WASHINGTON D.C. -- Any organization that manages large volumes of electronically stored information (ESI) may be tempted to cut corners on data encryption, but according to one expert, that's a dangerous mistake.
To get security news and tips delivered to your inbox,
At the Computer Forensics Show this week, speaker James F. Dawson, former corporate forensic investigations expert with New York-based MetLife Inc., discussed the pain points of managing ESI in support of the insurance conglomerate's litigators.
While it's difficult to manage dozens of concurrent e-discovery matters for an enterprise with approximately 22 petabytes (or more than 22,500 terabytes) of data worldwide, Dawson said that's no excuse not to employ encryption, both at the file level and in the transport layer.
no longer an optional technology: Unravel the ins and outs of how your organization should
Should open source disk-encryption software be used? When it comes to IT security, Michael Cobb recommends encryption devices or software that provide the most effective product for the threat being mitigated.
He said desktop encryption programs have evolved to the point where they are cheap to purchase and easy for the typical end user to work with after only minimal training.
In fact, Dawson's former organization practices what he preaches. "Any data that moves around, even within MetLife, gets encryption," he said, noting that transporting data from one business unit to another often means sending data across national or international borders.
But even if the encryption process is less burdensome for end users, that doesn't mean managing encrypted data is easy for a large organization. At MetLife, Dawson said when an e-discovery process begins and potentially relevant data is found, it's then encrypted, transported to data analysts, decrypted and analyzed. Then pertinent data is re-encrypted, moved to portable media, shipped and then finally decrypted again.
Still, Dawson said, it's worth the trouble to keep sensitive ESI safe and avoid a potentially embarrassing data leak.
"In New York," Dawson said, "you don't want to appear in the Post because someone found the unencrypted disk and was able to check out your data."
Dawson noted that shipping data via courier is particularly troublesome, as up to 5% of shipments typically never reach their destination. While that makes encryption important, he said the process is for naught if encryption passphrases are written on a piece of paper and sent along with the package.
As a best practice for transporting encrypted data, Dawson advised providing passphrases by voice via phone or in a voicemail. Or, if a passphrase must be mailed, send it separately, prior to sending the data itself, and have it delivered to a different recipient or address.
For those IT organizations or teams that regularly work with encrypted data as part of a legal or e-discovery process, Dawson recommended setting up a buddy system between technologists and attorneys. That way, he said, IT can learn more about what the litigation team needs, while lawyers get a better sense of what IT can and can't do.
Dawson said that kind of communication also helps attorneys avoid making encryption-related mistakes.
"Attorneys still send email with native email application encryption schemes," he said. "Your kid could practically break that with the decoder ring in a cereal box."