What Attorneys Need to Know About Encryption

Most lawyers know that it is important to secure client property with locks and keys.  But, as a lawyer, do you apply the same level of caution when it comes to the digital  information of your clients?

Improvements in technology enable lawyers to use more efficient methods for storing, transmitting, processing, and utilizing client communications, work product, employee information, and other confidential data.

If law firms neglect to implement essential data encryption and data security measures, technologies that make lawyers' jobs easier can potentially disclose confidential client information.

Different lawyers and law firms employ various cloud-based law practice management software and storage applications to create or store documents, record or handle their invoices, or carry out other professional tasks. 

Even if you or your firm do not store any data on the cloud, what measures do you take if a server, desktop, or laptop computer is stolen or compromised?

By creating and enforcing a suitable encryption policy at your law business, you can mitigate risk and prevent a potentially expensive or catastrophic breach of your clients' sensitive information.

Why Should Attorneys Care About Encryption?

Attorneys have a legal duty to safeguard the privacy of their clients' information, and law companies must be more vigilant about confidentiality than typical businesses. 

Failure to adequately protect client communications and data by law firms may result in a breach of the attorney-client privilege, loss of clients, exposure to malpractice lawsuits, harm to their reputation, and potentially even the revocation of their law license.

From an ethical standpoint, the lawyer's obligation to protect client data is often governed by four rules:  “ABA Model Rule 1.1, which deals with competence; Rule 1.4, which involves communications; Rule 1.6, which covers the duty of confidentiality; and rules 5.1 through 5.3, which focus on lawyer and nonlawyer associations.”

For instance, in the event that attorneys in California neglect to implement the necessary measures to safeguard client data, they are in breach of their obligations of confidentiality and proficiency. Opinion 12-3 of Professional Ethics of the Florida Bar states that “[l]awyers may use cloud computing if they take reasonable precautions to ensure that confidentiality of client information is maintained, that the service provider maintains adequate security, and that the lawyer has adequate access to the information stored remotely,” and “[t]he lawyer should research the service provider to be used.”

Attorneys are obligated to make “reasonable efforts" to prevent the accidental or unauthorized disclosure and access to client information, according to these ethical principles. These rules also mandate that lawyers must stay updated not only on the law but also on technology.

As an illustration, ABA Formal Opinion 477R advises that lawyers should possess a comprehensive understanding of the processes involved in generating their firm's electronic communications and documents, the location of client data, and the available methods for accessing that information. The ABA's Formal Opinion states that lawyers must consistently assess and examine their electronic communication about client matters on an individual basis.

Various communication channels and other technology systems present distinct risks. Communicating via email has distinct security considerations compared to using a private chat function on a website. Similarly, the safeguards for storing data on a local computer or server differ from those for storing data in the cloud using a service such as DropBox or OneDrive.

What Is Data Encryption?

Encryption is a process that converts text and other data into a language that is known only to you, thereby ensuring confidentiality. Encryption is the process of transforming readable text, documents, or other data into incomprehensible and jumbled letters and numbers.

Encryption, in its fundamental essence, is a notion that has been employed for millennia. Ancient Egyptian, Hebrew, Greek, Chinese, Roman, and Arabic civilizations employed diverse encryption techniques to transmit confidential messages and safeguard trade secrets, among other purposes.

The underlying principle shared by different encryption algorithms is the systematic transformation of conventional texts or other information into seemingly incomprehensible nonsense. An encryption algorithm or cipher is the systematic process used to scramble regular data.

Subsequently, the identical encryption procedure or cipher can be employed to decipher the seemingly nonsensical text and restore it to its original form. The encryption algorithm frequently necessitates the utilization of a “key" that unscrambles and “decrypts" the encrypted material.

Currently, there exist numerous intricate encryption algorithms and techniques that offer diverse levels of security in varying situations. As an illustration, the National Institute of Standards and Technology (NIST) introduced the Advanced Encryption Standard (AES) in 2001. This decision came after a rigorous five-year evaluation process involving competition among different encryption algorithms.

Further exploration of encryption kinds and procedures is outside the limits of this article. Instead, our focus will be on distinguishing between encryption “in transit," encryption “at rest," “file-level encryption," and “application-level encryption." These words are frequently employed by vendors who aim to market different solutions to lawyers and law firms.

What is “Encryption In Transit”

Lawyers should be cognizant of the fact that data transmitted via the Internet is susceptible to interception by unauthorized entities. Data that is transmitted over the internet or within a local network is referred to as “data in transit."

Due to the vulnerability of data in transit to interception and unauthorized access, it is common practice to encrypt this data. The process of securing data as it is being transferred, such as from a web browser to a company's website, is referred to as “encryption in transit" or “end-to-end encryption."

Encryption in transit should be obligatory for all network communication that necessitates authentication or contains data that is not publicly available. Due to the presence of sensitive and privileged information in a legal firm's data, lawyers must give particular consideration to this matter.

Websites commonly utilize encryption in transit.

When you access a website, do you check if the website URL starts with HTTP or HTTPS? The acronym “HTTP" stands for Hyper Text Transfer Protocol. The letter “S" in this context represents the word “secure." When accessing a website, ensure that you utilize the secure version, as HTTP websites lack encryption measures to safeguard data transmitted over the internet to and from the website.

Web browsers such as Microsoft Edge, Firefox, and Chrome also exhibit a padlock symbol in the address bar to signify the presence of a secure HTTPS connection. The most straightforward method to determine if you are on a secure website is to search for the padlock symbol.

Lawyers must ensure that while working and collaborating online, their applications employ either encryption in transit or end-to-end encryption.

In addition, attorneys should be cognizant that encryption in transit alone only safeguards data during its transmission from their browser to the vendor's website, and not during any other period.

What is “Encryption At Rest”

It is important to note that the data that is stored and not actively being used on devices, known as “data at rest," might potentially be vulnerable to a data breach.

Data at rest encryption is commonly employed to safeguard information stored on inactive or inaccessible devices such as hard drives, thumb drives, laptops, and mobile devices.

It is typical for companies to encrypt data while it is being sent because this encryption is visible to customers. However, in certain situations, companies may choose not to encrypt data when it is at rest.

While physical access can bypass file system permissions, if the data is encrypted and the attacker lacks the decryption key, the data is essentially useless to them. The crook would either have a functional paperweight or a drive that they can reformat and repurpose.

For instance, in the event that you own confidential data stored on a desktop computer or laptop and you misplace your device, anyone who discovers your computer can simply retrieve its files if they are not encrypted, regardless of whether you have password protected your account.

Data at rest is a desirable target for hackers due to the presence of significant financial information and personnel data, which is commonly stored in unencrypted files. In the event of a theft of a lawyer's desktop computer, laptop, tablet, or mobile phone, the consequences can be even more catastrophic.

Lost devices accounted for 41% of all data breaches, as reported by legal software vendor Clio. A laptop is reported missing or stolen at an average rate of one every 53 seconds. Approximately 70 million smartphones are misplaced annually, with a mere 7% being successfully retrieved. According to a recent survey conducted by Intel, more than 12,000 computers are lost or stolen every week in U.S. airports alone.

Device loss is an event that no one anticipates, and its specific occurrence is unpredictable.

“Full disk" encryption is a form of encryption that protects confidential data from unwanted access when the storage device is lost or stolen. Enabling full disk encryption on desktop computers, laptops, and other devices that store client conversations and data can greatly enhance the security of important client information.

The majority of modern desktop computers, laptops, tablets, and mobile phones offer the capability to encrypt the entirety of the digital storage on the device. Microsoft Windows includes a technology called BitLocker, which enables complete encryption of the entire drive. Apple employs a functionality known as FileVault for the identical objective. Android also provides comprehensive encryption for the entire drive.

Nevertheless, similar to encryption at rest in general, whole disk encryption solely safeguards data when the computer or other device is powered down. If full disk encryption is enabled on a computer or other device, but the device is lost or stolen while powered on, the “at rest" or “full disk" encryption will not prevent an unauthorized individual from accessing the secret information stored on the device.

Several internet service providers promote the use of encryption at rest, which is beneficial. Nevertheless, some providers also promote uptime rates of 99% or higher, indicating that their systems are operational and accessible for usage practically all the time.

Consequently, this implies that the data saved with the internet service provider is typically accessible, even to an unauthorized hacker.

What measures can be used to safeguard law firm data when it is kept in the systems of an online service provider?

What is “File Level Encryption"?

To enhance your company's data security, consider utilizing applications that include extra encryption methods such as “file level encryption."

File-level encryption enables individual encryption of each file on your computer, phone, or in cloud storage.  “File encryption" is the optimal option when considering strong security and the need for additional security features.

File-level encryption provides lawyers with the ability to restrict access to their secret information solely via the use of a password or key. This offers a reliable approach to store files securely, while also allowing for the secure transmission of the file by email or other means to another individual who possesses the password or encryption key.

There is a wide array of tools available for encrypting your files.

VeraCrypt is an exemplary software that is both user-friendly and efficient. Additionally, it is available at no cost. GNU Privacy Guard (GnuPG) is another widely used utility that offers various implementations and is also available for free. AESCrypt, a third program, has been hailed as “the most straightforward and efficient method to rapidly and effortlessly encrypt almost any file." Furthermore, it is available at no cost.

These and other such programs can be utilized to securely store confidential files on a computer, USB drive, mobile device, or even in cloud services such as Dropbox, Box, Microsoft OneDrive, and Google Drive.

Furthermore, there are other various services such as Encrypto, BoxCryptor, Sookasa, and Cryptomator that specialize in offering encryption for cloud storage.

File-level encryption is highly effective for storing files and securely sending electronic files to multiple recipients via email or other means. However, what measures can be taken to safeguard sensitive information belonging to a law firm when it is kept in an online billing or practice management system?

What is “Application Layer Encryption"?

For the best level of security in storing data in an online billing or practice management system, encryption at the application layer, also known as app level encryption, is recommended.

Application layer encryption ensures that data is consistently encrypted, both when it is stored and when it is being transferred. When an online billing or practice management system employs the application layer encryption approach, encryption and decryption take place within the application itself, ensuring that all data is encrypted during storage and usage.

According to the SANS Institute, application layer encryption ensures that data is encrypted within the application, allowing for encryption across the network. This means that by the time the database receives the data, it has already been encrypted and stored in the database in its encrypted form.

In order to gain access to sensitive data, a hacker would require access to both the database contents and the software used for encryption and decryption. This is because the data is encrypted before being stored on the server.

Barracuda Networks, Inc., a network security solution business, stated that application layer encryption is the sole dependable method to ensure protection against unauthorized modification of data.

Through the implementation of application layer encryption, in the event that an unauthorized individual manages to infiltrate the online billing or practice management system, they would still be unable to gain access to your data due to its complete encryption within the application system.

While it is impossible for any cybersecurity solution to be fully infallible, incorporating extra measures such as application layer encryption significantly enhances the protection of your data.

Conclusion

State Bar rules and guidance are designed to be adaptable so that they can keep pace with new technological advancements.

As a lawyer, it is essential to comprehend which individuals have the ability to obtain your data and the sources of potential data security risks.

It is advisable to participate in workshops and seminars, or access suitable online continuing legal education (CLE) presentations, in order to acquire knowledge about the ever-evolving digital landscape.

Lawyers can enhance their likelihood of preventing data breaches by acquiring knowledge and understanding of appropriate security measures. Attorneys who are not well-informed about the latest technical advancements may overlook opportunities for innovation that may enhance, and potentially even rescue, their profession.