Comment: Safeguarding data – secure, private and accessible
Privacy between a lawyer and their client has, traditionally, been sacrosanct but new legal rulings and increased data vulnerability through employees using their own computer devices threatens security and confidentiality. Thomas Chappelow, managing director of Nimbox, examines these threats and explains what can be done to ensure that files are securely encrypted and can be shared by colleagues anywhere in the world…
Secret documents released by the security services during a legal case in November 2014 show that they have allowed their operatives to intercept communications between lawyers and their clients. Extracts of documents from MI5, MI6 and GCHQ were released as part of legal action brought by lawyers from the campaigning charity Reprieve on behalf of two Libyan men, and follow disclosures on mass surveillance by former CIA contractor Edward Snowden.
Telephone taps and e-mail surveillance, implemented since at least October 2002, go against the principle of legal professional privilege. Cori Crider, a director at Reprieve, said: “It’s now clear the intelligence agencies have been eavesdropping on lawyer client conversations for years. The documents clearly show that MI5’s and GCHQ’s policies on snooping on lawyers have major loopholes.”
In addition, the Data Retention and Investigatory Powers Bill, supported almost unanimously in pre-publication by the big three political parties, was passed into law in July 2014 as an ‘emergency law’ to combat terrorism. The European Court of Justice had ruled against such powers in April, saying: “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data”.
Firms also face huge threats to the security of their data with the expansion of the BYOD phenomenon, with staff bringing their own devices to work. With smartphones, tablets, laptops and even desktop PCs making their way into the workplace, and the uptake of home working and remote access, information security policies and controls have been left extremely porous.
The importance of protecting client information in the face of these challenges is clear. Firms who fail to do so risk fines of up to £500,000 under the Data Protection Act. More importantly, they risk their reputation.
So in these testing times, what can be done to safeguard information while allowing flexible working patterns and effective collaboration over the internet?
End-to-end encryption is the first rule, ensuring uninterrupted protection of any data travelling between two parties. This involves the originating party encrypting data to be readable only by the intended recipient, with no involvement in the encryption by third parties. This prevents intermediaries such as internet providers or application service providers from accessing confidential communications.
Typical server-based communications systems, such as Dropbox, Google Drive, Talk, Yahoo Messenger and, of course, Facebook, can only guarantee protection of exchanges between clients and servers, not between the communicating parties themselves. Some systems that normally offer end-to-end encryption, for example Skype, have been discovered to contain a ‘back door’, which causes negotiation of the encryption key between the communicating parties to be subverted – letting anybody read the contents of the communication.
Full security is achievable however, using expertise from clued-up data holding and information security services companies who use industry-leading encryption, robust procedures, and security controls. Clients’ data should be encrypted both in transit and at rest, with the service company’s portal able to ensure that only the client’s account can access stored data.
Custom-built software and equipment allows IT service companies to retain full control over their platform and offer clients the best defence for their data. Use of source-based encryption in all cloud drives, remote appliances and end-point software agents can effectively create a Virtual Private Network (VPN) for cloud storage, in which the customer has full control over who can access and read their files.
Highly secure encryption algorithms are available such as enterprise-grade AES-256, approved for protecting U.S. Government classified material, and widely used by financial institutions across the world. Users should also have the option of encrypting local volumes on appliances, further protecting their data in case of physical theft.
In addition to encrypting the data itself, all cloud traffic should be transmitted over a Transport Layer Security (TLS) connection. TLS protects data from being read or intercepted en route to the online backup platform. Business files should not only be shared effectively between users, but also securely replicated to the cloud using a backup service, so that, should a firm need to invoke disaster recovery plans, a designated user can simply initiate the data recovery process.
Following best practice, users should be able to choose either a private key derived from a personal encryption passphrase, or accept an automatically generated key. The system administrator should have full control over the choices of encryption keys given to users, according to the security policies of the organisation. SHA-2 (Secure Hash Algorithm 2) can be used to ‘fingerprint’ the data sent to the cloud, ensuring that the data set reaching its destination has not been tampered with.
As a firm grows and its data requirements extend to those of a multinational, the storage and sharing landscape changes. The firm is usually faced with the challenge of managing multiple small NAS systems that are really designed for the small-business market, or having to swallow the costs of a complicated enterprise-grade system.
It should be possible for any size of firm to have this system without the complication or cost, so that files can be accessed from anywhere in the world. All that is needed is a device with an Internet connection. Data can be hosted on highly available enterprise platforms, with virtually 100% availability and constant expert monitoring. Access is unrestricted, allowing users to securely access, edit or share their encrypted files in the cloud from a web app, desktop agent or mobile app. Cross-platform integration can also allow files to be synced on Windows, Mac, iOS, Windows Phone and Android.
The widespread adoption of cloud computing services has given rise to a new wave of privacy concerns. Simply, if you upload your data to ‘the cloud’ – where is it physically stored? Outside of the EU? North America? Asia?
Not knowing where your data is stored can create major legal issues; it is open to a wide range of regional privacy and data disclosure laws, which are often conflicting but nonetheless legally binding. In the American federal court system alone your data could be subject to any number of provisions including CALEA, CCRA, CIPA, COPPA and EFTA, to name a few, as well as the infamous USA PATRIOT Act, rushed through the US Senate just six weeks after the 9/11 attacks in 2001. Among other powers, this allows the FBI to search telephone, e-mail, and financial records without a court order, in addition to giving law enforcement agencies expanded access to business records.
In response to this breakdown of traditional geopolitical barriers and the plethora of legal challenges, many European countries have enacted new privacy and compliance legislation that requires customer data to be kept within the borders of the country to which it relates. Verifying that your data exists in the location in which you need it to be can be difficult, requiring you to trust your storage provider. Data holding and information security services companies should provide clients with mutual confidentiality agreements and guarantee that data, personal and financial information will stay in the UK and never be transferred out of its borders.
Minimal data retention
IT service companies have a duty to comply with government requests for data, so, to protect clients, they should design their services to hold a minimum amount of information – just what is needed to maintain functionality. Ideally the company should not hold the encryption keys to data and should be unable to decrypt files under any circumstances. Any Word document, image, CAD file or backup that is uploaded should be encrypted from the client’s own device to the cloud drive, and not decrypted until downloaded by them. If a service company has no access, it is not in a position to disclose information.
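The scheme described above, and in the earlier paragraphs on passphrase-derived keys, AES-256 and SHA-2 fingerprints, can be shown end to end in a few dozen lines. The following Go program is an added illustration written for this article; it is not Nimbox code and does not describe any particular product. It assumes a client that derives an AES-256 key from a passphrase with PBKDF2-HMAC-SHA256 (written inline here so that only the Go standard library is needed), encrypts a file with AES-256-GCM before upload, and ships the ciphertext with a SHA-256 fingerprint. The stored blob contains no key material, so the provider can check integrity but cannot decrypt; a wrong passphrase or a modified ciphertext is rejected on the client. The passphrase, document and iteration count are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Blob is everything the service provider stores for one file: the ciphertext,
// the public parameters a client needs to decrypt it given the passphrase, and a
// SHA-256 fingerprint of the ciphertext. No key material is present.
type Blob struct {
	Salt        []byte   // random salt for the key derivation
	Nonce       []byte   // random AES-GCM nonce, unique per encryption
	Ciphertext  []byte   // AES-256-GCM output (includes the authentication tag)
	Fingerprint [32]byte // SHA-256 over Ciphertext, checked before any decryption
}

// kdfIterations is a constructed sample value; a real deployment would tune it.
const kdfIterations = 100_000

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte
// block, enough for one AES-256 key. Written inline to avoid non-stdlib imports.
func pbkdf2SHA256(passphrase, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := prf.Sum(nil)
	out := make([]byte, len(u))
	copy(out, u)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
		}
	}
	return out
}

// Encrypt runs on the client: the key is derived and used here, never uploaded.
func Encrypt(passphrase, plaintext []byte) (Blob, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Blob{}, err
	}
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, kdfIterations))
	if err != nil {
		return Blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	return Blob{Salt: salt, Nonce: nonce, Ciphertext: ct, Fingerprint: sha256.Sum256(ct)}, nil
}

// VerifyFingerprint is what the provider can do without any key: confirm that the
// ciphertext it holds still matches the fingerprint recorded at upload time.
func VerifyFingerprint(b Blob) bool {
	return sha256.Sum256(b.Ciphertext) == b.Fingerprint
}

// Decrypt runs on the client after download. The fingerprint is checked first;
// the GCM tag then rejects a wrong passphrase or any bit flip the fingerprint missed.
func Decrypt(passphrase []byte, b Blob) ([]byte, error) {
	if !VerifyFingerprint(b) {
		return nil, errors.New("fingerprint mismatch: ciphertext altered in transit or at rest")
	}
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, b.Salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

func main() {
	passphrase := []byte("correct horse battery staple")            // constructed sample
	doc := []byte("CONFIDENTIAL: draft settlement terms for client") // constructed sample
	blob, err := Encrypt(passphrase, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes, fingerprint %s\n", len(blob.Ciphertext), hex.EncodeToString(blob.Fingerprint[:]))
	fmt.Println("provider-side integrity check passes:", VerifyFingerprint(blob))
	got, err := Decrypt(passphrase, blob)
	fmt.Println("client recovers the document:", err == nil && bytes.Equal(got, doc))
	_, err = Decrypt([]byte("not the passphrase"), blob)
	fmt.Println("wrong passphrase rejected:", err != nil)
	blob.Ciphertext[0] ^= 0x01 // simulate corruption or tampering at rest
	_, err = Decrypt(passphrase, blob)
	fmt.Println("tampered ciphertext rejected:", err)
}
```

Two design points are worth noting. The fingerprint only proves that what arrived is what was sent if the fingerprint itself travels over an authenticated channel (the TLS connection the article calls for) or is kept by the client; the GCM authentication tag is what ties integrity to the key. And because the provider receives only the blob, a disclosure request can at most yield ciphertext, which is exactly the position the minimal-retention paragraph argues for.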
As advances in technology create opportunities for organisations to work more flexibly and collaboratively than ever before, legal companies in particular should be fully aware of the very real threat that is posed to security and confidentiality. A proactive approach which seeks to educate staff and implement a fully protected system will ensure that data is kept secure, private, and accessible.
Note: This post first appeared on Legal IT Insider