YourABA: June 2013
YourABA September 2013 Masthead

For more information:

The ABA Legal Technology Resource Center has been providing ABA members with legal technology guidance for more than 25 years. Visit these resources for more on legal technology:
ABA Legal Technology Resource Center
Law Technology Today


Practical encryption: 3 tips for the average lawyer

By Joshua Poje
ABA Legal Technology Resource Center

Security is one of the hottest topics in legal technology, and for good reason: A security lapse can mean expensive work disruptions, frustrated clients and colleagues, and even professional discipline.

How should you be securing your data? Do a little bit of digging and you’ll find no shortage of advice. But, unfortunately, one of the most powerful security tools — encryption — also tends to be the tool that’s least well explained. Guides simply say “use encryption” but never seem to get to the how.

We’ve assembled three simple encryption tips to describe situations where you might want to use encryption, and more important, how you can get started.

Tip No. 1: Files on the Go

Scenario: You’re headed out of the office for a series of meetings and you want to bring some electronic documents with you — open files you’re working on, a draft of a presentation, etc. — but you don’t want to carry around your full laptop.

Typical solution: Grab one of the thumb drives from the pile you probably have in your desk drawer, copy over the folders and files you think you might need, and hit the road.

Problem: This is a case where convenience often trumps good sense. Throwing files onto a thumb drive and tossing it into your bag is fast and easy, but thumb drives are also easy to lose. Maybe it falls out of your pocket in a cab; maybe you plug it into a client’s computer and forget to take it with you when you leave. Either way, losing that thumb drive is equivalent to losing a file cabinet: There’s tremendous risk of exposing sensitive data.

Solution: You don’t need to entirely abandon convenience to get security. You can still use a thumb drive, but you want to make sure the contents of that drive are properly secured. There are a variety of specialty thumb drives on the market, like the IronKey, which come preloaded with sophisticated encryption software. If you want a cheaper route, the popular free encryption tool TrueCrypt can be used to turn just about any thumb drive into a highly secure encrypted drive.

A few cautionary notes:

  • Encrypted or not, you still need to be careful about where you use the thumb drive. It’s generally smart to avoid public terminals (e.g., hotel common area computers) as they may harbor keyloggers or other malware that can expose your data.
  • Don’t leave open/decrypted files unattended. If you plug in your thumb drive, decrypt the contents and then proceed to wander away from your computer for a few hours, there’s no telling who will be able to access your data.
  • Any time you copy data offsite, you’ll want to have a plan for reintegrating that data when you return. If not, you run the risk of creating a versioning nightmare where you can’t tell which version of a file is the “active” version.

Tip No. 2: Emailing With Your Clients

Scenario: You need to exchange sensitive documents with your client, but in the digital age, printing and mailing physical documents seems slow, expensive and not exactly “green.”

Typical solution: Virtually all lawyers rely on email as a primary communication tool, so when it comes time to send documents, they go right into email along with everything else.

Problem: There are a number of practical reasons to be wary of sending documents via email (e.g., versioning, organization), but the real concerns are security related. Emails are easily misaddressed and are often forwarded to third parties without your knowledge or permission. If you attach a highly sensitive document to an email and send it to the wrong person in your address book, there’s nothing to stop that person from reading and disseminating the file in a way that’s likely to get you in hot water with your client and your disciplinary body.

Solution: Newer ethics opinions, primarily those regarding cloud computing, have noted that it’s important for lawyers to evaluate the sensitivity of the data they’re handling and to take steps appropriate to the sensitivity. You shouldn’t be afraid to continue using email for most of your routine correspondence and even routine document exchanges, but when handling particularly sensitive data — like your client’s trade secrets, for example — you should go a step further. 

Encrypted email allows you to protect your communications so that both the body of the email and any attachments are accessible only if the recipient has the proper decryption key/password. Even if you accidentally direct the email to the wrong address, the unintended recipient won’t be able to see a single bit of sensitive information. Better yet, most encrypted email tools include auditing features that tell you when (and by whom) the message was opened or attachments were downloaded. In some cases, you can also set restrictions to prevent forwarding or to force the email to “expire” after a certain amount of time.

Tip No. 3: Backing Up Your Data

Scenario: As at most law firms, your data is growing day by day and you want to make sure you’re both (a) backing up that data and (b) keeping the data secure.

Typical solution: While most lawyers have developed good habits regarding backup, the security of that backup file is rarely discussed or addressed. Files are often simply copied to an external drive or burned onto DVD/CD.

Problem: There’s a tendency to view backup files as something separate and distinct from your active files, and as a result, to worry less about the security of that data. But data is data, and you’re just as vulnerable to a data breach on your backup data as you are on your primary device.

Solution: It’s difficult to give a single solution to backing up securely given that each firm’s backup strategy is different. But in general, there are a few things you can do:

  • If you’re doing a one-off backup of a file or small set of files, consider using a simple encryption tool like TrueCrypt to place a copy of those files inside an encrypted volume. You can then back up that volume to an external drive or DVD.
  • Consider a cloud backup tool that includes in-transit and at-rest encryption. Mozy, for example, offers a backup option that allows you and only you to hold the decryption key. Data is encrypted locally before being copied to the Web for backup and, therefore, the vendor has no way of accessing the data. Just don’t lose your password!
  • Look in your backup software settings for encryption options. Many of the tools used for automatic backup, particularly those that ship with external hard drives, offer an option to encrypt the backup file. The options may be disabled by default to make the software slightly easier to use.
