Volume 20, Number 4
By Joseph M. Hartley
Joseph M. Hartley is a trial lawyer in Santa Monica, California, where he tries legal malpractice cases. He can be reached via e-mail at firstname.lastname@example.org.
The digital world's ability to exchange information has several advantages: It's nearly instantaneous, you can deliver information almost anywhere in the world for practically nothing, and the information can be easily copied and adapted. It's speedy, cheap, accurate . . . and unsafe. You can place your firm's entire financial records on a modern laptop, but somebody can copy every one of those records in just a few minutes. An e-mail outlining your brilliant strategy can easily be sent to your opponent if you hit the wrong button. Even worse, one of your existing documents can be easily altered and conceivably passed off as your own.
The solution most commonly offered to render digital information secure is encryption: transforming the digital information into a code that is unrecognizable (and therefore unusable) by anyone who intercepts or steals it. Properly implemented, encryption can add a new layer of security to your operations and protect client confidences and other secrets. But it is not without its costs. Indiscriminate use of encryption can make it so burdensome that it won't be used, thus defeating the goal of increased security. This article explores how to determine whether you need encryption at all and, if you do, what kind of encryption makes sense for your needs.
The first question is whether you have any reason to encrypt any of your digital data. Some lawyers do not use e-mail and never exchange documents with clients electronically. Their office machines are well protected and not subject to being inspected by unauthorized personnel. Under these circumstances, encryption adds no real advantages and will, as shown below, actually impose significant costs and delays.
Compare this pristine (and pre-1980!) version of a law office with a twenty-first-century law firm that regularly communicates with its clients by e-mail, exchanges confidential documents with clients, possesses truly secret information in its files (clients' trade secrets, for example), and has numerous laptops that are used out of the office and thus are subject to theft, loss, or snooping by unauthorized personnel. This firm is in dire need of a firm-wide encryption policy.
Most law firms, of course, fall in between these two extremes. They need the ability to encrypt information when necessary but may use it only rarely. The question you must answer before you undertake an encryption program for your firm is, alas, how paranoid do you want to be? Encryption is not for the faint of heart and is expensive in administrative time and oversight. If you are not prepared to make the administrative investment, don't bother trying to implement encryption; you'll gain only a false sense of security. If you deal with real secrets or travel with confidential files, however, there is no better alternative than the strong encryption programs on the market.
Evaluating Your Docs
Before going through the considerable expense of obtaining and implementing an encryption scheme, you should determine generally what classes of documents in your practice might need encryption. The most common types include the following:
- E-mail. E-mail is still sufficiently secure that most ethics authorities believe that encryption is not necessary to safeguard the attorney-client privilege. However, ask yourself just how damaging each e-mail could be if it fell into the wrong hands. If this is a common concern, you probably need an encryption system so that all communications to and from clients are appropriately secure. This analysis applies to documents exchanged with clients as well.
- Electronic versions of documents protected by the attorney-client privilege. Letters or memos to clients that contain confidential or secret information often are prepared electronically but will be printed in hard copies and sent on to relevant parties. If the firm keeps the digital versions in its computers, the files are prime candidates for encryption.
- Work product documents. These range from legal research that is almost generic to the most specific details of how an attorney is going to impeach a hostile witness. Work product also may include data in litigation management programs. For example, CaseMap has a field for evaluating each fact in the database as helpful, neutral, or harmful. This is classic work product, and serious consideration should be given to whether it requires protection.
- Client secrets. Some pieces of information are more important than others. Letters to clients advising them to tell the truth at a deposition, although confidential communications, simply are not as important as, say, a trade secret like the formula for Coca-Cola. If you have such truly secret information somewhere in your computers, your client could be seriously harmed if it were stolen or disclosed. This type of material must be encrypted to protect both of you.
- Firm secrets. Some information must be kept confidential even from members of the firm. This may include financial data, employee salaries, social security numbers, health records, and so on; these are likely candidates for encryption.
Evaluating Your Needs
Take a really hard look at your practice with this list in hand, and answer the following questions:
- How many original documents do we produce? When you look at the number of truly confidential documents actually produced in a law practice, it's surprising that relatively few original documents merit the expense of encryption. On the other hand, a large and constant volume of confidential documents needs protection.
- Should we protect documents we send? The lawyer who never uses e-mail and communicates with clients only via postal or courier services should protect only the original file of a confidential document generated on a computer. A lawyer who communicates by e-mail (including both text and attachments) might want to encrypt the e-mail she sends to her client, her copy of that e-mail, and the original document attached to the e-mail stored on her machine. Different uses require different solutions.
- Are theft, snooping, or loss real possibilities? Does your office allow staff to take computers or digital information out of the office, where it can be lost or stolen? Might you want to access confidential electronic files during a deposition in an opponent's office? Would you be embarrassed if you lost the computer and someone sold unencrypted confidential information to the National Enquirer? Does your high-security building provide enough coverage to eliminate such concerns?
After reviewing these points, you may conclude that the expense and bother of encryption are unnecessary for your office. This is a perfectly acceptable answer.
Evaluating the Programs
Selective vs. total. Encryption programs offer two basic approaches: selective or total. With the first type, you may make a decision about whether or not to encrypt based on individual files. This approach has the advantage of permitting you to encrypt only what is necessary, and is also the basis for data that will be shared with clients or for encrypting e-mail. The major disadvantage is that you may fail to encrypt a sensitive file that later may be stolen or disclosed to the opposition.
The total approach involves encrypting entire computer disk drives. This encrypts all the information on a disk drive, including programs and background information, without requiring any work by the user beyond inputting a password when the computer starts up. The advantage of this approach is that all files are automatically encrypted, no exceptions. The disadvantages are that your computers will take a small performance hit from the added process, and more seriously, that someone may forget the password or change it and refuse to disclose it (like the incompetent secretary you just fired). If the encryption program is complex and you don't have access as a supervisor, you're up a creek without a paddle and in handcuffs: all information in the system is irretrievable. And that can be even more catastrophic than a revealed confidence or secret.
However, the risk may be necessary. If you store significant quantities of confidential information on a laptop, you have no choice but to encrypt the disk drive. I have watched lawyers sally forth to depositions and meetings in offices of opposing counsel and leave their laptops unattended while confidential financial and legal information on the case just sits there waiting to be intercepted. Most lawyers won't snoop in an exposed laptop (some wouldn't know how), but enough do (or just might) that protection is essential. Even if you keep it with you at all times, it can be stolen or lost. If a laptop leaves the firm, ever, its hard disks should be encrypted.
Ekrjgt dcukeu. Practically everyone has seen or can understand the elemental "Caesar" cipher: Using the alphabet, replace each letter with the one two letters further down. Thus, "a" becomes "c," "b" becomes "d," "z" becomes "b," and so forth. (Reverse this process to decode our headline.) Encryption systems scramble data based on much more complicated mathematical algorithms, but the concept is the same.
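As an added illustration (not code from the article), here is the shift-by-two cipher in Python: it decodes the headline above and then tries every possible shift against a message, which is why the article later says such substitution ciphers fall to pencil and paper. The word list used to rank candidates is a constructed sample.

```python
# Added example, not from the article: the "Caesar" shift described above.
import string

def caesar(text, shift):
    """Shift every ASCII letter by `shift` places, wrapping at 'z'.
    Case is preserved; digits, spaces and punctuation pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def decode_headline(headline):
    """Undo the article's shift of two: 'Ekrjgt dcukeu' -> 'Cipher basics'."""
    return caesar(headline, -2)

# Constructed sample of common words; enough to recognise the right shift.
COMMON_WORDS = {"the", "and", "to", "of", "a", "in", "is", "for", "that",
                "client", "cipher", "basics", "privilege", "secret", "file"}

def crack(ciphertext):
    """Try all 25 non-trivial shifts and return (shift, plaintext) for the
    candidate containing the most recognisable words. A keyspace of 25 is
    the whole reason this cipher offers no real protection."""
    strip = str.maketrans("", "", string.punctuation)
    best_shift, best_text, best_score = 0, ciphertext, -1
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        words = candidate.lower().translate(strip).split()
        score = sum(w in COMMON_WORDS for w in words)
        if score > best_score:
            best_shift, best_text, best_score = shift, candidate, score
    return best_shift, best_text

if __name__ == "__main__":
    print(decode_headline("Ekrjgt dcukeu"))
    print(crack(caesar("The formula for the secret is in the file", 2)))
```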
The major thing you need to know about cryptography is whether you need a program with a symmetric or asymmetric cipher. A symmetric cipher uses a single key to encrypt and decrypt and requires both recipient and sender to have the same key to communicate. So a simple, secure, and easy way to exchange the key is necessary. If you're already interested in office security, you probably don't want to be exchanging keys by e-mail or phone. Exchanges in person or via the mail or a courier are probably best. On the other hand, if your goal is simply to encrypt your hard disk, exchanging keys is not an issue.
The second approach uses an asymmetric cipher and is commonly called public-key encryption. This uses two separate keys: a public key that is generally available and a private key that is retained by an individual. These keys are, in essence, the reciprocal of each other; the decrypting key undoes mathematically what the encrypting key does.
Symmetric ciphers are fine if exchanging keys is not an ever-present obstacle. If you find you're spending a lot of time updating and exchanging keys, a public-key system is better. Public-key encryption, however, is painfully slow, so most systems using public keys are hybrids of the two approaches, like Pretty Good Privacy, which is the most popular public-key program.
Word and WordPerfect do not have good encryption. Most word processors and spreadsheets allow you to "encrypt" each file. (In Word, on the Tools menu, select the Security tab of the Options entry and choose a password. In WordPerfect it's a much more complex procedure: save the document under the Save As command on the File menu, check the Enable the Password Protect checkbox, click Save, enter the password at Type Password for Documents, then select the encryption option under the Protection Options section.) This method may be enough to keep most lawyers from reading a file, but the encryption is often a simple substitution cipher (such as "Caesar") that can be cracked using pencil and paper in just a few minutes. AccessData sells software that will crack these password-protected files almost instantly. Don't rely on this kind of encryption for truly important files.
Evaluating the Costs
The total cost of encryption is far more than the cost of the programs, which tend to be inexpensive. Any type of security is inherently costly in time, maintenance, and training days.
The major expense of an encryption program is devising and administering safe passwords. A safe password is one that intruders would be unable to guess from their knowledge of the firm or user. Good passwords are random combinations of letters and numbers that are case sensitive and difficult to remember; they look like "g35FFL1D" or "olkieA38" or "U3qQdrnn." Bad passwords are easy to crack and include birthdays, the user's name, names of family and pets, and, the most common, "password."
Passwords are the Achilles' heel of any encryption program. They must be used to gain access to the program, but they also must be random and therefore difficult to remember. Can you really remember "U3qQdrnn"? Neither can your staff, and they will write it down next to the computer or inside the desk. Richard Feynman, the Nobel-winning physicist, cracked most of the safes at Los Alamos during the Manhattan Project because the users wrote the combinations on pieces of paper and stored them near the safe. The password is your combination to the encrypted data; without the password, even you can't get at it.
To make matters worse, effective password management requires that you change the word on a regular basis. Online banking services, for example, typically refuse to permit a customer to use the same password for more than 90 days. Your information may not be as valuable as a bank account, but do you really want to take that chance?
Finally, you cannot permit yourself to be locked out of your own information. Select a program that allows an administrative password to unlock the same data as the user password. Decent encryption programs have this feature; don't even think of buying a program that doesn't.
Unless you're willing to assign someone in the office to be The Enforcer about passwords and do periodic desk sweeps to make sure the password isn't being written down, don't bother implementing an encryption program in your office.
Deciding that outgoing e-mail should be encrypted will mean working closely with all clients and other recipients. You will need to agree on the same program. This means either that the client has to buy the same program that you're using, or you have to buy an extra copy or license and give it to the client. You must also arrange for exchange of the keys. Without the keys, you cannot read what you receive, and your client will not be able to read your electronic messages either.
Some clients take to encryption like ducks to water and find it exciting. Others are intimidated into paranoia at the mere suggestion of it. Either way, you should have a frank discussion with your clients about the need for encryption; they will have the same costs and problems that you will, so you should be certain that encrypted communications are appropriate and necessary, not just the latest cool toy. After all, you may become their help desk for all encryption-related questions.
If you believe you really need encryption, you should get a couple of books written by Bruce Schneier, who actually makes his living as a cryptographer. Applied Cryptography (2d ed.) is an exhaustive discussion about implementing cryptography. Written for the non-math majors among us, it accessibly describes how cryptographic protocols work and explains most of the commonly accepted encryption algorithms. Its only drawback is that it was last updated in 1996.
An entirely nontechnical but profoundly insightful look into cryptography is Schneier's Secrets and Lies (2000), which is a lengthy meditation on the essence of security. Applied Cryptography tells you how to encrypt data; Secrets and Lies reveals the human factors that can cause encryption to fail.
WHAT TO AVOID
Unless you're prepared to become a mathematician, you're not going to be able (or want) to evaluate the technical features of encryption programs. What you can do, however, is become aware of danger signs in a program that indicate it is not secure.
Modern encryption technology of any merit has no secrets, which sounds like an oxymoron: The more widely known the encryption procedure, the better it can hide secrets. This can be resolved by understanding that the mathematical formulas that scramble data rely on computers that perform billions of calculations per second, and only rigorous, public mathematical testing makes flaws apparent. Never purchase an encryption product that does not rely on known, well-established (i.e., "old") encryption protocols. Many companies claim to have discovered fabulous new encryption technologies that depend on secrecy; cryptographers scornfully refer to these as "snake oil." Make sure whatever program you buy is based on an algorithm that is in the public domain and has been rigorously tested. You can find this information in Bruce Schneier's Applied Cryptography (2d ed.) or through the alt.crypt newsgroup.
If you choose a program to encrypt one or more of your hard drives, you probably have concerns that someone may gain access to the data on your computer. If so, you also should use a disk cleaner to overwrite erased and temporary files.
Several products on the market will do this, and many of them are free. They erase deleted files by writing and rewriting data to the sectors of the disk drive containing the deleted files so recovery of the original files is impossible. Look for programs that promise to erase to Department of Defense specs. A disk defragmenter will do much of the same work and make recovery much more difficult (but not impossible).