This series began with a post on the Massachusetts Data Privacy Laws, which provide standards for businesses that keep certain types of personal information. Following up that statutory and regulatory update, I provided you with my top digital security tips, including tip #6: Encryption.
In this third post, you’ll learn about encryption. I promise no techie language, only what you need to know.
What is encryption?
“[T]he conversion of data into a form called a ciphertext that cannot be easily understood by unauthorized people.” I pulled this quote from David G. Ries, Sharon D. Nelson, and John W. Simek, Encryption Made Simple for Lawyers (American Bar Association 2015). For everything you need to know about the history of encryption, “ciphertext”, as well as “how to”, I suggest checking out this book. It is now available in our lending library.
What you should know about encryption is that it is essentially the best way to protect your digital data. It can be used to protect electronic data that resides on your hard drive, external drives, USBs, servers, cloud storage, smartphones, and tablets, as well as data that is transmitted wirelessly (i.e. e-mail communications).
Why should you use it?
Well, you’ve got an obligation to protect your client’s data pursuant to Rule 1.6. New rules, previously approved by the SJC and soon to be promulgated on July 1, 2015 (more information to come on this blog), add the following language to the Rule:
“(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
As the authors of Encryption Made Simple for Lawyers point out,
[i]nadvertent disclosure includes threat like leaving a briefcase, laptop, or smartphone in a taxi or restaurant, sending a confidential e-mail to the wrong recipient, producing privileged documents or data, or exposing confidential metadata. Unauthorized access includes threats like hackers, criminals, malware, and insider threats.
In terms of ethical obligations, there is no requirement that attorneys encrypt client data (see Massachusetts Bar Association Ethics Committee Opinion 00-01). However, under the Massachusetts Data Privacy Laws, certain types of data must be encrypted. That has been covered previously at our blog, stemming back from this post.
When should you use it?
As noted in our previous blog posts regarding the Massachusetts Data Privacy Laws, the law requires encryption of “all transmitted records and files containing personal information that will travel across public networks, encryption of all data containing personal information to be transmitted wirelessly[, and] . . . [e]ncryption of all personal information stored on laptops or other portable devices.” (See 201 CMR 17.00).
In basic terms, what that means for you, is that if you collect “person information” as defined by the statute and store it on a laptop or portable hard drive and/or send it via e-mail, it must be encrypted.
If you are not holding onto personal information, do you still need to encrypt? I’ll give you my lawyerly answer: It depends. It’s a cost-benefit / risk analysis. How sensitive is the information? What type of security safeguards have you implemented? Have you vetted third-party providers? Are you using free or premium/enterprise level service providers to store electronic data? How much will it cost you in time and money to encrypt your data?
How to use it?
I know, you are all saying, get on with it Heidi. What we really want to know is how to encrypt. Ok, ok, here it is.
Files, Folders, Hard Drives, and External Drives
1) Mac OS X Encryption. Mac’s native features make it easy to encrypt documents, folders, and hard drives.
For encryption of:
- Mac Hard Drive: Use Apple’s native full disk encryption tool, FileVault. Available in all OS X versions Lion and later.
- External Drives: Right-click on the drive and set encryption.
- Folders: Use Apple’s native Disk Image feature found in Disk Utility.
- Files: For PDFs, use Apple’s Save as PDF tool. For Word, Excel, and Power Point documents, use Microsoft Office’s encryption feature.
- Windows Hard Drive: Use BitLocker, Window’s native full disk encryption tool. Available in Windows Vista Enterprise and Ultimate and Windows 7 Enterprise and Ultimate, and Windows 8 and 8.1 Professional and Enterprise.
- External Drives: Use BitLocker to Go, available as part of BitLocker.
- Folders: Use Window’s Encryption feature.
- Files: Use Window’s Encryption feature. For Word, Excel, and Power Point documents, you can also use Microsoft Office’s encryption feature.
3) External Drives. You can also purchase USB drives with built-in encryption. For example, IronKey, Kingston, and SanDisk all make devices.
Tips: When you encrypt files, folders, and external drives, you’ll need to set an encryption key. It’s the passcode you’ll enter to decrypt the data for use. Use a strong passcode or even a phrase with a minimum of 14 characters, symbols, lower and upper case letters, and numbers. (See Encryption Made Simple, pp. 64-65).
Next up in my data security series: email, mobile, and cloud-storage encryption. Stay tuned . .
(Last updated 9-16-2016)