You probably keep your valuables under lock and key to keep them safe, but do you take the same care with your clients’ digital information?
Technological advancements provide lawyers with more efficient processes to store, transmit, process, and use documents and other data. However, advancements in technology can also leave confidential client information potentially exposed if law firms fail to implement necessary data encryption procedures.
Many law firms use a variety of cloud services to draft or store documents, record or process their bills, or conduct any other professional activities. Even if your firm does not store any data in the cloud, what do you do if a desktop or laptop computer gets stolen or compromised?
By implementing and enforcing an appropriate encryption policy at your law firm, you can help reduce risk and avoid a costly – or even devastating – exposure of your clients’ confidential information.
Why Does a Lawyer Need to Know About Encryption?
Lawyers are obligated to protect the confidentiality of their clients’ data, and law firms have to pay closer attention to confidentiality than the average business. If law firms do not secure their client communications and other data, they could violate the attorney-client privilege, lose clients, be subject to malpractice actions, damage their reputation, and possibly also lose their license to practice law.
From the ethics perspective, four rules generally govern the lawyer’s obligation to secure client data – “ABA Model Rule 1.1, which deals with competence; Rule 1.4, which involves communications; Rule 1.6, which covers the duty of confidentiality; and rules 5.1 through 5.3, which focus on lawyer and nonlawyer associations.”
For example, if California attorneys fail to take the proper precautions to protect client data, they violate their duties of confidentiality and competence. Similarly, Opinion 12-3 of Professional Ethics of the Florida Bar states, “[l]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely,” and “[t]he lawyer should research the service provider to be used.”
These ethical rules essentially require that attorneys exercise “reasonable efforts” to prevent “inadvertent or unauthorized” disclosure and access to client information. These rules also require “lawyers to not only keep abreast of the law but technology, as well.”
For example, ABA Formal Opinion 477R recommends that “[a] lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information.” The ABA’s Formal Opinion goes on to say that “[l]awyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.”
Different communication methods pose different threats. For example, communicating by email raises different security concerns than communicating through a private chat feature on a website. Likewise, storing data on a local computer or server requires different precautions than storing data in the cloud with a service like DropBox or OneDrive.
What Is Encryption?
Generally, encryption can be thought of as a way to translate documents and other data into a language that only you know. Encryption converts readable text, documents, or other data into unreadable, scrambled code.
Encryption in its basic form is a concept that has been in use for thousands of years. Ancient Egyptian, Hebrew, Greek, Chinese, Roman, and Arabic civilizations used various forms of encryption to send private messages and secure trade secrets, among other things.
The common thread in the various encryption techniques is that ordinary writings or other information is systematically scrambled into what appears to be unintelligible gibberish. The method used to systematically scramble the ordinary data is called an “encryption algorithm” or “cipher.”
The same encryption algorithm or cipher can then be used to unscramble the apparent gibberish back into ordinary data. The encryption algorithm often also requires the use of a “key” that works with the algorithm to unlock the scrambled data.
There are now many complicated encryption algorithms and methods providing various levels of security in different circumstances. For example, one of the more common encryption algorithms – called Advanced Encryption Standard (AES) -- was announced by the National Institute of Standards and Technology (NIST) in 2001 after a 5-year competitive review process.
More in-depth discussion of encryption types and methodologies is beyond the scope of this article. Instead, we will focus on the difference between encryption “in transit,” encryption “at rest,” “file level encryption,” and “application level encryption,” because these terms are often used by vendors trying to sell various solutions to lawyers and law firms.
Encryption “In Transit”
Most people are aware that information sent across the Internet carries a risk of being intercepted by third parties. Data sent across the internet or inside an office network is called “data in transit.”
Because data in transit can easily be intercepted and read, this data is often encrypted. Encryption of data in transit – for example, from a web browser to a company’s website – is called “encryption in transit” or “end-to-end encryption.”
In general, “[e]ncryption in transit should be mandatory for any network traffic that requires authentication, or includes data that is not publicly accessible,” writes Casper Manes for Tech Talk. However, because so much of a law firm’s data necessarily contains confidential and privileged information, lawyers should pay special attention to this issue.
Encryption in transit is most frequently seen with websites. When you visit a website, do you look to see if the website address begins with HTTP or HTTPS? The letters “HTTP” stand for Hyper Text Transfer Protocol. The ‘S’ stands for secure. When visiting a website, make sure you use the secure version, because HTTP websites do not have encryption in place to secure data sent across the internet to and from the website.
Web browsers like Internet Explorer, Firefox and Chrome also display a padlock icon in the address bar to indicate that a HTTPS connection is in effect. Looking for the padlock symbol is the easiest way to know if you are on a secure site.
When working with different online service providers, lawyers should make sure the vendors and their apps use encryption in transit or end-to-end encryption.
However, lawyers should also be aware that encryption in transit only protects data when it is sent from their browser to the vendor’s website, and not at any other time.
Encryption “At Rest”
Many people do not realize that the inactive, saved emails, documents, and other data on their devices, called “data at rest,” also carries the risk of being subject to a data breach.
Encryption of data at rest is frequently used to protect information stored on hard drives, thumb drives, laptops, and mobile devices while those devices are not turned on, or being used or accessed. According to John Spacey, “Where it is common for firms to encrypt data in transit because this encryption is visible to customers, in some cases firms skip encryption of data in rest.”
“Physical access can get past file system permissions, but if the data is stored in encrypted form and the attacker does not have the decryption key, they have no more than a useful paperweight or a drive they can format and use for something else,” writes Casper.
For example, if you have sensitive information saved to a desktop computer or laptop and you lose your device, whoever finds your computer can easily access its files if they are not encrypted – even if you password protected your account.
Hackers find data at rest an attractive target, because the often-unencrypted files contain valuable financial information and employee data. If a lawyer’s desktop computer, laptop, tablet, or mobile phone is stolen, the results can be even more disastrous.
According to legal software provider Clio, “41 percent of all data breaches between 2005 and 2015 were the result of lost devices. A laptop is lost or stolen every 53 seconds. Roughly 70 million smartphones are lost each year—and only 7 percent are recovered.” In fact, a 2009 Intel study revealed “over 12,000 laptops are lost or stolen every week at U.S. airports alone.” No one plans on losing a device, and you never know when it will happen to you.
“Full disk” encryption is a type of encryption at rest that helps deter unauthorized exposure of confidential data if the storage device is lost or stolen. By enabling full disk encryption on desktop computers, laptops, and other devices that contain client communications and other data, you can significantly increase the security of valuable client information.
Most new computers, laptops, tablets, and mobile phones provide a means to fully encrypt the digital storage on the device. For example, Microsoft Windows 10 Professional and higher versions come with a feature called BitLocker that allows you to fully encrypt the entire drive. Apple uses a feature called FileVault for the same purpose. Android also offers full-disk encryption.
However, like encryption at rest generally, full disk encryption only protects data when the computer or other device is turned off. If you applied full disk encryption on your computer or other device, but your device is lost or stolen while it is turned on, the at rest or full disk encryption will not stop an unauthorized person from accessing the confidential information on the device.
Many online service providers advertise at rest encryption, which is helpful. However, many also advertise up times of 99% or more, meaning their systems are almost always on and available for use. This in turn means that the data stored with the online service provider may almost always be accessible, even to an unauthorized hacker.
What can be done to protect law firm data when it is stored in an online service provider’s systems?
“File Level” Encryption
If you want to take your firm’s data security a step higher, consider using applications that offer additional encryption approaches like “file level encryption.”
File level encryption allows each file on your computer, phone, or in cloud storage to be separately encrypted. According to a MyDiamo article, “‘File encryption’ is the best choice for only taking into account of high security and required additional functionality for security.”
With file level encryption, attorneys can ensure that their confidential information can only be accessed by using a password or key. This provides a secure method of storing files, but is also means the file can be securely emailed or otherwise sent to another person who also has the password or key.
There are many different tools for encrypting your files. For example, VeraCrypt is a “strong tool that's simple to use and to the point,” and is completely free. Another popular tool called GNU Privacy Guard (GnuPG) has a variety of different implementations, and is also free. A third tool called AESCrypt has been called “the absolute most simple way to encrypt virtually any file quickly and easily,” and is also free.
These and other similar tools can all be used to securely store sensitive files on a computer, thumb drive, phone, or even in cloud services like Dropbox, Box, Microsoft OneDrive, and Google Drive. In addition, there are a number of different services like Encrypto, BoxCryptor, Sookasa, and Cryptomator that specialize in providing encryption for cloud storage.
File level encryption works great for file storage, and for emailing or otherwise delivering electronic files to different people. But how can confidential law firm information be protected when it is stored in an online billing or practice management system?
“Application Layer” Encryption
When data needs to be stored in an online billing or practice management system, “application layer” – or “app level” – encryption “offers the highest level of security.”
With application layer encryption, data is encrypted at all times, including when it is at rest and in transit. When an online billing or practice management system uses the application layer encryption method, encryption and decryption occur within an application itself, and all data is encrypted both when it is stored and when it is being used.
The SANS Institute explains that, because application layer encryption allows data to be encrypted in the application itself, “the data can also be encrypted across the network,” and “[b]y the time the database receives the data, it has already been encrypted and then stored in the database in this encrypted state.”
“Given that data is encrypted before it is written to the server, a hacker would need to have access to the database contents as well as the applications that were used to encrypt and decrypt the contents of the database in order to decrypt sensitive data,” as stated in “Database Encryption.” In fact, network security solution company Barracuda Networks, Inc. opined that “[a]pplication layer encryption is the only reliable mechanism to guarantee against malicious tampering of such data.”
With application layer encryption, even if an uninvited party somehow breaches the online billing or practice management system, the hacker would still not be able to access your data because it is entirely encrypted within the application system.
Although no cybersecurity system can be completely foolproof, using additional safeguards like application layer encryption results in a substantial additional safeguard to protect your data.
The attorney ethical rules and guidance are flexible in order that the general principles can evolve with new technological innovations. As an attorney, understanding who can access your data as well as where threats to data security come from is crucial.
Consider attending classes and seminars, or watching appropriate online continuing legal education (CLE) presentation, to educate yourself on the constantly changing digital arena.
By educating themselves, lawyers have a better chance using the right security and thereby preventing data breaches. Attorneys who are not up to date on available technological advances might miss out on innovations that could improve – and perhaps even save – their practice.
This article first appeared on Law Technology Today on 7/18/18.