June 20, 2016

Encryption for Lawyers

Why Should Lawyers Be Interested in Encryption?

When you send information (an e-mail message, or perhaps a file) electronically, it most likely passes through wires that are used publicly by many parties, or airwaves that are essentially radios. This means that someone may be able to intercept the information along the path and read it. In order to protect information from interception by unintended parties, technology was developed that makes the information unreadable by normal means. This is called “encryption.” As will be seen below, encryption also has other uses that are important to lawyers, including message or document verification and identity verification.

In the past, encryption has been almost solely in the realm of technical experts. Governments and companies have used encryption to one extent or another to protect communications. However, today even some phone “apps” include encryption. The question is what do lawyers really need to understand about encryption in order to improve how they practice in light of new technology, rules, regulations, and ethical responsibilities? Whether you are a solo practitioner in criminal law or an in-house corporate attorney at a Fortune 100 company, encryption affects many of the issues you encounter, whether you realize it or not.

Encryption is a way to make communications that are intended to be private actually remain private. Think of a client coming to your office. You are going to speak with them about a highly sensitive matter. You meet them in the lobby and take them up to your office. You don’t discuss the matter in the lobby, the elevator, or even your firm lobby, until you reach your office or a conference room and shut the door. Encryption is the same as shutting the door to keep communications private.

Why Is Encryption Necessary?

Encryption may be used to obscure information so that only the intended parties are able to review the information in the “clear.” This may take place on a device, or during transmission across networks or the Internet. Encryption may also be used to confirm identities of a party or a device. Digital signatures are a good example of this use. Data may be authenticated through the use of encryption. Encryption may be used to show that a document is an original and has not been changed.

Lawyers need to understand the basic concepts upon which encryption is based. This will help them understand how their companies are using encryption, how adversaries in litigation may have made decisions, or errors, in the use of encryption, how to protect their clients’ information, and how to protect themselves.

More than ever before, personal and confidential information is transmitted over the Internet in clear text and potentially exposed. Many people today increasingly rely on technology, but do not fully understand the importance of data, software, and systems security. Moreover, even security professionals have trouble using programs and tools intended for security purposes. As a result, several companies have recently suffered major data breaches resulting in high profile litigation. Damages can be massive, and additional losses can include credit monitoring for all customers (direct and indirect); years of systemic, companywide, and obtrusive audits to identify and correct not just the source of the leak but also other broken business processes discovered during those audits; long-term impact to profitability/revenue projections; and data theft and destruction of files, servers, and storage systems. A basic knowledge of encryption and cybersecurity is necessary to help a user understand how he or she is an important part of the network that keeps their own data, and the data of their employer, safe.

How Encryption Works

Encryption is the conversion of data from one format to another format that is indecipherable by normal means, thus protecting the content of the data from prying eyes. It is the process of transforming data using a mathematical or logical function and delivering it to the recipient who then “unpacks” it using the appropriate methods or processes. The input is referred to as plaintext. Plaintext can be any form of information such as text, binary code, or even an image that needs to be transformed into a format that is unreadable by anyone except those who possess the secret to unlocking it. Encryption transforms plaintext into ciphertext, which contains the original message in a scrambled form.

Algorithms – Executing Encryption

One of the more challenging aspects of the encryption process, and arguably the most puzzling for the bench and bar, is the algorithm/cipher process. The algorithm or cipher consists of discrete steps that mandate how the encryption/decryption process is to be performed. To take a simple example, an algorithm could be to convert the letters in a message into numbers corresponding to their place in the alphabet, thus yielding an encrypted message or ciphertext. To decrypt the ciphertext, the algorithm would dictate that this process is reversed by converting the numbers back to their corresponding letters. The algorithm is thus the set of directives by which the encryption/decryption is executed.

Keys – Unlocking the Secrets of Encrypted Data

In technical terms, a key “is a discrete piece of information that enacts a specific result or output for a given cryptographic operation.” An encryption key can be thought of in the same way as a physical key or, perhaps more appropriately, a combination for a locker; they are special tools used to unlock something. In encryption, keys are the pieces of information that unlock the meaning of the encrypted data. The algorithm employed in a given encryption process defines the encryption key. It can be thought of as the design of the lock, which determines the specific cuts and grooves in the key that make it work.

Hashing – One-Way Encryption

Hashing is a distinct and different area of encryption. Hashing takes plaintext and transforms it into ciphertext in a way that is not intended to be decrypted. It does not keep the information secret, but rather focuses on preserving the integrity of the data and ensuring that the data received is what the sender intended the receiver to have. It is one-way encryption. The hashing function executed on the plaintext data is responsible for generating a fixed-length value that is relatively easy to compute in one direction, but almost impossible to reverse.

The hashing process outputs what is referred to as a hash, hash value, or message digest. The value should be unique for every different input that enters the process. This property of hashes allows one to detect even the slightest changes to data of any type. Basically, anything that is hashed and then changed, even minutely, will result in an entirely different hash value from the original value. For example, hashing may be used on a document when an e-signature is applied. Then, as long as the hash value has not changed, the originality of the document may be confirmed.

Here are a few of the places where hashes play an important role today:

  • Digital certificates
  • Verifying downloaded software
  • Password storage
  • Digital signatures
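The document check described above can be sketched in a few lines. This is an added example, not part of the original article: it assumes SHA-256 as the hash function (the article names none), and the file names and contents are constructed for illustration.

```python
import hashlib
import hmac

def digest(data: bytes) -> str:
    """Return the SHA-256 hash value: always 64 hex characters."""
    return hashlib.sha256(data).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count how many of the 256 bits differ between two hash values."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def build_manifest(documents: dict) -> dict:
    """Record a hash value for each document at signing time."""
    return {name: digest(body) for name, body in documents.items()}

def verify(documents: dict, manifest: dict) -> dict:
    """Re-hash what was received and compare with the recorded values."""
    report = {}
    for name, recorded in manifest.items():
        if name not in documents:
            report[name] = "missing"
        elif hmac.compare_digest(digest(documents[name]), recorded):
            report[name] = "unchanged"
        else:
            report[name] = "altered"
    for name in documents.keys() - manifest.keys():
        report[name] = "not in manifest"
    return report

# Constructed sample data (hypothetical file names and contents).
SIGNED = {
    "settlement.txt": b"Defendant shall pay $10,000 within 30 days.",
    "exhibit_a.txt": b"Invoice 17, dated 3 March.",
}
RECEIVED = {
    "settlement.txt": b"Defendant shall pay $90,000 within 30 days.",  # one character changed
    "exhibit_a.txt": b"Invoice 17, dated 3 March.",
    "exhibit_b.txt": b"Added after signing.",
}
MANIFEST = build_manifest(SIGNED)

if __name__ == "__main__":
    for name, status in sorted(verify(RECEIVED, MANIFEST).items()):
        print(f"{name}: {status}")
    changed = differing_bits(MANIFEST["settlement.txt"], digest(RECEIVED["settlement.txt"]))
    print(f"settlement.txt: {changed} of 256 hash bits differ after a one-character edit")
```

The manifest only proves integrity if it is itself kept where the person who could alter the documents cannot also rewrite it.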

Digital Certificates – Passports of the Digital World

One of the primary issues in encryption is key distribution. A digital certificate identifies the holder of a particular key. It is like a digital passport. At a high level, a digital certificate is generated by an authentication system, and it provides identity verification. Depending on the type of certificate, the user may have to answer queries or enter information to verify their identity, thus protecting against undesirable results such as fraud.

A vast majority of the devices we use on a daily basis to communicate in a safe and secure manner would not work properly without digital certificates. Digital certificates are necessary for identity and authority verification in Public Key Infrastructure (PKI). Digital certificates bind public keys to their holding parties and indicate the actions that the holder of the key is allowed to exercise.

Examples

The following examples show how encryption issues have led to legal issues. They go beyond the major data compromises that have been in the news. These are real life examples of a type that comes up every day in companies, but that is not usually presented to the legal team.

  • A major bank had their entire consumer banking system go offline for hours because certain certificates expired and servers were unable to recognize each other.
  • A major international employer wanted to prevent malware entering their systems through employees clicking on links in phishing e-mails. This required intercepting and monitoring all international employee internet traffic (including encrypted communications) through the use of certificates bearing the names of the target sites, which may even have been competitors’ sites.
  • A money management company was socially engineered, and a key which allowed access to a system that contained client information was provided to an unauthorized party.
  • A company that provided virtual private network (VPN) authentication technology to companies was compromised such that the VPN transmissions could potentially be read by outside parties.

Each of these situations presented significant legal and risk issues that lawyers had to help address.
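The expired-certificate outage in the bank example is the kind of failure a routine inventory check catches in advance. The sketch below is an added example, not from the original article: the host names, dates, and 30-day warning window are constructed assumptions, and the date strings use the notAfter format that Python's ssl module reports for a certificate.

```python
import ssl
from datetime import datetime, timezone

def days_remaining(not_after: str, now: datetime) -> float:
    """Days until the certificate's notAfter time; negative once expired."""
    expires = ssl.cert_time_to_seconds(not_after)  # epoch seconds, UTC
    return (expires - now.timestamp()) / 86400

def classify(inventory: dict, now: datetime, warn_days: int = 30) -> dict:
    """Map each host to 'expired', 'expiring', 'ok' or 'unreadable'."""
    report = {}
    for host, not_after in inventory.items():
        try:
            left = days_remaining(not_after, now)
        except ValueError:
            # A date that cannot be parsed is a finding, not a pass.
            report[host] = "unreadable"
            continue
        if left <= 0:
            report[host] = "expired"
        elif left <= warn_days:
            report[host] = "expiring"
        else:
            report[host] = "ok"
    return report

def needs_action(report: dict) -> list:
    """Hosts whose certificates someone must look at, in stable order."""
    return sorted(host for host, status in report.items() if status != "ok")

# Constructed inventory (hypothetical hosts) and a fixed reference time.
NOW = datetime(2016, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
INVENTORY = {
    "auth.bank.example": "Jun 20 11:59:59 2016 GMT",    # expired one second ago
    "api.bank.example": "Jul  5 12:00:00 2016 GMT",     # 15 days left
    "www.bank.example": "Jun 20 12:00:00 2017 GMT",     # 365 days left
    "ledger.bank.example": "2016-07-01",                # not in certificate format
}

if __name__ == "__main__":
    report = classify(INVENTORY, NOW)
    for host in needs_action(report):
        print(f"{host}: {report[host]}")
```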

How to Encrypt Messages

There are a variety of methods lawyers may use to encrypt messages. Generally, e-mail outside a firm is not encrypted. At larger firms, the IT department usually sets up a system where if “SECURE” or something similar is placed at the start of the subject line, the message is automatically encrypted. In this situation, the client will receive a message asking them to log into a site and retrieve the message. Additionally, the IT department may set up a technology called Transport Layer Security (TLS) with the client e-mail servers, and, if done correctly, all messages between the servers will then be encrypted.

For smaller firms or individual lawyers, there are a variety of options, none of which are easy or elegant. There are a variety of secure messaging apps. iMessage uses encryption, except in iCloud. There are specialized apps that have been developed for encrypted messaging, and even encrypted calls. Signal, Telegram, and Glyph are a few of the apps that encrypt messages. Proton Mail provides an encrypted e-mail service that works in different ways depending on whether the person on the other side has the app as well. However, document retention, e-discovery, HIPAA, GLBA and Sarbanes-Oxley compliance, for example, are complicated by many encrypted apps. There are companies who have developed solutions to try to balance security and compliance, such as Vaporstream or MobileGuard. These are relatively new solutions and it is expected that encryption and compliance will be more highly integrated in the future.

Teaching Your Employees about Cyber Security

Motivating employees to encrypt their data and maximize password security might not sound like an easy task, but it is a critical one. A business can no longer rely on its IT department alone to keep its sensitive data private and IT systems secure. Helping your employees understand basic risks, such as those related to password security and portable devices in the workplace, helps to secure a company’s data as a whole, and saves money and time overall.

This newfound security awareness means making employees highly sensitive to security concerns. Employees should be trained to avoid security lapses like writing down passwords near their computers or giving out passwords to other employees. They also need to stay vigilant against persons claiming on the telephone to be employees working in the company’s MIS department (so-called social engineering). Passwords should be required to be “strong” passwords that cannot easily be broken by programs that can quickly break passwords composed of dictionary words, and they should be required to be changed on a monthly or bimonthly basis.

The organization’s internal security policy must also take account of the widespread availability of portable devices and storage media that can be connected to a network and used to download sensitive data. The security policy should prohibit regular employees and other personnel with access to the network computers from connecting portable devices that are not authorized and provided by the organization. Storage of sensitive data on portable devices should be strongly discouraged in favor of more secure alternatives; where it is unavoidable, policy should require that the data be encrypted. Speed bumps should be created on internal network systems to limit access to sensitive data to only required employees.

These are just some of the basic security skills that are easy to teach employees. Additionally, while it may seem self-explanatory, it is worth repeating that social networks are never truly private, and a “private” message to a friend can be shared far more widely than one might anticipate. Without educating employees on what they can do to keep electronic information secure and why it’s important, a company will struggle to defend its cyber “borders” from danger both inside and out.

Cybersecurity and Privacy Through the Encryption Lens

Cybersecurity and privacy have become irrevocably intertwined. It is impossible to protect electronic personal information without robust cybersecurity. Even if a company scrupulously follows the requirements of the jurisdiction in which personal data is collected, and provides appropriate notices of the use of the information and of the rights of the individuals who provide it, the entities that collect or hold such personal data may face significant liabilities and penalties unless the information is appropriately protected in transit, during processing, and at rest. For example, the new EU/U.S. Privacy Shield that is to replace the Safe Harbor requires such appropriate protections.

Encryption is the primary basis at each stage. As discussed above, from protection during transmission to authentication of those who are provided access to the data, encryption plays the central technological role. However, it is humans who set up the technology, create and enforce the policies, and make the decisions of how strong the protections will be at each level. As a steward of client risk, the lawyer should immerse herself in the particulars of encryption policies and practices. This includes decisions on how and when communications of employees will be monitored.

It should be noted that encryption makes it more difficult to monitor many employee communications. When employees upload a confidential file to an online storage account, such as Box, using web pages with Secure Sockets Layer (SSL) encryption, or if they send an encrypted e-mail to a personal e-mail account, the company may not be able to determine the contents of the communication. This creates significant risks. There are technical solutions that may allow employers to bypass the encryption and monitor the communications, but if the communications are of a personal nature, this creates a different kind of risk, especially in the international privacy area. The attorney should be directly involved in these policy and technical decisions so that the risks being undertaken are properly managed, and to ensure the appropriate controls are in place.

Conclusion

Most attorneys do not consider the implications of encryption and cybersecurity in their daily lives. They may feel intimidated by the technology or that the responsibility is elsewhere. As we have shown, encryption use and practices fall squarely within the role of lawyers, from implementation to training. If you understand the basic concepts, you can guide the technologists in appropriate and legal protections of information. As more companies become dependent on information for operations and revenue, encryption takes on a larger and larger role. Lawyers need to watch over how it is implemented and used. This article just touches the basics of encryption technology and some of its uses. There is significantly more to learn and understand as technology advances at a rapid rate.
