The Massachusetts Data Protection statutes and rules compel encryption in certain scenarios; and, a modern interpretation of the Massachusetts Rules of Professional Conduct would suggest that encrypting data is the appropriate move in certain circumstances; but, beyond that, it’s also a pretty good idea, as a general practice, to encrypt your clients’ sensitive data. Fortunately, it is not all that difficult to encrypt your files. In fact, as suggested by the title of this post, it’s as easy as 1-2-3.
When you’re determining a process for encrypting your law firm data, you’ll need to ask yourself three basic questions: (1) What are you encrypting? (a single document, a DVD, a device, etc.) (2) How often will you need to encrypt? (one document every so often, document packages, pretty much every email you send, etc.) (3) Which encryption platform will you use? (a PDF conversion tool, email encryption, whole disk encryption, etc.)
The most useful way to flesh out the practical responses to your encryption choices is to examine six scenarios, based on the above-relayed factors, and to determine a course of action respecting each. The more often you encrypt, the more automated a solution you should seek. The following situations represent the most common encryption questions we receive at LOMAP:
If You’re Encrypting One Document at a Time . . . You’ll be able to encrypt your documents in as few as four simple steps: select security option, create password, reenter password, save document. Popular options for encrypting single files include Adobe Acrobat and Microsoft Word, through which you can lump additional document security on top, if you wish. If Acrobat and Word are too expensive for your tastes, there are a number of cheaper document creation tools out there, including: Open Office and Libre Office; on the PDF side, there are, among others: Nuance PDF Converter, CutePDF and PDF Forge.
If You’re Encrypting Document Packages . . . You’ll be able to use the same tools listed above; but, you should wait to apply your encryption to the document package until the entire package has been completed; though, certainly, you could, and likely should, encrypt individual inclusions, if you will maintain those separately.
If You’re Encrypting Emails . . . If you’re sending few emails with matter that should be encrypted, it’s probably easier to just encrypt the document(s), or the document package(s), that you send. If you send email that needs to be encrypted on the regular, it probably makes more sense to use a tool built into your email system, that will allow you to encrypt on-the-fly, often via the use of a trigger word of some kind, to turn on (or turn off) the encryption protocol. There are a number of options in this line, likely not to cost you more than $10/month/email account. An alternative would be to use a completely encrypted email system, like Hushmail; but, that only works with other Hushmail users; and, modern business uses generally require a wider flexibility than that.
If You’re Encrypting Devices . . . If you have a significant number of files that must be encrypted, and that are saved to your device, there are paid services (like Symantec’s PGP) and freeware options (like TrueCrypt) that will allow you to apply encryption to your entire device. Some systems feature built-in encryption tools, such as Microsoft Office’s BitLocker. Smartphones remain an outlier, as the platforms on which those devices run utilize different encryption protocols. Inquire with your provider as to what might work best respecting your particular phone.
If You’re Encrypting Folders . . . If you don’t want to encrypt your entire device, you could only encrypt those folders that contain sensitive documentation, or place all of your sensitive documentation into one folder that you would then encrypt — though, that latter method could conceivably wreak havoc upon your file organization. Most of the tools available to encrypt devices would allow you to encrypt individual folders, as well.
If You’re Storing to the Cloud . . . Most of the reputable cloud providers will provide something like ‘government-level’ encryption, in much the same way that carmakers used to offer the application of ‘space age polymers’ to their construction plans. With any data retention system, the application of a secure password is essential; but, that requirement takes on a further importance in relation to cloud-based systems, where access is almost completely predicated on password manipulation. Turn on two-factor authentication if it is offered by your provider. But, keep in mind that, if you rely on vendor encryption, the vendor will apply and know (in most cases) the encryption codes for your documents. If you want to overturn the tables, and take back that power, I’ve written on a number of methods for accomplishing that, representing various sorts of usage frequency, and automation levels; that’s here.
It’s inarguable that encryption technologies provide an additional lawyer of security for electronic business documents; but, objections to the use of encryption remain, mostly centered around the administrative burden created by the steps required for applying encryption protection. But, even though encryption does often require at least one extra step, the benefit of securing your client’s data is worth it. In any event, the application of the correct tools, specific workflows and general process can reduce the time spent handling individual tasks.