Data encryption as a tool for lawyers to meet confidentiality obligations

Most lawyers would have heard the word “encryption”, and many have likely heard that encryption is a tool they should consider using to ensure confidentiality of client data. However, many lawyers would not have actually used encryption, perhaps due to not knowing how to go about encrypting data.

 

This article briefly refers to the important obligation on lawyers to maintain client confidentiality, reviews how data encryption can be used to help meet confidentiality obligations, and provides practical hands on tips for actually using encryption to protect client data.

 

As a matter of common law, lawyers owe clients common law duties of confidentiality:

 

Every lawyer owes a professional duty of confidentiality to his or her clients

(HMTQ v. Imperial Tobacco Canada Limited, 2013 BCSC 1963 at para. 21).

 

In addition, codified rules set out in professional codes of conduct expressly impose confidentiality obligations on lawyers. For example, in the Code of Professional Conduct for British Columbia it is stated:

 

A lawyer at all times must hold in strict confidence all information concerning the business and affairs of a client acquired in the course of the professional relationship and must not divulge any such information unless:

(a)        expressly or impliedly authorized by the client;

(b)       required by law or a court to do so;

(c)        required to deliver the information to the Law Society, or

(d)       otherwise permitted by this rule.

(Code of Professional Conduct for BC, s. 3.3-1)

 

If a lawyer fails to take reasonable steps to prevent client confidential information being disclosed to unintended recipients that would constitute a breach of the confidentiality duties owed to the client the information pertained to. For example, if a lawyer left confidential client documents on a coffee shop table available for others to review, that would be a breach of the obligation to protect client confidential information. Similarly, if a lawyer left a laptop with no password protection in a coffee shop such that anyone could review the data on that laptop, that would be a breach of the obligation to protect client confidential information.

 

But what if the papers, or laptop, were left in a vehicle which was then broken into. Depending on the content of the paper documents, it may well be a breach of duty for leaving them in the vehicle in the first place. In the case of a laptop which may be more commonly left in a vehicle (or some other place it may be stolen), if it contains client confidential information on it then not having, at the very least, a password on it would seemingly be a breach of duty. However, although many lawyers would not know this, a device password offers little protection on a device such as a laptop where the data storage unit (e.g. the hard drive) can be physically removed from the device and plugged into another device to which the snooping eyes do have the password i.e. if the data on a hard drive is not encrypted then a thief can take the hard drive out of your laptop and put it in his laptop and see all of the data on that hard drive. Therefore, device passwords are not sufficient but rather the data on the storage unit should be encrypted.

 

What is encryption

Encryption is the process of encoding information in such a way that only authorized persons can interpret it.

 

One basic method of encrypting plain text, for example, is to convert each letter of the alphabet into a number (e.g. A = 1, B = 2, …) and then apply a secret sequences of steps to replace each character with a different number (e.g. add 21, multiply by 10) such that the resulting string of information appears to a human reader to be an incoherent jumble of information.  Only if the sequence of steps needed to unwind the jumble is known can the jumble be undone i.e. decrypted.

 

Fortunately, it is possible to encrypt data on a device such that anyone without the decryption password sees only the jumbled information, and anyone with the password sees the data in unjumbled format and can work with it without being troubled too much by the fact it is encrypted.

 

There are many situations in which one may want to encrypt files. For example:

 

There are two methods for encrypting data: software encryption and hardware encryption. Each of these methods are discussed below. 

 

A common way to encrypt data is to place a software program between the operating system and the drive on which data is stored. Such encryption software will only run when a password is entered, and the software encrypts all data written to the drive, and decrypts the data when it needs to be read from the drive. The decryption keys are held by the software so removing and plugging the drive into another computer will not allow access to the data on the drive in a readable format.

 

The following describes different options for software encryption.

 

 

Windows BitLocker is a software encryption tool included with the Pro, Enterprise, and Education editions of Windows 10, although not the Home version.

 

For Windows Bitlocker to run on your computer it is required that your computer have as part of its hardware a special computer chip called a Trusted Platform Module, but most modern computers with reasonable specifications will include this chip.

 

Windows Bitlocker may not have the very strongest level of encryption, but given its adequacy and ease of access given that it is already installed in Windows, it is a good option for convenient encryption and laptop owners should seriously consider turning it on.

 

To turn on BitLocker:

 

You will be required to enter a password to be used by Bitlocker, and will be required to enter this password when logging on to your computer. Be sure to use a long and strong password.

 

Depending on how powerful your computer is you may notice a minor performance decline when running encryption software such as Bitlocker because each time data is read from, or written to, the hard drive it needs to be decrypted / encrypted by the encryption software, and this uses up computing resources.

 

An alternative to Bitlocker, and an option for users who do not have Bitlocker built into their version of Windows, is Cipher which is an encryption tool built into all modern versions of Windows, including Home editions. However, Cipher must be run from the Command Line of Windows which is too daunting for many users, and as well the ability to quickly and selectively encrypt and decrypt folders and subfolders is limited using Cipher. Most users who do not have Bitlocker included in their version of Windows should consider one of the standalone encryption software options discussed below.

 

Encryption software made by FS Pro Labs in 2008 that allows quick an easy encryption of a folder by (after installing the software) simply right clicking on the folder and then selecting “Protect with FlashCrypt”:

 

Selecting “Protect with FlashCrypt” from the Right Click Menu will bring up a dialog box that allows you to enter a password to unlock the encrypted folder that will be created:

After clicking the “Protect” button (see screenshot above) the folder will be encrypted:

Flashcrypt is useful if one wants to protect a folder to be sent by email, or on a USB key to be sent by mail / courier, although it is necessary for the recipient to have Flashcrypt installed on their computer.

 

Flashcrypt is also useful for encrypting data backups to be saved on your computer, external hard drive, or in the cloud.

 

Because encryption and decryption does not happen on the fly as small bits of data are needed but rather in one big batch operation, encryption and decryption can take a few minutes and so Flashcrypt is not the best software to use for encryption / decryption of daily working data on a hard drive i.e. Flahshcrypt is good if you want to wrap up a bundle of data to be shared, or stored for a long time, but other software options (see below) are better for managing and using encrypted data on a daily basis.

 

Flashcrypt was created by FSPro Labs in 2008 and although not available for download from FSPro Labs website, https://fspro.net/, it is still available for download from Softpedia: https://www.softpedia.com/get/Security/Encrypting/FlashCrypt.shtml.

 

FSPro Labs currently prefer to offer other, paid, encryption software on their website.

 

VeraCrypt, https://www.veracrypt.fr/en/Downloads.html offers free encryption software (donations encouraged) that allows creation of vaults (called “volumes”) that can contain encrypted data. The software is first used to create the container file (which will act as a vault / volume), and then the vault/volume is opened as if it is a standalone additional drive on the computer. The process of opening the vault / volume and setting it up as an additional drive is called “mounting”.

 

A password is required to mount the vault/volume as a drive, and once mounted as a drive the vault can be accessed like any other drive on the computer, and data copied into it. After work is complete, the vault can then be “dismounted” with the data safely in it, with only the password holder able to access it.

 

VeraCrypt can be used to create a large vault on the hard drive of your computer and all of your data can be stored in that vault. When starting work on your computer you will be required to mount the vault, and then dismount it when finished working, but apart from these minor inconveniences the user experience of using the computer should be similar to without encryption.

 

A further option with VeraCrypt is that one can create an encrypted vault on a USB key (or other storage medium such as an external hard drive) and the encryption software saved on the USB key side by side with the encrypted fault. This allows any USB key to be turned into a secure archive that can be sent by mail / courier without concern for the data being accessed by a thief along the way, and without the recipient needing to install any special software on his or her computer i.e. the encryption software is on the USB key and all the recipient needs is the password to unlock the vault and some instructions on how to operate the decryption software.

 

The following explains the process for creating, and accessing an encrypted vault using VeraCrypt.

 

It is recommended to download from https://www.veracrypt.fr/en/Downloads.html the “portable” version of VeraCrypt, which will provide a library of files such as the below, including an executable file (VeraCrypt.exe) which can be used to run VeraCrypt:

 

Running VeraCrypt.exe (by double clicking on it) will open up the VeraCrypt control window, shown in the top half of the screenshot below. To create a vault / volume:

 

As part of the vault / volume creation process you will, at a screen as shown in the screenshot below, be asked to “select” a file to be the volume:

 

 

The “Select file” button might be better named “Create file / volume container” because the above process does not involve selection of any pre-existing file, but rather involves:

For example, the screenshot below shows how (after clicking the “Select file” button in the screenshot above) to create a vault named “my secret stuff” in a currently empty folder on a USB key:

 

 

After specifying the location and name for the volume / vault to be created, follow the further prompts until you get to a screen as shown in the screenshot below, at which point you will be required to wiggle the mouse about randomly to generate random data to be used in the encryption process. When the bar at the bottom of that window turns green (as shown in the screenshot below) you can then click the “Format” button and finish the volume / vault creation process.

 

After you have created the volume / vault, you can open it by again running the “VeraCrypt.exe” file (referred to above) and performing the following steps (number references as shown in the screenshot below):

 

 

Once the vault / volume is mounted as a drive you can access it like you can any other drive. When finished working with the data in the vault / volume, you can dismount it in the VeraCrypt control window.

 

If you wish to send an encrypted vault / volume on external media like a USB key (or an external hard drive, etc.) such that the recipient can open it without having to install any software on their computer, do the following:

 

The above described process for creating vaults and adding data to them, and then later opening them as needed, is certainly more inconvenient than not bothering with encryption at all. However, the effort required for encryption is worthwhile when dealing with sensitive data, just like locking the front door of your house is worthwhile, although more inconvenient than leaving the door wide open so you can waltz in and out.

 

Other encryption software options are available, such as FSPro Labs, the makers of Flashcrypt, discussed above; they offer paid encryption products, which can be reviewed on their website, https://fspro.net/.

 

Axcrypt, https://www.axcrypt.net/, is the maker of another popular encryption software with a free version with basic functionality, and a paid version (on a subscription model) with many additional features.

 

An alternative to software based encryption is to use a drive with hardware based encryption, which essentially involves the drive having a special computer chip which encrypts the data as it is written to and read from the drive.

 

Such hardware encryption is often available on modern sold state hard drives i.e. drives that have the data stored on computer chips, as distinct from traditional hard drives that have data stored on a spinning metal platter with a magnetic coating. Such sold state drives may be built into a computer (particularly laptops), or may be external hard drives which can be plugged into any computer. It is also possible to purchase USB keys which have hardware based encryption on them, although they can be a little harder to come by than one might expect.

 

The screenshot below shows the unlock screen for a WD Passport solid state external hard drive that has encryption; a password must be entered to access the decrypted data:

 

The fact that a hard drive has self encryption capabilities is not always clearly advertised, but look out for the following terms:

Although some details of a few encryption options are discussed above, exhaustive review of the many available encryption software programs is beyond the scope of this discussion. This discussion is primarily intended to raise the issue of encryption as something to consider, especially for laptops and external storage devices, and to provide an overview of the types of procedures involved to encrypt and decrypt data.

 

Note that once a decryption password is entered to give access to the data on the drive then the data is freely accessible to the user of the computer, but also to viruses or malware that infiltrates the computer. In other words, it important to understand that encryption is not an alternative or substitute for a firewall or antivirus, but encryption primarily prevents wrongful access to data prior to valid entry of the decryption password for the encrypted vault.

 

Although the above steps to be completed to encrypt data may seem a bit overwhelming at first, after experimenting with them for a short time most lawyers will find using software such as Veracrypt quite manageable, and this option should be considered in particular by lawyers who keep confidential client information on laptop computers or other devices at high risk of being lost or stolen.