Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

On the Case

By Chuck Bokath
October 30, 2006

Security is big business these days. Everyone from celebrities to private citizens, and organizations from the Academy of Motion Picture Arts and Sciences (it awards the Oscar) to the U.S. Army hires security.

In e-commerce, in general, and e-data manipulation and storage in particular, credit card and Social Security Numbers and personally identifying data on up to 33 million people have been compromised in recent high-profile e-databank compromises.

And in the legal realm, concern about the security of sensitive data during transport has never been higher. Attorneys from coast to coast have watched the headlines and read countless articles about files and tapes that have been lost or stolen while being moved from Point A to Point B ' during legal discovery activities, perhaps, or to satisfy compliance requirements.

As a result, law firms and corporate in-house counsel are investigating more dependable methods for securing information during transit, when it is most vulnerable. Many of these experienced denizens of e-data have concluded that encryption provides the greatest protection throughout the chain of custody, and that this locked-door method of data security can be achieved at a relatively reasonable cost.

Typically, corporations and law firms encrypting data employ one of two methods. Some choose to rely on programs that are built into individual backup software packages or tape drives. Alternatively, other organizations select emerging applications that provide single, unified encryption for diverse types of data.

The advantages offered by the latter option are many. An integrated approach provides data managers and attorneys greater assurance that all files have been securely encrypted. Plus, this innovative encryption strategy eliminates the need to manage multiple proprietary keys that expose custodial parties to the risk that the keys could be misplaced or become obsolete.

Federal, State Laws Require Data Security

The sanctity of confidential information has never been more closely guarded. The panoply of laws and regulations enacted in recent years bears this out. This year marks the 10th anniversary of the Health Insurance Portability and Accountability Act (HIPAA), for instance, which makes healthcare organizations responsible for the security of clinical and administrative information relating to patients. Four years ago, Congress passed the Sarbanes-Oxley Act (SOX), instituting financial-reporting regulations designed to shield consumers from misconduct or fraud. Individual states have also tightened confidentiality policies. California, for example, recently adopted the California Security Breach of Information Act (SB 1380) that compels all types of organizations to inform people if the security of any personal data that the organization maintains is violated in any way.

At the same time, there has never been as much publicity surrounding security breaches. Consider the following incidents involving unencrypted data that occurred during the first half of 2006.

  • The Department of Veterans Affairs reported the May theft of a laptop computer that contained identifying information like Social Security Numbers ' a breach that could potentially have affected about 26 million of veterans. Authorities recovered the laptop on June 29, and a preliminary review of the equipment by computer-forensic experts determined that the database remained intact and had not been accessed since it was stolen.
  • The Internal Revenue Service disclosed a similar episode just a few weeks later. The tax agency revealed that confidential information concerning nearly 300 IRS employees and job applicants was stolen. In this case, the data (including fingerprints, names, Social Security Numbers and dates of birth) was stored on a laptop computer that vanished during a commercial airline flight.
  • The Bank of America announced last spring that backup tapes being transported for archiving were missing and had likely been stolen. These tapes contained information on 1.2 million federal employees, and included Social Security Numbers and bank-account information.
  • In a similar incident in March, media giant Time Warner revealed that tapes being shipped to a highly regarded storage facility were missing. These files contained the names and Social Security Numbers of 600,000 current and former employees.
  • At about the same time, Citibank notified 3.9 million customers about the loss of computer tapes with account information, payment histories and Social Security Numbers. The tapes were in a box being shipped cross-country via UPS.

The message is clear: Unencrypted data is highly vulnerable during transport. The intensity of media attention surrounding these breaches ' combined with regulations addressing data security ' means that all parties along the chain of custody must take full responsibility for ensuring that confidentiality of private and proprietary information is preserved.

The price of ensuring this can be high ' but the price to pay for ignoring these warnings will be higher. Fines and penalties may be levied if the problems were due to noncompliance with security regulations. Victims often instigate costly lawsuits that could result in steep compensatory awards for damages. Plus, the negative publicity may hound a law firm or corporation for years.

Encryption Secures Confidential Data

To ensure that they are able to meet expectations for increased data security, law firms and corporate counsel are analyzing best practices that focus on how to most effectively manage data that must be transported for discovery purposes.

As they review the options available to them, legal professionals must deliberate on the benefits of symmetric versus asymmetric cryptography ' or, alternatively, if it is best to employ a combination of the two.

Symmetric cryptography is the more traditional approach, and is characterized by the use of a single password; in other words, encryption and decryption are done with the same 'key.' Data professionals note that this methodology exposes law firms and corporations to unacceptable levels of risk when employed as a stand-alone system. If the key is appropriated by the wrong party, for instance, the security of the data is immediately compromised. To ensure this does not occur, custodial parties must invest significant resources in key management.

But the single-key problem is eliminated with asymmetric, or public key infrastructure (PKI), encryption, which uses a public and private component to the encryption process. The originator devises this dual level of digital encryption keys, which are created by a hash of the data ' a fingerprinting technique, more or less, that compares and verifies the volume of data at the onset and completion of the process to ensure that it has not been altered. The resultant public encryption 'read' key can then be shared as required, while access to the private decryption key is restricted. In a sense, the public key locks the data, while the private key releases it. The private key is sent to the recipient separately from the data.

Use of PKI encryption grants parties concerned with the confidentiality of data four levels of assurance.

1. Confidentiality. Protection of data against unauthorized access or disclosure, or both.

2. Authenticity. Verification of an individual identity (pin/password).

3. Integrity. Protection of data against unauthorized modification or substitution.

4. Non-repudiation. Combination of confidentiality and authenticity that is provable to the third party.

Single-key Applications Simplify Encryption

In addition to evaluating these methodologies, legal professionals must consider the level of encryption that meets their needs. Many have turned to the application-level encryption found in more recent versions of backup software. These packages offer automatic encryption ' whenever data is backed up, the software initiates an inherent encryption sequence.

Industry experts note, however, that this approach has disadvantages. Management of the process is highly complex, for example, because every program has a different and distinct encryption key. This requires that the custodian of the data manage multiple keys ' keeping records of each key so that it can be applied to the corresponding release or generation of each specific program. If the keys are misapplied, misfiled or outdated, they will be unable to decrypt the relevant data.

The next generation of encryption methods, however, offers custodians the ability to apply a single key to multiple types and versions of software. This ability allows the firm or organization to write its own proprietary encryption key to decrypt all formats or files. With that mechanism in place, a small computer system interface (SCSI) device automatically encrypts data during duplication at no additional cost, and with no delay.

Once the data is secured, it can be transported with virtually no danger of a security breach. Even if the physical medium is lost or stolen, no party other than the one holding the decryption key can access the data. The key is sent separately from the data and, once both components have reached their destination, the recipient uses the read key to retrieve the data.

The result? Users eliminate the need for multiple keys, which reduces the opportunities for loss and the exposure to risk. Plus, the originating organization operates more efficiently, because it has simplified the management of encrypted data.

The use of PKI encryption is only the first step to increased data security. Already, vendors are introducing native tape-drive based applications with greater capacity that greatly increase throughput offered by current systems. With these types of innovations available, legal professionals can be assured that data transported for discovery can be encrypted for maximum security ' easily, efficiently and inexpensively.


Chuck Bokath is vice president of software development for Atlanta-based eMag Solutions, an electronic discovery company specializing in accessing data from a variety of archived sources. Reach him at [email protected].

Security is big business these days. Everyone from celebrities to private citizens, and organizations from the Academy of Motion Picture Arts and Sciences (it awards the Oscar) to the U.S. Army hires security.

In e-commerce, in general, and e-data manipulation and storage in particular, credit card and Social Security Numbers and personally identifying data on up to 33 million people have been compromised in recent high-profile e-databank compromises.

And in the legal realm, concern about the security of sensitive data during transport has never been higher. Attorneys from coast to coast have watched the headlines and read countless articles about files and tapes that have been lost or stolen while being moved from Point A to Point B ' during legal discovery activities, perhaps, or to satisfy compliance requirements.

As a result, law firms and corporate in-house counsel are investigating more dependable methods for securing information during transit, when it is most vulnerable. Many of these experienced denizens of e-data have concluded that encryption provides the greatest protection throughout the chain of custody, and that this locked-door method of data security can be achieved at a relatively reasonable cost.

Typically, corporations and law firms encrypting data employ one of two methods. Some choose to rely on programs that are built into individual backup software packages or tape drives. Alternatively, other organizations select emerging applications that provide single, unified encryption for diverse types of data.

The advantages offered by the latter option are many. An integrated approach provides data managers and attorneys greater assurance that all files have been securely encrypted. Plus, this innovative encryption strategy eliminates the need to manage multiple proprietary keys that expose custodial parties to the risk that the keys could be misplaced or become obsolete.

Federal, State Laws Require Data Security

The sanctity of confidential information has never been more closely guarded. The panoply of laws and regulations enacted in recent years bears this out. This year marks the 10th anniversary of the Health Insurance Portability and Accountability Act (HIPAA), for instance, which makes healthcare organizations responsible for the security of clinical and administrative information relating to patients. Four years ago, Congress passed the Sarbanes-Oxley Act (SOX), instituting financial-reporting regulations designed to shield consumers from misconduct or fraud. Individual states have also tightened confidentiality policies. California, for example, recently adopted the California Security Breach of Information Act (SB 1380) that compels all types of organizations to inform people if the security of any personal data that the organization maintains is violated in any way.

At the same time, there has never been as much publicity surrounding security breaches. Consider the following incidents involving unencrypted data that occurred during the first half of 2006.

  • The Department of Veterans Affairs reported the May theft of a laptop computer that contained identifying information like Social Security Numbers ' a breach that could potentially have affected about 26 million of veterans. Authorities recovered the laptop on June 29, and a preliminary review of the equipment by computer-forensic experts determined that the database remained intact and had not been accessed since it was stolen.
  • The Internal Revenue Service disclosed a similar episode just a few weeks later. The tax agency revealed that confidential information concerning nearly 300 IRS employees and job applicants was stolen. In this case, the data (including fingerprints, names, Social Security Numbers and dates of birth) was stored on a laptop computer that vanished during a commercial airline flight.
  • The Bank of America announced last spring that backup tapes being transported for archiving were missing and had likely been stolen. These tapes contained information on 1.2 million federal employees, and included Social Security Numbers and bank-account information.
  • In a similar incident in March, media giant Time Warner revealed that tapes being shipped to a highly regarded storage facility were missing. These files contained the names and Social Security Numbers of 600,000 current and former employees.
  • At about the same time, Citibank notified 3.9 million customers about the loss of computer tapes with account information, payment histories and Social Security Numbers. The tapes were in a box being shipped cross-country via UPS.

The message is clear: Unencrypted data is highly vulnerable during transport. The intensity of media attention surrounding these breaches ' combined with regulations addressing data security ' means that all parties along the chain of custody must take full responsibility for ensuring that confidentiality of private and proprietary information is preserved.

The price of ensuring this can be high ' but the price to pay for ignoring these warnings will be higher. Fines and penalties may be levied if the problems were due to noncompliance with security regulations. Victims often instigate costly lawsuits that could result in steep compensatory awards for damages. Plus, the negative publicity may hound a law firm or corporation for years.

Encryption Secures Confidential Data

To ensure that they are able to meet expectations for increased data security, law firms and corporate counsel are analyzing best practices that focus on how to most effectively manage data that must be transported for discovery purposes.

As they review the options available to them, legal professionals must deliberate on the benefits of symmetric versus asymmetric cryptography ' or, alternatively, if it is best to employ a combination of the two.

Symmetric cryptography is the more traditional approach, and is characterized by the use of a single password; in other words, encryption and decryption are done with the same 'key.' Data professionals note that this methodology exposes law firms and corporations to unacceptable levels of risk when employed as a stand-alone system. If the key is appropriated by the wrong party, for instance, the security of the data is immediately compromised. To ensure this does not occur, custodial parties must invest significant resources in key management.

But the single-key problem is eliminated with asymmetric, or public key infrastructure (PKI), encryption, which uses a public and private component to the encryption process. The originator devises this dual level of digital encryption keys, which are created by a hash of the data ' a fingerprinting technique, more or less, that compares and verifies the volume of data at the onset and completion of the process to ensure that it has not been altered. The resultant public encryption 'read' key can then be shared as required, while access to the private decryption key is restricted. In a sense, the public key locks the data, while the private key releases it. The private key is sent to the recipient separately from the data.

Use of PKI encryption grants parties concerned with the confidentiality of data four levels of assurance.

1. Confidentiality. Protection of data against unauthorized access or disclosure, or both.

2. Authenticity. Verification of an individual identity (pin/password).

3. Integrity. Protection of data against unauthorized modification or substitution.

4. Non-repudiation. Combination of confidentiality and authenticity that is provable to the third party.

Single-key Applications Simplify Encryption

In addition to evaluating these methodologies, legal professionals must consider the level of encryption that meets their needs. Many have turned to the application-level encryption found in more recent versions of backup software. These packages offer automatic encryption ' whenever data is backed up, the software initiates an inherent encryption sequence.

Industry experts note, however, that this approach has disadvantages. Management of the process is highly complex, for example, because every program has a different and distinct encryption key. This requires that the custodian of the data manage multiple keys ' keeping records of each key so that it can be applied to the corresponding release or generation of each specific program. If the keys are misapplied, misfiled or outdated, they will be unable to decrypt the relevant data.

The next generation of encryption methods, however, offers custodians the ability to apply a single key to multiple types and versions of software. This ability allows the firm or organization to write its own proprietary encryption key to decrypt all formats or files. With that mechanism in place, a small computer system interface (SCSI) device automatically encrypts data during duplication at no additional cost, and with no delay.

Once the data is secured, it can be transported with virtually no danger of a security breach. Even if the physical medium is lost or stolen, no party other than the one holding the decryption key can access the data. The key is sent separately from the data and, once both components have reached their destination, the recipient uses the read key to retrieve the data.

The result? Users eliminate the need for multiple keys, which reduces the opportunities for loss and the exposure to risk. Plus, the originating organization operates more efficiently, because it has simplified the management of encrypted data.

The use of PKI encryption is only the first step to increased data security. Already, vendors are introducing native tape-drive based applications with greater capacity that greatly increase throughput offered by current systems. With these types of innovations available, legal professionals can be assured that data transported for discovery can be encrypted for maximum security ' easily, efficiently and inexpensively.


Chuck Bokath is vice president of software development for Atlanta-based eMag Solutions, an electronic discovery company specializing in accessing data from a variety of archived sources. Reach him at [email protected].

Read These Next
COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

How Secure Is the AI System Your Law Firm Is Using? Image

What Law Firms Need to Know Before Trusting AI Systems with Confidential Information In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

Generative AI and the 2024 Elections: Risks, Realities, and Lessons for Businesses Image

GenAI's ability to produce highly sophisticated and convincing content at a fraction of the previous cost has raised fears that it could amplify misinformation. The dissemination of fake audio, images and text could reshape how voters perceive candidates and parties. Businesses, too, face challenges in managing their reputations and navigating this new terrain of manipulated content.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.