DECEMBER 2019 | AROUND THE ABA

Encryption to protect confidentiality is easier than you think

Email and other forms of electronic communications offer fast, convenient and inexpensive ways to correspond, but they also present serious risks, particularly in the area of confidentiality.

In the On-Demand CLE “Encryption for Lawyers: Fulfilling Your Ethical Duties,” sponsored by the ABA Law Practice Division, John Simek of Sensei Industries and David G. Ries of Clark Hill LLC’s Pittsburgh office say that encryption can help mitigate the vulnerabilities.

And many of the encryption options are inexpensive, easy to implement and easy to use.

Encryption transforms readable data into unreadable data and requires a key to make data readable again. It all happens automatically via encryption software.

Encryption can be used to protect data at rest, such as data stored on servers or devices, and data in motion, such as information transmitted through networks, the internet and cellphones.

If you’re using one of the leading office productivity suites, Google G Suite or Microsoft Office 365, you’re in luck. Out of the box, both offer optional email encryption.

Another option is Transport Layer Security, which creates a secure environment for web browsing, emailing or other client-server applications. TLS is commonly used to secure web servers, allowing safe online transactions that are identified by a padlock icon in a browser’s address bar.

When applied to email servers, TLS provides encryption from one email gateway to another. For example, if a law firm and client both have email servers that support TLS encryption, all traffic between them will be encrypted after they are set up.

Setup requires a digital certificate through a third-party certificate authority that confirms the authenticity of the servers.

While an industry standard for safety, TLS protection can be lost if emails are copied to or forwarded to recipients using systems that do not support TLS.
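Because gateway TLS protects each server-to-server hop separately, a message's Received headers show where protection held and where it was lost. The following is an added example, not material from the CLE program or this article: it reads the "with" protocol keyword that RFC 3848 defines for Received headers, and the message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# "with" keywords registered by RFC 3848; the S variants mean STARTTLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample (not real traffic). Each server prepends its own
# Received header, so the newest hop is listed first.
SAMPLE = """\
Received: from mx.client.example (mx.client.example [203.0.113.9])
    by mail.thirdparty.example with ESMTP id 3C; Mon, 2 Dec 2019 10:00:09 -0500
Received: from mail.lawfirm.example (mail.lawfirm.example [198.51.100.7])
    by mx.client.example with ESMTPS id 2B; Mon, 2 Dec 2019 10:00:05 -0500
Received: from desktop.lawfirm.example (desktop [10.0.0.5])
    by mail.lawfirm.example with ESMTPSA id 1A; Mon, 2 Dec 2019 10:00:01 -0500
From: lawyer@lawfirm.example
To: client@client.example
Subject: Engagement letter

See attached.
"""

def hop_security(raw_message):
    """Return (from_host, by_host, status) for each hop, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        sender = re.search(r"\bfrom (\S+)", text)
        receiver = re.search(r"\bby (\S+)", text)
        proto = re.search(r"\bwith (\S+)", text)
        keyword = proto.group(1).upper() if proto else ""
        if keyword in TLS_PROTOCOLS:
            status = "tls"
        elif keyword in PLAIN_PROTOCOLS:
            status = "plain"
        else:
            status = "unknown"  # non-standard header format: do not guess
        hops.append((sender.group(1) if sender else "?",
                     receiver.group(1) if receiver else "?", status))
    return hops

def unprotected_hops(raw_message):
    """Hops that cannot be shown to have used TLS (plain or unknown)."""
    return [hop for hop in hop_security(raw_message) if hop[2] != "tls"]

if __name__ == "__main__":
    print(unprotected_hops(SAMPLE))
```

In the sample, the firm-to-client hop is encrypted but the onward hop to the third-party server is not. Received headers are written by the servers themselves, so treat the result as evidence of how a message travelled rather than proof.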

To secure your files, current versions of Microsoft Office, Adobe Acrobat and WinZip offer password protection.

Acrobat also includes “security envelopes” that can be used to protect multiple files placed as attachments in an encrypted “envelope.” Full encryption isn’t necessary if confidential information is placed within such password-protected attachments, instead of in the body of the email.

However, the protection can be limited by use of weak passwords that are easy to crack.

Current recommendations say passwords should be complex, at least 14 characters in length. “The longer the better,” Ries said.

When shared, passwords should be transmitted securely to the recipient in a phone call or text message, and certainly not in the same email as the encrypted attachment.

When setting up devices like cellphones, smartphones and tablets, follow the manufacturer’s instructions to enable encryption.

Use caution when using consumer cloud storage, Ries said. There are special editions of security software that include cloud protection, which is recommended.

If you need to manage encryption on several devices, there is software to help you do that.

To protect data on a laptop, Ries recommends full-disk encryption, which encrypts the entire device, no matter where the sensitive data is stored.

If you think such security doesn’t apply to you, Simek and Ries note several relevant rules from the ABA Model Rules of Professional Conduct, including competence (Rule 1.1), communication (Rule 1.4), confidentiality of information (Rule 1.6) and supervision (Rules 5.1, 5.2 and 5.3).

Moreover, the ABA has issued two formal ethics opinions on security topics since the 2012 rules amendments: ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 2017), which focuses on electronic communications and explores the general duties to safeguard information relating to clients in light of current threats, and ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (Oct. 2018), which also reviews lawyers’ duties to safeguard data.

For additional information on encryption options, the ABA-published book “Encryption Made Simple for Lawyers” provides guidance. Additionally, the Electronic Privacy Information Center maintains a website with information on encryption and other tools to protect privacy.