3 Use Encryption

There was once a time when, because of complexity, it was probably reasonable not to use encryption.  That time has passed for any modern business owner.  If you are storing confidential or personal, private information on a device, that device needs to be encrypted.  Fortunately, encryption has become extremely simple to use and to implement.

A timeline showing availability of encryption and password support

What to Use

If you are a lawyer using a current Apple or Windows-based computer, an iPhone, iPad, or Android device, you can use encryption.  In many cases, particularly with all of the Apple products, it is built into your operating system.  iPhones and iPads are automatically encrypted and Macs have something known as File Vault II.  Android devices have encryption built into the operating system as well.  Once you access your Settings and Security options, you will see your encryption options.

Unfortunately, since it is the most common operating system in law firms, Windows is the least straightforward.  From Windows Vista through Windows 7 to Windows 8 and 10, you can buy different editions of Windows.  The Home, or consumer, editions do not come with encryption built into the operating system.  Many of the business editions – Ultimate, Enterprise, etc. – have Microsoft’s BitLocker encryption available.

If you are using a computer that does not have Microsoft’s BitLocker on it, there are secure open source alternatives like VeraCrypt.  You need to install them but they will work the same way as BitLocker and File Vault II.

How it Works

There are two ways to use encryption: partial disk or file-specific, and full disk.  Essentially, you are either encrypting the entire device or just some part of it.  Because it is easier to ensure everything is protected by encrypting the entire device, I’d recommend always using full disk encryption.

Encryption works by wrapping all of your data – and operating system – within a protected shell.  When the encryption is activated, no-one can penetrate that shell.  If you lose a computer or phone or USB thumb drive that is in its encrypted state, the data on there is protected.  Even if you can’t recover your device, your confidential information should remain confidential.

Decrypt Your Device

But no-one can access encrypted data, not even you.  To use your computer or phone or files on that USB drive, you need to decrypt the device.  In most cases, this involves typing in a password.  The encryption software verifies that the password is correct and then turns off – decrypts – the device encryption.

When you activate full disk encryption, you will be prompted for a password to decrypt your device as soon as it starts up.  On phones and tablets, you will use the normal unlock screen.  Remember that, once you have unlocked your phone or computer, it is unlocked for everyone who has access to that device.  If you walk away from a decrypted laptop, or lose a phone that is unlocked and not set to lock automatically, your data is not encrypted!

To make sure your data remains protected, shut down your computer when you are not using it and force your phone or tablet to go to its lock screen.  If you are still using your computer, you can lock it as well.  For example, on Windows computers, hit the Windows key and L.  This will automatically lock the screen.  Since you will have a password to log into Windows, even though your data is still decrypted, it’s inaccessible to the curious passerby.

However, if someone gets your password or has physical access to your computer, they will probably be able to access your files, even if your computer is in hibernation mode.  When the device is not going to be under your control, power off the computer or phone or tablet to make sure the encryption is turned back on.

Encrypt Your Communications

That’s all you need to do to encrypt a device.  In most cases, just turn on the encryption.  Encrypting your communication and other internet activity is a bit trickier.  There is a widespread move towards encrypting all online communication but it is not universal yet.  Be aware of when you are transmitting client confidential and private information over the internet, whether sending an e-mail or uploading a document.

Most online e-mail services, like Google’s G Suite or Microsoft’s Office 365, will provide so-called end-to-end encryption.  When you connect to their service, just like when you access your bank account, the entire transaction is encrypted.  Here’s where your professional responsibility kicks in:  you should be aware which services do not encrypt your traffic.

It’s easy to do.  I’ve written more extensively about this but here’s a quick way to check: look for the https at the front of the web site address line.  Here’s how:

If you’re like most people, you sometimes find yourself at the Google web search engine. Ever typed in something related to a client in Google? If you did that over an unencrypted coffee shop (or home!) wireless network, your search is being transmitted in plain text. Google now offers encrypted search, so that the search query you use – and the results you look at – are transmitted securely. It’s as easy as adding an “s”:

http://www.google.com becomes https://www.google.com

If your web browser defaults to this page, you won’t have to remember to type it in each time. You will get a visual reminder that you are searching securely because a small yellow lock will appear in your web browser. Microsoft Internet Explorer 8 and Google Chrome display the lock right next to the web address. Mozilla’s Firefox places it in the bottom right hand corner of your Web browser, on the status bar.

The s in the web address indicates that you’re using a secure layer. It means that you are transmitting securely. It does not mean that either your computer or the computer with which you’re communicating is secure. When you type a search into Google and click on a result, you may not be leaving the protection of the encrypted Google search. Selecting a search result from a web search engine also sends your search terms and other information to the site you visit: Smith & Jones, LLP in Tampa visited from Google after searching for “lurgan corporate financials”. Someone at that site may be able to see that information, so be aware that there are limits to encrypted search. You have more control over your own computer’s security and who can tell what you’ve been searching.
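What the visited site can record when a browser passes along the full referring address, shown as an added example that is not part of the original text.  The log lines, addresses, host names and the list of query parameter names below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the web-server "combined" log format.
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2024:10:01:22 +0000] "GET /investors HTTP/1.1" 200 5120 "https://www.google.com/search?q=lurgan+corporate+financials" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:02:10 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:10:05:45 +0000] "GET /contact HTTP/1.1" 200 1024 "https://search.example/find?p=lurgan%20lawsuit" "Mozilla/5.0"
'''

# client, identity, user, [time], "method path proto", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)

# Assumption: parameter names commonly used to carry a search query.
SEARCH_PARAMS = ("q", "p", "query")


def search_terms_seen(log_text):
    """Return what the site operator can read: who came, from where, searching for what."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        client, _method, page, referer = match.groups()
        if referer in ("", "-"):        # browser sent no referring address
            continue
        parts = urlsplit(referer)
        params = parse_qs(parts.query)  # decodes "+" and "%20" back into spaces
        for name in SEARCH_PARAMS:
            if name in params:
                findings.append({"client": client, "page": page,
                                 "from": parts.netloc, "terms": params[name][0]})
                break
    return findings


if __name__ == "__main__":
    for hit in search_terms_seen(SAMPLE_LOG):
        print(hit)
```

The client address is what lets the site tie a search back to a particular firm's network, which is the “Smith & Jones, LLP in Tampa” part of the example above.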

You can’t always see that your communications are encrypted.  Your web browser will show you but your e-mail program won’t.  You will want to ask your ISP or your technical support person whether, when you send and receive e-mail, it is encrypted.
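One way to look for yourself, as an added example that is not part of the original text: each mail server that handles a message adds a Received header, and servers that follow RFC 3848 mark a TLS-protected hop with a keyword such as ESMTPS.  The Python below reads those headers from a constructed sample message; the hosts, addresses and ids are made up for illustration.

```python
import re
from email import message_from_string

# Constructed sample message; hosts, addresses and ids are made up.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by mailstore.recipient.example with ESMTPS id abc123;
    Tue, 12 Mar 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
    by mx.recipient.example with ESMTP id def456;
    Tue, 12 Mar 2024 10:00:02 +0000
Received: from laptop.lawfirm.example ([203.0.113.5])
    by relay.isp.example with esmtpsa id ghi789;
    Tue, 12 Mar 2024 10:00:01 +0000
From: lawyer@lawfirm.example
To: client@recipient.example
Subject: Draft agreement

Body text.
"""

# "with" keywords that RFC 3848 registers for sessions protected by STARTTLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    previous = None
    while previous != value:
        previous, value = value, COMMENT_RE.sub(" ", value)
    return " ".join(value.split())

def hops(raw_message):
    """Return each mail hop, oldest first, with whether the server recorded TLS."""
    msg = message_from_string(raw_message)
    result = []
    # Each server prepends its own Received line, so reverse for travel order.
    for header in reversed(msg.get_all("Received", [])):
        text = strip_comments(header)  # comments may themselves contain "with"
        def field(pattern):
            m = re.search(pattern, text)
            return m.group(1) if m else "?"
        keyword = field(r"\bwith\s+(\w+)").upper()  # some servers write lowercase
        result.append({"from": field(r"\bfrom\s+(\S+)"), "by": field(r"\bby\s+(\S+)"),
                       "protocol": keyword, "tls_recorded": keyword in TLS_KEYWORDS})
    return result
```

A hop without a TLS keyword means only that the server did not record one, so treat it as a prompt to ask your ISP or technical support person rather than as proof the hop was unencrypted.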

It’s worth going back to the previous topic, though.  If your router or other systems have been exploited, it is possible for someone to decrypt your communications without you knowing it.  This can create what’s called a man-in-the-middle attack.

Imagine that, every time you sent an email, someone else had to receive it and then forward it to your recipient.  That doesn’t make much sense so that’s not normally how e-mail works.  But if your connection has been exploited – and some apps do this on purpose – then it may be that someone is stepping into the middle of your communication.  There is a certain amount of trust required to communicate digitally; you can do your part by keeping your hardware and software current.