Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In with Facebook Sign In with Google Sign In with OpenID Sign In with Twitter
Welcome to the LAB! Before you start posting, you should probably take a moment to read our posting guidelines. (You can dismiss this message by clicking the X in the corner.)

It Should Be Unethical to Go Without Laptop Encryption

samgloversamglover Minneapolis, MN
edited October 2013 in Legal Ethics

If you aren't encrypting your laptop, you are committing malpractice. According to me. As far as I know, there is no ethical authority that agrees with me, but they should. Here's why.

Encrypting a laptop is now trivial. Seriously. Here is how to do it:

  • Windows Vista Ultimate and 7 Ultimate. Control Panel > Bitlocker. Turn it on. (Using a "home" version of Windows for your law practice should be unethical, too, but that's another post.)
  • Windows 8 Pro. Start typing "bitlocker" at the Start screen. Turn it on.
  • OS X 10.3 (Panther) and newer. Go to System Preferences > Security & Privacy > FileVault. Turn it on.

In other words, with 2–3 clicks, you can encrypt your laptop, securing the information on your hard drive from prying eyes (the NSA, malicious hackers, identity thiefs, etc.). It won't even slow down your computer in any noticeable way, unless you are doing resource-intensive things like high-end video editing.

If you have a laptop running an operating system that makes encryption this easy (i.e., Windows 8 or any version of OS X dating after 2003), you should be sanctioned if you have not turned it on.

When the cost of encryption — however you calculate that cost — approaches zero, and the risk is so great, there can be no legitimate excuse for failing to encrypt.

If you don't encrypt, and you misplace your laptop, or someone walks off with it, you can safely assume your clients are at high risk for identity theft, at a minimum. If this happens to you, go ahead and buy all your current and former clients whose information was stolen a year of credit monitoring.

Or, you could take less than a minute, encrypt your laptop, and stop worrying about it.

(You should also, by the way, ensure that your laptop asks for your password when you wake it up from sleep.)

Why laptops, in particular? Because they can leave your office. The computer(s) locked up in your office are probably fine, but any data that can move is at risk, and you should secure it. That starts with encryption. Turn it on.

Post edited by samglover on

Comments

  • samgloversamglover Minneapolis, MN

    @gyitsakalakis said: consider TrueCrypt

    I did a tutorial on setting up TrueCrypt a while back. It's an old tutorial, but I don't think TrueCrypt has changed much, since then. Here it is: http://lawyerist.com/encryption-enabling-basic-client-file-security/

  • DrewmcgDrewmcg Ann Arbor, MI

    Great recommendation. I use two Dell laptops--each encrypted. The one with a TPM (chip on board) I use with Bitlocker. The one without a TPM chip, I used TrueCrypt for entire ssd ("hard") drive.
    Question: Is the windows logon the only password that de-encrypts the drive with Bitlocker? With the TrueCrypt laptop, I have a fairly knarly password at bootup (or after I put the laptop to sleep), which I am pretty confident would be hard to break. With the Bitlocker laptop, I use only my Windows logon screen, and have a fairly simple password there. I kind of like the two-level security of the TrueCrypt solution better (knarly password for when I really want to lock down; use the Windows login screen just to keep prying eyes off my screen--e.g., after 5 minutes of inactivity). Thanks, Drew.

  • Any suggestions for protecting the data on USB flash drives? Way easier to misplace one of those than a laptop.

  • samgloversamglover Minneapolis, MN

    @Drewmcg said: Question: Is the windows logon the only password that de-encrypts the drive with Bitlocker?

    Yes, so use that gnarly password.

    @Robert Lanham said: Any suggestions for protecting the data on USB flash drives?

    Bitlocker will let you encrypt external drives, but probably the best way to encrypt external drives is using TrueCrypt encrypted containers.

    And while you definitely might want to do this, I want to draw a distinction. The reason I think it is unethical not to encrypt your laptop is that encrypting it is as trivial as checking a box. When it is that simple, there is literally no excuse for not doing it.

    But encrypting USB drives and email is still clunky, and so while I think lawyers ought to learn how to encrypt those things, I don't call it malpractice.

  • Couple questions:

    1) does encrypting your laptop mess up sync services at all? Or is it all decrypted while in use, so there is no problem...

    2) does using File Vault, for example, slow down the computer at all?

  • samgloversamglover Minneapolis, MN
    1. No. Files are decrypted on the fly for the logged-in user. It should not mess with file sync services. (I've had no trouble with Dropbox, Google Drive, or BitTorrent Sync.)
    2. Yes, using on-the-fly encryption makes a difference to performance. The difference is small enough that you probably will not notice it unless you are doing resource-intensive tasks like video gaming or editing huge images in Photoshop. It won't be nearly on the order of anti-virus software on Windows.
  • samgloversamglover Minneapolis, MN

    FYI, user accounts on Chromebooks are encrypted and walled off from other user accounts. Which means that, if you have a Chromebook, you've got some of the best security available, at least for your local information.

    That's the rub, of course. Using a Chromebook means keeping your data in the cloud, so you need to be satisfied with the security of wherever you store your information, too. Of course, most people who aren't using a Chromebook store at least some data online, anyway, so that's a concern we all have.

    I really like having a Chromebook for mobile computing, in part because the security is so robust, and baked in.

  • thedanshermanthedansherman Maple Plain, MN
    edited October 2013

    2) does using File Vault, for example, slow down the computer at all?

    A few years ago encrypting your drive with TrueCrypt actually sped it up because the TC drivers were better optimized than the default Windows ones. Not enough that you would notice, but a couple percent.

    These days, it's not even a factor.

    Post edited by thedansherman on
  • Reminds me of these long-ago discussions: (1) Is it malpractice NOT to Shepardize electronically? (2) Should NALP have a website? (I chaired the committee that answered that question.)

    These and other tech-related questions are "burning issues of our time" until everyone catches up and says "but of course."

  • attyedkellyattyedkelly London cruising 24/7

    I have a few contrary beliefs on the levels of encryption we find on electronic media. Some electronic files deserve higher security than others. I fear too often we LOCK DOWN electronic media too tightly with no good reason and neglect other non-electronic materials. How far do we need to go? Do we put locked bracelets and chains to all our briefcases like diplomatic couriers? Its hard to tell when we are going too far on e-security when we can leave open files on office desks or briefcases in a car or vehicle trunk, or unlocked file rooms a cleaning person could see. It definitely is not malpractice to have non-encrypted laptops ... just IMHO.

  • samgloversamglover Minneapolis, MN
    edited November 2013

    I'm happy to agree that encrypting laptops does not solve the entire security problem. That's hardly a reason not to do it.

    Post edited by samglover on
  • edited November 2013

    Agree completely. This was one of the reasons we have been moving away from laptops and more toward cloud solutions. I use an ipad as my laptop and it has little to no client data on it. With Basecamp (like Clio et al) and other cloud solutions I don't keep any client data local. For those who still carry all there client files with them on a laptop I agree its malpractice not to have it encrypted.

    Post edited by mckinneylaw on
  • paulspitzpaulspitz Cincinnati, OH

    So as a practical matter, do we need to enter that really long decryption key to get access to our own computer?

  • samgloversamglover Minneapolis, MN

    Huh? No, just your password.

Sign In or Register to comment.