We have been given another reprieve, but as of January 1, 2010, M.G.L. c. 93H and 201 CMR 17.00 will require Massachusetts attorneys to encrypt all confidential personal information stored on their portable electronic storage devices, such as laptops, USB flash drives, USB hard drives, or DVDs/CDs. 2010 may seem a long way away, but this effective date will be here before you know it. So, what information do you need to encrypt? And how do you encrypt that information? You can find an explanation of what needs to be encrypted at our November 19, 2008 blog posting. The how-to-encrypt piece of the puzzle is more daunting.
The simplest means of complying is NOT to put confidential personal information on a portable hardware device. Your primary questions should be: Why is this information on a device that is leaving the office? Do I really need real-time access to this information outside of the office? Am I really going to be accessing the information in a private location?
Assuming you really need the information on a portable device, you can use either hardware or software solutions, or a combination of both. One hardware solution is the purchase and use of secure, encrypted hard drives, such as Iomega’s eGo Encrypt Portable Hard Drive, Lenovo ThinkPad USB Portable Secure Hard Drive, McAfee Encrypted USB Drives or the BUSlink RFID Key Encrypted External Hard Drive. These hard drives use various means of locking and unlocking the data, but all of the data on these devices is encrypted. Depending on the size of the hard drive you purchase, prices range from $122.00 to $400.00.
If you need less storage capacity from your portable electronic storage devices, you can use encrypted USB flash drives. The crème de la crème in this category are the flash drives produced by IronKey (1GB for $79.00 to 8GB for $299.00). These devices are described as “self-defending mobile storage” that “employs ‘always-on’ encryption”. This device uses hardware encryption which, the company claims, cannot be disabled and prevents cold-boot or brute-force attacks. The drive will also automatically erase all data after a predetermined number of failed attempts to open the device have occurred. As an additional safeguard, you can purchase the ability to remotely wipe data from a device that is in the hands of a person with the key. Kingston produces a number of encrypted flash drives, including the Data Traveler Vault-Privacy Edition, which encrypts confidential information and enforces a complex password for entry (2GB for $110.00 to 8GB for $308). Other manufacturers of encrypted USB flash drives include SanDisk, CMS Products, and Edge Tech Corp.
This is neither an inclusive group, nor an endorsement of any of these companies or their products. READ the reviews of the products, which will often bring to your attention difficulties in using a particular product that you would not otherwise consider.
There are also a large number of software encryption programs. One of the leaders in the industry is PGP Corp. PGP provides multiple products, including products for Macs. Its PGP Desktop Professional provides full disk encryption, email encryption, IM encryption (for some products), zip archives and a secure file shred for $219.00. The PGP Desktop Professional appears to be a good, full-featured product at a good price; in other words, it’s the sort of package that would likely fit the needs of most solo attorneys. PGP also features a $99.00 Desktop Home version, which handles email encryption, volume disk encryption, and AOL IM encryption, along with zip archives and secure file shredding. Other companies providing encryption software include Encryptx Corporation, BitArmor, Symantec, McAfee, and CryptoForge.
There are many free versions of open source encryption software available. These will allow you to create encrypted virtual drives or to encrypt entire hard drives or individual documents. The most well-known of the free services is TrueCrypt, which works with Windows Vista/XP, Mac OS X and Linux. Other free programs include FreeOTFE, FREE CompuSec, Cypherix LE Free, and LockNote. These free programs use various encryption methods, allow you varying degrees of control over how much you can encrypt, and offer little or no support.
Again, the programs listed here are neither endorsed by me, nor are they an exhaustive list of available programs. Again, read the reviews from users. Several attorneys have complained to me about how difficult various software products are to use.
Words of caution are necessary: If you have never used encryption software before, proceed slowly. Read the fine print. Read the instructions. Back up the data. Make sure you know what your keys and passwords are before you encrypt your entire hard drive. It is great to protect the confidentiality of your information, but it is all useless if you cannot get at your information.
In the future, look out for my follow-up post on encryption of personal information transmitted across public networks, or transmitted wirelessly. In addition, I will be doing a post on using remote access and hosted web-based servers as alternative methods of complying with encryption requirements.