
The public comment version of the Sedona Conference's Commentary on Law Firm Data Security was released this month. It includes a questionnaire that clients can use to assess a law firm's ability to keep data secure.

The six sections of the questionnaire focus on:

1. General - an information security program; security certifications; document retention and destruction policies; and third-party assessments.

2. Risk Assessment - information segregation; business continuity; disaster recovery; event reporting; incident response plan; and network updates & security patches.

3. Asset Security - device and software inventory; internal vulnerability assessments; physical security; malware defenses; and firewall configurations.

4. Communications - data encryption; monitoring of audit logs; protection of Wi-Fi; use of transport layer security for email; restricted access to websites that can be used to exfiltrate data; and use of intrusion detection systems.

5. Identity and Access Management - user access control.

6. Security Operations - confidentiality agreements; training programs.

It's generally known that email is not the most secure way to transfer data. You are better off sending the data in an encrypted zip file (AES encryption rather than the legacy ZipCrypto scheme, with a strong passphrase shared over a separate channel) via FTP or a file transfer service than sending the same files as plain attachments to an email. The zip's encryption protects the contents no matter how they travel, which matters because plain FTP, like SMTP, sends its payload in the clear. Why is email the weaker choice?

- Email was not designed to be secure. The internet protocol for email transmission, Simple Mail Transfer Protocol (SMTP), has no built-in confidentiality or integrity protection: unless a TLS extension is negotiated for the connection, messages travel as plain text, and any system on the path can read or alter them without the sender or recipient noticing.

- Emails sent between different networks will typically pass through mail relays and routers operated by different owners, and every relay that handles the message sees it in full.

- Most email clients and servers store messages as plain text to enable searching through them, and web-based providers like Gmail have indexed message content to facilitate advertising.

Microsoft Exchange uses Transport Layer Security (TLS) to encrypt mail as it moves between servers. Exchange enables a certificate for inbound and outbound SMTP connections. However, as noted in Microsoft's documentation for Exchange, "This default configuration allows Exchange to provide opportunistic TLS on all inbound and outbound SMTP connections. Exchange attempts to encrypt the SMTP session with an external messaging server, but if the external server doesn't support TLS encryption, the session is unencrypted." Two caveats follow from this. First, TLS protects a message only while it is in transit on that one hop; each server decrypts it on receipt, so mail sitting in a mailbox or in a relay's queue is not protected by TLS at all. Second, opportunistic TLS is only as strong as the other side: if the receiving server does not offer STARTTLS, or an attacker on the path strips the offer out of the server's reply, the message goes out in clear text and no error is raised.
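To make the opportunistic-TLS behaviour concrete, here is an added example (not from the original post, and not Exchange's code) that parses the EHLO reply a sending server receives and shows how an opportunistic policy silently falls back to clear text while an enforced policy refuses to send. The two server replies and the hostnames in them are constructed for illustration; the live probe at the end uses only Python's standard smtplib and is not exercised by the offline demo.

```python
"""Opportunistic vs. enforced STARTTLS, modelled on the SMTP EHLO exchange.

Added example, not from the original post. The EHLO replies below are
constructed (RFC 5321 multi-line 250 format); the hostnames are placeholders.
"""
import smtplib
import ssl

# Constructed reply from a server that offers STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello sender.example.com\r\n"
    "250-SIZE 36700160\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)

# Constructed reply from a legacy server that never mentions STARTTLS.
# An attacker on the path can turn the first reply into this one by deleting
# the "250-STARTTLS" line, which is all a STARTTLS-stripping attack does.
EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example.org Hello sender.example.com\r\n"
    "250-SIZE 10240000\r\n"
    "250 OK\r\n"
)


def parse_ehlo_extensions(reply):
    """Return the set of extension keywords a server advertises in its EHLO reply.

    The first 250 line carries the greeting; each following line names one
    extension ("250-STARTTLS", "250 OK"), optionally followed by parameters.
    """
    lines = [ln for ln in reply.splitlines() if ln]
    extensions = set()
    for ln in lines[1:]:
        if not ln.startswith("250"):
            raise ValueError("unexpected EHLO line: %r" % ln)
        keyword = ln[4:].split()[0].upper()  # skip "250-" or "250 "
        extensions.add(keyword)
    return extensions


def choose_transport(reply, enforce_tls):
    """Decide how the sending server proceeds after reading the EHLO reply.

    Returns "tls" when STARTTLS is advertised (the session is upgraded before
    any mail data is sent) or "plaintext" when an opportunistic policy falls
    back to the clear. With enforce_tls=True a missing STARTTLS is an error
    instead of a silent downgrade.
    """
    if "STARTTLS" in parse_ehlo_extensions(reply):
        return "tls"
    if enforce_tls:
        raise ConnectionError("peer offers no STARTTLS; refusing to send in the clear")
    return "plaintext"


def probe_starttls(host, port=25, timeout=10.0):
    """Live check against a real mail server (not run in the offline demo).

    Connects, sends EHLO, and reports whether STARTTLS is offered; if it is,
    the upgrade is attempted with certificate and hostname verification.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            return False
        conn.starttls(context=ssl.create_default_context())
        return True


if __name__ == "__main__":
    for name, reply in (("modern", EHLO_WITH_STARTTLS),
                        ("legacy", EHLO_WITHOUT_STARTTLS)):
        print(name, "opportunistic ->", choose_transport(reply, enforce_tls=False))
        try:
            print(name, "enforced      ->", choose_transport(reply, enforce_tls=True))
        except ConnectionError as exc:
            print(name, "enforced      -> refused:", exc)
```

The enforced branch is what MTA-STS (RFC 8461) or DANE add between domains; without such a policy, the opportunistic sender has no way to tell a server that never supported TLS from one whose STARTTLS offer was removed in transit, and it sends in clear text with no error either way.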

Asymmetric (public-key) cryptography is used in blockchain transactions. Each participant holds a private key and publishes the matching public key. The private key is used to sign a transaction, and anyone holding the public key can verify that signature, so anyone can confirm that the transaction was authorized by the owner of the key without that owner ever revealing the private key. Note that on a public blockchain such as Bitcoin the transaction itself (sender, recipient, amount) is visible to everyone on the ledger; what the key pair protects is the ability to spend, not the confidentiality of the record.
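The sign-with-private-key, verify-with-public-key pattern described above, as an added example that is not part of the original post or any blockchain's code. It uses textbook RSA with two published Mersenne primes so that the run is deterministic; that key offers no real security (anyone can recompute the private exponent from the published primes), real keys use randomly generated secret primes, and Bitcoin and Ethereum actually use ECDSA over the secp256k1 curve rather than RSA. The transaction fields and party names are constructed.

```python
"""Signing and verifying a ledger transaction with a public/private key pair.

Added example, not from the original post. Textbook RSA is used only because
Python's standard library has no ECDSA; the mechanics (private key signs,
public key verifies, any change to the record breaks the signature) are the
same ones a blockchain relies on.
"""
import hashlib
import json

# Demo key material. ASSUMPTION: fixed, publicly known primes so the example
# is reproducible. A real key pair is built from random secret primes.
_P = (1 << 127) - 1   # Mersenne prime M127
_Q = (1 << 521) - 1   # Mersenne prime M521
_E = 65537            # standard public exponent


def demo_keypair():
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = _P * _Q
    phi = (_P - 1) * (_Q - 1)
    d = pow(_E, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (n, _E), (n, d)


def serialize(tx):
    """Canonical encoding of the transaction: sorted keys, no whitespace.

    Signer and verifier must hash exactly the same bytes, and this encoded
    record is what sits on the ledger in the clear for anyone to read.
    """
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def tx_digest(tx):
    """SHA-256 of the canonical record as an integer (256 bits, below n)."""
    return int.from_bytes(hashlib.sha256(serialize(tx)).digest(), "big")


def sign_transaction(tx, private_key):
    """Only the holder of d can produce this value for the given record."""
    n, d = private_key
    return pow(tx_digest(tx), d, n)


def verify_transaction(tx, signature, public_key):
    """Anyone with the public key can check the signature against the record.

    Verification needs only public data: the readable transaction, the
    signature, and (n, e). The private key never leaves the signer.
    """
    n, e = public_key
    return pow(signature, e, n) == tx_digest(tx)


if __name__ == "__main__":
    pub, priv = demo_keypair()
    tx = {"from": "alice", "to": "bob", "amount": 5, "nonce": 1}  # constructed
    sig = sign_transaction(tx, priv)
    print("ledger record (readable by anyone):", serialize(tx).decode())
    print("valid signature:        ", verify_transaction(tx, sig, pub))
    print("amount tampered to 500: ",
          verify_transaction(dict(tx, amount=500), sig, pub))
    print("signature corrupted:    ", verify_transaction(tx, sig + 1, pub))
```

The nonce field is there for the same reason real chains carry one: without it a valid signed transfer could be replayed verbatim, since the signature would still verify against an identical record.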

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea.