
The eMag Link Monthly Articles


September Edition

Innovative encryption methods secure data being transported during discovery*


Concern about the security of sensitive data during transport has never been higher. Attorneys from coast to coast have watched the headlines and read countless articles about files and tapes that have been lost or stolen while being moved from Point A to Point B - during legal discovery activities, perhaps, or to satisfy compliance requirements.

As a result, law firms and corporate in-house counsel are investigating more dependable methods for securing information during transit, when it is at its most vulnerable. Many have concluded that encryption provides the greatest protection throughout the chain of custody and can be achieved at a reasonable cost.

Typically, corporations and law firms encrypting data employ one of two methods. Some choose to rely on programs that are built into individual backup software packages or tape drives. Alternatively, other organizations select emerging applications that provide single, unified encryption for diverse types of data.

The advantages offered by the latter option are many. An integrated approach provides greater assurance that all files have been securely encrypted. Plus, this innovative encryption strategy eliminates the need to manage multiple proprietary keys that expose custodial parties to the risk that the keys could be misplaced or become obsolete.

Federal, state laws require data security

The sanctity of confidential information has never been more closely guarded, as evidenced by the plethora of laws and regulations enacted in recent years. This year marks the 10th anniversary of the Health Insurance Portability and Accountability Act (HIPAA), for instance, which makes healthcare organizations responsible for the security of clinical and administrative information relating to patients. Four years ago, Congress passed the Sarbanes-Oxley Act (SOX), instituting financial reporting regulations designed to shield consumers from misconduct or fraud. Individual states have also tightened confidentiality policies. California, for example, recently adopted the California Security Breach of Information Act (SB 1380) that compels all types of organizations to inform individuals if the security of any personal data that the organization maintains is violated in any way.

At the same time, there has never been as much publicity surrounding security breaches as there is today. Consider these incidents involving unencrypted data, which occurred during the first half of 2006:

  • The Department of Veterans Affairs reported the May theft of a laptop computer, which contained identifying information like Social Security numbers affecting about 26 million veterans. Authorities have since reported that they recovered the laptop on June 29, and that a preliminary review of the equipment by computer forensic experts determined that the database remained intact and had not been accessed since it was stolen. A more thorough forensic examination of the recovered computer equipment is underway, however.
  • The IRS disclosed a similar episode just a few weeks later, when confidential information concerning nearly 300 IRS employees and job applicants was stolen. In this case, the data (including fingerprints, names, Social Security numbers and dates of birth) was stored on a laptop computer that vanished during a commercial airline flight.
  • The Bank of America also announced last spring that back-up tapes being transported for archiving were missing and had likely been stolen. These tapes contained information on 1.2 million federal employees, and included Social Security numbers and bank account information.
  • In a similar incident in March, Time Warner revealed that tapes being shipped to a highly regarded storage facility were missing. These files contained the names and Social Security numbers of 600,000 current and former employees.
  • At about the same time, Citibank notified 3.9 million customers about the loss of computer tapes with account information, payment histories and Social Security numbers. The tapes were in a box being shipped cross-country via UPS.
The message is clear: Unencrypted data is highly vulnerable during transport. The intensity of media attention surrounding these breaches - combined with regulations addressing data security - means that all parties along the chain of custody must take full responsibility for ensuring that the confidentiality of private and proprietary information is preserved.

The price to pay for ignoring these warnings can be high. Fines and penalties may be levied if the problems were due to noncompliance with security regulations. Victims often instigate costly lawsuits that could result in steep compensatory awards for damages. Plus, the negative publicity may hound a law firm or corporation for years.

Encryption secures confidential data

To ensure they are able to meet expectations for increased data security, law firms and corporate counsel are analyzing "best practices" that emphasize how to most effectively manage data that must be transported for discovery purposes. The vast majority has determined that encryption provides the security they seek.

As they review the options available to them, legal professionals must deliberate on the benefits of symmetric versus asymmetric cryptography - or, alternatively, whether it is best to employ a combination of the two.

Symmetric cryptography is the more traditional approach, and is characterized by the use of a single password - in other words, both encryption and decryption are done with the same "key." Data professionals note that this methodology exposes law firms and corporations to unacceptable levels of risk when employed as a stand-alone system. If the key is appropriated by the wrong party, the security of the data is immediately compromised. To ensure this does not occur, custodial parties must invest significant resources in key management.

This problem is eliminated with asymmetric, or public key infrastructure (PKI), encryption, which utilizes both a public and a private component in the encryption process. The originator devises this dual level of digital encryption keys, which are created by a hash of the data - a "fingerprinting" technique that compares and verifies the volume of data at both the onset and completion of the process to ensure it has not been altered. The resultant public encryption "read" key can then be shared as required, while access to the private decryption key is restricted. In a sense, the public key locks the data, while the private key releases it. The private key is sent to the recipient separate from the actual data. Alternatively, it can simply be stored until the data needs to be decrypted.
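
The fingerprint-and-compare step described above, shown as an added Python example that is not part of the original article or of any eMag product. It seals the fingerprint list with an HMAC under a key that travels separately from the media, used here as a simpler stand-in for a public-key signature; the function names, file names and key are constructed for illustration.

```python
import hashlib
import hmac
import json

def fingerprint(data):
    """Return the SHA-256 fingerprint of one item's bytes as hex."""
    return hashlib.sha256(data).hexdigest()

def _seal(digests, mac_key):
    # HMAC over a canonical JSON encoding of the fingerprint list.
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(mac_key, body, hashlib.sha256).hexdigest()

def build_manifest(items, mac_key):
    """Onset of transport: fingerprint every item and seal the list."""
    digests = {name: fingerprint(data) for name, data in sorted(items.items())}
    return {"digests": digests, "tag": _seal(digests, mac_key)}

def verify_shipment(manifest, received, mac_key):
    """Completion of transport: check the seal, then compare fingerprints."""
    report = {"manifest_ok": False, "altered": [], "missing": [], "unexpected": []}
    # Reject a manifest that was edited to match tampered media.
    if not hmac.compare_digest(_seal(manifest["digests"], mac_key), manifest["tag"]):
        return report
    report["manifest_ok"] = True
    for name, digest in manifest["digests"].items():
        if name not in received:
            report["missing"].append(name)
        elif fingerprint(received[name]) != digest:
            report["altered"].append(name)
    report["unexpected"] = sorted(set(received) - set(manifest["digests"]))
    return report

# Constructed sample data: file names, contents and key are illustrative only.
SAMPLE_KEY = b"constructed-key-delivered-separately-from-the-media"
SENT = {"custodian_a.pst": b"mailbox export", "ledger.csv": b"id,amount\n1,100\n"}

def demo():
    """Simulate one altered, one lost and one unlisted item on arrival."""
    manifest = build_manifest(SENT, SAMPLE_KEY)
    received = {"ledger.csv": b"id,amount\n1,900\n", "extra.txt": b"unlisted"}
    return verify_shipment(manifest, received, SAMPLE_KEY)

if __name__ == "__main__":
    print(demo())
```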

Use of PKI encryption grants parties who are concerned with the confidentiality of data four levels of assurance:

  • Confidentiality - Protection of data against unauthorized access/disclosure
  • Authenticity - Verification of an individual identity (PIN/PASSWORD)
  • Integrity - Protection of data against unauthorized modification or substitution
  • Non-Repudiation - Combination of confidentiality and authenticity that is provable to a third party

Single-key applications simplify encryption

In addition to evaluating these methodologies, legal professionals must also consider the level of encryption that meets their needs. Many have turned to application-level encryption found in more recent versions of back-up software. These packages offer automatic encryption - whenever data is backed up, the software initiates an inherent encryption sequence.

However, industry experts note that this approach has disadvantages. Management of the process is highly complex, for example, because every program has a different and distinct encryption key. This requires that the custodian of the data manage multiple keys - keeping records of each key so that it can be applied to the corresponding release or generation of each specific program. If the keys are misapplied, misfiled or outdated, they will be unable to decrypt the relevant data.

The next generation of encryption methods, however, offers custodians the ability to apply a single key to multiple types and versions of software. The firm or organization is able to write its own proprietary encryption key to decrypt all formats or files. With that in place, a small computer system interface (SCSI) device automatically encrypts data during duplication at no additional cost and with no delay.

Once the data is secured, it can be transported with virtually no danger of a security breach. Even if the physical media is lost or stolen, no party other than the one holding the decryption key can access the data. The key is sent separately from the data and, once both components have reached their destination, the recipient uses the "read" key to retrieve the data.

The result? Users eliminate the need for multiple keys, which reduces the opportunities for loss and the exposure to risk. Plus, the originating organization operates more efficiently, since it has simplified the management of encrypted data.

The use of PKI encryption is only the first step to increased data security. Already vendors are introducing native tape-drive based applications with greater capacity that greatly increase the throughput offered by current systems. With these types of innovations available, legal professionals can be assured that data transported for discovery can be encrypted for maximum security - easily, efficiently and inexpensively.

* The following article was written by Chuck Bokath, eMag's VP of Software Development, and it originally appeared in Law Journal Newsletters' e-Discovery Law & Strategy newsletter www.ljnonline.com/alm?edisc.
