Encryption ABC’s, easy as 1-2-3

The Massachusetts Data Protection statutes and rules compel encryption in certain scenarios and a modern interpretation of the Massachusetts Rules of Professional Conduct would suggest that encrypting data is the appropriate move in certain circumstances. Beyond that, it's also a pretty good idea, as a general practice, to encrypt your clients' sensitive data. Fortunately, it is not all that difficult to encrypt your files. In fact, as suggested by the title of this post, it's as easy as 1-2-3.

When you're determining a process for encrypting your law firm data, you'll need to ask yourself three basic questions:

  1. What are you encrypting? (a single document, a DVD, a device, etc.)
  2. How often will you need to encrypt? (one document every so often, document packages, pretty much every e-mail you send, etc.)
  3. Which encryption platform will you use? (a PDF conversion tool, e-mail encryption, whole disk encryption, etc.)

The most useful way to flesh out the practical responses to your encryption choices is to examine six scenarios based on the above factors and determine a course of action for each. The more often you encrypt, the more automated a solution you should seek. The following situations represent the most common encryption questions we receive at LOMAP:

If You're Encrypting One Document at a Time: You'll be able to encrypt your documents in as few as four simple steps: select the security option, create a password, reenter the password and save the document. Popular options for encrypting single files include Adobe Acrobat and Microsoft Word, through which you can lump additional document security on top, if you wish. If Acrobat and Word are too expensive for your tastes, there are a number of cheaper document creation tools out there, including OpenOffice and LibreOffice; on the PDF side, there are, among others, Nuance PDF Converter, CutePDF and PDF Forge.

If You're Encrypting Document Packages: You'll be able to use the same tools listed above, but you should wait to apply your encryption to the document package until the entire package has been completed. You could, and likely should, encrypt individual inclusions if you will maintain those separately.

If You're Encrypting E-mails: If you occasionally send e-mails with matter that should be encrypted, it is probably easier to just encrypt the document(s), or the document package(s), that you send. If you regularly send e-mail that needs to be encrypted, it probably makes more sense to use a tool built into your e-mail system that will allow you to encrypt on the fly, often via the use of a trigger word of some kind to turn on (or turn off) the encryption protocol. There are a number of options in this line, likely not to cost you more than $10/month/e-mail account. An alternative would be to use a completely encrypted e-mail system, like Hushmail, but that only works with other Hushmail users, and modern business uses generally require wider flexibility.

If You're Encrypting Devices: If you have a significant number of files saved to your device that must be encrypted, there are paid services (like Symantec's PGP) and freeware options (like TrueCrypt) that will allow you to apply encryption to your entire device. Some systems feature built-in encryption tools, such as Microsoft Office's BitLocker. Smartphones remain an outlier, as the platforms on which those devices run utilize different encryption protocols. Inquire with your provider as to what might work best respecting your particular phone.

If You're Encrypting Folders: If you don't want to encrypt your entire device, you could encrypt only those folders that contain sensitive documentation, or place all of your sensitive documentation into one folder that you would then encrypt -- although the latter method could conceivably wreak havoc upon your file organization. Most of the tools available to encrypt devices would allow you to encrypt individual folders, as well.

If You're Storing to the Cloud: Most of the reputable cloud providers will provide something like "government-level" encryption, in much the same way that carmakers used to offer the application of "space age polymers" to their construction plans. With any data retention system, the application of a secure password is essential. That requirement takes on further importance in relation to cloud-based systems, where access is almost completely predicated on password manipulation. Turn on two-factor authentication if it is offered by your provider.  But keep in mind that, if you rely on vendor encryption, the vendor will apply and know (in most cases) the encryption codes for your documents. If you want to overturn the tables and take back that power, I've written on a number of methods for accomplishing that, representing various sorts of usage frequency and automation levels; that's here.

It's inarguable that encryption technologies provide an additional layer of security for electronic business documents, but objections to the use of encryption remain largely centered around the administrative burden created by the steps required for applying encryption protection. Even though encryption does often require at least one extra step, however, the benefit of securing your client's data is worth it. In any event, the application of the correct tools, specific workflows and general processes can reduce the time spent handling individual tasks.

Tip courtesy of Jared Correia, Law Office Management Assistance Program.

Published August 22, 2013

