Lawyers And Disk Encryption: ABA Model Rule 1.6 Confidentiality of Information And Recommendations.

People in the legal sector have sought our services to protect portable digital devices.  It’s not surprising, really: legal professionals have taken up technology for better efficiency and mobility, and you’d be hard pressed to find a lawyer or a paralegal who doesn’t own a laptop or a smartphone (or both), or one who doesn’t use email or send documents electronically.

No wonder, then, that individual lawyers as well as legal firms seek out AlertBoot’s services in order to secure laptops, smartphones, and tablets, as well as backup media such as external hard drives.

My own research showed that lawyers are not required to use encryption; however, some mentioned that this may not necessarily be so, and pointed me to the American Bar Association (ABA) Model Rules of Professional Conduct, particularly Rule 1.6, which deals with the confidentiality of client information.

After going over it, and the opinions that the ABA has published, I finally understood what our clients were hinting at: as of May 2013, lawyers are not required to use encryption, just like medical professionals are not required to use encryption.  However, for professionals in the medical sector, HIPAA and HITECH rules are structured so that one cannot escape the use of encryption, especially when it comes to portable devices that store sensitive patient data.

Likewise, the ABA concludes that the use of encryption (or any other type of data security) is not required.  The twist, however, is that those in the legal profession have always been required to protect a client’s information, and thus they have little recourse but to use encryption and other data protection tools… although this depends on the situation.

The ABA leaves it up to individual members to know when that situation arises.

Laptops and Smartphones: Encryption is Needed

I won’t go into the details, but it’s pretty clear that if a lawyer uses either a laptop computer or a smartphone to store and access confidential client information, these require a certain degree of protection.

Thankfully, most smartphones and tablets that use iOS (Apple) and Android already come with disk encryption built-in.  For Apple devices, it’s just a matter of setting up a password, since their smartphones and tablets already come encrypted.  When choosing a password, the rule of thumb is that the longer and more complex the password (i.e., it uses both letters and numbers), the more secure it is.

For Android devices, encryption has to be enabled.  Instructions on how to secure these devices are easily found via online searching.

For laptops, the story is a little different.  Most computers do not come with laptop encryption software on them.  For example, BitLocker is included free in Microsoft Windows versions labeled “Ultimate” and “Enterprise.”  If you’re using Windows “Professional” or lower in the OS chain, then BitLocker is not available.

Assuming that free disk encryption comes with your particular computer, you still have to figure out whether it matches your needs.  I’ll discuss it further below, but here are a couple of scenarios to consider: will you need help resetting your password in the event you forget it?  Do you know how to manage and safeguard your encryption key?  Do you know what to do in the event your data gets corrupted and your computer won’t boot up?

“Reasonable Efforts” to Protect Data

In the comments to Rule 1.6 of the ABA Model Rules, it is noted that:

(c)  A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

I can already see how this is confusing: what exactly defines “reasonable”?

The consensus appears to be that the use of encryption is a reasonable effort.  Why?  For various reasons:

  • Encryption is one of the pillars on which computer security is based.
    1. It is used in finance to ensure secure transactions over the internet.  Online banking, for example, is possible because of data in motion encryption.
    2. It is used in the medical sector to protect patient data that are stored in computers, smartphones, tablets, backup tapes, external hard drives, etc. – anywhere a digital byte may be stored.
    3. It is used by governments to secure their own sensitive information, be it military transmissions, classified information, or otherwise.
  • Data security experts not only testify that encryption works, they use it to secure their own data.
  • Governments the world over have slowly been admitting that they cannot break encryption, and have resorted to passing laws that would legally allow them to gain access by coercing the data’s owner.

So, it’s pretty well established by now that encryption works, and it works very well.  The question is, then, what type of encryption solution should one get?

Encryption Recommendations

While there are many ways to encrypt data, my recommendation would be to use a solution that meets the following: 

  • It employs AES-128 or higher.  AES, the Advanced Encryption Standard, is the de facto encryption algorithm for the US government.  Data security researchers the world over have attacked, and are still attacking it, and AES has proved to be resilient.
  • It was validated by NIST.  The National Institute of Standards and Technology tests encryption software to see whether it has any weaknesses.  Even if a particular encryption product employs AES, there could be weaknesses in how it is actually used within a particular software suite.  NIST’s validation ensures that such weaknesses are not present.  The US federal government can only use NIST-validated encryption.

A quick word on validation: some encryption packages out there claim to be “NIST-certified.”  NIST itself doesn’t use the terminology “certified.”  If you find a software or hardware vendor who claims their security product is certified by NIST, it means one of two things:

  • They’ve actually been validated by NIST, but are confused and are interchangeably using the words “certified” and “validated.”  Security-wise, this confusion is not a problem.
  • They have not actually been validated by NIST, but their software conforms to NIST requirements, which are listed publicly.  The idea is that you’ll be secure…but without someone actually kicking the tires, you’ll always wonder if this is actually the case.  This is potentially a problem.

Does the second situation above matter?  It might for meeting certain legal terms.  For example, HIPAA and HITECH rules require that “valid encryption processes” be used in order to enjoy safe harbor from the Data Breach Notification Rule.  What is a valid encryption process?  Well, it turns out that it’s whatever NIST says it is, and in order for NIST to make a decision, they have to go through the process of validating it.

When you think about it, it only makes sense: what would a bunch of healthcare professionals know about encryption requirements?  It only makes sense for them to defer to people who test and research computer security for a living.  Namely, the group of researchers at NIST.
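One way to check the first recommendation (AES-128 or higher) on a Windows laptop that uses BitLocker is to audit the output of `manage-bde -status`, which also shows whether attached drives are protected and whether a recovery password exists. This is an added example, not code from this article or any vendor; the sample report is constructed and abridged, and `parse_volumes` and `audit` are hypothetical helper names.

```python
import re

# Constructed, abridged sample of English `manage-bde -status` output.
SAMPLE_STATUS = """\
Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password

Volume E: [BACKUP]
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
    Key Protectors:       None Found
"""

def parse_volumes(text):
    """Return {drive letter: {field: value, 'protectors': [...]}}."""
    volumes, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Volume ([A-Z]):", line)
        if header:
            current = volumes.setdefault(header.group(1), {"protectors": []})
        elif current is not None and ":" in line:
            name, value = (part.strip() for part in line.split(":", 1))
            current[name] = value
        elif current is not None and line.startswith(" " * 8):
            current["protectors"].append(line.strip())  # indented protector names
    return volumes

def audit(text, min_bits=128):
    """Return {drive: [problems]} for volumes that miss the baseline."""
    findings = {}
    for drive, vol in parse_volumes(text).items():
        problems = []
        method = re.search(r"AES (\d+)", vol.get("Encryption Method", ""))
        if not method or int(method.group(1)) < min_bits:
            problems.append(f"cipher below AES-{min_bits}")
        if vol.get("Protection Status") != "Protection On":
            problems.append("protection is off")
        if "Numerical Password" not in vol["protectors"]:
            problems.append("no recovery password to escrow")
        if problems:
            findings[drive] = problems
    return findings
```

On the constructed sample, `audit(SAMPLE_STATUS)` reports only the backup drive E:, which is the unencrypted external disk case.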

What Do You Want?  What Do You Need?

Once the above conditions are met, lawyers should be evaluating the extra features that mobile data security and encryption providers to the legal sector are putting at their disposal.

  • Encryption Key Management.  Each device that employs cryptological protection has its own encryption key; this is why you can use the same AES encryption algorithm and still guarantee privacy.  In the event that something were to go awry, such as your computer not booting up, the key has to be produced.  Otherwise, you’ve essentially locked yourself out of your computer forever.  Even if you knew your password, it wouldn’t help in this case: Passwords are, to put it simply, a method to push the encryption key in place so that you can access a device’s data.  Since you have the password but no key, you’re locked out.

    One of the greatest challenges when it comes to encryption in the enterprise is not the act of planning and carrying out laptop encryption.  Rather, it’s the management of the encryption keys (essentially keeping track of which key belongs to which machine and ensuring that you’ve written down the key’s details correctly, as a single character error will invalidate your key).

  • Password Recovery.  People forget their passwords for myriad reasons.  If your encryption software comes with a method to reset a password, this will help assuage any concerns regarding passwords.  Generally, password resets require an outside party to be involved (your laptop, smartphone, or tablet wouldn’t house a password reset feature because it would become a security issue).  For example, an Android device’s password can only be reset by going through Google’s services.
  • Data Recovery.  Computers fail.  Sometimes, they fail spectacularly.  Under such circumstances, chances are that help is necessary when it comes to recovering your data.  Even if you have an IT department, chances are that they’ll need help.  After all, recovering encrypted data is not a situation most people, even if they work with computers, face on a frequent basis.  If you’re using free encryption, who do you turn to?
  • Management Server.  If your office requires the protection of multiple computers and smart devices, you’ll be better off with a server for managing your encryption project.  Among other things, a dedicated computer server allows an administrator to deploy the encryption software to multiple computers and devices, push out required updates, and run audit reports to ensure that everything is as it should be.
  • Encryption of external media.  While the storage capacity of laptop computers has increased exponentially, a universal law appears to be that your laptop’s disks will “runneth over.”  Even if that’s not the case, sometimes you may find it convenient to copy a file to a USB flash drive and hand it to a colleague who will in turn copy it to his or her laptop, especially when the files are too big to be emailed.

    External disks are the weak link in full disk encryption because data is copied in its raw form to external storage media.  In other words, when full disk encryption is used, the data is only encrypted when it’s on that particular computer disk.  Copy it over to some other disk – be it a hard disk drive, a USB flash drive, or a CD – and the data is no longer protected.

    This is also true for hand-held devices.  Android products often feature an expandable memory slot.  Encrypting this external storage location is also important in ensuring top-grade data security.

    Also, if you back up your laptop’s data to an external hard disk, you’ll want to make sure that this backup disk is also encrypted.

  • Remote Data Wipe.  Even if you have encryption in place, you’ll probably gain some peace of mind knowing that the data can be irrecoverably deleted in the event that your device is lost or stolen.  Data wipes can be triggered in two ways: the command can be given by an administrator when the device is stolen or it can be automatically triggered when the wrong password is entered a certain number of times (e.g., on the eleventh incorrect password entry attempt).
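The Encryption Key Management and Password Recovery points above both come down to the same mechanism: the password only unwraps a stored copy of the disk key. The sketch below is an added example, not AlertBoot's or any product's code; all names are hypothetical, and the XOR-plus-HMAC wrap is a standard-library stand-in for the AES key wrap a real product would use.

```python
import hashlib, hmac, os

def _kek(secret, salt):
    # Stretch a password or recovery key into a key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def _pad(kek):
    return hmac.new(kek, b"pad", hashlib.sha256).digest()

def _tag(kek, blob):
    return hmac.new(kek, b"tag" + blob, hashlib.sha256).digest()

def make_slot(secret, disk_key):
    """Wrap the 32-byte disk key under a secret. The XOR pad plus HMAC tag is
    a stdlib stand-in for the AES key wrap a real product would use."""
    salt = os.urandom(16)
    kek = _kek(secret, salt)
    blob = bytes(a ^ b for a, b in zip(disk_key, _pad(kek)))
    return {"salt": salt, "blob": blob, "tag": _tag(kek, blob)}

def open_slot(secret, slot):
    """Return the disk key, or None if the secret is wrong or the slot is gone."""
    if slot is None:
        return None
    kek = _kek(secret, slot["salt"])
    if not hmac.compare_digest(_tag(kek, slot["blob"]), slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["blob"], _pad(kek)))

def demo():
    disk_key = os.urandom(32)                  # what actually encrypts the disk
    recovery = os.urandom(16).hex().encode()   # constructed recovery key, escrowed elsewhere
    header = {"password": make_slot(b"old passphrase", disk_key),
              "recovery": make_slot(recovery, disk_key)}
    results = {
        "right password unlocks": open_slot(b"old passphrase", header["password"]) == disk_key,
        "wrong password fails": open_slot(b"guess", header["password"]) is None,
        "password without key slot fails": open_slot(b"old passphrase", None) is None,
    }
    # Forgotten password: the recovery key recovers the disk key, which is then
    # re-wrapped under a new password. The disk itself is not re-encrypted.
    recovered = open_slot(recovery, header["recovery"])
    header["password"] = make_slot(b"new passphrase", recovered)
    results["reset keeps same disk key"] = open_slot(b"new passphrase", header["password"]) == disk_key
    results["old password now fails"] = open_slot(b"old passphrase", header["password"]) is None
    return results
```

Every entry returned by `demo()` is `True`, including the case where the password is known but the wrapped key is lost, which is why the recovery key has to be stored somewhere other than the device.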

It’s not a coincidence that AlertBoot Mobile Security (for smartphones and tablets) and AlertBoot Full Disk Encryption (for laptop computers and external hard drives) address all of the above issues, among other things (you can find out more by contacting us).

Use Your Judgment

Ultimately, though, you must understand that encryption is not a perfect palliative to your data security ills.  It doesn’t take a rocket scientist to realize that not losing a smartphone or a laptop computer is always the best “choice” when it comes to data security.  Encryption is there to play backup, not to be the main star.
