The Cryptic Nature of Encryption: E-discovery and Protected ESI
How secure is the content of your hard drive? Do you
routinely protect confidential documents by assigning a password? Does your company run an encryption program on employee email? Do you use encryption on mobile storage – thumb drives?
There are several levels at which communications and document content can be encrypted for security, and many reasons to consider doing so. Attorney client privileged communications are an obvious reason. (yet, in a recent ABA survey, only 36% of law firms reported regular use of encryption.) Encryption tools can be confusing and cumbersome; combine that with the human tendency to think “it’s not going to happen to me", and that likely explains the slow adoption.
However, growing data privacy laws are driving increased use of data protection tools. Several industries and a handful of states have legislation addressing the use of encryption or other secure methods of transporting information. HIPAA addresses medical/health data security, Sarbanes Oxley addresses compliance and identity management, and several states have laws requiring use of encryption in specific situations. For these reasons, in addition to a general growing concern in the media about data privacy, the use of encryption is now increasing at a rate of about 20% per year.
Encryption or password protection can be done on an individual file. Container files, such as a .zip file containing multiple documents, can also be encrypted or password protected. System level encryption makes all data contained on a desktop or laptop computer inaccessible or illegible without a passkey, regardless of the application in which the file was created.
If you have not yet encountered protected data in an e-discovery situation, odds are you will at some point. What should you consider when approaching an e-discovery process that will involve protected content? Be sure that the tools and processes to be used by your team or by a service provider can accurately identify protected content, can unlock or decrypt the files, and can track and report the steps that were taken, for the sake of process auditing and defensibility.
Though encryption technology and password protection on data files has been around for years, the capabilities of e-discovery processing tools vary widely. Some software programs sweep the information about secured data under the proverbial rug, along with corrupt files or unrecognizable file types, increasing risk without advising you that a potential problem exists.
At Digital WarRoom, our approach is pretty straightforward for identifying and dealing with password protected and encrypted content:
- As the Digital WarRoom software processes the dataset, it identifies and flags password protected or encrypted containers. At the completion of processing, an exception report provides details on password protected containers, and facilitates their easy export.
- This exception report providing details on password protected containers can then be used to determine which, if any, warrant additional effort - a cost and risk management decision. If the source or other details about the file warrant a closer look, we export them for further analysis. On many occasions, a password may be obtained from the custodian. File ‘password cracking’ tools may also be used to open the file. After successfully decrypting or opening an encrypted or password protected file, the resulting file content can then be processed for review in the standard manner.
- One last important consideration: use a tool that retains information that relates the accessed container content and its parent dataset; this can be useful in managing and tracking processed data. Digital WarRoom automatically captures the details of every processing step in a log that allows you to track and explain all activity, and that connection between the reviewed documents and their original container file is retained as well.
If you know or suspect that ESI collected for your matter may contain protected data, ascertain the capabilities of your provider before the project begins, to avoid any unpleasant surprises.