In an era of widespread “hacking” and theft of confidential information, nearly all organizations have an interest in ensuring that email communications are secure. Law firms protect the confidentiality of email communications by using elaborate security measures including robust firewalls and difficult-to-crack passwords. Within the legal industry, such measures have been deemed sufficient to justify continued use of ordinary email programs such as Microsoft Outlook to communicate confidential information relating to, among other things, non-public SEC investigations. However, about two years ago, the SEC evidently concluded that such measures were insufficient, and started using a web-based encrypted email program (“smail”) operated by Nasdaq-listed ZixCorp. Many staff members (particularly in Western SEC regional offices) have resisted using smail, but the agency apparently has made it mandatory, and the trend is towards more widespread deployment.
When a member of the SEC Enforcement staff sends a “Smail” email to opposing counsel, the recipient receives a message stating: “You have a U.S. Securities and Exchange Commission Secure Email message from [email address of staff member].” To view the secure message, click here.” The recipient must then fill out a web page “form” that requires them to enter their email address and password, which must meet the SEC’s security requirements. Only then can the recipient read and/or reply to the email.
Assuming that the SEC’s use of encrypted emails is necessary and justified (which I doubt), smail poses several operational disadvantages compared to regular email. The most obvious disadvantage is the inconvenience of not being able to read, or respond to, the message using one’s regular Outlook email program. This is not a major problem for desktop users who are able to easily launch Internet Explorer or some other web browser, but it can present significant difficulties for users who are traveling or otherwise out of the office. Older PDAs and smartphones (such as my old Blackberry) offer less than satisfactory Internet access, both in terms of slowness and poor navigational capabilities. In practice, I could not access “smail” message using my old Blackberry. Given the time-sensitivity of many e-mail communications with the Enforcement staff, the Web-based nature of smail operates as a disadvantage for the defense bar.
The program’s undisclosed miserly email retention policy presents other problems. Sent and received emails apparently are kept for only 90 days, and there is no obvious way to archive or store older emails. For instance, users may not store older emails in folders created for that purpose. Given the importance of email communications, which the Enforcement staff is using smail to send subpoenas and correspondence, the SEC’s unwillingness to provide users with a means of storing emails is inexcusable. Members of the defense bar should make a practice of cutting and pasting smail email communications so they can be saved as Word documents or otherwise archived on their own network.