Denver Bar Association
December 2003
© 2003 The Docket and Denver Bar Association. All Rights Reserved.
All material from The Docket provided via this World Wide Web server is copyrighted by the Denver Bar Association. Before accessing any specific article, click here for disclaimer information.

Do You Know Who Is reading Your Email?

by Peter J. Schaub

Every day more than 30 billion e-mails are exchanged between businesses, professionals and individuals. E-mail has become the primary vehicle for the exchange of information between businesses and their suppliers, clients and employees. And as e-mail is expected to increase to over 60 billion e-mails a day in the next few years, the opportunity for an individual or business to be harmed as a result of intercepted e-mails is growing exponentially. The ease of intercepting e-mail is simply amazing. (Go to your favorite search-engine and search for "Intercepted e-mail" and you will find many free or low-cost software applications that allow users to intercept e-mails sent by anyone within an organization). As a matter of fact, there are companies that specialize in conducting "corporate e-mail mining" to support lawyers in their discovery process.

In recognition of this problem, there are a plethora of new laws and regulations that address how e-mail is to be handled, transmitted and retained. Intercepted e-mails can be used to misrepresent or impersonate an individual or company and these e-mails are one of the leading causes in the FTC’s estimated $49 billion in damages as a result of identity theft. It is estimated that there are over one million people in the U.S. today who have the perquisite skills to intercept e-mails. One only has to look at HIPAA (Health Insurance Portability Act), GLBA (Graham, Leach, Bliley Act), SARBOX (Sarbannes-Oxley Act) or the NASD 3010, to see how the government is responding to ensure that data and e-mails are handled appropriately by an organization.

In addition, several states are currently reviewing the use of e-mail to determine if lawyers utilizing e-mail to communicate with their clients are meeting the requirements of the Model Rule 1.6(a). (The Model Rule 1.6(a) refers to the required confidentiality and expectation of privacy in the communications between lawyers and their clients.) Recently the Missouri Bar Association issued an opinion that lawyers should use secure messaging or encryption services if they are using e-mail to communicate with their clients.

Some interesting facts about e-mail:

    •When you delete an e-mail . . . it is not deleted! Most computer systems simply flag the e-mail as deleted but it can be recovered using numerous inexpensive tools.

    •Even if you delete an e-mail on your computer, it can exist on backup tapes and disks for years, where it can be retrieved quite easily. Many discovery processes have included e-mails that have been backed up more than 10 years ago!

    •When you send a message via e-mail, multiple copies of the e-mail can exist on your computer, your e-mail server, multiple Internet servers, as well as the recipient’s e-mail server and computer. And that doesn’t include anyone else’s computers that the e-mail was forwarded to by the recipient.

What can you do to protect yourself and your organization from the significant damages of having one of your e-mails intercepted, as well as assisting you to meet some of the legal and regulatory requirements of your industry?

First, ensure that you have set policies and procedures in your organization regarding the type of information that is to be transmitted through e-mail. Never send unencrypted e-mails that you wouldn’t want to read in the newspaper the next day. Or even worse, e-mails that your client wouldn’t want everyone to read! (Just ask Bill Gates about that one).

Second, use a product, such as NeoCertified

(, to encrypt your e-mail, which ensures that only the sender and intended recipient can read the message.

Third, never send information that is confidential, such as your Social Security number, tax information or account numbers, through traditional, unencrypted e-mail.

Fourth, ensure that you have informed the recipients of your e-mails if you do not want your e-mails forwarded.

Fifth, delete your e-mails routinely and persist those deletions to your attached server, to ensure that deleted e-mails may not be backed up to tape or disk.

Sixth, at minimum, defragment your hard drives on your computer on a monthly basis to release e-mails that are flagged as "deleted." (However, remember that the recipient of your e-mail will still have a copy on their computer as well as within their backed up files).

Finally, ensure that your trusted advisors are using some form of secure or encrypted e-mail when communicating with you regarding confidential information.

Peter J. Schaub is the President of NeoForte, which provides NeoCertified products for security and encryption for email. He can be contacted at or you can visit the NeoCertified website at:

Member Benefits DBA Governance Committees Public Interest The Docket Metro Volunteer Lawyers DBA Young Lawyers Division Legal Resource Directory DBA Staff The Docket