation of the federal Stored Communications Act to access a restricted or password-protected site without the owner's consent. So, while it is permissible for an employer to require an employee to provide his or her password for access to the employer-issued device, an employer may be violating the law by using that access to reach social media accounts on the device. For instance, having the IT department retrieve the employee's Facebook password saved on the employer-issued device in order to gain access to the employee's personal Facebook page would be access to the account, not to the device, and could violate the Act.

Adverse Action Against Employees
The statute does not prohibit an employer from terminating or taking adverse action against an employee or applicant if otherwise permitted by law. For instance, an employer may discipline an employee for violating company policy by using personal social media during work time. Nor does the statute specifically prohibit employers from accessing publicly available social media. This means that employers may view the personal social media of their employees that is available to the general public on the internet, such as blogs and other websites that do not restrict user access.

But, before taking any adverse action against an employee based upon the content of his or her personal social media, employers must keep in mind that California law prohibits employers from discriminating against an employee based upon the employee's lawful conduct occurring away from the employer's premises during non-work hours. Moreover, the National Labor Relations Board has held that employees may use social media to voice concerns over working conditions. While an employee complaining about working conditions or an issue with a manager on his or her Facebook page may reflect negatively upon the organization, the employee's use of social media to criticize working conditions may qualify as protected concerted activity for which an employee cannot be lawfully disciplined.

What Is An Employer To Do?
First, be patient. The law develops at a snail's pace compared to the development of new technology and cultural trends. More guidance will come. In the meantime, employers should approach social media issues with careful consideration and planning. This should start with the development of a written social media policy, and not a sample or template policy. The policy needs to be specifically tailored to the employer and should discuss the importance of social media, the impact that social media has on the workplace, and how employees' use of social media reflects upon the organization. The policy should also define the permitted use of technology owned by the organization and employees' expectations of privacy, or lack thereof.

If an employer elects to have a policy restricting personal social media use during work hours, it should ensure that the policy is applied even-handedly to avoid claims of discrimination. Employers should also consider the pros, cons and legal issues that relate to restrictions on supervisors' social media interaction with subordinates. For most organizations, it would be advisable to inform employees that they are not required to interact with supervisors on personal social media and will not be retaliated against for refusing to interact with supervisors.

A carefully planned and well written social media policy that outlines the organization's goals and expectations of employees' use of personal social media can help ensure compliance with the new rules and prevent costly disputes with employees.