How and where do I encrypt sensitive client data?

In Part 1 of this post I looked at what data encryption is, why it's important for us to understand it, and what data should be encrypted where. This is Part 2, where I look at some encryption processes and software options.
You are most likely already using different encryption tools for different aspects of data storage and transit; for example, the software used to encrypt emails may be different from the software used to encrypt data stored on servers or PCs. If you're shopping for new encryption software, don't expect to find one provider that does a complete job everywhere.

Specific software recommendations are beyond my expertise, but if you start by checking out reviews of encryption software for businesses, you’ll find a very mixed bag of offerings.
Local device encryption
Some software packages, such as VeraCrypt, will encrypt the whole hard drive of your local PC, or create an encrypted container for selected files. This is essential for any laptop or desktop that could be lost or stolen: with full-disk encryption, a thief who pulls the drive out of a powered-off machine gets nothing readable. Another option is BitLocker, which is built into the Pro and Enterprise editions of Windows (not the Home edition). Two caveats apply to any disk encryption product. It protects a device that is switched off or locked, not one that is running and logged in, so it is no defence against malware or against a user who walks away from an unlocked machine. And the recovery key must be stored somewhere the firm can reach it; if the only copy lives on the encrypted drive, a forgotten password or a hardware change can lock the firm out of its own data.
Email encryption
Other encryption software, such as Cellcrypt, offers encrypted messaging and voice calls for mobile devices. There are also numerous packages that offer end-to-end encryption for emails sent from desktop computers or mobile devices. Microsoft Office 365 Enterprise E3 and E4 users can configure an email encryption service which does not require the recipient to install software to read the encrypted email; instead they open it in a web portal with a passcode. Whatever product you choose, ask who holds the keys and where: if the provider can decrypt the message on its own, the protection is against outsiders on the network, not against the provider or anyone who can compel it.
Encryption of data in transit

This is a complex but essential area of IT security, and expert knowledge and input is essential. Whenever data travels across a network, whether as an email, a web session, a file sync or a remote desktop connection, anyone positioned on that network can read it unless it is encrypted in transit. The workhorse here is TLS, the protocol behind the padlock in your browser, which most cloud services and mail servers also use between themselves. Lower cost "network level" encryption and data protection is possible, but it requires a combination of solutions and the details are beyond the remit of my basic knowledge.
One method is to use a Virtual Private Network (VPN) to encrypt traffic in transit, commonly between local PCs, mobile devices and servers on a work network. Be clear about what a VPN covers: the tunnel between the device and the VPN endpoint (usually the office). Traffic that leaves the office network for the wider internet still needs its own encryption, typically TLS. There is also a free worldwide network called Tor, which aims to let its users browse anonymously by relaying encrypted traffic through several volunteer-run nodes; it is designed for anonymity rather than for protecting a firm's client data, and traffic leaving its last node to an ordinary unencrypted website is readable there. A number of commercial VPN services also exist.
Encryption of data held “in the cloud”
So you're using someone else's computer to store your data. The provider says it's secure and suitable for holding sensitive data, but is that assurance enough? Maybe not, especially if the guarantee cannot be found in the contractual small print. Most providers do encrypt what they store, but they hold the keys, so their staff, an intruder on their systems or an authority that compels them can still read your files. There are software products which encrypt your files on your own device before they are synced or uploaded, so the provider only ever stores ciphertext and a breach on their side yields nothing readable without your key. One of these products is BoxCryptor. The trade-off is that the key is now your responsibility: if it is lost, so is the data, and if it is stored alongside the files, nothing has been gained.
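To make the cloud point concrete, here is an added example (mine, not code from the original post and not BoxCryptor's code) of what client-side encryption does before a file is uploaded. It uses AES-256-GCM from Go's standard library; `CloudStore`, the file name and the document text are constructed stand-ins, not any real service or matter. The provider stores only the sealed blob: it cannot read it, cannot alter it without the change being detected, and cannot open it without the key. The key is the one thing the firm has to guard and back up.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 32-byte AES-256 key. In practice this is the secret
// the firm must back up and keep away from the cloud provider.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a file's contents on the client with AES-256-GCM and returns
// nonce || ciphertext || tag. The nonce is random per call, so the same file
// encrypted twice produces different bytes. Only this blob leaves the device.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving one self-contained blob.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error if the key is wrong or if any bit
// of the stored blob was altered, so a provider (or an intruder on the
// provider's systems) who can modify stored files cannot do so undetected.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// CloudStore is a constructed stand-in for the provider's storage, not any
// real service: it holds whatever bytes it is given and is fully readable
// and writable by whoever controls it.
type CloudStore map[string][]byte

// Leaks reports whether the provider could find the given plaintext fragment
// by reading what it stores, the question client-side encryption answers "no".
func (s CloudStore) Leaks(name string, fragment []byte) bool {
	return bytes.Contains(s[name], fragment)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a privileged client document.
	doc := []byte("Re: Smith v Jones. Client instructs us to settle at 40,000.")
	store := CloudStore{}

	blob, err := Seal(key, doc)
	if err != nil {
		panic(err)
	}
	store["matters/smith-v-jones.txt"] = blob
	fmt.Println("provider can read client name:", store.Leaks("matters/smith-v-jones.txt", []byte("Smith")))

	// The holder of the key gets the document back unchanged.
	back, err := Open(key, store["matters/smith-v-jones.txt"])
	fmt.Println("owner decrypts:", err == nil && bytes.Equal(back, doc))

	// Someone on the provider's side flips one bit; decryption now fails.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Println("tampering detected:", err != nil)

	// Without the key, the provider's copy is useless even to the provider.
	other, _ := NewKey()
	_, err = Open(other, blob)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The example keeps the key in memory only; a real product derives it from a passphrase with a slow key-derivation function or keeps it in a key manager or hardware token, and the point that matters is that it never travels to the provider. The random 96-bit nonce must not repeat under one key, which is safe for the number of files a firm holds; a system sealing billions of objects would use a counter or a fresh key per file.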
Encryption of data held on a server
Is the data "at rest" on your server encrypted? If not, it could be vulnerable. On Windows Servers you can use BitLocker to encrypt data at rest. Thales (formerly Vormetric) say their products offer encryption solutions for any server. Be clear about what disk-level encryption buys you: it protects against a stolen or discarded drive and a server removed from the rack, not against an intruder who logs into the running server or steals an application's database credentials, because the operating system decrypts the data transparently for anyone it considers authorised. If you are not sure what server you have and whether data is encrypted on it, you need to find out how it is encrypted, who holds the keys, and what vulnerabilities remain even with the data encrypted.
What next?

As with all IT related matters, this isn't an easy decision making process, and it is definitely one where you need to orientate yourself on the key issues, then carefully assign the practicalities of choice and implementation to an impartial IT professional, with appropriate oversight from management. Now for the important disclaimer: I cannot verify the suitability of any product mentioned in this post for use by law firms!
Some further guidance on encryption practicalities and the legal framework is provided by the Information Commissioner’s Office, and the Law Society provide comprehensive guidance on Cyber-Security issues for law firms.
If you haven't done so already, the Law Society's free online cyber-security course for Legal and Accountancy professionals is a great starting point for getting yourself orientated on the relevant issues. You could also complete a data/information security audit, where you work with IT professionals to produce a comprehensive report or map which shows you how and where every aspect of your sensitive data is stored and sent, and addresses any potential vulnerabilities.
Whether you’re expert or inexpert on IT issues, your comments are welcome. Please also get in touch with me if you provide IT services to law firms and would like to write regular posts for this site on IT issues.
Hi there,
I don’t normally contact websites, but I really thought I should say thank you.
I’m not a tech-savvy person, so I don’t even remember what I searched on Google to wind up on your website, but a couple of weeks ago I ended up reading this article on your site: lawpracticemanager.co.uk/it/how-do-i-encrypt-data/
This led me to explore more about VPNs, and I am now proud to say that I use a VPN on both my computer and phone.
I also wanted to let you know that while searching for information about VPNs, I found the video below. It explains what a VPN is, and I think it’s one of the best videos about VPNs I’ve seen. The concept is explained really clearly, and the imagery they use makes it easy to understand.
Since your other article got me involved in VPNs in the first place, I thought it would be a good idea to include this video there, too.
https://www.youtube.com/watch?v=_wQTRMBAvzg
Anyway, thanks again for introducing me to VPNs.
Best,
Madeline