Data Security Tools

No matter what jurisdiction we’re in, Lawyers have an obligation to protect the property of our clients. This includes communications between ourselves and our clients. We have a duty to keep this property and these communications private and confidential. Rule 1.6 of the ABA Model Rules of Professional Conduct. And we have a duty to protect them from destruction or harm Rule 1.15 of the ABA Model Rules of Professional Conduct. And, in this day and age, we will likely need to use sufficient data security tools to accomplish this purpose.

When dealing with the client’s physical property, it is not so difficult for us to understand how to protect it. We usually lock it up in a place that is protected from flood, fire, or other types of damage. Additionally, we make sure that there are no prying eyes or ears around when we are communicating with our clients. 

Protecting a client’s digital data, on the other hand, can sometimes be more difficult to conceptualize. It can be difficult for us to understand the lengths we need to go to in order to keep our clients safe. Luckily, there are many data security tools out there purporting to help us with that task. Unfortunately, however, it is not always easy to figure out which ones are worth using.

Data Security Tool Features

Generally, data security tools protect your information in one of two ways. They either keep people out of the information all-together, Authentication. Or they protect that information from a third-party who we assume has access to that information, Encryption. 

Authentication

When we talk about Authentication, for lawyers and law firms, we usually mean passwords and two-factor authentication (2FA) methods. Which are both part of the same scheme. For this part, we have tools that help you create and keep track of appropriately complex passwords (password vaults and organizers), Authentication Apps, and USB Authentication Keys. Each of these serves a slightly different purpose, and should be used in tandem with each other.

Encryption

It is good to think of encryption as happening at two different places. We want to encrypt our information while it is being sent (in Transit), and we want to encrypt our information while it is sitting on your computer or in a server somewhere (at Rest).

In Transit

When protecting our information in Transit, we are generally talking about Email, Video Conferencing, Phone Calls, Text Messages, and Instant Messaging (i.e. Slack/MS Teams). Here, the highest level of protection is End-to-End Encryption (E2EE). When we are communicating any sort of sensitive or confidential information, we need to make sure that our connection is E2EE. If we cannot do that, like in the case of email, then we need to make sure that the actual communication package (email along with its attachments) is, itself, encrypted.

At Rest

If the machine on which your information is being stored is connected to the internet at-large (or is connected to another machine that is connected to the internet at-large) you should assume that a third-part can access it. Given enough time and resources, any network can be exploited. Accordingly, you must take extra steps to protect your sensitive information from the prying eyes of third parties by encrypting it while it sits on your machine (your laptop, the office server, your phone, etc … ). This can be accomplished by encrypting an entire machine, certain folders on the machine, specific files, or even particular portions of specific files. One can use tools like Encypt.me, or simply hide columns and password protect an excel spreadsheet.

Keep in mind, that encryption at Rest should be used in conjunction with strong Authentication methods. Most encryption is connected to a User profile, so if a third-party gains access to your system through your User account, they will generally have access to your encrypted files as if they are you.

How to Choose a Tool