Practice Tips: Electronic devices – encryption and client confidentiality issues
by Dave Bilinsky, Practice Management Advisor
One of the more dreadful things for a lawyer to discover is that his or her electronic device — desktop computer, laptop, Blackberry, PDA, portable hard drive or USB flash drive — has gone missing, taking confidential client information with it. A family lawyer’s laptop could hold reams of financial disclosure documents containing bank accounts and deposits, SINs, investments and other highly personal information. A corporate lawyer’s Blackberry could carry details of a proposed merger or corporate purchase: a disastrous leak. An IP lawyer’s laptop could contain research memos advising clients on their possible infringement of other patents. Indeed, there are few areas of the law where lawyers have not been entrusted with the safekeeping of their clients’ secrets as a function of providing legal advice.
We advise lawyers who have suffered a theft of an electronic device containing client information to inform those clients as soon as possible that their confidential information may have been compromised. There is a real possibility that the disclosure of client personal information could result in “identity theft” for the client — resulting in false credit cards issued in their name, unauthorized access to their bank or financial accounts and other sources of funds and the like. The clients are entitled to take such action as they deem necessary to protect the privacy of their affairs from the disclosure that may result from the theft or “disappearance.”
On the other hand, if the lawyer could tell those clients that all the information on that stolen computer had been encrypted using a “whole disk encryption” application — imagine the reassurance felt by everyone concerned! I emphasize “all” because there are certainly ways to encrypt single files and discrete folders on computers. However, in the words of Bruce Schneier, founder and CTO of BT Counterpane Security: “The reason you encrypt your entire disk, and not just key files, is so you don’t have to worry about swap files, temp files, hibernation files, erased files, browser cookies or whatever. You don’t need to enforce a complex policy about which files are important enough to be encrypted. And you have an easy answer to your boss or to the press if the computer is stolen: ‘no problem; the laptop is encrypted.’”
Whole disk encryption applications typically extend to all removable and portable media, such as portable hard drives and USB flash drives. Note that this is not a solution for files that have been emailed to other computers, PDAs or Blackberries, which are typically sent “clean” or unencrypted. While there are ways to transmit these files in an encrypted fashion, they are usually unencrypted when read and stored on these external devices. Note that Blackberry’s advanced content protection features are deactivated by default. Accordingly, lawyers and law offices should consider policies on whether they should be sending confidential data via these devices and whether or not their security features should be activated.
These whole disk encryption applications work in the background, transparent to the user. They work on both Mac and Windows machines. Typically they also incorporate secure file deletion algorithms — meaning that once a file is deleted, it is well and truly gone. They can be established as enterprise solutions with multiple levels of security, ensuring that if any computer is stolen — within or outside the office — the information contained therein is protected.
There is one other consideration. If you are travelling outside Canada in such places as the US, the UK, Singapore and Malaysia, border officials may legally demand to examine the contents of any encrypted electronic device. In these circumstances, lawyers are well advised to carry a “clean” laptop — equipped with software to reach the office network remotely via a secure link, but containing no other information. The lawyer can link to the home office via the secure link as required, storing all work on the home office servers and saving nothing on the laptop. In this way, if the laptop is inspected by the authorities or stolen, no confidential information is compromised.
In the final analysis, any lawyer wants to be secure, knowing that there isn’t anyone out there whispering his or her client’s secrets.