You are here

Data encryption as a tool for lawyers to meet confidentiality obligations

Research articles : 
Introduction
Most lawyers would have heard the word “encryption”, and many have likely heard that encryption is a tool they should consider using to ensure confidentiality of client data. However, many lawyers would not have actually used encryption, perhaps due to not knowing how to go about encrypting data.
 
This article briefly refers to the important obligation on lawyers to maintain client confidentiality, reviews how data encryption can be used to help meet confidentiality obligations, and provides practical hands on tips for actually using encryption to protect client data.
 
Lawyers duties of confidentiality
As a matter of common law, lawyers owe clients common law duties of confidentiality:
 
Every lawyer owes a professional duty of confidentiality to his or her clients
(HMTQ v. Imperial Tobacco Canada Limited, 2013 BCSC 1963 at para. 21).
 
In addition, codified rules set out in professional codes of conduct expressly impose confidentiality obligations on lawyers. For example, in the Code of Professional Conduct for British Columbia it is stated:
 
A lawyer at all times must hold in strict confidence all information concerning the business and affairs of a client acquired in the course of the professional relationship and must not divulge any such information unless:
(a)        expressly or impliedly authorized by the client;
(b)       required by law or a court to do so;
(c)        required to deliver the information to the Law Society, or
(d)       otherwise permitted by this rule.
(Code of Professional Conduct for BC, s. 3.3-1)
 
Breach of duty to not take reasonable steps to protect confidential information
If a lawyer fails to take reasonable steps to prevent client confidential information being disclosed to unintended recipients that would constitute a breach of the confidentiality duties owed to the client the information pertained to. For example, if a lawyer left confidential client documents on a coffee shop table available for others to review, that would be a breach of the obligation to protect client confidential information. Similarly, if a lawyer left a laptop with no password protection in a coffee shop such that anyone could review the data on that laptop, that would be a breach of the obligation to protect client confidential information.
 
But what if the papers, or laptop, were left in a vehicle which was then broken into. Depending on the content of the paper documents, it may well be a breach of duty for leaving them in the vehicle in the first place. In the case of a laptop which may be more commonly left in a vehicle (or some other place it may be stolen), if it contains client confidential information on it then not having, at the very least, a password on it would seemingly be a breach of duty. However, although many lawyers would not know this, a device password offers little protection on a device such as a laptop where the data storage unit (e.g. the hard drive) can be physically removed from the device and plugged into another device to which the snooping eyes do have the password i.e. if the data on a hard drive is not encrypted then a thief can take the hard drive out of your laptop and put it in his laptop and see all of the data on that hard drive. Therefore, device passwords are not sufficient but rather the data on the storage unit should be encrypted.
 
What is encryption
Encryption is the process of encoding information in such a way that only authorized persons can interpret it.
 
One basic method of encrypting plain text, for example, is to convert each letter of the alphabet into a number (e.g. A = 1, B = 2, …) and then apply a secret sequences of steps to replace each character with a different number (e.g. add 21, multiply by 10) such that the resulting string of information appears to a human reader to be an incoherent jumble of information.  Only if the sequence of steps needed to unwind the jumble is known can the jumble be undone i.e. decrypted.
 
Fortunately, it is possible to encrypt data on a device such that anyone without the decryption password sees only the jumbled information, and anyone with the password sees the data in unjumbled format and can work with it without being troubled too much by the fact it is encrypted.
 
There are many situations in which one may want to encrypt files. For example:
  • All of the working data on a computer hard drive can be encrypted if there is concern that the computer may be lost or stolen (particularly relevant for laptops). Note that a computer password does not protect the data on a data storage drive built into the computer because that drive can be physically removed from the device and then plugged into another device owned by the thief / hacker and for which they know the password. In order to protect the data on drive it is necessary to encrypt the drive.
  • When making a backup of data for safekeeping, one may want to encrypt that data before placing it into storage in the cloud, on an external hard drive, etc.
  • When sending sensitive information by email (a somewhat unsecure mode of communication) one may want to encrypt the email attachments containing the sensitive information.
 
There are two methods for encrypting data: software encryption and hardware encryption. Each of these methods are discussed below. 
 
Software based encryption tools
A common way to encrypt data is to place a software program between the operating system and the drive on which data is stored. Such encryption software will only run when a password is entered, and the software encrypts all data written to the drive, and decrypts the data when it needs to be read from the drive. The decryption keys are held by the software so removing and plugging the drive into another computer will not allow access to the data on the drive in a readable format.
 
The following describes different options for software encryption.
 
Software encryption tools included with Windows
 
Windows BitLocker is a software encryption tool included with the Pro, Enterprise, and Education editions of Windows 10, although not the Home version.
 
For Windows Bitlocker to run on your computer it is required that your computer have as part of its hardware a special computer chip called a Trusted Platform Module, but most modern computers with reasonable specifications will include this chip.
 
Windows Bitlocker may not have the very strongest level of encryption, but given its adequacy and ease of access given that it is already installed in Windows, it is a good option for convenient encryption and laptop owners should seriously consider turning it on.
 
To turn on BitLocker:
  • Press Win + S to activate the Windows Search tool
  • Type in “Bitlocker” (without the quotes) and then click on the search hit for Bitlocker to open up the Bitlocker control interface, and then follow the prompts to encrypt a particular drive:
 
You will be required to enter a password to be used by Bitlocker, and will be required to enter this password when logging on to your computer. Be sure to use a long and strong password.
 
Depending on how powerful your computer is you may notice a minor performance decline when running encryption software such as Bitlocker because each time data is read from, or written to, the hard drive it needs to be decrypted / encrypted by the encryption software, and this uses up computing resources.
 
An alternative to Bitlocker, and an option for users who do not have Bitlocker built into their version of Windows, is Cipher which is an encryption tool built into all modern versions of Windows, including Home editions. However, Cipher must be run from the Command Line of Windows which is too daunting for many users, and as well the ability to quickly and selectively encrypt and decrypt folders and subfolders is limited using Cipher. Most users who do not have Bitlocker included in their version of Windows should consider one of the standalone encryption software options discussed below.
 
Flashcrypt
Encryption software made by FS Pro Labs in 2008 that allows quick an easy encryption of a folder by (after installing the software) simply right clicking on the folder and then selecting “Protect with FlashCrypt”:
 
Selecting “Protect with FlashCrypt” from the Right Click Menu will bring up a dialog box that allows you to enter a password to unlock the encrypted folder that will be created:
After clicking the “Protect” button (see screenshot above) the folder will be encrypted:
Flashcrypt is useful if one wants to protect a folder to be sent by email, or on a USB key to be sent by mail / courier, although it is necessary for the recipient to have Flashcrypt installed on their computer.
 
Flashcrypt is also useful for encrypting data backups to be saved on your computer, external hard drive, or in the cloud.
 
Because encryption and decryption does not happen on the fly as small bits of data are needed but rather in one big batch operation, encryption and decryption can take a few minutes and so Flashcrypt is not the best software to use for encryption / decryption of daily working data on a hard drive i.e. Flahshcrypt is good if you want to wrap up a bundle of data to be shared, or stored for a long time, but other software options (see below) are better for managing and using encrypted data on a daily basis.
 
Flashcrypt was created by FSPro Labs in 2008 and although not available for download from FSPro Labs website, https://fspro.net/, it is still available for download from Softpedia: https://www.softpedia.com/get/Security/Encrypting/FlashCrypt.shtml.
 
FSPro Labs currently prefer to offer other, paid, encryption software on their website.
 
VeraCrypt
VeraCrypt, https://www.veracrypt.fr/en/Downloads.html offers free encryption software (donations encouraged) that allows creation of vaults (called “volumes”) that can contain encrypted data. The software is first used to create the container file (which will act as a vault / volume), and then the vault/volume is opened as if it is a standalone additional drive on the computer. The process of opening the vault / volume and setting it up as an additional drive is called “mounting”.
 
A password is required to mount the vault/volume as a drive, and once mounted as a drive the vault can be accessed like any other drive on the computer, and data copied into it. After work is complete, the vault can then be “dismounted” with the data safely in it, with only the password holder able to access it.
 
VeraCrypt can be used to create a large vault on the hard drive of your computer and all of your data can be stored in that vault. When starting work on your computer you will be required to mount the vault, and then dismount it when finished working, but apart from these minor inconveniences the user experience of using the computer should be similar to without encryption.
 
A further option with VeraCrypt is that one can create an encrypted vault on a USB key (or other storage medium such as an external hard drive) and the encryption software saved on the USB key side by side with the encrypted fault. This allows any USB key to be turned into a secure archive that can be sent by mail / courier without concern for the data being accessed by a thief along the way, and without the recipient needing to install any special software on his or her computer i.e. the encryption software is on the USB key and all the recipient needs is the password to unlock the vault and some instructions on how to operate the decryption software.
 
The following explains the process for creating, and accessing an encrypted vault using VeraCrypt.
 
It is recommended to download from https://www.veracrypt.fr/en/Downloads.html the “portable” version of VeraCrypt, which will provide a library of files such as the below, including an executable file (VeraCrypt.exe) which can be used to run VeraCrypt:
 
Running VeraCrypt.exe (by double clicking on it) will open up the VeraCrypt control window, shown in the top half of the screenshot below. To create a vault / volume:
  1. Click “Create Volume”.
  2. Select the option to “Create an encrypted file container” and then follow the prompts.
 
As part of the vault / volume creation process you will, at a screen as shown in the screenshot below, be asked to “select” a file to be the volume:
 
 
The “Select file” button might be better named “Create file / volume container” because the above process does not involve selection of any pre-existing file, but rather involves:
  • selecting the location for the vault / volume container to be saved (e.g. on your hard drive, on your USB key, etc.) and
  • specifying the name for the vault.
For example, the screenshot below shows how (after clicking the “Select file” button in the screenshot above) to create a vault named “my secret stuff” in a currently empty folder on a USB key:
 
 
After specifying the location and name for the volume / vault to be created, follow the further prompts until you get to a screen as shown in the screenshot below, at which point you will be required to wiggle the mouse about randomly to generate random data to be used in the encryption process. When the bar at the bottom of that window turns green (as shown in the screenshot below) you can then click the “Format” button and finish the volume / vault creation process.
 
After you have created the volume / vault, you can open it by again running the “VeraCrypt.exe” file (referred to above) and performing the following steps (number references as shown in the screenshot below):
  1. Click “Select File”, and then browse to the folder containing the encrypted vault / volume that was previously created as described above.
  2. After selecting the vault / volume check that its path is correctly shown in the Volume field.
  3. Select a drive letter to open the volume as i.e. just like you have “C” drive on your computer the vault when opened will be listed as an additional drive, just like occurs when you plug in an external storage device such as a USB key. Note how C: is excluded from the list in the screenshot below i.e. because that drive is already being used as part of the computer.
  4. Click “Mount” to mount the vault / volume to the selected drive.
  5. Enter the password and click “OK”.
 
 
Once the vault / volume is mounted as a drive you can access it like you can any other drive. When finished working with the data in the vault / volume, you can dismount it in the VeraCrypt control window.
 
If you wish to send an encrypted vault / volume on external media like a USB key (or an external hard drive, etc.) such that the recipient can open it without having to install any software on their computer, do the following:
  1. Create a vault / volume on the USB key.
  2. Open the vault / volume and save the data to be encrypted into it (following the process explained above).
  3. Outside of the vault / volume, but also on the USB key, create a folder and then load into it all of the program files for VeraCrypt (shown in the first screenshot above in this section on VeraCrypt). The VeraCrypt program files will use up about 60 MB of storage space. 
  4. Tell the recipient of the USB key to run the “VeraCrypt.exe” file (by double clicking on it) and then to open the vault / volume on the USB key using the VeraCrypt control window, and the password which you will have to provide to the recipient.
 
The above described process for creating vaults and adding data to them, and then later opening them as needed, is certainly more inconvenient than not bothering with encryption at all. However, the effort required for encryption is worthwhile when dealing with sensitive data, just like locking the front door of your house is worthwhile, although more inconvenient than leaving the door wide open so you can waltz in and out.
 
FSPro Labs
Other encryption software options are available, such as FSPro Labs, the makers of Flashcrypt, discussed above; they offer paid encryption products, which can be reviewed on their website, https://fspro.net/.
 
Axcrypt
Axcrypt, https://www.axcrypt.net/, is the maker of another popular encryption software with a free version with basic functionality, and a paid version (on a subscription model) with many additional features.
 
Hardware based encryption
An alternative to software based encryption is to use a drive with hardware based encryption, which essentially involves the drive having a special computer chip which encrypts the data as it is written to and read from the drive.
 
Such hardware encryption is often available on modern sold state hard drives i.e. drives that have the data stored on computer chips, as distinct from traditional hard drives that have data stored on a spinning metal platter with a magnetic coating. Such sold state drives may be built into a computer (particularly laptops), or may be external hard drives which can be plugged into any computer. It is also possible to purchase USB keys which have hardware based encryption on them, although they can be a little harder to come by than one might expect.
 
The screenshot below shows the unlock screen for a WD Passport solid state external hard drive that has encryption; a password must be entered to access the decrypted data:
 
The fact that a hard drive has self encryption capabilities is not always clearly advertised, but look out for the following terms:
  • FDE = full disk encryption
  • SED = self encrypting drive
  • “Opal” which is a storage specification sometimes used on self encrypting drives.
Conclusion regarding encryption
Although some details of a few encryption options are discussed above, exhaustive review of the many available encryption software programs is beyond the scope of this discussion. This discussion is primarily intended to raise the issue of encryption as something to consider, especially for laptops and external storage devices, and to provide an overview of the types of procedures involved to encrypt and decrypt data.
 
Note that once a decryption password is entered to give access to the data on the drive then the data is freely accessible to the user of the computer, but also to viruses or malware that infiltrates the computer. In other words, it important to understand that encryption is not an alternative or substitute for a firewall or antivirus, but encryption primarily prevents wrongful access to data prior to valid entry of the decryption password for the encrypted vault.
 
Although the above steps to be completed to encrypt data may seem a bit overwhelming at first, after experimenting with them for a short time most lawyers will find using software such as Veracrypt quite manageable, and this option should be considered in particular by lawyers who keep confidential client information on laptop computers or other devices at high risk of being lost or stolen.