Protect client data with encryption
Attorneys have a lot of data about clients. A lot of this may be no your computer, especially if you have gone paperless to any extent. And hard drives are only as secure as the lock on your office door. Paper can’t be encrypted–another downside to paper–but digital data can.
While I don’t think an attorney’s ethical obligation to protect client data goes further than locking the office door, attorneys who fail to protect client data could very well face liability if their clients’ identities are stolen from a hard drive. Let’s face it, opposing counsel probably isn’t hiring thugs to break into your office, but identity thieves are swiping laptops and buying old computers by the pallet-load at local auctions, looking for personal information. And you can’t necessarily trust your computer repairman, either.
This should be especially worrisome if you carry client data on a laptop, whether in the form of e-mails or actual digital files. Laptops are mobile and easy to steal. And all an identity thief has to do is pop out your hard drive and start looking around.
So, let’s talk encryption.
Encryption basics
Data encryption works a lot like the Little Orphan Annie decoder ring from A Christmas Story. Using a key–the ring–a sentence like “Be sure to drink your Ovaltine” is transformed into other characters. A might be encoded as T, etc. Obviously, data encryption must be more complicated. Modern encryption algorithms are practically unbreakable by any “brute force” technique, and all anyone browsing your hard drive will see is a file full of random-looking characters.
Encrypting your files
As a side note, both OSX and Windows Vista come with built-in encryption features. I won’t go into them in detail, since Lifehacker has already given a detailed breakdown of Vista Bitlocker and OSX FileVault.
There are encryption options for Linux, as well, but I will go into those another day, as I am still sorting them out myself.
Today we are talking about encrypting files in Windows XP. XP Pro does have some built-in encryption, but it is only partial encryption. Folders and filenames are still visible to the casual user. We’re going for total lockdown.
For total lockdown, we are going to use TrueCrypt, a free, open-source, on-the-fly-encryption application. TrueCrypt is a very good piece of software, with a very high level of security.
Step one: Back up your data. Now is as good a time as any, and you should back up before doing any real work under the hood of your computer. You should plan to encrypt all files with personal information, whether yours, your business’s, or your clients’.
Step two: Visit www.truecrypt.org, download TrueCrypt, and install it.
Step three: Decide what kind of encrypted volume you want to use. TrueCrypt works by taking a piece of your hard drive and encrypting it. Then, it mounts the data as a virtual hard drive you can access just like any other drive. You can only read the data when the virtual drive is mounted. You can either encrypt a partition or a file. I think encrypting a partition works best, but if you are using Windows, you probably don’t have any other partitions on your drive. However, do a little Googling, and you’ll have little trouble creating a partition for your data.
Otherwise, TrueCrypt uses a single file of a definite size to reserve the necessary space. If you want to go this route, make a file of any kind (a text file is easiest), and name it with the extension “.tc.”
Step four: Open TrueCrypt, and click on “Create Volume.” You can do a hidden volume or not; look through the help file for more on the difference. You probably don’t need to use the hidden volume, unless you are an undercover CIA operative and you might be tortured for your password. Or you are unreasonably paranoid.
Now, either navigate to the file or partition you want to encrypt, and select it. The next few screens will vary depending on the method you have chosen. If you are using a file, choose a size large enough to hold all your data for the foreseeable future. TrueCrypt has good documentation, and the dialogs are helpful. I am not going to step through each one, but I recommend you give it a try with a test file before you do the “real thing.”
Use a good password. TrueCrypt will recommend a password of 20 characters or more. I recommend you use randomly-generated passwords, or at least words, letters, and numbers (misspelled or with letters replaced with numbers as you can) that are not likely to show up on anything you tend to carry with you or on a background check. Memorize this number. Without it, your data will be irretrievable.
If you have trouble, consult the help file or post to the comments. I’ll try to sort you out. It really is pretty self-explanatory, though, and eventually you will have either a prepared partition or file.
Step five: Mount your virtual hard drive. Back in the TrueCrypt main screen. Select the drive letter you want to use. Below, click either the “select file” or “select device” button and navigate to the file or partition you prepared. Click “mount.” Voila! If you go to Start > My Computer, you should see your new, virtual hard drive. It will be empty, so fill it up with your sensitive data.
Step six: There are a few configuration tweaks you will want to do to make using TrueCrypt easier. First, while your volume is mounted, go to Volumes > Save Currently Mounted Volumes as Favorites. Then, in the main window, go to Settings > Preferences. Enable TrueCrypt as a background task. Set it to start when Windows does, and to mount favorite volumes. Under “auto-dismount” check all the boxes except for the timeout box, unless you want the extra protection. I would also have it wipe cached passwords at every opportunity.
With those tweaks, TrueCrypt will automatically prompt you to mount your protected volume whenever you log in.
NTFS file permissions
Now you will need to change your NTFS file permissions, or else any other user of your computer will have access to the encrypted data when it is mounted. First, if you are not on a domain (the “security” tab does not appear when you right-click and select “properties” on your mounted drive), disable simple sharing. Then, open the mounted volume properties again and click on the “security” tab. In the window, remove all the groups or usernames except “SYSTEM” and your own username. (If your username does not appear, click the “add” button and type your username into the text area, then click “OK.”) In the lower box, make sure that both your username and “SYSTEM” have full control and that all boxes are checked “allow.”
Once you have your encrypted virtual drive mounted and running, centralize your data so that everything that might contain sensitive client, business, or personal data is kept on the encrypted volume.
By the way, you already know to shred old files before throwing them out. Do the same thing with your hard drives, using a digital hard drive “shredder” like Darik’s Boot & Nuke. Do the same for hard copy machine hard drives.
There you go. You can rest assured that a thief stealing your laptop is highly unlikely to be able to read anything off the hard drive unless he or she has access to computers not designed or dreamed of at the present date.
Great article. The thought occurred to me that if I were encrypting on a Windows machine, I would probably just add another hard drive (unless it’s on a laptop - but why trust all your data to a laptop?) and just encrypt the whole thing, instead of placing a new partition on an existing Windows hard drive.
You can’t encrypt the whole hard drive, actually. You have to have a partition to run the OS from, including TrueCrypt. Otherwise, yes, you would do just as well encrypting a second hard drive. I always use a partition for my home directory to make backup (and encryption) easier.
As for the laptop, I just don’t see the point in owning a desktop anymore. It ties me to an office, and I’d rather work sitting on my porch. Just like anything else, it’s all about backup. Twice a day to an external drive, and once a day offsite.
[...] recently mentioned encryption, but what do you do when it comes time to throw out a hard drive? Wipe it clean. Why go to the [...]
[...] If the data on that hard drive was encrypted, rather than sitting out there for anyone to see, the headline might have been entirely different. All the thief would be able to see would be a file, partition, or drive full of gobbledygook (that’s a technical term). Encrypt your data. [...]
[...] software for encrypting files and disks. For a tutorial on getting started with TrueCrypt, see this post from last April. If and when I experiment with full-system encryption, I will post a new tutorial and [...]
[...] first-time encrypters, last year I posted a tutorial on creating encrypted file containers with TrueCrypt. It is a bit old, since I was using TrueCrypt 4 for Windows, but it appears it is still accurate [...]
[...] Every week, it seems, we hear of another laptop lost with hundreds or thousands of individuals’ personal information on it. The worst part is that this is so easily prevented. All operating systems come with at least basic encryption. [...]