Email Security Standards in the Legal Profession
The adoption of email security techniques in the legal profession lags behind the legal requirements. During development of the MaraDocs Upload Portal, we studied the email setup of about 20% of the lawyers listed in the directory of the German Federal Bar Association (Bundesrechtsanwaltskammer).
Email is indispensable in today's business routine of law firms and legal departments. Sensitive and confidential information is frequently exchanged. It is therefore all the more important to take appropriate technical measures to ensure the security and confidentiality of communications.
Only about 4% of the law firm domains examined currently meet the legal requirements for secure email communication.
The low adoption of end-to-end (E2E) encryption via S/MIME or PGP is a well-known problem. Attempts to communicate with clients, private individuals in particular, via E2E encryption usually fail for simple practical reasons: the client has neither a key or certificate nor the software to use it.
Legal Requirements for Lawyers in Email Communication
Lawyers are bound by professional secrecy (Berufsgeheimnisträger). Not least for this reason, they have a particular duty to keep the content of communication with their clients confidential.
The guidance document (Orientierungshilfe) of the Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (DSK) of May 27, 2021 distinguishes between obligations for normal risk and obligations for high risk. Depending on the risk, plain transport encryption may be sufficient protection, or qualified transport encryption and possibly E2E encryption may be required.

Because professional secrecy can itself be an indicator of high risk, professional secret holders must examine the level of risk in each case with particular care.
Qualified Transport Encryption Should Be Used by Default
Practically no email service today operates without transport encryption. For normal risk it can therefore largely be assumed that communication with the client is acceptable from a data protection perspective. Nevertheless, a high risk remains in individual cases: in an employment law matter, for example, may a sick note be received or sent by ordinary email?
Against this background, every law firm is advised to create the technical prerequisites for qualified transport encryption.
Qualified Transport Encryption According to BSI TR-03108
With Technical Guideline TR-03108 ("Secure E-Mail Transport"), the BSI (German Federal Office for Information Security) sets the requirements for secure email communication and defines the state of the art. Some of the measures must be provided or implemented by the email provider. For the various security protocols to work and interlock, however, the DNS records of the firm's own domain must also be adjusted.
Implementation Effort for Qualified Transport Encryption Is One-Time Only
Given that qualified transport encryption only needs to be set up once by a law firm and thereafter provides a significantly higher level of protection in email traffic without further interaction, it is surprising that only about 4 percent of the law firm domains examined have activated it.
There is no reason for professional secret holders not to implement the requirements for qualified transport encryption.
In many cases, a law firm's administrator can complete the setup without additional cost and without downtime.
Study: Adoption of Email Security Techniques in the Legal Profession
Before writing this article, the authors analysed approximately 25,000 records from the Federal Official Lawyer Directory (Bundesweites Amtliches Anwaltsverzeichnis) of the German Federal Bar Association, examining the email addresses they contain. The email-specific DNS records of the domains behind those addresses were retrieved, and the mail servers identified in them were analysed non-intrusively.
Data Collection via the German Federal Bar Association Search Service
In Germany, approximately 165,800 lawyers are licensed and can be found via the search service of the German Federal Bar Association. The website of the Federal Official Lawyer Directory lists all licensed lawyers for each of the 29 bar association districts, six entries per page. By web scraping, we downloaded and saved the email addresses of the six persons listed on every fifth page of the directory for each district, thus capturing approximately 20% of the lawyers licensed in Germany.
Not every entry yielded an email address, and many of the persons listed use the same domain: either because they use a provider such as T-Online without a domain of their own, or because, as members of a large law firm such as Fresh***, they listed an address "@fresh***.com".
After the data had been cleaned of errors and duplicates, 12,105 distinct email domains remained. Email domain here means the part of an address after the "@" symbol, e.g. "t-online.de" for "ra-schmidt2341@t-online.de".
Analysis of Implemented Security Protocols per Email Domain
The security protocols presented in the remainder of the article can be checked for a given email domain through targeted DNS queries and connection attempts to the mail server listed in the domain's MX record.
We used the Linux tool "dig" and the open-source tool mecsa-st, which the European Commission published as part of a 2020 study (the tool is available on GitHub).
Each of the 12,105 domains was subsequently examined with both tools and the results were cached for further analysis.
Due to the nature of the investigation, only parts of the security protocols could be examined. A complete check of correct implementation would have required actual email exchange with the examined mail server. The analysis is therefore limited to externally visible DNS records and connection behaviour, which suggest, but do not prove, correct implementation in the mail server.
Regarding TLS, the analysis captures only whether a mail server offers STARTTLS, not whether it requires TLS for receiving or sending.
Cleaning and Evaluation of Analysis Results
The analysis results of the 12,105 queried domains required some cleaning before evaluation. It turned out that some mail servers shared by many domains, and therefore queried frequently, apparently returned a negative STARTTLS result even though they support STARTTLS. This was attributed to the authors' analysis exceeding the rate limits of those servers.
These inconsistencies were eliminated through manual follow-up checks.
Analysis Results: Adoption of Security Protocols
The study conducted by the authors reveals a fundamentally positive picture:

Of the 11,546 domains remaining after error correction, 11,436 (over 99%) used mail servers that offered TLS with a valid certificate. (This does not mean that the remainder have no TLS at all; individual connections can produce false-negative results for various reasons.)
A large majority has also implemented the important protocols DKIM and SPF. Interestingly, the corresponding DMARC record is set to "quarantine" or "reject" for just under a quarter of the tested domains. This is surprising, since DMARC builds directly on DKIM and SPF and requires only one additional DNS TXT record from the lawyer or law firm.
DANE and DNSSEC, important technical building blocks of secure email communication, are currently largely ignored in the legal profession. For particularly sensitive content, this leaves communication without the legally required level of protection.
Some providers already implement these protocols by default. A law firm or lawyer using such a service directly (i.e. without their own domain) benefits from them automatically.
Implementation for Law Firms
Most law firms and legal departments do not run their own mail servers but use services from third-party providers such as Microsoft 365 or Google Workspace, usually under their own domain.
To use SPF, DKIM, DMARC or DANE, the required DNS records must be created for the firm's own domain. The actual checks and actions are then carried out by the service provider's mail servers. These are essentially one-time settings.
TLS is standard on all common mail servers and usually requires no action by the law firm; the near-complete adoption observed is therefore not surprising.
Most email providers assist with setting up SPF, DKIM, or DMARC through automatically generated DNS entries.
The necessary settings can be entered by administrators (or skilled lawyers) into the DNS system of their own domain.
DANE and DNSSEC are already supported by many domain registrars. However, the implementation varies: Some providers offer convenient activation at the push of a button and automatically make the necessary settings. Others require a more complex configuration to be performed by the law firm administrator.
To implement DANE, the TLSA records must be published after DNSSEC has been enabled for the domain. We do not have a complete market overview, but learned from our own (painful) experience that Microsoft, for example, does not yet readily provide the necessary information for its mail server offering, Exchange Online (Microsoft 365):
"Inbound SMTP DANE with DNSSEC is still in public preview and may not work as expected. It is recommended to use the feature only in a non-production environment while it is in Preview status."
From the Microsoft website: Protecting Email Communication through DNS-based SMTP Authentication of Named Entities (DANE) | Microsoft Learn
Given that Technical Guideline BSI TR-03108 considers DANE necessary for secure email transport, law firms may need to check which security features their mail service provider actually supports.
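As an added example (not part of the original article and not code from the mecsa-st tool), the following Python script shows the DNS-only checks described in the study section and the records a law firm must publish (SPF, DKIM, DMARC, and the TLSA record behind DANE) side by side: a weak configuration next to a hardened one, evaluated with the same logic. All domain names, resolver answers, the DKIM selector and the "certificate" bytes are constructed for this example; the TLSA check covers the 3 1 1 form (SHA-256 over the SubjectPublicKeyInfo), which is the usual choice for mail servers.

```python
"""Offline evaluation of the DNS records behind SPF, DKIM, DMARC, DNSSEC and DANE.
All answers below are constructed for two hypothetical domains; nothing is
queried over the network.  Names and records are assumptions for this example."""
import hashlib
import re

# Placeholder standing in for the DER-encoded SubjectPublicKeyInfo of the mail
# server's certificate.  A real value comes from:
#   openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
SPKI_DER = b"constructed placeholder for the mail server's SubjectPublicKeyInfo"
SPKI_SHA256 = hashlib.sha256(SPKI_DER).hexdigest()   # rdata of a TLSA 3 1 1 record

# Constructed resolver answers: name -> {rtype: rdata list, "AD": bool}.  "AD"
# mirrors the Authenticated Data flag a validating resolver sets for DNSSEC-signed
# answers.  The DKIM public keys are truncated placeholders.
DNS = {
    # Weak configuration: SPF softfail, DMARC p=none, no DNSSEC, no TLSA record.
    "kanzlei-a.example": {"MX": ["mail.kanzlei-a.example"],
                          "TXT": ["v=spf1 include:spf.provider.example ~all"], "AD": False},
    "_dmarc.kanzlei-a.example": {"TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@kanzlei-a.example"],
                                 "AD": False},
    "selector1._domainkey.kanzlei-a.example": {"TXT": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG..."],
                                               "AD": False},
    # Hardened configuration: SPF hardfail, DMARC p=reject, DNSSEC-signed zone, TLSA 3 1 1.
    "kanzlei-b.example": {"MX": ["mail.kanzlei-b.example"],
                          "TXT": ["v=spf1 include:spf.provider.example -all"], "AD": True},
    "_dmarc.kanzlei-b.example": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@kanzlei-b.example"],
                                 "AD": True},
    "selector1._domainkey.kanzlei-b.example": {"TXT": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG..."],
                                               "AD": True},
    "_25._tcp.mail.kanzlei-b.example": {"TLSA": [(3, 1, 1, SPKI_SHA256)], "AD": True},
}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def validated(name):
    return DNS.get(name, {}).get("AD", False)


def spf_policy(domain):
    """Qualifier of the 'all' mechanism ('-', '~', '?', '+'), or None without SPF."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", txt)
            return (m.group(1) or "+") if m else "?"   # no 'all' -> result is neutral
    return None


def dmarc_policy(domain):
    """Value of the p= tag ('none', 'quarantine', 'reject'), or None without DMARC."""
    for txt in lookup("_dmarc." + domain, "TXT"):
        if txt.upper().startswith("V=DMARC1"):
            tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
            return tags.get("p", "none").strip().lower()
    return None


def dkim_present(domain, selector="selector1"):
    """Selectors cannot be enumerated from DNS, so a known selector is assumed."""
    name = f"{selector}._domainkey.{domain}"
    return any(t.upper().startswith("V=DKIM1") for t in lookup(name, "TXT"))


def tlsa_matches(mx_host, spki_der, port=25):
    """DANE-EE check: usage 3, selector 1 (SPKI), matching type 1 (SHA-256).
    Other usage/selector combinations exist and are not handled here."""
    digest = hashlib.sha256(spki_der).hexdigest()
    for usage, selector, mtype, data in lookup(f"_{port}._tcp.{mx_host}", "TLSA"):
        if (usage, selector, mtype) == (3, 1, 1) and data.lower() == digest:
            return True
    return False


def assess(domain):
    """Classify a domain the way a DNS-only analysis like the study's can."""
    mx = lookup(domain, "MX")
    mx_host = mx[0] if mx else domain        # no MX: delivery falls back to the domain itself
    spf, dmarc = spf_policy(domain), dmarc_policy(domain)
    tlsa_name = f"_25._tcp.{mx_host}"
    result = {
        "spf": spf is not None,
        "spf_hardfail": spf == "-",
        "dkim": dkim_present(domain),
        "dmarc_enforcing": dmarc in ("quarantine", "reject"),
        "dnssec": validated(domain) and validated(tlsa_name),  # DANE needs both names signed
        "dane": tlsa_matches(mx_host, SPKI_DER),
    }
    # Qualified transport encryption as the article reads TR-03108: TLS plus
    # DNSSEC-protected DANE.  STARTTLS cannot be judged from DNS alone and is
    # assumed present, as it was for over 99% of the domains in the study.
    result["qualified_transport"] = result["dnssec"] and result["dane"]
    return result


if __name__ == "__main__":
    for d in ("kanzlei-a.example", "kanzlei-b.example"):
        print(d, assess(d))
```

Run as is, the script reports the weak domain as having SPF and DKIM but neither an enforcing DMARC policy nor DANE, and the hardened domain as passing every check. Against a live domain the same names are queried with dig (for example `dig +dnssec TXT _dmarc.<domain>` and `dig +dnssec TLSA _25._tcp.<mx host>`), and the SPKI hash is taken from the mail server's certificate with the openssl pipeline shown in the comment.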
Conclusion
Email security is an important topic for every law firm. Measures such as TLS, SPF, DKIM and DMARC can be implemented with manageable effort and provide effective protection against many threats. DANE and DNSSEC are, strictly speaking, already required today; given their low adoption and the implementation obstacles, however, they are best described as forward-looking.
MaraDocs Upload Platform
In addition to our current product MaraDocs, we are actively developing an upload platform for exchanging files between law firms and clients. The platform will ensure that files exchanged between law firms and clients remain confidential and secure.