Extract from article by David Greetham and David Levin
Legal ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to their clients. Attorneys also have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information.
To do this, firms must first understand what information they have. From that evaluation, a firm can identify, for each particular set of data, an appropriate solution with an acceptable level of risk. In an ideal world, all information — including emails — would always be encrypted, whether in transit or at rest, and regardless of where it was stored. But in the real world, that’s not practical because it can add cost, frustrate users, and impede productivity.
The use of encryption boils down to a discussion of acceptable risk. The appropriate level of encryption depends on specific use cases and is a balance among many factors, including the sensitivity of the data, the need for usability and convenience in accessing and using the data, and the impact if the data were to be breached. For example, basic data that is public information, such as corporate addresses, probably doesn’t need to be encrypted. Conversely, details of an upcoming transaction held in the files of a firm specializing in mergers and acquisitions need strong protection.