Encryption is a topic most attorneys don’t want to touch with a 10-foot pole, but it is becoming an increasingly important part of security. Encryption is an electronic process to protect data. All attorneys should generally understand encryption, have it available for use, and make informed decisions about when to use encryption and when avoiding it is acceptable. Fortunately, many easy-to-use encryption methods currently are available. Most attorneys will need technical assistance to install and set up encryption, but using encryption is generally easy after that.
Encryption uses a formula to transform readable data into unreadable data. The formula is an algorithm (called a cipher), the readable data is called plaintext, and the unreadable data is called ciphertext. Decryption is the reverse process, which uses a key to transform the encrypted data back into readable data. As long as the decryption key is protected, the data is unreadable and secure. The technical details of how encryption works are complex, but attorneys need not understand them so as to use encryption.
Encryption can be used to protect data at rest (on desktops, laptops, servers, or portable media) and data in motion (over wired or wireless networks and the Internet). Encrypted data cannot be read or used unless one has access to the decryption key.
Attorneys have ethical and legal duties to protect information relating to clients. Encryption is an important consideration in addressing these duties.
Laptops and Portable Media
The attributes that make laptops and portable devices useful also make them very dangerous from a security perspective: they are compact and they are portable. As their prices fall, the information-handling capacity of laptops and portable devices continues to increase: laptops with 1TB (terabyte) and larger hard drives, USB thumb drives with capacities of 256 GB or more, portable hard drives with 1 TB or more (the same as desktop computers). A massive amount of data in compact form can be easily lost or stolen.
If not properly protected, laptops and portable media are ripe for causing security disasters. One survey reported that 70 percent of data breaches resulted from the loss or theft of off-network equipment (laptops, portable drives, PDAs, and USB drives). Strong security is a must. Encryption is now a standard security measure for protecting laptops and portable devices, and attorneys should be using it.
In fact, according to a joint United States/United Kingdom research team, full-disk encryption is so effective that law enforcement and federal agencies are complaining that they are unable to retrieve the encrypted data during criminal investigations. Federal courts are struggling with the issue of whether compelled disclosure of passwords and passphrases for decryption is allowed by the Fifth Amendment.
Backing up data is a good practice, but not if the process results in the exposure of confidential data. If a backup drive is encrypted, it will have a strong level of protection even if it is stolen. In the case of a drive lost by an employee of a Maryland law firm (see sidebar), the backup drive had little or no protection. It is not uncommon for backup software to have the ability to encrypt the backed-up information. Generally, it is just a simple matter to check an option for the backup to be encrypted.
As the examples in the accompanying sidebar demonstrate, encryption is particularly important for laptops and portable media. There are three kinds of encryption for protecting laptops and portable devices: hardware encryption, encryption in operating systems (like Windows and Apple OS X), and encryption software.
Hardware Encryption. There are two basic approaches to encrypting data on hard drives: full-disk encryption and limited encryption. As its name suggests, full-disk encryption protects the entire hard drive. It automatically encrypts everything and provides decrypted access when an authorized user properly logs in. Limited encryption protects only specified files or folders or a part of the drive. With limited encryption, the user must elect to encrypt specific data.
Think a Security Breach Can’t Happen to You?
As the following examples demonstrate, a security breach can happen to anyone, anytime. That’s why encryption is so important.
After the high-profile theft of a Department of Veterans Affairs laptop and external hard drive containing the personal information of more than 28 million veterans in 2006, security guidelines for federal agencies added the requirement of encryption of all data on laptops and portable devices, unless the data is considered “nonsensitive.”
In January 2007, 18 laptops were stolen from the offices of a law firm in Orlando. The laptops were reportedly protected by encryption, and the incident received very little publicity. In discussing this incident, the SANS Institute, a leading information security organization, noted, “[l]aptop thefts aren’t going away, but by this time next year, this type of item (laptop stolen, but the data was protected) shouldn’t be newsworthy.”
Recently, a Maryland law firm lost an unencrypted portable hard drive that contained medical records of individuals involved in a lawsuit against its client hospital. The firm’s usual practice for ensuring off-site backup was that at the end of each work day, an employee would take home the hard drive containing backup data. One day, an employee took the hard drive but accidentally left it on the train she rode home. By the time she realized this and went back to check, the hard drive was gone.
All hard-drive manufacturers now offer hard drives with hardware full-disk encryption built in. All major laptop manufacturers offer models with these drives. Hardware encryption is generally easier to use and administer than encryption software. Some examples are Seagate Secure and Hitachi Self-Encrypting Drives. Secure use requires enabling encryption and setting a strong password or passphrase. The contents of the drive are automatically decrypted when an authorized user logs in and are automatically encrypted when the user logs off or the laptop is turned off.
Because most encryption programs are tied to a user’s password, secure passwords or passphrases are essential, and a forgotten password can result in losing data. Automatic logoff after a specified time is important so that unencrypted data will not be exposed if a user goes away from a computer or forgets to turn it off. In an enterprise environment, such as a law firm, an administrator must have access and the ability to reset passwords, back up drives, and recover keys.
Operating System Encryption. Current business versions of Windows and current versions of Apple OS X have built-in encryption capabilities.
Windows Vista Enterprise and Ultimate and Windows 7 Enterprise and Ultimate include an encryption feature called BitLocker. BitLocker works below the operating system and encrypts an entire volume on the hard drive. BitLocker requires either a computer that is equipped with a trusted platform module (TPM) chip on the motherboard or use of an external USB drive to hold the decryption key. If an intruder gains access to a USB key, the encryption can be defeated.
The business versions of Windows also include an encryption function called encrypted file system (EFS), which allows encryption of files and folders. An authorized user who is logged in has access to decrypted data, but the data is encrypted and unreadable to anyone else. EFS can be easily cracked using forensic tools. You are better off using BitLocker or one of the other third-party encryption products discussed below.
Setup of both EFS and BitLocker is fairly technical. For most attorneys, it will be necessary to obtain technical assistance to implement them.
File Vault is the built-in encryption for Apple OS X products. File Vault 2 provides full-disk encryption for newer versions. Follow Apple’s instructions for turning it on. After a password is set, it just requires turning on the FileVault button in System Preferences. Recent advances in decryption technology have been used to attack Apple’s encryption scheme, and the Passware software suite claims to be able to defeat FileVault 2 in less than an hour.
Encryption Software. Some commonly used third-party encryption software products for hard drives include those offered by Symantec (PGP and Symantec Endpoint), McAfee, Check Point, Guardian Edge, and Utimaco (Sophos). A common open-source encryption program that is free and relatively easy to use is TrueCrypt.
Hardware-encrypted drives and encryption software are available for USB drives and portable hard drives. Microsoft’s BitLocker to Go can be used to encrypt portable devices. Individual USB drives with built-in encryption capability are also available, like the IronKey (Immation), KanguruMicro, Kingston, and SanDisk Cruzer Professional and Cruzer Enterprise. The IronKey is a favorite of the authors. It includes strong encryption, wiping if the wrong credentials are entered too many times, and strong physical construction, with wiping from physical tampering. As an added bonus, several of the models contain a password-management application called Identity Manager, which stores passwords of any length in a secured, encrypted “vault.” As for passwords themselves, the current recommendation is that they contain at least 12 characters.
Smartphones and Tablets
Smartphones and tablets are basically small computers, with substantial computing power and high storage capacity. Like laptops and other mobile devices, they can be easily lost or stolen and should be protected with encryption.
The security of BlackBerry devices has long been the “gold standard” for secure communications on cellphones. If you use the BlackBerry Enterprise Server (BES), the communications are automatically encrypted. Encrypting the device itself is accomplished by enabling Content Protection, which appears under Options – Security Options – Encryption and sets encryption for the device memory, encryption strength, contacts, media files, and expansion memory card. In addition, you must set a password for the phone and set the inactivity timer to lock the phone. The password and timeouts are set by going to Password, which appears under Options. Many law firms use BES to manage employees’ BlackBerry devices. This centralized management installs the desired security settings onto phones, with no user interaction required.
For iPhones and iPads, hardware encryption was implemented in iOS 4. All files are automatically encrypted and decrypted when the device is unlocked. But this provides little protection unless “Simple Passcode” is turned off, “Require Passcode” is turned on, and a strong passcode is selected. Require Passcode should be set for a short time, and Erase Data should be turned on. iOS also includes a feature called data protection, which secures emails and attachments stored on the device and data in other apps designed to work with the device.
Android OS has included encryption for tablets (starting with Honeycomb) and for phones (starting with Ice Cream Sandwich). Earlier versions of Android require third-party encryption apps, such as WhisperCore, Droid Crypt, or AnDisk Encryption. Also, Motorola and Samsung sell enterprise phones with built-in encryption capability. Turning on encryption generally requires touching the Encrypt or Encrypt Tablet button in Settings. A strong PIN or password and automatic logoff after a set time are also important to keep the data encrypted.
It is important to follow the manufacturer’s instructions when setting up encryption. Get help if you need it. Initial encryption might take a while when a device has already been in use, so make sure the battery is fully charged before starting.
Weaknesses have been reported in the encryption for both iOS and Android, so it is important to consider multiple levels of security. Despite limitations, however, smartphones and tablets are more secure with encryption, and attorneys should be using it.
Communication via wireless connections must be secured to protect the transmission. Encrypting the wireless network will protect the data from being intercepted and viewed. There are many free “sniffer” applications that can be used to view the contents of unencrypted data streams. Essentially, there are three commonly available types of encryption schemes for wireless networks: WEP (wired equivalent privacy), WPA (Wi-Fi protected access), and WPA2 (second-generation WPA).
WEP provides very weak encryption and is fairly easy to crack. WPA is stronger but also has been cracked. Therefore, neither WEP nor WPA is recommended. WPA2 is secure and should be the encryption method of choice for wireless networks. As with passwords for other uses and devices, the WPA2 passphrase should be long and complex.
In addition to making sure that their wireless networks are secure, attorneys should ensure that third-party wireless networks they use for client matters are protected by encryption. They should be protected by WPA2 and require a user name and password for access. This is particularly the case for public networks. Many security professionals and US-CERT, the U.S. Computer Emergency Readiness Team, have recommended that public networks should not be used for confidential communications. If public networks are used, a virtual private network (VPN) can provide security. A recent ethics opinion concluded that an attorney has an ethical duty to evaluate the security of a wireless network, home or public, before it is used for client communications and to take appropriate precautions in using it. California Formal Opinion No. 2010-179.
The confidentiality and integrity of emails is another important issue for attorneys. Email messages are sometimes compared to postcards written in pencil: both forms of communication can be viewed or altered by third parties.
While some ethics opinions have been incorrectly interpreted as saying that email encryption is never required, current opinions stress the requirement of using reasonable and competent safeguards. For example, California Formal Opinion No. 2010-179 states “encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstances call for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”
Encryption is increasingly required in areas like banking and health care and by state data-protection laws. As these requirements continue to increase, it will become more and more difficult for attorneys to justify not using encryption.
For email, the term encryption is generally used to mean both encryption as described above and the authentication process, which are used, in combination, to protect email. Encryption protects the confidentiality of email. Authentication identifies the sender of an email and verifies its integrity.
Encryption translates a message into a protected electronic code. The recipient (or anyone intercepting the message) must have a key to decrypt it and make it readable.
Encryption generally uses a pair of keys to encrypt the email. The sender uses the recipient’s public key to encrypt the email and any attachments. Because the public key only encrypts the email, it does not matter that it is available to the public or to various senders. The recipient then uses his or her private key to decrypt the email. The private key must be safeguarded because anyone who has access to it can use it for decryption.
The process is easy to use once the keys are set up in an email program such as Outlook. The most difficult steps are getting the keys (digital IDs) and making the public key available to senders. Once encryption is set up in Outlook, the sender clicks on the Message tab in the Options group and clicks the Encrypt Message Contents and Attachments button. At the recipient’s end, the message will automatically be decrypted if his or her private key has been installed.
Digital authentication of email also generally uses a key pair. The sender uses his or her private key to digitally sign the email. The recipient then uses the sender’s public key to verify the sender and integrity of the message. In Outlook, after installation of the private key, the sender clicks the Options tab in the Permission group and clicks Sign Message. After the sender’s public key has been installed in the recipient’s compatible email program, the recipient will receive an automatic notice of verification of the message’s sender and integrity.
For protection of confidentiality and authentication, the sender’s and recipient’s key pairs are used in combination. The sender uses both the Encrypt Message and Attachments command button (which uses the recipient’s private key) and the Sign Message command (which uses the sender’s private key). At the receiving end, the email program automatically uses the recipient’s private key to decrypt the messages and automatically uses the sender’s public key to verify authenticity and integrity.
Again the challenging part is obtaining key pairs, exchanging public keys, and setting them up in the email program for encryption. Keys are available from commercial public-key authorities such as Verisign (now part of Symantec). Public key authorities have online directories in which their customers’ public keys are available.
Another form of email encryption is transport layer security (TLS) encryption. It automatically encrypts email between two email gateways. If a law firm and client each has its own email gateway, TLS can be used to automatically encrypt all emails between them. TLS encryption protects emails between email gateways only. It does not protect emails within the sender’s and recipient’s networks and does not protect email that is misaddressed or forwarded through other email gateways.
Secure email is also available from managed-messaging-service providers such as Zixcorp, Mimecast, and Data Motion. They provide email encryption without the complexity of setting up and exchanging keys.
As an alternative to encryption, confidential information can be protected by putting it into a password-protected attachment rather than into the body of the email. File password protection in some software, such as current versions of Microsoft Office, Adobe Acrobat, and WinZip, uses encryption to protect security. It encrypts only the document and not the email, so the confidential information should be limited to the attachment. It is generally easier to use than is complete encryption of email and attachments. However, the protection might be limited by use of weak passwords that are easy to crack.
It has now reached the point (or at least is reaching it) where most attorneys should have encryption available for use in appropriate circumstances. In addition to complying with any legal requirements that apply, the most prudent approach to the ethical duty of protecting confidentiality of electronic communications is to have an express understanding with clients about the nature of communications that will (and will not) be sent by email and whether or not encryption and other security measures will be used.
Encryption is now a generally accepted practice for protection of confidential data. Attorneys should understand encryption and use it in appropriate situations. All attorneys should use encryption on laptops, portable storage media, smartphones, and tablets that contain information relating to clients. They should make sure that transmissions over wireless networks are secure. Attorneys should have encryption available for email and use it when appropriate. While most attorneys will need technical assistance to install and set up encryption, use of encryption after that is generally easy.