To Encrypt or not to Encrypt? Can an Attorney Afford Not To?

As attorneys in today's world, we are equipped with the latest technology, permitting us to work from virtually anywhere. From laptops, Blackberries and PDAs to external hard drives, we routinely access personal and confidential client data from the open, unsecured Wi-Fi environment at the local coffee shop, hotel or home, all the while exposing this valuable data to the sophisticated data thief. Add to this "data in transit" risk the fact that a single flash drive can store as much sensitive data as what used to be stored on an entire "database farm" and you begin to appreciate the risk we face every time we travel with our portable office.

It is the proliferation of these mobile devices, with their extraordinary capacity to store valuable sensitive personal data, which has fueled the exponential increase in data breaches through loss or theft. Critical data "in-transit" and "at rest" is a lucrative target for today's tech-savvy thief. When you consider that a single bank account number typically sells for $400.00 on the US black market, it becomes obvious why more than 245 million data records have been reported stolen or lost since January of 2005[i].

While most of us haven't yet experienced the nightmare of a stolen or lost hard drive, it is the "it won't happen to me" approach to data security that creates the greatest risk. Surely the data analyst at the VA who in May of 2006 took a digitized database containing the records of 28.6 million active-duty-troops home to work on didn't think it would be stolen. While the government recovered the stolen laptop, the cost of the theft has been estimated at half a billion dollars.

For years TJ Maxx felt comfortable using a wireless network that had less protection than most home systems. Unfortunately, this antiquated system allowed hackers to use a simple telescope antenna and a laptop to steal an estimated 47.5 million credit and debit card numbers and other personal data belonging to approximately 500,00 customers. The scope of this scandal continues to expand, and the subsequent wave of class action litigation continues to be reported upon. This is not surprising, since the estimated cost to the company is expected to exceed one billion dollars[ii].

Certain members of the Democratic Party would have considered themselves fortunate to have found the reportedly unencrypted Republican National Committee Blackberry used by Karl Rove which was reported lost.

These incidents underscore the fact that the cost of an attorney's lost or stolen mobile device extends far beyond the loss of personal data or the cost of replacing the device. It is the loss of sensitive confidential client data which could financially destroy a firm.

As of September 16, 2008, 44 States, including Michigan[iii], along with the District of Columbia and Puerto Rico require each customer whose data has been lost or stolen be notified of the data breach. The cost of this notification is not inconsequential. It is estimated that in 2008, the average per record cost of notification was $197.00; up 30% from the year before.[iv] The single largest component of this cost is related to lost customer revenue. Compounding this cost to the practitioner is the fact that once a security breach notification becomes public, other nonaffected clients and potential future clients may also question their willingness to entrust their sensitive data to the firm.

In addition to the data breach notification costs associated with State disclosure laws, attorneys may be required to comply with the specific data security mandates imposed by other regulatory agencies.[v]

From the foregoing it should be clear that traveling with one of the firm's most valuable assets, client data, is an extraordinarily risky business. Asking attorneys to leave their mobile devices locked up in the office is neither a practical nor a cost-effective solution.


Data encryption is becoming the fastest proactive solution to protect against the accidental loss or intentional theft of sensitive and confidential data, whether "at-rest" or "in-transit". Not only does encryption provide the last bastion of protection against a data breach, an organization which suffers the loss or theft of encrypted data is, in most cases, exempt from client notification requirements.

While not widely reported, with the proper encryption solution, i.e. one that also records a cryptographic hash of the data, an appropriate expert can verify whether previously encrypted electronic data has or hasn't been altered after its decryption; an invaluable tool in the era of today's electronic discovery. When you consider that 20% of companies surveyed reported that employee emails had been subpoenaed for use in court proceedings, the use of a hash algorithm would simplify the authenticity challenges in both State and Federal Courts[vi].


There are a variety of data encryption applications to fit the needs of any user.

One application permits the encryption of specific files and folders. This is useful for securing specific documents or folders on a flash drive, external hard drives or for emailing encrypted attachments.

Full disk encryption secures all data contained on the hard drive, which is an ideal solution for laptops, external hard drives and other portable storage devices. A hard drive encryption solution should be designed to permit the systems administrator to set the encryption parameters and establish custom user interfaces.

Email encryption is an essential part of any security protocol. Studies show that nearly 20% of all outgoing email contains content which poses a legal, financial or regulatory risk. Encrypted email not only provides peace of mind but also enables an attorney to electronically deliver sensitive information that was previously transmitted by traditional methods such as fax and "snail" mail. An appropriate encryption solution should permit the secure transmission of the message text, the attachment or both.

Encrypted external hard drive systems incorporating a hash algorithm are ideal for storing electronic data obtained from clients in anticipation of or during litigation. Such a system permits a party to say with authority that the data as input and encrypted hasn't been altered following decryption; an important step in admitting evidence at the time of trial. This function is made all the more important considering the changes to Rules 16 and 26 of the Federal Rules of Civil Procedure[vii].
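The hash-verification step described above and in the earlier electronic discovery paragraph, as an added illustration that is not part of the original article: a SHA-256 fingerprint of the client data is recorded at intake, the data is encrypted, and after decryption the fingerprint is recomputed and compared, so any alteration (or a wrong key) is detected. The XOR keystream below is a labelled toy stand-in for a real cipher such as AES, and the function names and sample email are constructed for this example.

```python
import hashlib
import hmac
import os


def fingerprint(data: bytes) -> str:
    """SHA-256 digest of the plaintext, recorded at intake as the reference value."""
    return hashlib.sha256(data).hexdigest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stand-in for a real cipher (use AES-GCM or similar in practice):
    # derive keystream blocks from SHA-256(key || nonce || counter).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(data: bytes, key: bytes) -> dict:
    """Encrypt data and package it with the plaintext fingerprint taken at intake."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(data))
    ciphertext = bytes(a ^ b for a, b in zip(data, ks))
    # In practice the fingerprint would also be logged in a separately kept
    # custody manifest so it can be produced independently of the package.
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "sha256": fingerprint(data)}


def open_and_verify(package: dict, key: bytes) -> tuple:
    """Decrypt and report whether the plaintext still matches the intake fingerprint."""
    nonce = bytes.fromhex(package["nonce"])
    ciphertext = bytes.fromhex(package["ciphertext"])
    ks = _keystream(key, nonce, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    intact = hmac.compare_digest(fingerprint(plaintext), package["sha256"])
    return plaintext, intact


# Constructed sample: a client email preserved for litigation.
SAMPLE_EMAIL = b"From: client@example.com\nSubject: settlement terms\n\nWe accept $50,000."
SAMPLE_KEY = b"constructed-32-byte-key-for-demo"
```

A tampered ciphertext or a wrong key produces plaintext whose fingerprint no longer matches, which is exactly the check an expert would run before the data is offered as evidence.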

Waiting and hoping to avoid being a victim of a data breach is no longer an acceptable alternative to proactive data protection. Implementing encryption protocols is not only a sound business decision; the return on investment will be measured in part by increased client confidence.

[i] The true number of data breaches that result in identity theft is really unknown because most victims don't know how their personal information was obtained. reports data breaches which included among other things, social security numbers and other information important to identity thieves.

[ii] It appears that the root of all evil in the TJ MAXX Marshalls security breach was the use of weak encryption (WEP) in wireless access points. Despite a market capitalization of almost $13b, the company apparently couldn't afford to secure its wireless network with anything more robust than the sadly inadequate Wired Equivalent Privacy (WEP) protocol.


[iv] The Ponemon Institute

[v] The Health Insurance Portability and Accountability Act (HIPAA), Gramm Leach Bliley Act (GLBA), Sarbanes Oxley (SOX), SEC 17-4A, and ISO 17799 (while not a law, it may be cited in legal proceedings under a "best practices" theory), to name just a few.


[vii] The new rules require that as part of the parties' initial "meet and confer" to plan discovery, they must specifically address electronic discovery issues—including, for example, what steps they and their clients will employ to preserve dynamic electronic information and what format they will utilize for electronic production. The Rules Committee suggests that the precise sub issues addressed will "depend on the nature and extent of the contemplated discovery and of the parties' information systems." Accordingly, it will be "important for counsel to become familiar with those systems before the conference."