Lawyers have a responsibility to take reasonable steps to protect the confidentiality of their clients’ data under four primary ABA Model Rules:
- Rule 1.1, dealing with competence including that associated with technology
- Rule 1.4, addressing secure communication
- Rule 1.6, outlining the duty of confidentiality
- Rules 5.1-5.3, covering the responsibilities of supervising lawyers, subordinate lawyers, and nonlawyer assistance (including vendors)
Individual state bar associations have addressed this as well, in addition to numerous ABA Opinions, including Formal Opinion 477R, wherein attorneys are expected to understand where data is stored and who could potentially access it. One of the easiest and most effective ways for lawyers to take action to protect client data is to implement encryption wherever possible. Essentially, encryption scrambles data, including text and documents, and makes it unreadable to anyone without the proper key.
There are two types of encryption that firms should pay attention to: encryption in transit and encryption at rest.
Encryption in transit means the data is encrypted only while it moves from one location to another, such as while being uploaded or emailed. If data is not encrypted while being sent, anyone positioned on the network path (for example on a shared Wi-Fi network or at an intermediate provider) can intercept and read it.
Encryption at rest means data is encrypted while it is stored on a disk or server, so that even if the storage is breached or a device is lost, the information remains unreadable to anyone who does not hold the decryption key.
Consider the use of encryption on the following technology in order to adhere to ABA standards and limit the risk of unauthorized individuals accessing confidential client data:
Email. A common method of communication, emails are often used for sensitive information. At the very least, these emails should be encrypted while in transit to prevent anyone on the network path from capturing their contents. If you are unable to encrypt your email, sensitive information should be sent as an encrypted attachment, with the password or key shared through a separate channel such as a phone call. As an alternative, a client portal keeps confidential content out of email entirely and uses email only to notify the client that a message is waiting in the secure portal.
Devices. Many of today’s devices offer the option to encrypt all the information they contain, known as full-disk encryption, and enabling it is a simple best practice. Without the proper passcode or PIN, the data remains encrypted. Windows (BitLocker) and macOS (FileVault) both offer built-in full-disk encryption, while Android device encryption varies by manufacturer and version. An alternative to the built-in encryption is third-party software or apps created for the purpose, but verify they are legitimate and from a reputable source prior to installing.
Data storage. If you are storing your data on a computer, see the above device encryption recommendations. For storage on an external server, see the below vendor recommendations. For storage on a third-party cloud-based platform such as Dropbox, see the below Cloud recommendation. If you are storing information on an internal server, information should be encrypted in transit during upload and then encrypted at rest during storage.
Vendors. Lawyers should be asking their vendors questions about the types of encryption they use. At a minimum, vendors and their apps should use encryption in transit and at rest. Note that encryption in transit is not the same as end-to-end encryption: with in-transit encryption the vendor can still read the data on its own servers, whereas with end-to-end encryption only the sender and recipient hold the keys and the vendor cannot. Ask which of the two a vendor actually provides, and who holds the keys.
Cloud. Whether you are using cloud storage such as Dropbox or Microsoft OneDrive or cloud-based programs including practice management, accounting or billing, encryption is critical. These programs should protect data during transmission with TLS 1.2 or later using cipher suites of at least 128-bit strength; SSL and early TLS versions are obsolete and should be refused. During storage, data should be held in independently audited data centers and encrypted at rest.