July 01, 2015

Encryption: Basic security you should be using now

David G. Ries

Encryption is now a generally accepted security measure to protect confidential data. Yet many attorneys have either ignored encryption or offered pretexts for avoiding it. Attorneys often dismiss encryption, stating that “I don’t need encryption,” “Encryption is too difficult,” and “Encryption is too expensive.” These excuses, however, are misplaced, and all attorneys should generally understand encryption, use it when appropriate, and make informed decisions regarding when encryption should be used and when it may be avoided.

Encryption basics

Encryption is an electronic process to protect data using two steps—encryption and decryption.

  • Encryption is the conversion of data from a readable form, called plaintext, into a form, called ciphertext, which cannot be understood by unauthorized people.
  • Decryption is the process of converting encrypted data back into its original form (plaintext), so it can be understood.

Encryption can protect stored data (on servers, desktops, laptops, tablets, smartphones, portable devices, etc.) and transmitted data (over wired and wireless networks, including the Internet and e-mail).

Encryption uses a mathematical formula to convert the readable plaintext into unreadable ciphertext. The mathematical formula is an algorithm (called a cipher). Decryption is the reverse process that uses the same algorithm to transform the unreadable ciphertext back to readable plaintext. The algorithms are built into encryption programs—users don’t have to deal with them when they are using encryption.

Figure 1. The encryption process.

Encryption keys are used to implement encryption for a specific user or users. A key generator that works with the selected encryption algorithm is used to generate a unique key or key pair for the user(s). A key is just a line or set of data that is used with the algorithm to encrypt and decrypt the data. Protection is provided by use of the algorithm with the unique key or keys.

The process is called secret key or symmetric key encryption where the same key is used with an algorithm to both encrypt and decrypt the data. With secret key encryption, it is critical to protect the security of the key because it can be used by anyone with access to it to decrypt the data.

Where a key pair is used, one to encrypt the data and a second one to decrypt the data, the process is called asymmetric encryption. For this kind of encryption, a key generator is used to generate a unique key pair, one for encryption (a public key) and the other for decryption (a private key). With key pairs, it is critical to protect the private decryption key since anyone with access to it can decrypt the data.
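The two key models described above, as an added example that is not part of the original article. It uses the built-in crypto module of Node.js, with AES-256-GCM standing in for secret key encryption and RSA-OAEP for key pair encryption; the algorithm choices, function names, and sample memo are assumptions made for illustration.

```javascript
// Added illustration: names, algorithms and sample data are assumptions.
const nodeCrypto = require('crypto');

// Symmetric (secret key): the SAME key encrypts and decrypts. AES-256-GCM.
function symmetricEncrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

function symmetricDecrypt(key, { iv, ciphertext, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // final() throws if the key is wrong or data was altered
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Asymmetric (key pair): public key encrypts, only the private key decrypts. RSA-OAEP.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function asymmetricEncrypt(publicKey, plaintext) {
  return nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(plaintext, 'utf8'));
}

function asymmetricDecrypt(privateKey, ciphertext) {
  return nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString('utf8');
}

// True if fn() completes, false if it throws (decryption with the wrong key).
const succeeds = (fn) => { try { fn(); return true; } catch { return false; } };

function demo() {
  const memo = 'Privileged: draft settlement terms'; // constructed sample plaintext
  const sharedKey = nodeCrypto.randomBytes(32);      // 256-bit secret key
  const otherKey = nodeCrypto.randomBytes(32);       // a key the recipient does not hold
  const box = symmetricEncrypt(sharedKey, memo);
  const recipient = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const stranger = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sealed = asymmetricEncrypt(recipient.publicKey, memo);
  return {
    symmetricRoundTrip: symmetricDecrypt(sharedKey, box) === memo,
    symmetricWrongKey: succeeds(() => symmetricDecrypt(otherKey, box)),
    asymmetricRoundTrip: asymmetricDecrypt(recipient.privateKey, sealed) === memo,
    asymmetricWrongKey: succeeds(() => asymmetricDecrypt(stranger.privateKey, sealed)),
  };
}

console.log(demo());
```

Both round trips succeed and both wrong-key attempts fail, which is why the secret key and the private key are the items that must be protected.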

For a simplified comparison to the physical world, the encryption program is like a lock, the algorithm is like the internal mechanism of the lock, and the key is like a physical key or combination.

Attorneys need encryption

Threats to data in information systems and computers used by attorneys are at an all-time high and growing. Electronic communications and wired and wireless network traffic can be intercepted. Cyberspace is a dangerous place. The FBI has repeatedly warned that hundreds of law firms are being targeted by hackers.

Encryption, as part of a robust security program, can provide strong protection against many current threats.

Encryption is particularly important for laptops, smartphones, tablets, and portable media because they can easily be lost or stolen. The Verizon 2014 Data Breach Investigation Report explains it this way:

Encrypt devices

Considering the high frequency of lost assets, encryption is as close to a no-brainer solution as it gets for this incident pattern. Sure, the asset is still missing, but at least it will save a lot of worry, embarrassment, and potential lawsuits by simply being able to say the information within it was protected.

(Emphasis added.)

Encryption is generally easy

Fortunately, easy-to-use encryption options are available. Encryption and decryption are often automatic, after setup, or are as easy as point and click. In many applications of encryption, data is automatically decrypted when a user logs on and automatically encrypted when a user logs off or shuts down. Encrypting e-mail, after setup, is often automatic or requires a simple click or checking a box. Many attorneys will need technical assistance to install and set up encryption, but it’s generally easy from there.

Encryption can be so transparent that users don’t even know that they are using it. For example, iPads and current iPhones automatically enable encryption when a user sets a passcode. (On Android phones and tablets and Blackberries, encryption is enabled by clicking a button or buttons.)

Encryption is affordable

There are currently many affordable options available for encryption, including free options. Some examples include:

  • Encryption is built in to iPhones, iPads, Android phones and tablets, and Blackberries.
  • The current business versions of Windows (e.g., Windows 8 Professional and Enterprise) have built-in encryption, called BitLocker—included at no cost. It does require the extra cost of the business version, but that provides additional functionality beyond encryption. BitLocker works best with more expensive business-class laptops and desktops that have hardware called a TPM (Trusted Platform Module) chip installed. Again, this grade of PC provides additional features beyond encryption support.
  • Apple laptops and desktops have built-in encryption called FileVault 2—included at no cost.
  • Reasonably priced encryption software is available from suppliers like Symantec, McAfee, Check Point, WinMagic, and Sophos.
  • Low-cost portable drives are available with built-in encryption or they can be encrypted with FileVault 2, BitLocker, or encryption software.
  • Gmail and Yahoo have announced that they will be offering end-to-end encryption for their e-mail.
  • E-mail encryption is available with Microsoft Office 365.
  • Reasonably priced secure e-mail service is available from providers like Zixcorp, Mimecast, Voltage, and Data in Motion.

Conclusion

Encryption is a generally accepted security practice for protection of confidential data. Attorneys should understand encryption and use it in appropriate situations. All attorneys should use encryption on laptops, portable storage media, smartphones, and tablets that contain information relating to clients. They should also make sure that transmissions over wired and wireless networks are secure. Attorneys should have encryption available for e-mail or secure file transfer and use it when appropriate. Although attorneys may need technical assistance to get started and install and set up encryption, use of encryption is generally easy.



David G. Ries

Dave Ries is a member in the Pittsburgh office of Clark Hill PLC, where he practices in the areas of environmental, commercial, and technology law and litigation. He has used computers in his practice since the early 1980s and since then has strongly encouraged attorneys to embrace technology—in appropriate and secure ways. Mr. Ries is a co-author, with Sharon Nelson and John Simek, of Encryption Made Simple for Lawyers (American Bar Association 2015).