Sunday, August 26, 2007

Is it irresponsible for law offices to use hosted email?

Your Public Answer:
“Hi ...,

I think it is irresponsible for law offices to use insecure e-mail. Legally, law offices should have secure messaging. The delivery type of the e-mail service, from in-house facilities or from a remote hosted environment, should not be the question. There are several cases where law firms or financial institutions were liable for not maintaining secure e-mail operation at their own premises. A hosted option might be more secure based on existing security and privacy controls.

Ask your hosting provider the following questions:

1- Who can access my data? Do they all have background checks?
2- Do you have 3rd party security certifications/audits? (SAS-70 type II, ISO 27001 etc.) What was the scope of the audit/certification? What are the audit results?
3- What are the data retention/archiving/backup policies? What are your plans for BCP/DR? When was the last time you performed a test? What are the results? How long do you keep the backup copies?
4- Do you have a privacy policy at your facilities?
5- What are the existing security safeguards for securing my data? (Physical, access control, encryption etc.)
6- How do you segregate my data from your other customers?
7- Where do you store my data? Where are your data centers?
8- Can I see the service level agreement?
9- Does your archiving solution support stringent e-mail regulations, specifically SEC 17a-4 requirements? Can I search my archived messages?

The question list can be extended. If you cannot get satisfactory answers from your hosting provider, it is a better option to have e-mail in-house.

Google will not answer most of the questions above, so probably they are not a good enterprise partner at the moment. Expect to have a business level messaging service from Google as a follow-up to their Postini acquisition. (2 years?)

Let me know if you have a specific question,

regards,
- yinal ozkan”
