This is a guest post by Brian Focht, an attorney at Stiles Byrum & Horne in Charlotte and author of the highly regarded blog, The Cyber Advocate. Twice a month, Brian will post about important cybersecurity issues on which lawyers and other legal professionals should be focused. He can be reached at firstname.lastname@example.org.
Does your law firm have an encryption policy in place? Sadly, for many law firms, the answer – rather than a simple “yes” or “no” – is “what do you mean, Encryption Policy?”
For reasons beyond my understanding, there are a lot of people out there (not just law firms) who don’t encrypt their data. Anthem Health Care didn’t, to the chagrin of 80,000,000 people whose unencrypted records were stolen. Sony Pictures didn’t (and kept their passwords in an unencrypted file helpfully titled, you guessed it, “Passwords”). And it’s now clear the DNC didn’t.
Data encryption is no longer a ‘nice to have’ for law firms; it’s a necessity. But without an effective plan in place, any attempt to use encryption will be incomplete, levels of compliance will vary, and the potential for disaster will rise. (Think having your files stolen sucks? Imagine knowing where your files are, but not remembering the encryption password. It’s like Ransomware that you caused yourself.)
Start here: Know your data
Encryption methods and practices will vary based on the location of your data. For our purposes, there are three location categories for your data:
Data at Rest – this is your “saved” data. Any data not open and being used, or being transmitted from one location/person to another, is “at rest.” This category includes data saved on your server, saved in the cloud, saved to a portable storage drive, or just saved to your computer’s desktop.
Data in Transit – this is data being sent from one person or location to another. This category includes data transmissions to and from your computer via email, direct internet connection (cloud services), direct physical connection (such as via USB cable or ethernet connection), or other wireless transmission systems such as infrared or Bluetooth.
Data in Use – this is data that’s… being used. While this category most obviously includes data in files that are open and being used, it also includes any related files or databases that are being accessed and updated as a result (such as temporary files, databases, or other linked programs).
Ok, so now that we know how to categorize the data, what do we need to know about those categories and what questions should you be asking?
Data at Rest
Where do you save your data?
Whether on your mobile device, in your server, or stored in a cloud storage system, data at rest ALWAYS needs to be secure. As far as data you entrust to third parties, the security will be largely based on the third party’s terms of service (download a free Third-Party Vendor Security Checklist here).
The data you save on your server, office computers, or mobile devices – or put another way, the data you have absolute ownership of – needs to be encrypted. Your Encryption Policy needs to address both the location of your data storage and how the data is to be encrypted when at rest.
Tools for Encrypting Your Data at Rest
Device-based Encryption – many systems come pre-installed with encryption capabilities. Use them. For example, if you’re making Time Machine backups, you have an option to encrypt that entire drive. Mac computers and iOS devices also come with built-in encryption. It’s foolish not to use them.
Software – if your device doesn’t provide sufficient encryption, or if you want to encrypt information in remote storage or cloud-based storage, you can invest in encryption software. Some highly-rated options include:
Note: Some experts strongly advise that you do NOT encrypt your archive files unless you absolutely have to. The reason is that your archives are meant to hold your data for a long period of time, only to be accessed if absolutely needed. That means you’ll need to be able to provide the encryption key whenever you access them, which might not be for a decade or more – by then you might have forgotten or lost it. Also, the encryption software might not be compatible with whatever computer system you’re using in 15-20 years, rendering the files impossible to decrypt.
Data in Transit
How does your data get from one person to another?
Your data is most vulnerable when it is “in transit.” Whenever you’re sending confidential data from one place or person to another, it needs to be encrypted from the moment you send it to the moment they receive it. This type of security is called “end-to-end encryption.”
To understand why data in transit is so vulnerable, imagine your data traveling through a series of, for lack of a better description, tubes. If a hacker wants to access the data that’s stored on your system, they actually have to get past all of your security and firewall protections to do so. But while your data is in transit, they just need to pick a spot somewhere in the tube, and grab it as it comes by. Hackers frequently set up shop where they have access to high-traffic “tubes” (think Starbucks WiFi) and wait. This is one reason why discovery data tends to be so vulnerable.
While you can take steps to protect your data from being intercepted, it’ll never be perfect – unless you never send your data anywhere. Like cybersecurity in general, the only way to make your data 100% secure is to make sure it’s completely inaccessible to anyone – including you. Since you can’t prevent it from being intercepted 100% of the time, make sure that any data a hacker does manage to access is unreadable.
One way to transmit confidential data is through a secure portal on your law firm’s website or server (Editor’s note: Another is through Logikcull). To be sure, though, even if you use a secure portal, you will only have the benefit of end-to-end encryption if both users have secure internet access – again, think Starbucks WiFi. Numerous email, file sharing, and messaging services, such as ProtonMail, WhatsApp and Signal, provide end-to-end encryption on mobile devices, which helps bypass the public WiFi problem.
Even if someone intercepts your data in transit, they will still have to crack your encryption in order to read it.
Data in Use
The only time your data should be unencrypted is when it’s being used. Once no longer in use, however, your data should be encrypted immediately. Here is where it becomes so critical that your law firm has an Encryption Policy in place. Make sure that your policy informs everyone where important data is allowed to be saved.
I STRONGLY recommend that your policy prohibits saving documents locally (to the user’s Desktop, My Documents, or similar local storage locations). First, allowing multiple versions of the same document to be stored in locations that may not be accessible remotely or by other users creates a lot of confusion – which usually isn’t resolved until the wrong document is filed or served. Second, one of the main reasons people save local versions of a document is to circumvent “inconvenient” security measures. Nip this type of behavior in the bud immediately! Remember: The data of 80 million people stolen in the Anthem hack was not encrypted, for the sake of convenience.
Do not allow your confidential data to be used and saved unencrypted (e.g. saving an important document as a Word file on your desktop) simply because it’s easier for the user at the time.
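One way to check whether the rule above is being followed, as an added example that is not part of the original post: this Python script walks local folders and lists Word, Excel, PowerPoint and PDF files saved without file-level password encryption. The function names, the folder layout and the sample files are constructed for illustration; the PDF test is a heuristic, and the check says nothing about whether the disk itself is encrypted.

```python
import tempfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"                        # plain .docx/.xlsx/.pptx is a ZIP archive
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # password-protected ones are wrapped in OLE
OOXML_EXT = {".docx", ".xlsx", ".pptx"}


def classify(path: Path) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' for one document."""
    ext = path.suffix.lower()
    data = path.read_bytes()
    if ext in OOXML_EXT:
        if data.startswith(OLE_MAGIC):
            return "encrypted"
        if data.startswith(ZIP_MAGIC):
            return "unencrypted"
        return "unknown"
    if ext == ".pdf" and data.startswith(b"%PDF-"):
        # Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer.
        return "encrypted" if b"/Encrypt" in data else "unencrypted"
    return "unknown"


def audit(folders):
    """List documents under the given folders that are stored unencrypted."""
    findings = []
    for folder in folders:
        for path in sorted(Path(folder).rglob("*")):
            if path.is_file() and classify(path) == "unencrypted":
                findings.append(path)
    return findings


def demo():
    """Build a constructed sample 'Desktop' folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp) / "Desktop"
        desktop.mkdir()
        # Constructed sample files: only the marker bytes matter for this check.
        (desktop / "brief.docx").write_bytes(ZIP_MAGIC + b"constructed sample")
        (desktop / "settlement.docx").write_bytes(OLE_MAGIC + b"constructed sample")
        (desktop / "exhibit.pdf").write_bytes(b"%PDF-1.7\ntrailer << /Root 1 0 R >>")
        (desktop / "sealed.pdf").write_bytes(b"%PDF-1.7\ntrailer << /Encrypt 5 0 R >>")
        (desktop / "notes.txt").write_bytes(b"not a tracked format")
        return [p.name for p in audit([desktop])]


if __name__ == "__main__":
    print(demo())
```

To use it on a real machine, pass the user's actual Desktop and Documents paths to audit() in place of the constructed folder.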
Make sure it fits your law firm
Your Encryption Policy will need to walk the extremely fine line between useful and secure. Never sacrifice security simply for the sake of convenience. Whenever you have the occasion to complain about the system not being convenient for use, remember that if the DNC had kept their emails and information encrypted within their system, it’s highly unlikely that the Russian hackers would have been able to get nearly as much information as they now have.
If your encryption setup actually inhibits your ability to function efficiently, it’s probably time to reexamine your Encryption Policy. However, always remember how much Anthem, Sony, and the Democratic National Committee wish they could trade a little inconvenience for the ability to go back and encrypt their data.