Encryption Keeps Files and Client Information Confidential

By Martin T. Tully – April 12, 2012

In “Tablets + The Cloud = A Powerful Mobile Presentation Tool,” we lauded the advantages of pairing tablet computers and the Cloud to enhance evidentiary presentations. Some lawyers, though far from Luddites, will just never be comfortable placing work product in the cloud. With reports of data-security breaches seemingly becoming weekly news, you can hardly blame them. Particularly disturbing was last summer’s revelation by web-based storage firm Dropbox that a programmer’s error caused a temporary security breach that, for about a four-hour period, allowed any password to be used to access any user account.

Sticking to email and local storage doesn’t always provide much comfort, either. Email accounts can be hacked, and everyone knows someone who has lost a flash drive or left a laptop or mobile device in a cab. Indeed, in recent years, there have been numerous reports of confidential data such as personal records being exposed through loss or theft of laptops or backup drives. But these tools are essential to the modern practice of law. What is a concerned, conscientious lawyer to do?

Improve the chances that your confidential work product and client information stays that way by encrypting your files. Encryption can be used to protect both data “at rest,” such as files on computers and storage devices (for example, flash drives), and files sent as attachments to emails. Encrypting these files helps protect them, should physical security measures fail.

Simple and free online tools exist that can be used to either encrypt individual files or an entire flash drive. For example, TrueCrypt is a free, open-source software system for establishing and maintaining an on-the-fly-encrypted data-storage device. On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Furthermore, the entire file system is encrypted, including file names, folder names, the contents of every file, any free space, metadata, and more.

Files can be copied to and from a mounted TrueCrypt volume the same way they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically being decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume. Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file that is to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory requirements for TrueCrypt.

Encryption can also help those who do use web-based storage to sleep a little better at night. For example, files can be encrypted before they are uploaded to, say, DropBox, SugarSync, or Mozy Stash. Or, you can use SpiderOak, a “secure and consolidated” free online backup, sync, sharing, access, and storage solution. Unlike DropBox, SpiderOak prevents anyone except you from decrypting your file, because the decryption key is not stored on their server. Instead, the key is stored on your local computer when you install the client. Please note that if you use SpiderOak and forget your password, then you will not be able to access your files again, because passwords are created locally and not stored on their server. Moreover, there is no password recovery feature, so they could become very secure—even from you!

Keywords: litigation, technology, cloud computing, encryption

Martin T. Tully is a partner at Katten Muchin Rosenman LLP in Chicago, Illinois.

Copyright © 2013, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).