Peer to Peer Magazine

Fall 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/900970


Codes and Keys: What, How and Why To Encrypt

original data (such as password). Identical data will also create an identical hash, ensuring that something has not changed. Common hash functions include SHA-2, SHA-256 and MD5.

Why Adopt Encryption?

Confidentiality is the obvious reason that firms need to adopt encryption. As firms deal with information that can be highly sensitive, ensuring that the information is protected from unauthorized access is paramount.

Data should be protected in transit, in use and in storage. When data is transmitted between two parties, whether between attorneys or between the firm and its clients, the data should be protected from interception and inadvertent disclosure. Utilizing technologies such as transport encryption (e.g., Transport Layer Security) and file-level encryption can help mitigate some of this risk.

When data is stored on a device, such as a laptop or mobile phone, it should also be protected. As most firms use Windows already, BitLocker is likely available to provide encryption capabilities to computer hard disks. In Windows 8, 8.1 and 10, BitLocker is available on Professional Edition and above. In Windows 7, at least Enterprise Edition is required, so a firm must have entered into an enterprise agreement (EA) with Microsoft. There is also a hardware requirement of a trusted platform module (TPM), but most modern business-class laptops and desktops include these.

BitLocker To Go can be used to encrypt removable media, such as USB flash drives and external hard drives. Although the same edition limitations apply to encrypting a drive, encrypted drives can be read on all editions of Windows 7 and above. Utilizing BitLocker or other similar encryption technologies means that if an asset is lost or stolen, the information is safe.
Regulations such as HIPAA and HITECH in the United States mandate that all protected health information (PHI) is appropriately safeguarded through the use of encryption and other controls. The U.S. Department of Health & Human Services notes that the HIPAA breach notification rule mandates that a notice must be provided following the breach of unsecured protected health information. This extends to all HIPAA-covered entities and their business associates, including law firms. If a USB drive, laptop or phone is lost and it contains PHI data but the data are appropriately safeguarded through encryption and strong passwords, a notification might not be required.

Although encrypting data on storage devices helps mitigate leakage and potential regulatory breaches in the event of a lost or stolen asset, it also protects the data when the device is decommissioned, disposed of or repaired.

One other advantage of encryption is nonrepudiation and validation. As the incidence of scams using email rises, the ability to validate the integrity of an email can be handled through encryption technologies. This is especially useful in scams where instructions to perform a financial transaction might be given. Using public key infrastructure and digital signatures, the legitimacy of an email can be verified to provide a level of comfort that the request is valid.

When Encryption Goes Wrong

There are many upsides to implementing cryptography, but there are also some downsides that can occur, including:

A False Sense of Security: Thinking you are protected when you are not is a frequent occurrence. There are many reasons why this might occur, and they typically include:

» Bad key management (including compromised keys)
» Poor choice of encryption or hashing algorithms (such as flaws and poor design)
» Poor password policies
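The hash property noted at the top of this page (identical data creates an identical hash) and the "poor choice of hashing algorithms" item in the list above meet in password storage. The following is an added example, not part of the original article: it audits a constructed account table stored as unsalted MD5 digests, then stores the same passwords with a per-account salt and PBKDF2-HMAC-SHA256. The account names, passwords, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this example


def md5_digest(password: str) -> str:
    """Weak choice: fast, unsalted MD5. Identical input gives an identical digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def accounts_sharing_a_digest(table: dict) -> list:
    """Audit an {account: digest} table for digests that are stored more than once."""
    by_digest = defaultdict(list)
    for account, digest in table.items():
        by_digest[digest].append(account)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Stronger choice: per-account random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["hash"])


# Constructed sample accounts; two of them reuse the same password.
SAMPLE = {"partner_a": "Autumn2017!", "associate_b": "Autumn2017!", "clerk_c": "x9$Lq-77Tz"}

if __name__ == "__main__":
    weak = {user: md5_digest(pw) for user, pw in SAMPLE.items()}
    print("MD5 table, accounts sharing a digest:", accounts_sharing_a_digest(weak))
    strong = {user: store_password(pw) for user, pw in SAMPLE.items()}
    salted = {user: rec["hash"].hex() for user, rec in strong.items()}
    print("Salted table, accounts sharing a digest:", accounts_sharing_a_digest(salted))
    print("Correct password verifies:", verify_password("Autumn2017!", strong["partner_a"]))
```

The unsalted table reveals which accounts share a password to anyone who can read it, while the salted table does not, even though both "use hashing".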
