Keep your sensitive e-data safe with encryption
Posted Feb 1, 2008 11:48 AM CDT
By Dennis Kennedy
We’ve seen a steady stream of stories about stolen laptop computers loaded with sensitive data. And USB flash drives make it easy to back up and transport important data, but they are just as easily lost or stolen.
Because lawyers’ computers generally hold confidential or sensitive information, no lawyer or firm wants to make the headlines for losing one.
There are commonsense ways to protect your hardware, especially on the road, but none are foolproof. A good security technique is to assume your first level of defense will fail and make a backup plan so you have a seamless and relatively painless experience when the failure happens. This is known as an “elegant failure,” and it’s a good thing.
Having your sensitive data encrypted is a particularly elegant example of elegant failure. If data is stolen or improperly accessed, the encryption protects it from compromise or exposure.
E-mail encryption was a hot topic in the late 1990s until the ABA issued Formal Opinion 99-413. This opinion has been expansively interpreted—fairly or unfairly—to mean lawyers do not have to be concerned about encrypting e-mail. It’s an open question whether the opinion would be the same if it were issued today.
However, let’s take a closer look at another type of protection: disk encryption. Using encryption, you can secure certain files on drives or portions of drives (including hard drives or USB drives) or specific folders. Some encryption tools even hide the encrypted folders from anyone who doesn’t know they exist.
In the past, people worried—justifiably—that encrypting drives would make their work slower and more cumbersome. Today’s faster drives and processors make those performance issues much less of a concern.
However, two other recent developments are also changing how we look at encryption. First, Windows Vista, in its Enterprise and Ultimate versions, has a built-in drive encryption tool called BitLocker.
Second, Dell recently began to offer notebook computers with Seagate’s Momentus 5400 FDE.2, an encrypted hard drive with a special chip devoted to full disk encryption. This built-in encryption will cost an extra $100, but moving encryption to a chip eliminates performance concerns.
On the software front, your reasons for not considering encryption are diminishing. For example, the highly rated open-source encryption software TrueCrypt is available at no cost and is just one example of free or low-cost encryption alternatives.
I recommend you experiment with TrueCrypt and a spare USB drive to help you learn about disk encryption and make your own decisions. I definitely recommend reading the manual before you launch. This is not the kind of program you want to fire up and go.
In my case, I downloaded and installed TrueCrypt by using a spare USB drive and designating a 30-megabyte folder for the encrypted files. I let TrueCrypt create an encrypted folder for me.
TrueCrypt prompted me to create a strong password (eight or more characters including numbers, symbols and upper- and lowercase letters). In a moment or two, I could add files to this folder, where they were encrypted and hidden. Later I used TrueCrypt and my password to locate, open and unencrypt the files.
Are there any concerns? Yes. If you forget your password, you will not be able to recover your encrypted files. Really. That’s what strong encryption means.
When you balance the risks of loss or exposure of sensitive data against the costs and effort in encrypting data and drives, it’s becoming clear that we’ll see many lawyers moving to disk encryption in the very near future. The encryption world has changed, for the better, and it’s time for lawyers to revisit the encryption question with fresh eyes.