The American Bar Association’s Formal Ethics Opinion 477 recently made big news by requiring lawyers to take “reasonable efforts” to ensure the security of their communications with clients. While the opinion states that unencrypted email “remains an acceptable method of lawyer-client communications” and thus does not require lawyers to encrypt all client communications, it does indicate that certain circumstances warrant “particularly strong protective measures, like encryption”. This is consistent with Massachusetts ethics and Data Privacy Laws. At a moment in time fraught with data breaches and cyber-threats, encryption is a good way to secure your clients’ data and meet your ethical obligations.
Encryption, in layman’s terms, scrambles your data into an unreadable format and is one of the best methods of protecting your digital data. With the ubiquity of tools to secure your data come easy-to-use interfaces and instructions. Any lawyer can encrypt sensitive data, and in most cases for free. Here’s how:
Encrypting physical devices
One of the most common reasons for inadvertent disclosure of client data or loss of client data is stolen and lost laptops or devices. Even an amateur cybercriminal can easily extract the contents of an unencrypted hard drive. If you have not encrypted the hard drive of your laptop, you should do so today. Encrypting your laptop is a simple process and should not impact your work. Once you turn on hard drive encryption, each time you log off your computer, the entire contents of your hard drive are encrypted. When you log back in, the contents are unencrypted for use. The activation process for both Mac and Windows computers is quite straightforward.
Mac computers use FileVault to encrypt the hard drive. This is native to your Mac; that is, there’s no need to buy a third-party product. You can find FileVault in System Preferences > Security & Privacy. Click the lock in the lower left-hand corner to make changes to the settings and then click “Turn on FileVault.” You’ll be prompted to either select to use your iCloud account to reset your password or create a recovery key. Either way, you’ll need that information to access your data in case you ever forget your computer login.
Certain Windows computers also come installed with Windows BitLocker Drive Encryption. These include the Pro, Enterprise, and Core (Windows 8.1) editions of Windows. If you only have Windows Home, upgrading to Pro costs $80. It’s well worth it just for hard drive encryption! Access BitLocker from your Control Panel > System and Security. Turn on BitLocker to encrypt your hard drive and save your recovery key.
For tips on encrypting your hard drive, see http://www.lawtechnologytoday.org/2015/01/how-to-encrypt-data-on-your-mac-in-a-few-simple-steps/ for Mac users and https://support.microsoft.com/ for Windows users.
If you save client data to an external drive (e.g., for backups) or USB flash drive, you can encrypt those drives as well. For Mac users, all you need to do is find the drive you wish to encrypt, right click and select “Encrypt [Name of Drive]”. The password you set can be used to decrypt the drive.
Windows users can use BitLocker to encrypt external drives. Right click on the drive you wish to encrypt and “Turn on BitLocker.”
Files and folders
File and folder encryption can be helpful for a couple of reasons. First, rather than encrypting your entire hard drive, you could decide to only encrypt a certain folder with sensitive client data. If you are diligent in storing all your sensitive files in one folder, this is a fine option. The problem, however, is that many times a file on your computer may not be located in just one place. For example, say you receive an email with a sensitive client file attached, which you then open using Outlook on your desktop. That attachment is automatically saved somewhere on your local hard drive. Furthermore, if you download the document to your desktop or downloads folder and forget about it, that file will reside in yet another place on your hard drive. If you’ve only encrypted one folder and not your entire hard drive, that file can likely be accessed in an unencrypted area of your hard drive. Second, encrypting a file or folder is a simple way to secure data and email it to a recipient.
Word for Mac allows you to encrypt any Word document via Preferences > Security. Create a password to secure the document. You can also encrypt PDFs with Mac’s native Preview tool. Go to Print > Save as PDF and then set the PDF security to require a password. Encrypting folders on the Mac requires you to use a secure disk image. You can create a secure disk image by opening up Disk Utility (use Spotlight, that is, command + space bar, to find Disk Utility). Then, go to File > Disk Image from Folder and select the folder you wish to encrypt. After you have created the secure disk image, delete the original folder.
Encrypt Word documents from within Microsoft Word by selecting File > Info > Encrypt with Password. For PDFs (also works with other file formats), right click on your document then select Advanced > Encrypt contents to secure data. The same right-click method also works for encrypting folders.
Smartphones are highly susceptible to inadvertent disclosure of client data because of the high rates of lost or stolen devices. Without passcode protection, information can easily be retrieved. With iPhones, as long as you use a passcode or Touch ID (iPhone 5s or later) the contents of your phone are automatically encrypted. To boost security, it is advisable to change the default four-digit passcode option to a longer alphanumeric code. Android models starting with 6.0 (and some 5.0 phones) ship with encryption turned on by default. To ensure that encryption is activated, check in Settings > More > Security.
Most attorneys neither think about nor worry about the interception of client calls. But if you have a high-profile case that may be a target for interception, it’s worth looking at your options. FaceTime, a native iPhone app, encrypts audio end-to-end; however, you have to call another iPhone user for encryption to work. Similarly, iMessage on the iPhone encrypts text, but only when texting iPhone to iPhone. Two third-party applications, Signal by Open Whisper Systems and WhatsApp, have become popular for encrypted calls and texts; both are available for iPhone and Android.
Below are four different methods you can use to securely share files over the Internet.
- Encrypt individual files or folders and send via email.
As noted above, you can encrypt individual files and folders and attach those to an email. Then do one of the following: call or text the recipient with the encryption key (i.e., the password), and just don’t send the password in the same email as your attachment; secure the files with information only the recipient would know (e.g., a Social Security number) and alert them; or secure the files with a pre-agreed password.
- Use a secure cloud storage program and share the link with the recipient.
You can accomplish this with services such as Dropbox, Box, and Google Drive. (As an aside, you should vet all cloud-based providers before using their service and take certain security precautions, such as using strong passwords and implementing two-factor authentication.) First, save the file to the cloud storage program and then share the file link with only the recipient.
- Use a secure client portal.
Most case management systems such as Clio, RocketMatter, MyCase, Cosmolex, and ZolaSuite have a secure client portal to communicate with clients. All your clients need is a username and password. You decide what to share with your client via the portal. This also helps keep your client informed and reduce email correspondence.
- Use an email encryption service.
There are many available and all work a bit differently. For example, Streak Secure Gmail is a simple add-on to Gmail. To encrypt a message, you select the lock button next to “Compose” to compose a new secured message. Streak will encrypt the entire contents of the email and attachments. All you need to do is set a password and give your recipient a hint. The recipient receives a garbled email with your hint and a prompt to enter a password.
More sophisticated services such as ZixCorp offer the ability to set rules that will trigger when you try to send emails containing certain information, such as a Social Security or financial account number. The recipient can view the email and attachment after registering their email address with ZixCorp and creating a password.
For additional encryption services, take a look at Citrix ShareFile, Enlocked, Go Daddy Office 365 Add-On, HushMail, Microsoft 365, RPost, Sendinc, Trend Micro, Trustifi, Virtru, ProtonMail, and Voltage. When selecting any email encryption service, test it out to determine how easy or difficult it is to use on both the sender’s and the recipient’s end.
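The content rules described above (trigger on a Social Security or financial account number) can be sketched as follows. This is an added illustration, not ZixCorp's or any vendor's implementation; the rule names, function names and sample messages are hypothetical, and treating payment card numbers as the "financial account number" case is an assumption. It goes slightly beyond the text by validating each match so that docket numbers and similar digit strings do not trigger encryption.

```python
import re

# Hypothetical patterns for illustration; real gateways configure rules in the product.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def valid_ssn(area, group, serial):
    """Reject ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area[0] == "9":
        return False
    return group != "00" and serial != "0000"

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_outbound(subject, body, attachment_text=""):
    """Return the sorted names of the rules this message triggers."""
    text = "\n".join((subject, body, attachment_text))
    hits = set()
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("card_number")
    return sorted(hits)

def route(subject, body, attachment_text=""):
    """'encrypt' if any rule fires, otherwise 'send' as ordinary email."""
    return "encrypt" if scan_outbound(subject, body, attachment_text) else "send"

# Constructed sample messages (not real client data).
SAMPLES = [
    ("Intake form", "Client SSN is 123-45-6789."),
    ("Retainer", "Card 4111 1111 1111 1111, exp 01/30."),
    ("Hearing", "Docket 2017-45-1234 is set for Tuesday."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", route(subject, body), scan_outbound(subject, body))
```

Pattern rules like these only see text the gateway can read, so a scanned image or a password-protected attachment passes through unflagged.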
If you’ve made it to this point in the article, I have complete confidence that you can implement any of the aforementioned solutions. The (hopefully minimal) time and resources will be well spent in comparison to the cost of a potential data breach in your practice.
Heidi S. Alexander, Esq. is the director of Practice Management Services for Lawyers Concerned for Lawyers, where she advises lawyers on practice management matters, provides guidance in implementing new law office technologies, and helps lawyers develop healthy and sustainable practices. She frequently makes presentations to the legal community and contributes to publications on law practice management and technology. She is the author of the ABA Law Practice Division’s Evernote as a Law Practice Tool and serves on the ABA’s TECHSHOW Planning Board. Heidi previously practiced at a small firm and owned a technology consulting business. She also clerked for a justice on the highest court of New Jersey and served as the editor-in-chief of the Rutgers Law Review. She is a native Minnesotan, former collegiate ice hockey goaltender for the Amherst College Women’s Ice Hockey Team, and mother of three young children.