BP Perspective: Insights from a Business Partner

Decrypting Encryption in the Legal Environment

When discussing encryption, three questions typically come up: Why do we need encryption within our system? Are other law firms using it? How do we enable it seamlessly without frustrating our people?

Encryption is one important part of a law firm’s overall data security process. As with many things information-security-related, encryption is a word that’s thrown about as a significant requirement but without a lot of clarity. This article discusses the reasons for encrypting your data, considers the system requirements for having encryption in place and addresses modern solutions for this practice.

In its 2017 Purchasing Survey, the International Legal Technology Association (ILTA) found increasing use of encryption across law firms of all sizes. Encryption was used for hard drives, email, removable media, smartphone devices, file server volumes and document management systems. This trend demonstrates law firm management’s increasing commitment to protecting client data.

Attorneys have a duty of confidentiality that is broader than the attorney-client privilege. They have both legal and moral obligations to keep confidential information private. Law firms must take numerous steps to ensure that client information is kept confidential, its integrity is maintained and it’s available when needed.

ENCRYPTING DATA IN TRANSIT AND AT REST

There are two primary modes for encryption. In the first, data being transferred between two systems, such as your web browser and a website, can be sent encrypted so that someone who is not on either your computer or the web server cannot see it. Thus, your password, account balance and other personal information are not readily readable as they leave your laptop, go through a public internet connection, pass through multiple stops along the internet and eventually arrive at a server.

The second mode involves encrypting data while it is resting on a system without being used by a program or user. Let’s say your laptop is stolen. If your laptop is appropriately encrypted, data written to its disk is not accessible without your password, so the thief cannot remove the disk and read it with another system. Similarly (though less likely), if someone were to steal one of your servers, they couldn’t just pull out your hard drive(s) and access the data on another server.

ENCRYPTION IMPLEMENTATION

Successfully employed, encryption may be implemented while remaining invisible to the end user. Using encryption technologies can also improve security in other areas — such as requiring the use of a virtual private network (VPN) to access your network remotely or requiring a secure website in order to gain access to encrypted data in the cloud.

Implementing encryption does increase processor and memory overhead on your systems. In modern environments, this should not be a problem. However, using encryption on aging systems will likely result in lower performance. In some cases, we have even seen data loss because the system cannot keep up with the processing requirements. Faced with the significant capital expenditures associated with these upgrades, many law firms are transitioning to cloud technologies as an alternative.

ENCRYPTION AND TECHNOLOGY AUDITS

Encryption requirements around client collaboration are being recognized through more frequent client-initiated technology audits. Clients are increasingly concerned about the secure transmission of emails and matter-related data files. Numerous vendors provide solutions to secure email and documents, although not all encryption solutions are created equal. Encryption can be accomplished within email platforms (e.g., Office 365, Mimecast, Proofpoint), file-sharing solutions (e.g., Citrix ShareFile) and document management systems (e.g., iManage Share and NetDocuments ShareSpace). These and similar cloud-based platforms ensure that data is encrypted and secured with user-specific access credentials and controls. Many even integrate with on-premises directories and multifactor authentication options.

Integrating third-party encryption solutions into the end-user experience can be a challenge. Vendors typically provide software plug-ins that attempt to integrate seamlessly with the Microsoft operating system and Office suite. Some do this better than others, so they need to be evaluated and piloted prior to adoption. The additional demand on processor and memory caused by Outlook and Word add-ins can cause performance and stability problems, so proceed with caution.

CLOUD ENCRYPTION

As mentioned before, cloud offerings can meet rigorous compliance and security requirements at a more reasonable cost than previously available. Today, more and more law firms are taking advantage of cloud computing resources. Top-tier cloud providers (e.g., Amazon Web Services, Microsoft Azure) provide fully integrated encryption technologies by default and without the same hardware requirements that may be needed locally. When properly deployed, these technologies can be more secure than traditional on-premises installations.

ENCRYPTION’S PLACE IN INFORMATION SECURITY STRATEGY

It is important that encryption be considered as part of a law firm’s overall information security strategy.

A fully protected legal technology environment, whether on-premises or cloud-based, must include more than just encryption and file-sharing policies. First, the law firm must have a method for managing information security, known as an Information Security Management System (ISMS). Without policies and standards to know what to do, law firms are often left with major gaps in their information security posture. Internal information technology teams and third-party technology vendors often lack sufficient information security expertise or bandwidth. Developing an internal committee, supported by appropriate information technology and information security expertise, is becoming more commonplace and is considered a minimum starting point for managing information security.

When properly integrated into your information security strategy, encryption will ensure that your law firm’s duty of confidentiality is met while protecting both the firm’s data and its reputation.