Avansic Whitepaper: Spooked By Encryption? How to Use it in Your Law Practice and E-Discovery
10-14-2014, Avansic - Corporate
http://www.avansic.com/News/Releases/
Definition
Encryption is the process of encoding messages or information in such a way that only authorized parties can read them. Encryption does not prevent interception, but it makes the content difficult for the interceptor to understand.

Encryption goes beyond simple password protection – for instance, your computer has a password, but that can be bypassed by someone with the knowledge and ability to start a computer from a thumb drive or boot CD (this typically requires some IT knowledge). However, if the computer is both password-protected and encrypted, it is much more difficult to access the data in a useable form.

So why doesn't everyone encrypt everything? Every added element of security introduces a loss of convenience and requires extra steps before using the data. Encryption requires the use of additional software, maintenance of keys, personnel training, an additional burden on Information Technology staff, and extra work for anyone sending or receiving encrypted digital data.

Case Study
This case involved malpractice allegations against a hospital, and as such involved Personal Health Information (PHI) covered under HIPAA. Attorneys wanted to ensure that they properly protected any potential PHI the firm would receive (email or otherwise) and that any e-discovery vendors would do so as well.

First, the lead attorney contacted the IT department at the firm to discuss the encryption requirements set forth in HIPAA: data at rest must meet NIST (National Institute of Standards and Technology) Special Publication 800-111, and data in motion must meet NIST Special Publication 800-52, 800-77 or others which are Federal Information Processing Standards (FIPS) 140-2 validated. In this case, one of the IT staff had a background in information security and was familiar with these requirements. The firm's IT department proceeded to make several hardware, software and procedural changes. These included physical and local security of the firm's servers, devices and data, and the creation of secure means for communication and filesharing (such as Secure FTP and encrypted email). The most complex change, which addressed several HIPAA requirements, was two-factor authentication. This requires users to present two of three types of authentication when they log in to a system: something you have (e.g., a keycard or dongle), something you are (e.g., a fingerprint or iris scan), and/or something you know (e.g., a password).

When the firm received a production of requested documents from the opposing party, they requested that information be encrypted based on the “data at rest” specifications outlined above. In the meantime, the attorneys had carefully interviewed a number of e-discovery vendors about their experience with encrypted data, handling PHI and other security protocols; they selected a vendor that had worked on several cases involving PHI and was able to quickly and articulately outline its procedures in those types of cases. They also discussed each vendor's online review tool offering and whether it could handle HIPAA's encrypted storage and transmission requirements.

When the production arrived, the firm sent the drive to the vendor along with its instructions for e-discovery processing and loading into the online review tool. The vendor received the encrypted drive, performed the necessary processing steps and loaded the information into the online review tool, making sure to maintain physical and logical separation of this case's data.

When the review was complete, the vendor created a production to the attorneys' specifications, properly encrypted it, and sent it back to the firm. Once the case was complete, both the firm and the vendor made sure to purge and destroy electronic media per NIST Special Publication 800-88.

How Does Encryption Work?
Encryption works by using established algorithms to translate data into a different form by using an encryption key. There are a number of encryption protocols and each uses various key lengths and different methods of key exchange. If a file is encrypted, you can't open a file to see what is inside without the decryption key, but some encryption programs and protocols allow you to see filenames and other metadata without a key.

Email is the most obvious place to apply the additional security of encryption. Currently, non-encrypted email systems send data in plain text. This means that email is essentially being sent in a clear envelope through the internet - it's uncertain who handles that information as it is routed to its destination. Encrypting email scrambles that letter so that only someone with a key can open it.

There are a number of tools available to encrypt email and documents. Some are free or packaged with other software, such as BitLocker and 7-Zip, and they employ algorithms widely accepted to meet and exceed the NIST and FIPS standards when appropriately used. However, care should be taken since history has shown that backdoors can be discovered and revealed in previously accepted industry standards (TrueCrypt).

Law Practice Use of Encryption
More law offices are handling encrypted documents or emails in order to comply with regulations (such as HIPAA) or protect sensitive corporate information at the behest of their clients. There are different types of encryption for data at rest and data in transit. For instance, if you use BitLocker to encrypt a server's physical disk, then turn the server on and log in, the system is now considered open to attackers; disk encryption only protects the system from physical theft, not electronic penetration. This is why encryption of data in transit is handled differently.

Encryption is a required protocol for any electronic data that might contain Personal Health Information (PHI) under HIPAA, as discussed above. Everything that is received by a vendor or produced by a vendor (even if the PHI has been redacted) must be encrypted to those standards as well. Regulations in other sectors, including financial services and energy, may also require encryption.

If you encrypt client data, it is easier to destroy it since “losing” the encryption key essentially renders it unreadable (as required by HIPAA). At the same time, when a matter is closed and it is time to remove access to data it will not be necessary to search through backups to locate all copies of the encrypted data. Instead, you can destroy the backups of your encryption key and leave the encrypted data on the backup. However, this is a double-edged sword since loss of the key might render needed information unreadable by authorized parties.
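The key-destruction approach described above, sketched as an added example that is not part of the original whitepaper. It uses one key per matter; the HMAC-SHA256 keystream cipher is a standard-library stand-in for a vetted cipher such as AES, and the matter names, documents and in-memory key store are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _stream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream of at least n bytes (32 bytes per PRF call).
    return b"".join(_prf(enc_key, nonce + i.to_bytes(8, "big"))
                    for i in range(n // 32 + 1))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, nonce + ct)

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _stream(enc_key, nonce, len(ct))))

def can_open(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False

def readable_copies(matter: str, keys: dict, backups: list) -> int:
    """Count backup copies of a matter that can still be decrypted."""
    key = keys.get(matter)
    return sum(1 for b in backups if key and matter in b and can_open(key, b[matter]))

def demo() -> dict:
    # Constructed sample data: two matters, each encrypted under its own key.
    keys = {m: secrets.token_bytes(32) for m in ("matter-A", "matter-B")}
    docs = {"matter-A": b"patient chart (constructed)",
            "matter-B": b"contract draft (constructed)"}
    live = {m: seal(keys[m], d) for m, d in docs.items()}
    backups = [dict(live) for _ in range(3)]  # three backup sets, ciphertext only
    before = readable_copies("matter-A", keys, backups)
    del keys["matter-A"]  # matter closed: the key and every backup of it are destroyed
    return {"before": before,
            "after": readable_copies("matter-A", keys, backups),
            "other_matter": readable_copies("matter-B", keys, backups)}
```

Deleting a dictionary entry only models the destruction step; the approach depends on the key never having been stored alongside the data backups and on every copy of the key actually being destroyed.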

Hackers and Encryption
Encryption can also be used for nefarious purposes. Several law firms have recently been targeted by hackers using ransomware like CryptoLocker. This malware encrypts entire hard drives' or servers' worth of firm information and essentially holds it for ransom – the attackers promise to give the firm an encryption key after being paid a certain amount of money, usually within a short timeframe. They will often demand payment in the form of Bitcoin, a virtual currency. This makes the perpetrators even more difficult to track down.

The best defense against this type of incursion is adopting the security principle of “least privilege” in a firm's information technology use. This means that a user can only access the information and resources that are specifically essential for their purpose; for example, an attorney can only access fileshares relating to his cases, not those of another group, and individuals log in to their computers as a normal user rather than with an administrator account. Of course, any added security introduces a lesser convenience – it may mean users calling the IT department when installing an update for their software since they don't have administrative rights.

The second best defense firms have is to take regular and comprehensive backups of their email and file servers, so even if someone encrypts their live systems, they can draw from backups and continue business operations with minimal interruption.

Encryption and E-Discovery
When sending a large production to an opposing party or government agency, encryption does not affect the usability of the data. However, using that same technology for day-to-day functions such as email may be inconvenient – the same tradeoff of higher security for less convenience mentioned above. It should be noted, however, that as regulations continue to be added and amended, encryption might soon stop being an option and become a requirement within certain industries.

Vendor selection is very critical when encryption is part of the process, and carefully interviewing potential vendors about their experience with encryption and with sensitive data is key. Handling the extra steps, particularly if online review is involved, requires a higher level of information technology sophistication than some may have.

Conclusion
A law firm's introduction to encryption may be during e-discovery for a case. When dealing with encrypted ESI in e-discovery, there is a much higher level of cooperation required among the parties. Implementation of key exchange, secure sites or devices to exchange data, changing passwords and other day-to-day tasks require expertise that is currently not ubiquitous. The benefits of encryption may extend to additional areas of a law firm's general business practice, and the increased security may outweigh some of the extra steps required for implementation.