Securing The Package Before It Goes Out: A Guide To Encryption

by Foley & Lardner LLP

[author: James Salla, Litigation Support Project Manager]

Preparing a production to opposing counsel is no longer a simple matter of Bates labeling paper documents, making copies of them, and putting the copies in a FedEx box. The advent of electronic discovery has made the production process much more complicated. You have to determine the format in which to deliver your data – TIFF images, PDF files, native files, or some combination of the three – and decide which database fields (author, date, title, text, etc.) you are going to make available to the other side. Load files come in different flavors too. If opposing counsel is going to put the production into a review platform like Concordance or Summation or Relativity, they will probably want the load files you deliver to be compatible with their system.

These are the sorts of things you’re supposed to talk about at the meet-and-confer, but another production issue, also important but often not discussed, is whether to encrypt the productions for added security and exactly how to do so. If you are producing particularly sensitive data, encrypting the production may be a sensible precaution even though it will add time to the production process. A hard drive that is misplaced or delivered to the wrong address could be a nightmare of worry for a law firm and its client because anyone who finds the package and has a computer would, in theory, be able to get access to its contents. An encrypted hard drive, on the other hand, even if lost or misplaced, would simply be a rather ugly paperweight on someone’s desk.

There are also situations in which you are required to encrypt data before production. If you are producing patient medical records, the Health Insurance Portability and Accountability Act (HIPAA) may mandate that precautions be taken to ensure their protection from anyone not involved in the lawsuit. You may want to produce any “Attorneys’ Eyes Only” productions in encrypted form. In addition, sometimes clients will require, as a matter of general policy, that their attorneys secure their data with an encryption program no matter what the contents are. Formal productions are not the only time to think about this. You should also consider some form of encryption when arranging to send your original client data to an outside vendor for processing if there is any reason to think the shipment may be intercepted.

Just as there are several different review platforms for productions, there is more than one way to scramble a set of files into gibberish so that only someone with the password can unscramble them back into working order. You may want to ask the other side for their preference, but, if you don’t know which method they prefer, the simplest method is to use WinZIP. WinZIP is probably the most common data-compression program out there; it’s a successor to the venerable DOS-era PC-Zip program, and almost everyone seems to have a working copy available on their computer. If they don’t, a trial version can be downloaded from the manufacturer’s website.

WinZIP can take a large group of files and compress them into a single, smaller file with a .zip extension. That is its primary purpose, to make data sets smaller and more manageable for shipping and storage, but it also has an optional encryption feature. When you start to compress a set of files, click on the “Encrypt added files” option in the first dialogue box:


When you click on “Add,” a second box will come up that will let you put in your password. Check the “Hide the password” box if anyone is looking over your shoulder.


This, by the way, is an example of a particularly bad password because it is so easy for someone to guess. For greater effectiveness, passwords should be more than a dozen characters long and include numbers and even punctuation marks as well as letters. No one is going to guess “asf18r6_99tr2?” or “&boretmy77fowruvc,” but “Password1,” the name of your client, the name of your firm, etc., are to be avoided. People frequently use words or phrases as the passwords they use to log into their computers or their bank accounts because they are going to be doing that all the time and they want something easy to remember, but a production is only going to be going out once and you should make the password you use as obscure as possible.
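The password advice above can be checked mechanically. The following is an added example, not part of the original article: it tests a candidate against the stated criteria (more than a dozen characters, with letters, numbers and punctuation, and no guessable client or firm name) and generates a random password that passes. The function names and the sample terms "Acme" and "Example LLP" are assumptions made for illustration.

```python
import secrets
import string

# Thresholds taken from the article: "more than a dozen characters",
# with letters, numbers and punctuation.
MIN_LENGTH = 13
PUNCTUATION = "!#$%&()*+,-./:;<=>?@[]^_{}~"
ALPHABET = string.ascii_letters + string.digits + PUNCTUATION


def check_password(password, case_terms=()):
    """Return a list of reasons the password fails the article's advice."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 13 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    lowered = password.lower()
    # Terms an outsider could guess: the word "password", client and firm names.
    for term in ("password", *case_terms):
        if term and term.lower() in lowered:
            problems.append(f"contains guessable term {term!r}")
    return problems


def generate_password(length=16, case_terms=()):
    """Draw characters from the OS CSPRNG until the result passes the check."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 13")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, case_terms):
            return candidate


if __name__ == "__main__":
    # Constructed sample values; "Acme" and "Example LLP" are placeholders.
    terms = ("Acme", "Example LLP")
    print(check_password("Password1", terms))
    print(check_password("Acme-Production-2024!", terms))
    print(generate_password(16, terms))
```

An empty list from `check_password` means only that the candidate meets these minimum criteria; a password produced by `generate_password` is the safer choice because every character is drawn at random.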

When the other side gets your WinZIP production and opens it, each file that has been encrypted will be followed by an asterisk. They will have to enter the password, which you should send to them in a separate communication, before they can decompress and view the files:


If you are going to be producing an especially large amount of data, and the receiving party is technologically sophisticated, you may want to compress your production into encrypted .rar files instead. An .rar file is an alternate compression format to the .zip file. These files are created using a program called WinRAR, which can also create .zip files, and can hold substantially more data in less space. Although they are less well-known, I often use .rar files to transfer data to ESI vendors, who certainly will have the technology to open them up.

Like WinZIP, WinRAR gives you the option to require that a password be entered before your files can be extracted. It also lets you choose from a variety of encryption algorithms to do this.

Sometimes the other side will be concerned about security too and will propose using a popular freeware program called TrueCrypt. TrueCrypt’s claim to fame is that its source code is available to the public; anyone with programming experience can look at the code and verify that there are no backdoors into the software. It can be used two ways: either by creating a file of fixed size (500 MB, 1 GB, 2 GB, etc.) that is, in effect, an encrypted vault, or by protecting an entire flash drive or hard drive. Anything copied into the encrypted space while the program is running is automatically encrypted.

The first method is probably easier to use, particularly because you can then provide the program’s executable file on the drive as well.

In order to use TrueCrypt, you have to “mount” the encrypted vault file by telling the program to connect it to one of the unused drive letters on your computer.


When you put in the password, that drive letter (“I” in this case) will be like a new hard drive temporarily installed in your computer. Copying the production to I:\ will put it into the encrypted TrueCrypt vault.


Be sure you click on the “Dismount” button before disconnecting your drive and sending it out. The receiving party for your production can use exactly the same process to decrypt the data at their end.

One note of caution: While there are many good reasons to encrypt your productions, and many options out there to choose from, it is important to remember that encrypting data takes time and will be an extra step you have to go through at the very end of the production process. Be sure that you keep your drop-dead shipping deadline in mind when planning the production and take into account the time you will have to spend zip-ing or rar-ing or TrueCrypt-ing your data. It may be a good idea, when you have a free hour, to run a test encryption on a large block of data just to see how long the programs take to handle, say, 1 GB or 2 GB on your system, and then use that as a benchmark for actual productions.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley & Lardner LLP | Attorney Advertising
