Some 70% of data breaches involve laptops and portable devices. Ten percent of mobile phones are stolen during their useful life. In 2013 nearly a million and a half smart phones were lost.
Where lawyers are going increasingly mobile, those statistics make strong case for encryption according to John Simek and David G. Reis. The two gentlemen co-presented an ABA TECHSHOW session titled Decrypting Encryption – Gaining Competence on Encryption for Your Practice .
Forget iOS or Android the two types of phones are the one you lost and the one you’re going to lose. Any device that is portable is susceptible.
Aside from theft, hacking, snooping or other nefarious activities, whether by bad actors or three letter government agencies, the panelists point to four additional drivers of encryption for attorneys:
- Model Rule 1.1 (competence) and Rule 1.6 (confidentiality)
- Common law such as the risk of malpractice
- Contractual obligations required by a client
- Statues and regulations such as HIPPA in the case of health care
Encryption in Plain English
What does encryption do? It is a computer program, or algorithm that “scrambles” files on a device to render them unreadable – unless the user presents a unique “key” which is another piece of software code. For example, data stored on a phone or removable drive that is encrypted is unreadable and likewise, data that is encrypted before being sent over a network is also unreadable without that key (in the event it is intercepted).
Encryption software can come built into the hardware; or it can be acquired as a separate software package. The panelist said most attorneys will need assistance to set up – but once set up its “point and click” and relatively easy to use.
Typically data stored is referred to encryption “at rest” and data in motion or being sent over a network is called “in transit.” Data at rest includes information typically stored on servers, desktops, laptops, tables, portable media and smartphones. Data in motion, or transit, includes information sent over wired, wireless or cellular networks.
Transmitting unencrypted data over a network, the panel said, is akin to sending confidential files by postcard, which clearly can be read along the way.
5 Eclectic but Helpful Tips for IT Security
The speakers covered down on a range of tips throughout the hour long session, which included:
1. Word processing encryption. The speakers noted if you password protect a document in the Microsoft® Word processing program, the contents are encrypted (though they caution it’s “not as strong).
2. Does everything need to be encrypted? Probably not according to the panel, but they suggest lawyers “should have the means” if need were to arise.
3. Create strong passwords. The panelist recommend using 12 or more characters for creating a password (especially for a password manager tool) and ideally mix in capital letters, characters and non-sequential numbers.
4. Mobile device encryption. If you use an iOS-based device, the data is automatically encrypted when the screen passcode is used (it’s a default setting). For Android users, you’ll need to configure encryption in settings. The panel also said to avoid using four digit codes in favor of eight as there are programs specifically designed to break four digit codes (brute force).
5. Back up you encryption keys. It would be a disaster to encrypt data and then lose the key. Essentially, the data in that case would be unrecoverable, which is the purpose of encryption. Be careful to back up your encryption keys.
* * *
- GPSolo: Encryption Made Simple for Lawyers | (Also an ABA Law Practice Division book by the same title)
- Law Practice Magazine: Encryption so Easy a Lawyer can do It
- Law Practice Today: Cybersecurity for Attorneys: Understanding the Ethical Obligations
- Lawyerist: Encryption: Enabling Basic Client File Security
If you enjoyed this post, you might also like:
6 Tech Buying Tips for Small Law Firms [#ABATECHSHOW Recap]