“The real reason for encryption is to protect data: protect it from data breaches, protect it from folks getting access to that information who shouldn’t have access,” said Simek, vice president of Sensei Enterprises, a digital forensics, information security and information technology company in Fairfax, Va.
About 70 percent of data breaches involve laptops and portable media, he said. In 2007, 18 laptops were stolen from a law firm in Orlando, Fla., but the data was encrypted, Simek said, so no one could access it.
“You can consider encryption to be your get-out-of-jail-free card,” he said. “If it’s encrypted, it’s protected, and folks will not be able to gain access to it. There is no requirement to comply with data breach notification because the data is not accessible.”
Most lawyers avoid encryption for two reasons, said Ries, an attorney at Clark Hill Thorp Reed in Pittsburgh. “First, most attorneys think that encryption is too difficult,” he said. “They don’t want to go through the time to have to understand it. A lot of attorneys also think that they never need it. Both of those assumptions are wrong.”
Fortunately, users don’t have to understand the high-level math, computer science and computer engineering that go into encryption, Ries said. “For users, encryption is becoming easier,” he said. “Most attorneys will need some technical help in setting up encryption, but once it’s installed, it becomes easy to use.”
Both ethics and common-law rules address the attorney’s duty to safeguard client data, Ries said. In addition, “more and more, we are seeing contracts requiring attorneys to safeguard information, particularly where clients are in regulated industries like health care and financial services,” he said.
Model Rule 1.1 on competence was amended in August 2012 at the ABA Annual Meeting to reflect the attorney’s duty to understand the risks of relevant technology, including the risks to security and confidentiality of information. “Significantly, the [Ethics 20/20] commission said this wasn’t really a change,” Ries said. “It was just taking something that was already an implied duty and making it expressed.”
The comment to Rule 1.6 was also modified, tying together competence and confidentiality, Ries said. “This is basically saying that attorneys have duties to take competent and reasonable measures to safeguard information relating to clients,” he said.
Part of safeguarding client information with encryption is protecting the decryption key, Simek said. “If someone gets their hands on it, now they’re off to the races, so the encryption doesn’t do you any good,” he said.
A strong password of 12 or more characters is a must, he added.
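The point Simek makes about the decryption key can be shown concretely. Full-disk encryption products do not encrypt the drive with the password itself; they generate a random data-encryption key (DEK), wrap it under a key derived from the password, and store only the wrapped key in a small header on disk. A thief with the stolen laptop therefore never has to attack the ciphertext: guessing the password against that header is enough. The script below is an added example, not code from the article or from either speaker's firm, and it uses only the Python standard library; the XOR-plus-HMAC wrap, the iteration count and the `COMMON_PASSWORDS` wordlist are stand-ins constructed for the demonstration, not any vendor's format.

```python
"""Added example: why the password guarding a full-disk encryption key is the weak point.

Hypothetical, simplified key-wrapping scheme built from the standard library.
Real products (BitLocker, LUKS, FileVault) use AES key wrap, far higher iteration
counts or memory-hard KDFs, and often bind the key to a TPM as well.
"""
import hashlib
import hmac
import math
import os

# Kept low so the demo runs in about a second; real products use far more iterations.
ITERATIONS = 20_000

# Constructed wordlist standing in for the top entries of a leaked-password list.
COMMON_PASSWORDS = ["123456", "password", "letmein", "Password1", "Welcome1", "lawfirm2013"]


def derive_kek(password, salt):
    """Key-encryption key from the user's password via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def protect_dek(password):
    """Generate a random 256-bit data-encryption key (DEK) and wrap it under the password.

    Returns (header, dek): the header is what sits on disk; the DEK is what actually
    encrypts the volume and should only ever exist in memory. Wrapping is XOR with the
    KEK plus an HMAC tag, a hypothetical stand-in for the AES key wrap real products use.
    """
    salt = os.urandom(16)
    dek = os.urandom(32)
    kek = derive_kek(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, kek))
    tag = hmac.new(kek, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}, dek


def unwrap_dek(header, password):
    """Return the DEK if the password is right, otherwise None."""
    kek = derive_kek(password, header["salt"])
    expected = hmac.new(kek, header["salt"] + header["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(header["wrapped"], kek))


def dictionary_attack(header, guesses):
    """What a thief does with a stolen laptop: run a wordlist against the key header.

    The encrypted client files are never touched; only the small header is tested,
    which is why the password guarding the key decides whether the encryption holds.
    """
    for guess in guesses:
        if unwrap_dek(header, guess) is not None:
            return guess
    return None


def password_bits(password):
    """Rough strength estimate: length * log2(alphabet size), assuming each character
    was chosen at random from the character classes present in the password."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet)


if __name__ == "__main__":
    header, _ = protect_dek("Password1")
    print("weak password recovered:", dictionary_attack(header, COMMON_PASSWORDS))
    header, _ = protect_dek("Tr0ub4dor&3-xk")
    print("12+ character passphrase recovered:", dictionary_attack(header, COMMON_PASSWORDS))
    print("estimated bits:", round(password_bits("Password1"), 1),
          "vs", round(password_bits("Tr0ub4dor&3-xk"), 1))
```

Two things the run makes visible. First, the attacker never needs the client data to test a guess, so disk size and cipher strength are irrelevant once the password is weak. Second, `password_bits` is only a ceiling: the 12-character guideline above buys roughly 79 bits for genuinely random printable characters, but a 14-character string built from a dictionary word and predictable substitutions is worth far less than the formula reports, which is why the wordlist, not the arithmetic, is the realistic threat model.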
Both data at rest (located on servers, desktops and laptops) and data in motion (transferred over wired networks, the Internet and cellular networks) need to be protected, Simek said.
He recommended full-disk encryption to protect data at rest on laptops and desktops. Full-disk encryption can be obtained at the hardware, operating system or software levels.
“If you’re buying a new computer, I highly recommend that you get the hardware-level encryption built in,” Ries said.