‘Tales from the En-Crypted: Tricks for Securing Data’
‘Part 1: Transactions’
It’s okay if you don’t like encryption. Really it is. The basic premise behind encryption technology is that someone out there is just waiting to steal and misappropriate your private communications. It’s an unpleasant thought. It’s also true: there are bad actors who are waiting for you to slip up, and who would love nothing more than to get their hot little hands on your and your clients’ confidential information. So, while you may not like encryption, you have to wrestle it down. Besides the fact that it’s likely best practice to encrypt sensitive data (like financial account numbers and social security numbers), there is also the matter of state law (some states require encryption of certain data) and the revised Model Rules of Professional Conduct, which could be construed as requiring encryption in certain instances.
The in-flight view is that there are two broad ways you’ll need to meet the encryption challenge within your law practice. There will be times when you will need to encrypt documents one at a time. In this first part of this short blog post series, we’ll address that sort of transactional encryption. There will be other times when you will need to perform tasks related to encryption over and over again, or across a platform; the issue then will center on how you develop workflows and processes to manage that need. We will address that sort of process encryption in the second part of this short blog post series.
Although it is becoming less and less common, as it becomes more and more difficult to hide from technology and its applications to law practice, there are still a number of firms that remain mostly untouched by encryption. Sometimes, this is a conscious choice made by lawyers, in order to avoid the ‘problems’ associated with encryption, which can be summarized as the addition of extra steps (for lawyers who are doing the encryption, and for clients who are accessing encrypted documents). In other cases, a law firm legitimately does not have much to encrypt, and it’s not an ostrich maneuver. In those cases, the challenge hinges on encrypting electronic documents in a piecemeal fashion. If the need is for one-off encryption, from time to time, broader solutions don’t make a whole lot of sense, since those are not likely to be investments that pay off. For example, if a law firm is encrypting 6 documents per month, it’s probably easier to just encrypt those documents, even if those documents are being emailed, rather than paying for an email encryption service to automate the process.
The good news, which should be most encouraging to those lawyers who wish to avoid encryption for its supposed technical difficulty, is that encryption at the document level is quite easy to accomplish, via drafting software or PDF applications. Encrypting documents at the user level is really just the selection and application of a strong password. Whether you’re utilizing a drafting or PDF application, the steps are almost always as follows: select the security option/tab, enter a password, reenter the password, save the document, send the document. The entire data scramble takes place in the background, instantaneously. You can add additional security features to your documents, if you want; but basic document encryption is just that simple. You can encrypt a document within Microsoft Word, WordPerfect, on Macs or through freeware tools, like OpenOffice and LibreOffice. Adobe Acrobat, the industry leader in PDF production and conversion, features built-in encryption tools, as does Nuance Power PDF. Even free PDF tools, like CutePDF, make encryption features available.
Most of the time, when a firm that doesn’t often do so does encrypt a document, it’s because the intention is to send it somewhere, often to a client. So, it’s true that the transaction is not completed until the client is able to receive/recover her encrypted document, and access it. There is some nuance to finalizing the transfer, however. One thing you don’t want to do is to email the password to open the encrypted document, even if you do so in a separate email from the one in which you’ve sent the encrypted document. The better practice is to call your client with the password (which can become their single password for opening documents that are sent encrypted by the firm), and keep the key off of email entirely. If your email is hacked, you want the hackers finding encrypted documents, and not also the passwords that go with them.
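Between "save the document" and "send the document" it is worth confirming that the password was actually applied. The following is an added example, not part of the original post: a pre-send check that goes slightly beyond the text by inspecting the file formats themselves (PDF, Word/Office, OpenDocument). The checks are heuristics, and the file names and sample bytes are constructed for illustration.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file header

def encryption_status(data: bytes) -> str:
    """Heuristic: 'encrypted', 'plaintext' or 'unknown' for PDF, OOXML, ODF."""
    if data.startswith(b"%PDF-"):
        # An encrypted PDF points to an encryption dictionary via /Encrypt.
        hit = re.search(rb"/Encrypt\s*(\d+\s+\d+\s+R|<<)", data)
        return "encrypted" if hit else "plaintext"
    if data.startswith(OLE_MAGIC):
        # A password-protected .docx/.xlsx is wrapped in an OLE container
        # holding a stream named "EncryptedPackage" (names are UTF-16LE).
        if "EncryptedPackage".encode("utf-16-le") in data:
            return "encrypted"
        return "unknown"  # legacy .doc/.xls: not decided by this check
    if data.startswith(b"PK\x03\x04"):  # ZIP container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
                if "META-INF/manifest.xml" in names:  # OpenDocument
                    manifest = zf.read("META-INF/manifest.xml")
                    return "encrypted" if b"encryption-data" in manifest else "plaintext"
                if "[Content_Types].xml" in names:  # unencrypted OOXML
                    return "plaintext"
        except zipfile.BadZipFile:
            pass  # damaged archive: fall through to 'unknown'
    return "unknown"

def _zip(files: dict) -> bytes:
    """Build a small in-memory ZIP for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample attachments (minimal stand-ins, not real documents).
SAMPLES = {
    "plain.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
    "locked.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    "plain.docx": _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"}),
    "locked.docx": OLE_MAGIC + b"\x00" * 504 + "EncryptedPackage".encode("utf-16-le"),
    "locked.odt": _zip({"META-INF/manifest.xml": "<manifest:encryption-data/>"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {encryption_status(blob)}")
```

Treat anything other than `encrypted` as a reason to stop and re-check the file before attaching it.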