‘Tales from the En-Crypted: Tricks for Securing Data’
‘Part 2: Processes’
It’s okay if you don’t like encryption. Really, it is. The basic premise behind encryption technology is that someone out there is waiting to steal and misuse your private communications. It’s an unpleasant thought. It’s also true: there are bad actors waiting for you to slip up, who would love nothing more than to get their hands on your and your clients’ confidential information. So, while you may not like encryption, you have to wrestle it down. Besides the fact that encrypting sensitive data (like financial account numbers and social security numbers) is best practice, there is also the matter of state law (some states require encryption of certain data) and the revised Model Rules of Professional Conduct, which could be construed as requiring encryption in certain instances.
There are two broad ways you’ll need to meet the encryption challenge within your law practice. There will be times when you need to encrypt documents one at a time; the first part of this short blog post series addressed that sort of transactional encryption. There will be other times when you need to perform encryption-related tasks over and over again, or across a platform, and the issue then becomes how you develop workflows and processes to manage that need. That sort of process encryption is the subject of this, the second part of the series.
If you can encrypt one document, why not encrypt a bunch? In a number of practice areas, personal injury being the most obvious example, lawyers must assemble packages of information for insurance adjusters or administrative personnel. Adobe Acrobat can create document packages (PDF Portfolios) that combine PDFs with files in other formats, and a package can be encrypted just as a single file is. Alternatively, documents in other formats can be converted to PDF and packaged with the other PDFs. Lawyers who regularly submit settlement packages should create a template for doing so; and, because some of those documents are likely to contain sensitive medical information, the last step before sending should be to encrypt the entire package. Two details matter when you do: pick the newest compatibility setting your recipient can open, because Acrobat’s oldest settings use weak 40-bit encryption while the current one uses AES-256; and send the password by a different channel than the email carrying the package, or the encryption protects nothing.
If you regularly use a laptop or tablet and save documents directly to it, best practice is to encrypt the documents containing sensitive data, because portable devices are lost and stolen in a way desktops are not: they leave the office, and get left in taxis and airport lounges. Even if you do not need to encrypt every document in a folder, it likely makes sense to encrypt the whole folder if you would otherwise be encrypting 8 of 10 files. Many of the applications that let you encrypt a file or a device will also let you encrypt individual folders.
The same logic that applies to folder encryption applies to device encryption: if 8 of 10 files in a folder need to be encrypted, encrypt the folder; if 37 of 50 folders need to be encrypted, it makes a whole lot more sense to encrypt the entire device. The challenge with devices lies in the variety of operating systems now in use, but there are solutions across all major categories. Windows users can enable BitLocker (on Pro and Enterprise editions; Home editions offer a more limited ‘device encryption’ on supported hardware). FileVault provides whole-disk encryption for Macs. iPhones and iPads encrypt their storage automatically once a passcode is set, so the job there is choosing a strong passcode rather than switching encryption on; current Android phones and tablets do the same, although older Android versions required you to turn it on in settings. VeraCrypt (the successor to TrueCrypt) is an open source tool that can encrypt a whole disk or create encrypted containers; AxCrypt and 7-Zip, by contrast, encrypt individual files and archives rather than devices, so they belong with the file-and-folder tools above. Commercial options include PGP’s whole disk encryption and SafeBit. Two cautions apply to all of them. First, disk encryption protects a device that is switched off or not yet unlocked; once you are logged in, every program running sees plaintext, so pair it with a strong login password and a short auto-lock timeout. Second, keep the recovery key somewhere other than on the encrypted device (BitLocker and FileVault both offer to store it for you), or a forgotten password becomes a permanently lost client file. Just remember that thumbdrives are devices, too, even if they are often forgotten next to more glamorous devices like smartphones and tablets; if you are a heavy thumbdrive user for the physical transfer of sensitive documents, buy hardware-encrypted thumbdrives, or encrypt the files you load onto unencrypted ones.
If encrypted attachments are only rarely sent, it’s probably fine for a firm with that limited volume to encrypt documents one by one (since it won’t have a major effect on efficiency) and send them through an otherwise unencrypted email system. However, if sensitive information must be sent continuously, as attachments or in the message text itself, it makes more sense to automate the process with an email encryption tool. A number of such tools are available, some tied to specific email platforms. Microsoft Outlook can encrypt a single message or all outgoing messages (its built-in S/MIME option requires the recipient to have a certificate too, which is why firms tend to use a gateway service instead). Two popular paid options are ZixCorp’s and Reflexion’s. Using a paid system, lawyers can manually flag specific emails for encryption, or rely on pre-set triggers, through which the system encrypts messages based on content found in the text or attachments (a social security number or account number pattern, for instance); those triggers can be overridden case by case with a code word or phrase in the message, such as ‘donotencrypt’. Clients and colleagues receiving messages through such a system access the message and attachments via a secure web mailbox, for which they choose their own password, usable for future exchanges. Two things to watch: an override word is only as safe as the person typing it, so review its use periodically; and content triggers miss sensitive data in forms they do not recognize (scanned images, unusual number formats), so treat them as a safety net rather than the whole policy.
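As an added illustration (not code from this post, nor from Outlook, ZixCorp or Reflexion), here is the trigger-and-override decision such a gateway makes for each outgoing message, in Python. The patterns, the rule that the override word counts only in the subject or body, and the sample messages are assumptions for the example; a commercial product ships a far larger rule set.

```python
import re
from dataclasses import dataclass, field

# Content triggers. These patterns are assumptions for this example; a real
# gateway ships its own, much more extensive, rules.
TRIGGERS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account_number": re.compile(
        r"\b(?:acct|account)\s*(?:no\.?|number|#)?\s*:?\s*\d{8,17}\b", re.IGNORECASE),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
OVERRIDE_WORD = "donotencrypt"  # the sender's case-by-case override, as in the post


@dataclass
class Message:
    subject: str
    body: str
    # attachment name -> text already extracted from it (PDF text/OCR assumed done upstream)
    attachments: dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    encrypt: bool
    reasons: list[str]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_triggers(label: str, text: str) -> list[str]:
    """Return one reason per trigger pattern that fires in this part of the message."""
    hits = []
    for name, pattern in TRIGGERS.items():
        for m in pattern.finditer(text):
            if name == "card_number":
                digits = re.sub(r"\D", "", m.group(0))
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue  # phone numbers, invoice numbers and the like fail Luhn
            hits.append(f"{name} in {label}")
            break
    return hits


def decide(msg: Message, encrypt_all: bool = False) -> Decision:
    """Decide whether an outgoing message must be routed through the encrypted channel."""
    # The override is honoured only when the sender types it in the subject or body,
    # never when it merely appears inside an attachment someone else produced.
    if OVERRIDE_WORD in (msg.subject + " " + msg.body).lower():
        return Decision(False, [f"override word '{OVERRIDE_WORD}' present"])
    if encrypt_all:  # the 'encrypt all outgoing mail' default
        return Decision(True, ["firm default: encrypt all outgoing mail"])
    reasons = find_triggers("subject", msg.subject) + find_triggers("body", msg.body)
    for name, text in msg.attachments.items():
        reasons += find_triggers(f"attachment:{name}", text)
    return Decision(bool(reasons), reasons)


if __name__ == "__main__":
    # Constructed sample messages, not real correspondence.
    samples = [
        Message("Smith v. Jones settlement", "Claimant SSN is 123-45-6789."),
        Message("Re: lunch", "Call me at 555-123-4567 about the 1234 5678 9012 3456 invoice."),
        Message("Records", "See attached.", {"intake.txt": "Card on file: 4111 1111 1111 1111"}),
        Message("Records", "See attached. donotencrypt", {"intake.txt": "SSN 123-45-6789"}),
    ]
    for s in samples:
        d = decide(s)
        print(f"{s.subject!r}: encrypt={d.encrypt} {d.reasons}")
```

The Luhn check is what keeps a phone number or an invoice number from tripping the card-number trigger; without it the false-positive rate makes users reach for the override word by habit, which is the failure mode the paragraph above warns about.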
Encryption in the Cloud
Lawyers using cloud-based systems should be aware of the encryption features available within those programs. At a baseline level, review and understand the encryption features of each cloud platform you use, and look for https:// (https://en.wikipedia.org/wiki/HTTPS) in the address bar, which signifies that the connection to the webpage is encrypted in transit (it says nothing about how your data is stored once it arrives). Remote desktop applications and practice management software systems feature built-in encryption, as do all of the major document storage platforms, like Dropbox and Box, as well as Google’s Drive, Apple’s iCloud and Microsoft’s OneDrive. SpiderOak is a ‘zero knowledge’ service: you, not the provider, hold the encryption key, and you must remember it, because the provider cannot reset it. That last part exposes a gnawing concern over encryption in the cloud: in most cases your provider, not you, holds the key, so the provider, anyone who compromises it, and anyone who can compel it can read your files. To change that arrangement, encrypt particularly sensitive documents before you add them to the cloud, with a key that never leaves your control.
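An added example, not code from this post and not SpiderOak’s or any other provider’s, that ties this section back to the settlement packages discussed earlier: bundle several documents into one package, then encrypt it under a key derived from a passphrase only you know, so that what reaches the cloud (or an adjuster’s inbox) is opaque to whoever stores it. It uses the third-party cryptography library for AES-256-GCM and the Python standard library for the zip container and scrypt; the container layout, the MAGIC tag and the sample documents are assumptions for the example.

```python
import hashlib
import io
import os
import zipfile

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Container layout (an assumption for this example, not any product's format):
#   MAGIC | 16-byte scrypt salt | 12-byte AES-GCM nonce | ciphertext + auth tag
MAGIC = b"ENCPKG1"
SALT_LEN = 16
NONCE_LEN = 12


def build_package(documents: dict[str, bytes]) -> bytes:
    """Bundle the documents of one settlement package into a single zip, in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(documents.items()):
            zf.writestr(name, data)
    return buf.getvalue()


def unpack(zip_bytes: bytes) -> dict[str, bytes]:
    """Inverse of build_package."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """32-byte AES-256 key from the passphrase; scrypt makes offline guessing slow."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def encrypt_package(plaintext: bytes, passphrase: str) -> bytes:
    """Encrypt under a key only the passphrase holder can derive; the provider sees only this blob."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)  # fresh every time: a nonce must never repeat under one key
    key = derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, MAGIC)  # MAGIC is authenticated, not hidden
    return MAGIC + salt + nonce + ciphertext


def decrypt_package(blob: bytes, passphrase: str) -> bytes:
    """Inverse of encrypt_package. Raises ValueError on a wrong passphrase or any tampering."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted package")
    i = len(MAGIC)
    salt = blob[i:i + SALT_LEN]
    nonce = blob[i + SALT_LEN:i + SALT_LEN + NONCE_LEN]
    ciphertext = blob[i + SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, MAGIC)
    except InvalidTag:
        raise ValueError("wrong passphrase, or the package was modified") from None


if __name__ == "__main__":
    # Constructed sample documents standing in for a real settlement package.
    docs = {
        "demand_letter.pdf": b"%PDF-1.4 demand letter (constructed sample)",
        "medical_records.pdf": b"%PDF-1.4 medical records (constructed sample)",
    }
    blob = encrypt_package(build_package(docs), "correct horse battery staple")
    # blob is what gets uploaded or attached; only the passphrase holder can open it
    assert unpack(decrypt_package(blob, "correct horse battery staple")) == docs
    print(f"encrypted package: {len(blob)} bytes")
```

Because the salt and nonce are random, encrypting the same package twice yields two different blobs, and GCM’s authentication tag means a flipped bit or a wrong passphrase fails loudly instead of producing garbage. The cost of this arrangement is exactly the one the paragraph above describes: lose the passphrase and nobody, including the provider, can recover the package.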