Legality of sending personal information via email

[Tycoon]

I just got an email from an attorney with an attached word document that has my Social Security, name, and address plastered all over it. Is this legal for a law firm to do this?

[livesoft]

To my knowledge, there is nothing illegal about this.

[cheese_breath]

I guess if the IRS can do it, why can't your lawyer?

[dodecahedron]

Legality aside, it strikes me as extremely imprudent and showing very poor judgment. Unless the email is encrypted on both ends, I would take my business elsewhere and let the attorney know why. Maybe notify the state bar association as well if this appears to be standard operating procedure for the firm. Some form of official reprimand seems in order to me in order to protect future clients going forward.

[dodecahedron]

I guess if the IRS can do it, why can't your lawyer?

The IRS does not do this. The efile acknowledgement system does not work via email but rather by secure encrypted portals.

[Tycoon]

If he were my lawyer I'd have fired him already!!! I've never had a professional institution do this to me. This clown sent the information after I expressly instructed him not to.

[Artsdoctor]

I cannot speak to the details of the law, but I have to say that this gives me pause.

First, my accountant always sends me my forms by a password-protected document. If I'm uploading any documents with my SSN on it, I use SecureDrawer which has been set up for me by my accountant.

Second, although this is not the same as your SSN and other sensitive information, as a physician I never send sensitive health care-related information by email to my patients. I have an encryption which I use (zixencrypt) but since we've instituted an electronic medical record, patients communicate only through a secure portal.

Even if your lawyer is not breaking a law, in this day and age, he is not practicing responsibly. If you have a good relationship with him, you can discuss this with him and see if you find a solution. Even if he/she cannot change the current practice, your concerns should be taken seriously.

As an aside, I have definitely received e-mails from lawyers with sensitive personal information that were not intended for me! We are all very busy and mistakes can happen. But identity theft is a serious concern which any professional should take seriously.

[dodecahedron]

If he were my lawyer I'd have fired him already!!! I've never had a professional institution do this to me. This clown sent the information after I expressly instructed him not to.

Glad he is not your lawyer! How did he get access to your SSN? I would definitely report this professionally irresponsible behavior to the state bar association.

[Tycoon]

My family is selling property in another state and my signature is needed. The lawyer (who apparently sells real estate) sent me the Cash Sale Deed in a Word document attached to an email. The SS#'s and personal information of eight family members are listed. This is after I told him in no uncertain words NOT to send it via email. No telling how many servers the email bounced through.

[cheese_breath]

I guess if the IRS can do it, why can't your lawyer?

The IRS does not do this. The efile acknowledgement system does not work via email but rather by secure encrypted portals.

Oops. My bad. I missed that it was an email. I was thinking USPS mail.

That changes my comment a lot.

[Calm Man]

I strongly disagree with the board sentiment. I am assuming the personal info is in the attachment and not the body of the email or the subject line. Many legal documents have personal info including SS numbers. Good lawyers, and I work with several, often send drafts for review. I suppose you could request that everything be sent by regular US snail mail. That would slow down the process for you quite a bit and certainly for the lawyer. A simple change that could be done in minutes would get a charge to you for time for a re-read as the document won't be that fresh possibly in the mind of the lawyer later. And mail isn't all that secure. I often get my neighbor's email and vice versa and sometimes things don't arrive at all. But for those who are indignant, this is a routine practice.

[Artsdoctor]

Calm Man,

It is true that email makes things awfully efficient. But encryption services abound and it is so easy nowadays to encrypt email that there's no legitimate excuse to not do it. Just because a large chunk of the legal world doesn't do it doesn't make it acceptable.

As I noted above, we've been encrypting accounting and medical documents for years. There's no excuse not to if you're sending sensitive information through servers (and like I mentioned, I have been the recipient of erroneous information from a lawyer; if that happened in medicine, I could conceivably be fined $100,000 for a HIPAA violation).

[Tycoon]

I spoke to a lawyer friend who resides in the same state and apparently it is not uncommon for correspondence to be sent via email. However, my friend said the lawyer should have honored my wishes.

[ajcp]

Legality aside, it strikes me as extremely imprudent and showing very poor judgment. Unless the email is encrypted on both ends, I would take my business elsewhere and let the attorney know why. Maybe notify the state bar association as well if this appears to be standard operating procedure for the firm. Some form of official reprimand seems in order to me in order to protect future clients going forward.

If Tycoon asked them not to do it they shouldn't have, but...good luck with that.

[dodecahedron]

Legality aside, it strikes me as extremely imprudent and showing very poor judgment. Unless the email is encrypted on both ends, I would take my business elsewhere and let the attorney know why. Maybe notify the state bar association as well if this appears to be standard operating procedure for the firm. Some form of official reprimand seems in order to me in order to protect future clients going forward.

If Tycoon asked them not to do it they shouldn't have, but...good luck with that.

Indeed, it appears from this law review article that the ABA and state bar associations have said it's okay for lawyers to send confidential information via unencrypted email.

http://www.stlr.org/2013/08/client-conf ... d-email-3/

I still think it is exceedingly poor judgment on the attorney's part.

[Louis Winthorpe III]

To answer your question, yes, completely legal. Not unethical either, so I disagree with the suggestion to report the attorney to the bar.

[denovo]

I guess if the IRS can do it, why can't your lawyer?

Does the IRS send anyone e-mails?

[dodecahedron]

To my surprise, this kind of cavalier treatment of sensitive data is also common in CPA offices, but this article says that 46 states have "data breach laws" that require notification of all parties if confidential data goes out via an unencrypted email.

http://www.thesavvycpa.com/camico/2014/ ... istakes-2/

[dodecahedron]

I guess if the IRS can do it, why can't your lawyer?

Does the IRS send anyone e-mails?

The IRS does indeed send email but in my experience they generally do not send confidential taxpayer data that way and in the very rare cases when they do, it is required to be encrypted (as the article I linked in my last post notes.)

See also:
http://www.irs.gov/uac/Encryption-Requi ... ation-1075

[dansnad]

If he were my lawyer I'd have fired him already!!! I've never had a professional institution do this to me. This clown sent the information after I expressly instructed him not to.

Glad he is not your lawyer! How did he get access to your SSN? I would definitely report this professionally irresponsible behavior to the state bar association.

Please do not ever retain an attorney.

[ourbrooks]

You could, of course, simply refuse to sign until the lawyer sent the documents by USPS, certified mail with signed return receipt.

Something fun to think about: Tell the lawyer that your email account has been hacked and then send back an edited version of the document that specifies that the sales proceeds are to be sent to a Nigerian bank account or a version that increases the sales price by 20%.

[denovo]

Something fun to think about: Tell the lawyer that your email account has been hacked and then send back an edited version of the document that specifies that the sales proceeds are to be sent to a Nigerian bank account or a version that increases the sales price by 20%.

Yes, submitting fraudulent documents to an attorney is always a good idea.

[dodecahedron]

If he were my lawyer I'd have fired him already!!! I've never had a professional institution do this to me. This clown sent the information after I expressly instructed him not to.

Glad he is not your lawyer! How did he get access to your SSN? I would definitely report this professionally irresponsible behavior to the state bar association.

Please do not ever retain an attorney.

I have a very responsible and professional law firm that has served me and my late husband well on a number of issues over the years. They use email for relatively inconsequential interchanges, letting me know of progress updates and deadlines and information they need, but for anything like this, with the potential for identity theft, I am sure they would never dream of sending confidential documents with the potential for identity theft via an insecure unencrypted email attachment, especially if I had explicitly asked them NOT to do so, as the OP did.

I supervise a volunteer income tax assistance site and I deal with information like this all time during tax season. I take painstaking efforts to make sure nothing like this ever goes out via email. The lawyers at the IRS have made it abundantly clear that we volunteers have an obligation to protect the confidentiality of sensitive taxpayer information.

The general counsel for the college where I teach has also told faculty and staff not to send sensitive educational information via email, but instead to use secure portals designed for that purpose. Here is a link to a public document for another college that outlines the confidentiality policy and the applicable federal laws (FERPA, Gramm-Leach-Blilley, and HIPAA) as well as a state law that applies there, and notes that there may be other applicable state laws if the information travels to another state. It stresses (just as my college's general counsel stressed to us, in a different state) that there are "onerous requirements in case of a possible breach of personal information."

If lawyers are telling unpaid volunteers and college faculty and staff that we have an obligation to respect confidentiality by not sending confidential information via unencrypted email, shouldn't the legal profession observe the same scrupulous measures, especially given the rates they charge?

[postingname]

To answer your question, yes, completely legal. Not unethical either, so I disagree with the suggestion to report the attorney to the bar.

Yes, he's simply guilty of poor judgement. If he has poor judgement in areas of importance like that, you have to wonder how careful he is in other areas.

[Mudpuppy]

One hopes that the proceeds from the property sale more than makes up for the headaches caused by emailing sensitive information in the plain. Let's go on the assumption the lawyer does not have the means to pay for a secured portal. There are still cheap, encrypted alternatives.

The lawyer and the OP could have used a DiceWords generator to create a passphrase over the phone. That passphrase could have been used in Word to password protect the document. As long as the lawyer is using Office 2007 or newer, password-protected files are AES encrypted. While there are feasible brute-force attacks against 2007+ Word password-protected files with AES encryption, that's still far better than nothing at all. And this doesn't require much technical know-how to do.

The lawyer and the OP could have set up PGP to exchange emails. This requires more technical know-how on both ends, but is much better than the Word option. Likewise, they could have exchanged a TrueCrypt file using a DiceWords passphrase communicated over the phone, but this would also require technical know-how.

[Tycoon]

I wish the proceeds would have been worth the hassle. I've spoken at length with the lawyer and he apologized profusely. He did seem contrite. I just wish he would have honored my directions to send the papers via USPS or FedEx. I view the whole experience as unprofessional.

[Buysider]

I view the whole experience as unprofessional.

I agree it isn't a good sign when a professional ignores your instructions.

I don't know if this will make you feel better, but any one who has a serious interest in finding out your name, address and social security number can do so quite easily, and if I wanted to find it out, hacking your lawyer's email (or yours) wouldn't be where I would start.

Because we use social security numbers to collect wage and payroll taxes, the Social Security Administration has to make its database wide open to anyone who has to verify numbers for employment. Using that, and Google, you can fairly easily find most peoples SSNs. Find a John Smith from New York, NY is harder than Josiah Ajsbaughu in Des Moines, IA, but not impossible...

http://techmeout.org/tag/get-someones-ssn/

[Tycoon]

^ Yes, I understand, but I look at like my front door. I realize that it can fairly easily be broken down, but I don't abandon it completely. Perhaps it's a false hope to believe personal information can be protected, but I will still do my best to safeguard mine.

[dodecahedron]

I wish the proceeds would have been worth the hassle. I've spoken at length with the lawyer and he apologized profusely. He did seem contrite. I just wish he would have honored my directions to send the papers via USPS or FedEx. I view the whole experience as unprofessional.

Okay, this puts a completely different light on it. Apparently it was an isolated inadvertent error rather standard operating procedure on the lawyer's part? I can imagine that after hearing you out at length, he has learned he needs to have his staff take more care in the future.

And I agree with the previous poster, Buysider, there are way too many easy alternative ways to get this data.

But after having personally heard heart rending stories of people whose lives have been total messed up by identity theft, I would find it hard to forgive myself if I facilitated it in any manner. In my opinion, the bar associations should be sending out clear guidance on this point to their own profession and I am shocked to learn they are not.

[Artsdoctor]

Dodeca,

First, thank you for the providing the ABA piece above. If you take a look at the last two paragraphs, you'll see that the ABA is actually questioning whether or not the legal profession needs to take encryption software more seriously.

It might be the norm to send sensitive documents over the internet by lawyers. I would venture a guess that this will change with time. The medical and accounting professions must protect sensitive information and the legal field is clearly behind the times on this one.

Your legal counsel may have very sensitive information on you and your family which could easily create a major headache if the information falls into the wrong hands. Intercepting attachments and emails could occur, as could office break-ins; however, these have got to be rare events. What is far more likely to happen is that the lawyer simply types in the wrong e-mail address to send a document. As I mentioned above, I erroneously received such a document from a previous lawyer destined for a completely different client whom I did not know. It is not appropriate that something like that could happen--it just isn't. Mistakes can be made by anybody. From an identity theft point of view, I believe that professionals should steps that are reasonable, not draconian. Encryption software is not onerous and I find it amazing that the ABA is living in such a distant past.

[anonyvestor]

Regardless of one's sense of "standard practice" within the legal community, this act was reckless and reprehensible. No lawyer (or any other individual) can justify transmitting this information in this fashion against the clients' wishes. And regardless, there were 7 other SSNs transmitted in this fashion to a third party - with no explicit consent in this regard.

This is NOT standard practice among any of the professionals (legal or otherwise) I have worked with. It is regrettable the legal profession continues to actively eschew any efforts to police itself to the same degree they enforce such standards within other professions. "Common practice" is not in itself adequate justification for bad practice.

Ask yourself - why is it the accounting and medical professions have higher standards in this regard???

Although I would be satisfied with a profuse apology from the individual lawyer in this case, there does need to be an effective way to communicate the need for higher standards within the legal profession. And there needs to be an effective internal or external mechanism to implement these standards.

THANK YOU FOR COMPLAINING. It is at least a start.

[Tycoon]

I just cannot get over my anger.
It was an obvious slight on his part as all but four of the buyer's TIN were X'd out. Why were the eight sellers not afforded the same consideration. I can't let this go. It's eating at me. I've dug further into this matter and what he did was not illegal, or unprofessional according to existing laws. He didn't break an ethics code. But damn I'm pissed.
I agree with the other posters. Everyone should rise to the standard the medical, financial services, etc. are held to.

[postingname]

http://techmeout.org/tag/get-someones-ssn/

That's a good article. Here are the two actionable items I got from it (quoting directly):

1. The easiest way to protect yourself is to never ever ever give any portion of your social security number out to anyone. Especially the last four digits which are the hardest to crack, yet are also the most common ones to be given out to strangers.

2. Another way to protect yourself is to never ever tell someone where you where born and the date of your birth.

That's pretty enlightening to learn that the last four digits of the SSN are the hardest to crack, yet they are the ones most commonly asked for and received. I wonder what we can offer as proof of ID if we don't want to give out those four digits...

[denovo]

This seems like something minor to get worked up about.

[sscritic]

I have seen a number of references to a client. And who would that be?

He is not Tycoon's lawyer, I got that part.

If he were my lawyer I'd have fired him already!!!

My family is selling property in another state and my signature is needed.

So does he represent the buyer? Does he represent the title company? In any case, it is clear that Tycoon is not the client and Tycoon's wishes are not the client's wishes. Maybe the client wants to spread personal details about Tycoon around, we don't know. If that is the case, then the lawyer is meeting the client's wishes.

[dodecahedron]

Dodeca,

First, thank you for the providing the ABA piece above. If you take a look at the last two paragraphs, you'll see that the ABA is actually questioning whether or not the legal profession needs to take encryption software more seriously.

Artsdoctor, my link was NOT from the ABA. It was an article written by a third year law student at Columbia in the student-edited law review on technology and public policy. Yes, this student author was raising excellent questions about ABA policy, but I see no evidence of questions raised by the ABA itself.

[postingname]

Dodeca,

First, thank you for the providing the ABA piece above. If you take a look at the last two paragraphs, you'll see that the ABA is actually questioning whether or not the legal profession needs to take encryption software more seriously.

Artsdoctor, my link was NOT from the ABA. It was an article written by a third year law student at Columbia in the student-edited law review on technology and public policy. Yes, this student author was raising excellent questions about ABA policy, but I see no evidence of questions raised by the ABA itself.

I'd think there would be certain subgroups within the legal profession that would be especially concerned. Namely, criminal defense attorneys, human rights attorneys and attorneys who protect whistle-blowers. They have a special need to protect their client's confidences, and have already been spooked about all the revelations about spying. Granted, "confidences" are not the same as "personal data" like SSN, but still.

[Artsdoctor]

Dodeca,

You're right: your hyperlink was indeed written by a third year law student. She summarizes the most recent ABA stance that I could find (2011):

http://www.americanbar.org/content/dam/ ... eckdam.pdf

Within the past year, it seems that the ABA has put out "thoughtful recommendations" that encryption be considered. I've reached my saturation on this topic, but it appears that the ABA and legal profession have at least considered this topic and at least the ABA is moving at a glacial speed to perhaps more strongly nudge lawyers to do this.

As everyone becomes increasingly aware of identity theft, I can't imagine that the legal profession wouldn't ultimately hold itself to the same standards that the medical profession has had to. Ditto for the accounting profession.

When I think back many years ago when all of those office medical charts with patients' social security numbers written down in an unlocked files, it makes me shudder. Thankfully, those days are long gone (or, they should be).

[dodecahedron]

Indeed, I think universities used to use SSNs as student ID numbers and plaster them all over the place! (ID cards, publicly posted grade lists, etc.)

In a particularly shocking example, about 15 years ago, a national academic competition for middle schoolers (kind of like the spelling bee but in another discipline) had compiled a booklet for the press covering the event which consisted of photocopies of the information submitted by the students. Much of it was inoccuous ("Your favorite flavor ice cream?", "Who do you most admire?", "What do you want to do when you grow up?", etc.), but it also contained every students' name, address, birthdate, and SSN! (Apparently they had collected that information so they would have it available to report any monetary prizes the students might win.)

And these media info books intended for reporters were just left stacked in piles in a public area of the hotel where any interested random member of the public walking by could pick one up and walk off with it.

No one had a clue back then about the potential for identity theft.