Securing The Package Before It Goes Out: A Guide To Encryption
By James B. Salla (LinkedIn)
Preparing a production to opposing counsel is no longer a simple matter of Bates labeling paper documents, making copies of them, and putting the copies in a FedEx box. The advent of electronic discovery has made the production process much more complicated. You have to determine the format in which to deliver your data – TIFF images, PDF files, native files, or some combination of the three – and decide which database fields (author, date, title, text, etc.) you are going to make available to the other side. Load files come in different flavors too. If opposing counsel is going to put the production into a review platform like Concordance or Summation or Relativity, they will probably want the load files you deliver to be compatible with their system.
These are the sorts of things you’re supposed to talk about at the meet-and-confer, but another production issue, also important but often not discussed, is whether to encrypt the productions for added security and exactly how to do so. If you are producing particularly sensitive data, encrypting the production may be a sensible precaution even though it will add time to the production process. A hard drive that is misplaced or delivered to the wrong address could be a nightmare of worry for a law firm and its client because anyone who finds the package and has a computer would, in theory, be able to get access to its contents. An encrypted hard drive, on the other hand, even if lost or misplaced, would simply be a rather ugly paperweight on someone’s desk.
There are also situations in which you are required to encrypt data before production. If you are producing patient medical records, the Health Insurance Portability and Accountability Act (HIPAA) may mandate that precautions be taken to ensure their protection from anyone not involved in the lawsuit. You may want to produce any “Attorneys’ Eyes Only” productions in encrypted form. In addition, sometimes clients will require, as a matter of general policy, that their attorneys secure their data with an encryption program no matter what the contents are. Formal productions are not the only time to think about this. You should also consider some form of encryption when arranging to send your original client data to an outside vendor for processing if there is any reason to think the shipment may be intercepted.
Just as there are several different review platforms for productions, there is more than one way to scramble a set of files into gibberish so that only someone with the password can unscramble them back into working order. You may want to ask the other side for their preference, but, if you don’t know which method they prefer, the simplest method is to use WinZIP. WinZIP is probably the most common data-compression program out there; it’s a successor to the venerable DOS-era PC-Zip program, and almost everyone seems to have a working copy available on their computer. If they don’t, a trial version can be downloaded from the manufacturer’s website.
WinZIP can take a large group of files and compress them into a single, smaller file with a .zip extension. That is its primary purpose, to make data sets smaller and more manageable for shipping and storage, but it also has an optional encryption feature. When you start to compress a set of files, click on the “Encrypt added files” option in the first dialogue box:
When you click on “Add,” a second box will come up that will let you put in your password. Check the “Hide the password” box if anyone is looking over your shoulder.
This, by the way, is an example of a particularly bad password because it is so easy for someone to guess. For greater effectiveness, passwords should be more than a dozen characters long and include numbers and even punctuation marks as well as letters. No one is going to guess “asf18r6_99tr2?” or “&boretmy77fowruvc,” but “Password1,” the name of your client, the name of your firm, etc., are to be avoided. People frequently use words or phrases as the passwords they use to log into their computers or their bank accounts because they are going to be doing that all the time and they want something easy to remember, but a production is only going to be going out once and you should make the password you use as obscure as possible.
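The password advice above can be turned into a small check and generator. This is an added example, not part of the original article and not a feature of WinZIP: the function names are made up for illustration, and the client and firm names in the sample list are hypothetical.

```python
import secrets
import string

MIN_LENGTH = 13  # the article asks for "more than a dozen characters"


def _normalize(text):
    """Lowercase and drop everything but letters and digits, so that
    'Smith & Jones' also matches 'smithjones' inside a password."""
    return "".join(c for c in text.lower() if c.isalnum())


def check_password(password, banned_terms=()):
    """Return the list of ways the password fails the article's guidance."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    squashed = _normalize(password)
    for term in banned_terms:
        needle = _normalize(term)
        if needle and needle in squashed:
            problems.append("contains banned term: " + term)
    return problems


def generate_password(length=20, banned_terms=()):
    """Build a password from the operating system's secure random source,
    retrying until it passes every check above."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, banned_terms):
            return candidate


if __name__ == "__main__":
    # Constructed sample values: the client and firm names are hypothetical.
    banned = ["password", "Acme Widgets", "Smith & Jones"]
    for sample in ["Password1", "AcmeWidgets2024!", "asf18r6_99tr2?"]:
        print(sample, "->", check_password(sample, banned) or "ok")
    print("generated:", generate_password(20, banned))
```

Passwords that have appeared in print, including the two samples quoted above, should be treated as test input only and never reused for a real production.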
When the other side gets your WinZIP production and opens it, each file that has been encrypted will be followed by an asterisk. They will have to enter the password, which you should send to them in a separate communication, before they can decompress and view the files.
If you are going to be producing an especially large amount of data, and the receiving party is technologically sophisticated, you may want to compress your production into encrypted .rar files instead. An .rar file is an alternate compression format to the .zip file. They are created using a program called WinRAR, which can also create .zip files, and can hold substantially more data in less space. Although they are less well-known, I often use .rar files to transfer data to ESI vendors, who certainly will have the technology to open them up.
Like WinZIP, WinRAR gives you the option to require that a password be entered before your files can be extracted. It also lets you choose from a variety of encryption algorithms to do this.
Sometimes the other side will be concerned about security too and will propose using a popular freeware program called TrueCrypt. TrueCrypt’s claim to fame is that its source code is available to the public; anyone with programming experience can look at the code and verify that there are no backdoors into the software. It can be used two ways: either by creating a file of fixed size (500 MB, 1 GB, 2 GB, etc.) that is, in effect, an encrypted vault, or by protecting an entire flash drive or hard drive. Anything copied into the encrypted space while the program is running is automatically encrypted.
The first method is probably easier to use, particularly because you can then provide the program’s executable file on the drive as well.
In order to use TrueCrypt, you have to “mount” the encrypted vault file by telling the program to connect it to one of the unused drive letters on your computer.
When you put in the password, that drive letter (“I” in this case) will be like a new hard drive temporarily installed in your computer. Copying the production to I:\ will put it into the encrypted TrueCrypt vault.
Be sure you click on the “Dismount” button before disconnecting your drive and sending it out. The receiving party for your production can use exactly the same process to decrypt the data at their end.
One note of caution: While there are many good reasons to encrypt your productions, and many options out there to choose from, it is important to remember that encrypting data takes time and will be an extra step you have to go through at the very end of the production process. Be sure that you keep your drop-dead shipping deadline in mind when planning the production and take into account the time you will have to spend zip-ing or rar-ing or TrueCrypt-ing your data. It may be a good idea, when you have a free hour, to run a test encryption on a large block of data just to see how long the programs take to handle, say, 1 GB or 2 GB on your system, and then use that as a benchmark for actual productions.