If you haven’t heard the word encryption (most likely on a daily basis) you may have been living underneath a very large internet signal proof rock for the last few years.
Lawyers are guilty of switching off when it comes to crucial IT topics (updates on law, compliance and clients tend to keep us busy) and I am yet to meet one who is very familiar with this topic.
Why do we need to know about encryption?
We can’t safely implement a solution alone in a complex and crucial area of IT where we lack expertise, but we still need to oversee and understand what processes are used to ensure our data is secure, and know how well those processes work.
Why? Because in the unthinkable event that our sensitive client data is accessed and read by an unauthorised third party, we’d need to report that to the Information Commissioner’s Office, the SRA and all our affected clients.
At worst, we could face legal action from our clients, investigation and/or fines from the Information Commissioner’s Office, and regulatory investigation and consequences from the SRA.
Not a combination we would want to wish upon ourselves or even our worst enemy.
What is Encryption?
Let’s start with the basics. Encryption is simply a method of coding data so that only someone with a “key” can decrypt it. So if our data is accessed by an unauthorised third party, they obtain meaningless data, not confidential client information.
But as we know, some codes are easier to crack than others. The good news is that encryption software providers rely on unbreakable encoding processes so that they can sell their software.
The bad news is that there are expert opinions concerning vulnerabilities in some encryption systems, and also encryption can be used against us; there are high profile incidents of hackers accessing data, encrypting it then demanding a ransom from their victims.
What data should be encrypted?
Data Protection and IT security measures including encryption are a nightmare to negotiate for us as non-experts, but vitally important to get right and for us to be on top of. It’s not just a case of deciding what to encrypt (that’s the easy part – all data should be encrypted), but what software we use to encrypt data and how.
Because we know nothing or nearly nothing, we need to trust an IT expert (not an IT salesperson) on what solution works best for the very high standards of data security we need to maintain. There are many many choices on encryption software to use, but first let’s briefly consider what data needs to be encrypted where.
Where should it be encrypted?
Firstly, any locally stored data on servers, PC’s, mobile phones, laptops and tablets should be encrypted “at rest” – this means that the data on the hard/storage drive should be encrypted so that if it is hacked or if the device is stolen, it cannot be read without entering the password. The usual device account password alone won’t prevent the data from being read or accessed if the device is stolen.
Secondly, if you store data “in the cloud” (marketing lingo for someone else’s computer), the data held at rest on this server should be encrypted, so if the third party’s servers are hacked, the data cannot be read or misused. And if you use a big provider, however much they harp on about data security, its very likely lots of people will be trying to hack their systems.
Finally, data in transit should be encrypted. That means data sent by email and from one location to another (e.g. from a local PC to a server) should be encoded so that any unauthorised third party cannot read the data while it is travelling from location A to location B. This is where I can use a second buzz-phrase; “end-to-end encryption” (used by WhatsApp) which basically means that data that is sent between PC’s/communication devices in encrypted in transit and so cannot be read, though this still doesn’t necessarily mean that data is impenetrable.
How could client data be compromised?
If you or your IT staff have achieved all three of the above at your law firm you are doing pretty well, especially if you actually understand the processes involved.
But what if the encryption process itself is compromised? That could happen in two ways; if the password is obtained or “cracked” by a third party who then uses the password to access the data, or secondly if the encryption process itself is compromised. Both are unthinkably awful.
The risk of an unauthorised third party gaining your password can be reduced by changing the password regularly, making sure it is complex and so not easy to crack, and of course making sure that not knowledge of the password is restricted to as few individuals as possible.
Knowing whether the encryption process itself could be compromised is about implementing a tried and tested solution that provides guarantees concerning its suitability for business use. In Part 2 I look at some encryption processes and product options.