In the article “Encryption Made Simple for Lawyers,”¹ the authors defined encryption as:

“A formula to transform readable data into unreadable data. The formula is an algorithm (called a cipher), the readable data is called plaintext, and the unreadable data is called ciphertext. Decryption is the reverse process, which uses a key to transform the encrypted data back into readable data. As long as the decryption key is protected, the data is unreadable and secure.”

Since that article was published in 2013, the United States has experienced 6.4 billion data breaches.² An overwhelming majority of those attacks could have been thwarted if users had in place baseline hardware, software, and communication encryption protocols.

When encrypted data or physical devices are stolen, hackers typically are unable to review the encrypted, redacted, or altered data, rendering the data elements unreadable. Properly encrypting data and devices might obviate the need to report breaches under Wisconsin’s data breach statute³ and supreme court rules.⁴ Lawyers should ensure that their firms’ data and devices are encrypted, so as not to become low-hanging fruit for thieves. Here’s what you need to know.

Hardware Encryption

Hardware encryption is the most common and easily implemented encryption layer. Properly encrypted devices ensure that only the people who have credentials can unlock the devices and access the data. For example, an encrypted piece of hardware, such as a USB drive, phone, or computer that is stolen from a law firm, would be unreadable by thieves attempting to hook the stolen hardware up to another machine to read the stolen data. The only way to unlock and read the data would be for the thieves to have the credentials needed to log in or unlock the device.

Microsoft Bitlocker. Microsoft Bitlocker is a free encryption tool included with Windows 10 Professional and newer editions, including Enterprise but not Home Editions. To implement Bitlocker encryption, 1) right-click on a local hard drive or connected USB drive in Windows Explorer and select “Turn on Bitlocker”; 2) answer the question about how the data should be encrypted; and 3) select a password for decrypting the drive. It is fastest to encrypt a new drive before data is initially placed on the device (the larger the data, the longer it takes to encrypt). Users also can ensure the drive is permanently attached to one computer, like an internal hard drive, or make it portable like a USB drive, so it can be shared with other computers. Apple has a similar system called FileVault that also can be easily activated to encrypt the device.

Protect Mobile Devices. Mobile devices are also sources of sensitive information that lawyers should protect, for example, applications on mobile devices that are used to communicate with clients, manage case files, and run law practices. Newer IOS and Android devices are encrypted by default when a passcode to use the device is set up. If using Microsoft InTune or similar mobile-device management systems, system administrators can set up device encryption and make sure users are unable to disable the encryption protocols. With newer IOS, Android, and mobile-device management systems, users can also send erase commands from another device when a device is lost or might be compromised.

Microsoft 365 with Microsoft InTune. Law firms with a Microsoft 365 subscription that includes Microsoft InTune can encrypt all devices automatically. To do so, go to endpoint.microsoft.com, sign in, navigate to “Devices,” and select “Configuration profiles.” Here you can create a profile to implement and control device encryption in an environment. The advantage to using this tool is that it is a “set it and forget it” control, which means users can ensure that all devices meeting the criteria of the configuration setup will be encrypted automatically. It is still a best practice to regularly check security controls to make sure threat actors did not disable them. Checking security controls ensures no devices fall through the cracks because the features were not properly enabled.

Software Encryption

Every piece of computer software is powered by computer code. Typically, a user can access the software and the user’s data by providing a user name and password. Hackers have two ways to access data: compromise the underlying computer code in the software or gain access to a user’s login credentials.

The easiest way for hackers to access a user’s login credentials is to target the specific user. The most common tactic is to send emails or text messages that appear to come from a known acquaintance or legitimate company and ask recipients to click on links or provide additional information. Another method hackers use is to purchase stolen data that becomes available after large-scale data breaches and then “phish” for additional information or use logins on other services⁵ (in case someone was using a hacked login for multiple different websites).

Using individual, unique passwords and changing passwords frequently or after detecting an unauthorized login are helpful ways to thwart password thefts. It’s also a good idea to regularly check whether your email account has been subject to a public data breach, by visiting https://haveibeenpwned.com/.

Not all breaches of underlying computer code can be prevented. When companies become aware of vulnerabilities in their code, they issue security updates. This is why it is vital to install software updates in applications when they become available or to avoid using software that is no longer being patched (updated). It is also crucial that lawyers protect or encrypt their data in the software applications.

Encrypting Messages

Securing and encrypting communications may conjure images of secret agents in espionage movies and notes marked “for your eyes only” that dissolve after reading. Encryption works differently in online environments. Unless encryption is automatically turned on or the software used to transmit the message is encrypted, you should assume the communication is insecure. You also can purchase encryption tools as additions to current services.

It is no longer valid for lawyers to claim that technology is too complicated or that smaller law firms will not be targeted. Understanding technology and protecting client information in the cloud are professional requirements every lawyer must take seriously.⁶

Although safeguards and protections can be installed on devices and machines, human error remains the most common cause of data breaches. Lawyers must discuss with staff and clients the type of protocols that are in place to protect client data. Equally important is knowing how to use the software and security protocols and their corresponding limitations.

Email Encryption

Emails are sent across the internet in plain text, meaning that it is possible to intercept or read the email at any point between the sender and the intended recipient. Encrypting email communications can be done in a variety of ways.

Microsoft 365. For Microsoft 365 users with email accounts hosted with Microsoft, an encryption tool can be obtained by adding to a current subscription or purchasing a Microsoft 365 premium subscription. Once the service is enabled, an encryption button will appear in Outlook, easily allowing the sender to encrypt messages.

Proofpoint. Third-party encryption software products also are available for purchase. For example, Proofpoint is a cost-effective and robust solution that includes other features such as archival, retention, and email failover. Proofpoint’s encryption uses two techniques: 1) the sender can include a pre-determined trigger word, such as [ENCRYPT] in the subject line; and 2) the software can also be configured to proactively encrypt outgoing emails that may contain data such as Social Security or driver’s license numbers. The second option adds a significant layer of protection to your outgoing communication, but can mean that there are more false positives (emails that are encrypted that did not need to be) when this feature, called data loss prevention (or DLP), is enabled.

Identillect. Another third-party software option is Identillect. The email encryption can be integrated into Gmail, Outlook, or Microsoft 365 or used as a standalone feature. State Bar of Wisconsin members receive a 20% discount on annual license purchases of Delivery Trust Email Encryption. For more information, visit https://www.identillect.net/wisconsin.

Encryption Limitations and Challenges. Regardless of the type of software used to encrypt emails, there are some limitations. To send or receive emails, email servers must be able to read the plain text (that is, not encrypted data) of the subject, to, from, cc, and bcc lines and file-attachment names. Thus, even when sending encrypted email messages, it is very important not to include personal identifiable information (PII), such as a Social Security number or driver’s license number, in any of these fields.

Another set of challenges relates to the human interventions needed to send and receive encrypted emails. There are learning curves for law firms and clients – it takes time to ensure full adoption of encryption processes in firms. Further, there is little control over what happens once the communication reaches a client (although some email-encryption solutions can restrict forwarding, printing, or downloading of content to a hard drive).

Even with the limitations and extra steps, encrypted emails can help prevent data loss and reduce the number of potential clients who must be notified if a law firm suffers an email data breach.

Message Encryption

Many clients prefer to communicate with their lawyers via text or social media messages, rather than by telephone or email. Unless the lawyer and the client use the same encrypted platform to exchange messages, most of the sent messages are not secure or they include too many exceptions as to what can and cannot be easily encrypted. Lawyers who want to protect their messages should use end-to-end encryption, which helps ensure that no one other than the parties to the message can read the messages (not even the hosting software company).

Text Messages

Standard text messages are not encrypted when transmitted between phones. If both the sender and the recipient use Apple products and the iMessage feature, then the messages are end-to-end encrypted. Lawyers who do not want to provide their personal cell phone numbers may choose to rely on a third-party application for text messages.

Popular third-party text-messaging applications include the following:

• Threema provides secure end-to-end encryption, is available on Android and iOS platforms and desktop computers, is easy to use, and is relatively affordable. In addition, users can verify the identity of text-message senders.

• WhatsApp and Signal are completely free platforms that use end-to-end encryption for text messages.

• Some cloud-based practice management systems have text-message encryption features, either as a built-in feature or integrated with other voice-over-internet protocol companies.

Both Threema and Signal (https://signal.org/) meet General Data Protection Regulation privacy laws, and both have the option to store data on a device instead of in the cloud. This is important for lawyers concerned with companies having access to law firm or clients’ data.

Messages sent to users outside of encrypted applications typically are not secure. For instance, WhatsApp allows people to send text messages to users who are not on the application, and those recipients would receive unencrypted messages to their devices.

Social Media

Facebook Messenger is not secure by default: users must configure the “Secret Conversations” feature to enable encryption. Even then, it’s currently only available on Android and iOS phones, not on the web interface.

Instagram also requires users to enable end-to-end encryption in messages, and it is only presently available in some areas. Snapchat also is not entirely secure – encryption is turned on, but texts and other items can still be screen-capped. TikTok’s messages also are not encrypted. And the list goes on.

Regardless of the service, users need to understand when and what is being encrypted, the terms of service, potential security vulnerabilities in the software, and the access companies have to unencrypted data (it may be more than users thought or want7).

Web-based Communications

Web-based communications include material submitted via online forms and on e-commerce website locations. It may also include uploaded files such as photographs and documents. Any information transmitted on an unencrypted website can be intercepted. Likewise, if an insecure internet connection is used, hackers can intercept information before it reaches a secure website.

It is important to understand how web browsers distinguish secure websites. It is important to use only encrypted websites when visiting websites that deal with PII, financial data, or client information. The padlock next to the address bar indicates whether the site is encrypted (for an example, see www.google.com). This is called Secure Socket Layer (SSL). All modern web browsers support encryption, with the web host ensuring encryption. Users need only visit the site and check for the secure padlock in the address bar in their browser.

Whenever connecting to the internet, either by a wireless or wired connection, encrypt your traffic (information you are transmitting from your computer to the internet) so only you and the intended party see it. If using a wireless connection, only connect to networks with a padlock or other encryption indicator. Users will need to supply a password provided by the wireless owner to connect. An even better option is using a mobile hotspot or a cell phone as a hotspot if the internet subscription allows it because doing so ensures information transferred between the device and the internet is private.

You can also use a virtual private network (VPN) to create a secure internet connection to your workplace or employer. This requires a specially designed website and software on the device to create a secure tunnel. Some websites can load the VPN quickly on the fly, making it easy for users to connect securely. Note that a private VPN is for personal use to a specific site, whereas a public VPN can be used by anyone to encrypt all internet traffic to the host that is selling the VPN subscription. It is important to note that the public VPN subscription products on the market might claim to keep browsing private. There is some truth to their claims, but there are still ways for websites to track traffic, even if visitors are using a public VPN. So always be careful!

Conclusion

It is important to take precautions when transmitting data digitally, especially considering the exponential increases in cybersecurity attacks and the likelihood of suffering a data breach. Carefully consider which forms of communication you will allow with your clients, and then help them learn and implement the chosen technology and procedures. Finally, no amount of encryption is guaranteed to be 100% effective. When implementing a data security plan, be sure to consider the human factor and include training for your staff and clients to properly identify and secure private information to avoid data breaches and ransomware.

Endnotes

¹ See John W. Simek & David G. Ries, Encryption Made Simple for Lawyers, Wis. Law. (Dec. 2013).

² See Crucial, Data Loss and Cybercrime in Numbers, https://www.crucial.com/articles/external-ssd/data-loss-cyber-crime-in-numbers (last visited April 15, 2022).

³ See Wis. Stat. 134.98(1)(b).

⁴ See Wis. Formal Ethics Op. EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing (amended Sept. 8, 2017), www.wisbar.org/ethop.

⁵ Brian Krebs, Sextortion Scam Uses Recipient’s Hacked Passwords, July 12, 2018, https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/.

⁶ See Wis. Formal Ethics Op. EF-15-01, supra note 4.

⁷ See Aviva Meridian Kaiser & Christopher C. Shattuck, Social Media: Who’s Got Your Data, Wis. Law. (May 2018).

» Cite this article: 95 Wis. Law. 57-60 (May 2022).