With End-to-End Encryption, Compliance Trouble Brewing for Legal
An almost air-tight protection, end-to-end encryption can stop internal compliance or e-discovery efforts dead in their tracks.Though the debate over absolute…
September 06, 2017 at 12:57 PM
4 minute read
The original version of this story was published on Law.com
An almost air-tight protection, end-to-end encryption can stop internal compliance or e-discovery efforts dead in their tracks.
Though the debate over absolute encryption rages on, encryption is fast becoming a must-have security item in a growing number of law firms and legal departments. But as encryption usage grows, many are finding that it can cause more problems than it solves. End-to-end encryption, for example, can often cripple a legal team's compliance and internal e-discovery efforts.
Shaun Murphy, founder and CEO of SNDR, a secure messaging platform, explained that end-to-end encryption is essentially “encryption in transit,” which secures data when it transfers “between phones or computers, or even web browsers and servers.”
End-to-end encryption is perhaps most widely used in electronic messages, whether sent by applications like WhatsApp and Signal or email servers. Murphy explained that the essential benefit of such encryption is that “every message is encrypted separately.”
“So the theory is that if anyone were to break some level of encryption, they would only get one message, and they would have to go through the whole process again to breach other messages as well,” he said.
For the time being, end-to-end encryption is one of the most secure protections on the market. “At this point there is really no known big [security] defect for that cryptography in these systems,” Murphy noted, adding that the only way to break such encryption is through “side challenge attacks” such as stealing a user's access credentials.
But while a near infallible protection, end-to end-encryption is the bane of many compliance and e-discovery efforts, given that by its very nature, such encryption restricts access with little, if any, flexibility for outside parties.
“For legal professionals, and pretty much any business, you have to look at what your compliance requirements are,” Murphy said. “Because once you have end-to-end cryptography between the sender and recipient how do you go back and do compliance, how do you look at those message?”
Potentially having to manually unlock every single encrypted message can be so cumbersome and time-consuming it becomes almost infeasible. But one solution is to limit the extent to which encryption is deployed in-house in the first place.
Writing in Legaltech News, Ricoh USA's David Greetham, vice president of e-discovery sales and operations, and David Levine, vice president of information security and CISO, noted that legal professionals always need to “balance the level of encryption against the need for ease of use and accessibility.”
“Some types of encryption can be so cumbersome that they interfere with the operation of the firm. Use of an email encryption service, for example, can require users to log in to the service for every single email sent and received,” they wrote.
In addition to finding such a balance, law firms and legal departments need to account for the use of shadow IT—unauthorized applications used by employees—that includes end-to-end encryption functions as well.
“Organizations and e-discovery practitioners should be proactively surveying employees about their usage of encryption applications and technologies in advance of an actual discovery need,” Adam Feinberg, senior vice president of professional services at legal information management company BIA, told Legaltech News.
“Your e-discovery provider vetting process should include questions about that organization's experience in identifying, collecting and handling cloud and encrypted data sources,” he advised.
Such oversight is necessary, because for the time being, encryption and internal compliance are two mutually exclusive processes.
“There are not that any tools out there that have end to end cryptography with some level of compliance, legal hold, or e-discovery,” Murphy said.
But there may be some hope on the horizon. “The next two or three years will see a shift for cloud services that [serve] industries like legal or medical to enable compliance while providing encryption,” he added.
Murphy also predicted that organizations and law firms will start looking into the feasibility of a “hybrid solution,” where messages and documents are kept in a secure internal server in-house. The content will only become encrypted, he explained, once it leaves that internal server, which can be accessed readily by compliance and e-discovery teams.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllFatal Shooting of CEO Sets Off Scramble to Reassess Executive Security
5 minute readBen & Jerry’s Accuses Corporate Parent of ‘Silencing’ Support for Palestinian Rights
3 minute readShareholder Activists Poised to Pounce in 2025. Is Your Board Ready?
Regulatory Upheaval Is Coming. How Businesses Prepare and Respond Will Separate Winners and Losers
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250