
What Every Lawyer Needs to Know About Encryption

Authors: Jeffrey S. Krause, J.D., Solfecta, LLC

What is Encryption?

In its simplest form, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. In order to read the message, the authorized party needs to possess the key to unlock or decode the message.

Encryption – A Brief History

Encryption grew out of cryptography, the science of secret communication. Secret communication via ciphers has been around nearly as long as written communication. Julius Caesar is said to have used a simple cipher to send messages to his generals over 2000 years ago. A Caesar cipher simply shifts the letters of the alphabet so that A=B, B=C, etc. To decode the message in this example, Caesar’s general would have to know that the “key” is 1. While Secretary of State, Thomas Jefferson used an elaborate mechanical cylinder that could be used to create coded messages. The recipient needed to possess an identical device in order to decode the message. Perhaps the most well-known example from history is the famous Enigma machine which the German military used in World War II to send messages. The Allies spent years working to decrypt the coded messages and by the end of the war could read over 90% of Enigma messages within 24 to 48 hours.

These examples should demonstrate several things. First, the desire to protect communications has been around for a long time. Second, historically, there were physical or mechanical limits to any cipher because even the most elaborate mechanical device can only create a limited number of random combinations. Third, both parties needed the same key in order to easily decipher the message. Fourth, creating an effective cipher system required a lot of time and effort and was often very complicated. Finally, once the key was stolen, captured or reverse engineered, the message was no longer secure.

In effect, secret communication has always been a balancing act between how secure a message had to be and how easy it was to encode and decode.

All of these factors play a role in Encryption today.

Why Encryption Matters to Lawyers

Encryption and Ethics

Reading these historical examples, a lawyer may note that they are not trying to secretly cross the Rubicon or invade France. On the other hand, you are trying to send and maintain confidential information about your clients. You are also trying to protect your ability to earn a living. Failing to use encryption where appropriate jeopardizes both.

You don’t have to read very far into the ABA Model Rules for an example of where encryption might play a role. ABA Model Rule 1.6(c) states:

“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.”

Does this require lawyers to use encryption regularly for all email communication and storage of client information? Probably not, at least for now. On the other hand, publicity about data breaches and the relative ease with which data can be encrypted may be changing thinking on this.

Recently, the State Bar of Texas addressed this issue. In Opinion 648 (2015), it identified several instances where encrypting email may be appropriate. Regarding email, they said,

In general, considering the present state of technology and email usage, a lawyer may communicate confidential information by email. In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication. Examples of such circumstances are:

1. Communicating highly sensitive or confidential information via email or unencrypted email connections;

2. Sending an email to or from an account that the email sender or recipient shares with others;

3. Sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the email account, or to an individual client at that client’s work email account, especially if the email relates to a client’s employment dispute with his employer (see ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 11-459 (2011));

4. Sending an email from a public computer or a borrowed computer or where the lawyer knows that the emails the lawyer sends are being read on a public or borrowed computer or on an unsecure network;

5. Sending an email if the lawyer knows that the email recipient is accessing the email on devices that are potentially accessible to third persons or are not protected by a password; or

6. Sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.

Clearly, whether email should be encrypted is a question that is being asked with increasing frequency, most often in the context of highly confidential information or less secure situations.

Encryption and State Law

If a lawyer’s obligation to protect confidential information was not enough, there are many state laws that provide penalties for breaching or leaking personally identifying information, health information, financial information, or data that can lead to identity theft.

At present 47 states (all states except Alabama, New Mexico and South Dakota) have consumer protection laws relating to data breaches. Fourteen states have provisions that can lead to a private cause of action against an entity who leaked information leading to an injury such as identity theft.

Like Ethics rules on cloud computing use, most of these laws are several years old, and some are undergoing updates, additions, and in some cases recodification. In 2013, 23 states introduced legislation to create or modify these laws. In 2015, 32 states had legislation proposed to amend existing consumer protection legislation (Alabama introduced a bill to create such a statute, but the bill failed). Typically, new bills are making it easier to meet the definition of what data constitutes a breach, expanding when notification is required, and increasing the potential penalties surrounding a breach leading to harm.

It’s important to note that it’s not just client data covered here. It could be staff, consultant, contractor, or Of Counsel personal information that leads to a breach, notification, cause of action or fine. North Carolina allows for a fine of up to $5,000 per breach. In Oklahoma penalties can range up to $150,000.

Fortunately, EVERY state that has a consumer protection breach law also has a safe harbor provision for encrypted data. If data is intercepted or leaked in a properly encrypted form (most states simply require a form that renders the data unintelligible, although some states like Washington require AES encryption to qualify for the safe harbor) the statutes requiring notification aren’t triggered.

Encryption in the Digital Age

At Rest Data vs In Transit

Modern Encryption has to take into account two different types of data, at rest and in transit. The terms are self-explanatory. At rest data is any type of data that is stored in a location short or long term. In transit data is in the process of being moved, copied or transmitted. At rest data needs encryption so that it is protected long term against persons attempting to access the data. In transit data needs encryption so that it is protected against eavesdropping by someone who might intercept it.

Symmetric vs Asymmetric Key Algorithms

There are two primary forms of encryption used today, Symmetric key algorithms and Asymmetric key algorithms. The simplest way to describe the difference between them is to say that a Symmetric key algorithm requires the same key be used to encrypt and decrypt, while Asymmetric uses a different key.

While actual encryption is much more complicated, imagine I send you a box that I padlocked. If I now have to call you and give you the combination, I am using something akin to a Symmetric key algorithm. If, on the other hand, I send you a box with an open padlock and tell you to place something important in the box, lock the box and send it back to me, I am the only one who knows the combination to the box. This is a very basic way to look at it but this is closer to an Asymmetric key algorithm. Essentially, you locked the box in one way and I have to open it in another way.

There are a lot of combinations to the padlock but, if I am careless with the combination, it is relatively easy for the contents of the box to be compromised. Sending you the combination increases the vulnerability. On the other hand, if I forget the combination, the box can never be opened unless I try every possibility and stumble across the right combination.

Secure Sockets Layer (SSL) for Transferred Data

Most people have heard of Secure Sockets Layer or SSL. SSL is the protocol used to secure web transactions. SSL works by establishing a private connection and each end of the connection is authenticated before transfer begins. Data traveling between these endpoints can only be decrypted by the intended recipient by using unique decryption keys.

SSL uses a combination of Symmetric and Asymmetric key algorithms. It works like this:

1. Your browser requests a secure page when you start the url with https://

2. The web server then sends back a public key (an open box) along with its certificate

3. Your browser checks the certificate to verify that it was issued by a trusted source and remains valid

4. Your browser generates a random symmetric key, encrypts it with the public key (the open box; closing the padlock with a random combination) and sends it with the encrypted URL and other data

5. The web server uses its own private key to decrypt the symmetric key (determines the combination you used) and then uses the browser’s key to decrypt the URL and data (opens the padlock)

6. The web server sends back the required information encrypted with the same symmetric key used by the browser (places the requested information in the box and closes the lock again)

7. The browser receives and displays the returned information using its symmetric key (opens the padlock and examines the contents)

8. Etc. etc.
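
Steps 2 and 4 through 7 above, walked through as an added Python example (it is not part of the original article and it is not real SSL). It assumes a toy RSA key pair built from two small known primes as the open padlock and a SHA-256 keystream as the symmetric cipher; all function names are hypothetical, and the certificate check in step 3 is not modelled.

```python
import hashlib
import secrets

# Constructed toy parameters: two known Mersenne primes give a ~196-bit
# RSA modulus. Real certificates use 2048-bit or larger keys with padding.
P = 2**89 - 1
Q = 2**107 - 1
E = 65537


def server_keypair():
    """Step 2: build the public key (open padlock) and the private key."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never sent
    return (n, E), (n, d)


def keystream_xor(key: bytes, data: bytes, label: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream.

    The same call encrypts and decrypts because both sides hold `key`.
    `label` separates the two directions so no keystream is reused.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + label + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def browser_send(public, request: bytes):
    """Step 4: pick a random symmetric key, lock it with the public key,
    and encrypt the request with the symmetric key."""
    n, e = public
    session_key = secrets.token_bytes(16)  # 128-bit symmetric key
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped, keystream_xor(session_key, request, b"c2s")


def server_receive(private, wrapped: int, ciphertext: bytes):
    """Step 5: recover the symmetric key with the private key, then use
    it to decrypt the request."""
    n, d = private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return session_key, keystream_xor(session_key, ciphertext, b"c2s")


def server_reply(session_key: bytes, body: bytes) -> bytes:
    """Step 6: encrypt the response with the same symmetric key."""
    return keystream_xor(session_key, body, b"s2c")


def browser_read(session_key: bytes, ciphertext: bytes) -> bytes:
    """Step 7: decrypt the response with the symmetric key."""
    return keystream_xor(session_key, ciphertext, b"s2c")


if __name__ == "__main__":
    public, private = server_keypair()
    request = b"GET /client-portal/letter.pdf"  # constructed sample request
    key, wrapped, sealed = browser_send(public, request)
    server_key, opened = server_receive(private, wrapped, sealed)
    reply = server_reply(server_key, b"200 OK: letter contents")
    print("on the wire:", hex(wrapped)[:20] + "...", sealed.hex()[:20] + "...")
    print("server read:", opened)
    print("browser read:", browser_read(key, reply))
```

Only the wrapped key and the two ciphertexts cross the network; the private exponent and the symmetric key never do.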

Key Length

Another consideration is key length. The easiest way to understand key length is to know that longer keys provide more possible combinations. Going back to our padlock example, there are 64,000 (40³) combinations to a padlock with 40 numbers, assuming you must select three numbers in sequence. For physical security, this is pretty secure. Anyone trying to open the lock must try every combination until they stumble across the right one. If they try non-stop and at a rate of one combination per minute, it could take them almost 45 days to try every combination. However, the odds are that they would come across it sooner (about 22.5 days). Conceivably, they could get really lucky and be right on their first try.

Digital encryption is a little different because data is stored in binary bits. In other words, there are only two possible choices for each bit. However, it is still true that the complexity of a key increases exponentially with the key length. For example, 4-bit encryption has 2⁴ or 16 combinations. In other words, a potential hacker only has 16 combinations to guess before they have exhausted all of the possibilities. On the other hand, 256 bit encryption has 2²⁵⁶ or 115,792,089,237,316 (followed by 60 zeros) possible combinations.

For comparison purposes, the padlock described above is roughly equivalent to 16-bit encryption.

Hackers and Encryption

In theory, hacking a padlock or encrypted data is the same thing and is very easy. You try every combination until one works. This is referred to as a brute force attack. In practice, it is much harder. Physically trying every combination of a padlock until you get it right would be very difficult to do in 45 days. It would require multiple people working around the clock as well as a system for checking off each combination as they were tried. It can be done but it is a daunting task.

For a computer, these things are much easier. Microsoft Excel could probably tell us every possible combination on the padlock within a few seconds. And if there was some way it could physically check each combination, it could probably open the lock relatively quickly. Computers keep getting faster and faster but increasing the key length exponentially adds to the time necessary for a brute force attack to work. Just going from 16 to 17-bit encryption would double the number of combinations and today’s standards are 128 and 256-bit. Imagine how long it would take to brute force attack something protected with 128-bit or 256-bit encryption.

Even for a super computer, this is impossible. If you combine every computer on Earth, there is not enough storage capacity to store every possible combination. Even if you could store every combination, it would take at least a few nanoseconds to try each one. Everyone desiring to brute force decrypt the data or who remembers why it was being decrypted would be dead long before it was finished.
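
The key-length arithmetic from the Key Length section and the brute force reasoning above, as an added Python example (not part of the original article). It converts the padlock into an equivalent number of bits, runs a real exhaustive search against 16-bit and 17-bit toy keys to show the doubling, and estimates the time for 128-bit and 256-bit keys; the rate of one billion guesses per second and all function names are assumptions made for illustration.

```python
import hashlib
import math

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def padlock_keyspace(numbers: int = 40, positions: int = 3) -> int:
    """Combinations on a dial padlock: 40 numbers, 3 in sequence."""
    return numbers ** positions


def equivalent_bits(keyspace: int) -> float:
    """Key length in bits that gives the same number of combinations."""
    return math.log2(keyspace)


def worst_case_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Time to try every combination; the average case is half of this."""
    return keyspace / guesses_per_second


def make_lock(secret: int):
    """Return a check that says only whether a guess opens the lock.

    The lock stores a SHA-256 digest of the key, so the search below can
    learn the key only by guessing it.
    """
    digest = hashlib.sha256(secret.to_bytes(4, "big")).digest()

    def opens(guess: int) -> bool:
        return hashlib.sha256(guess.to_bytes(4, "big")).digest() == digest

    return opens


def brute_force(bits: int, opens):
    """Try every key of the given length in order; return (key, tries)."""
    for tries, guess in enumerate(range(2 ** bits), start=1):
        if opens(guess):
            return guess, tries
    return None, 2 ** bits


if __name__ == "__main__":
    lock = padlock_keyspace()
    days = worst_case_seconds(lock, 1 / 60) / SECONDS_PER_DAY
    print(f"padlock: {lock:,} combinations = {equivalent_bits(lock):.2f} bits, "
          f"{days:.1f} days at one try per minute")

    # Worst case for the attacker: the key is the last one tried.
    for bits in (16, 17):
        _, tries = brute_force(bits, make_lock(2 ** bits - 1))
        print(f"{bits}-bit key: found after {tries:,} tries")

    # Assumed rate: one guess per nanosecond (a billion per second).
    for bits in (128, 256):
        years = worst_case_seconds(2 ** bits, 1e9) / SECONDS_PER_YEAR
        print(f"{bits}-bit key: about {years:.2e} years to try every key")
```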

Encryption Tools for Lawyers

If a) lawyers have a duty to protect client information, and b) encryption can protect data so well that it would take a super computer hundreds or thousands of years to crack, why isn’t every lawyer using encryption? Perhaps the answer is that encryption seems so complicated and difficult. Algorithms? Key lengths? Do you need to know everything about these things in order to use encryption and if human beings have spent thousands of years unsuccessfully trying to protect communications, how can you possibly hope to?

Fortunately, today’s tools make it very easy for anyone to use encryption.

Encrypting Your Desktop or Laptop

Lost and stolen devices are one of the most common ways for confidential data to be compromised. If your laptop is stolen in the airport security line, how safe is the data on that laptop? You might think that your password protects you but this is not necessarily the case. True, without your password, the thief cannot login as you. However, they can simply remove the drive and connect it as the second drive on another PC. It’s not much different than connecting an external drive or a flash drive.

Microsoft includes encryption on Windows 7 Pro, Ultimate and Enterprise in the form of BitLocker. The catch is that it was not turned on by default and has some minimum hardware requirements in Windows 7. In Windows 8.1 and Windows 10, BitLocker is turned on by default. You need to keep your password safe. Without it, it will be very difficult to get to your data. Make sure you configure your Microsoft account properly including using the two factor authentication when you initially set it up.

Macs also come with built in encryption in the form of FileVault but you have to turn it on.

Files and Folders

It is also very easy to encrypt individual folders and files in Windows 7, 8 or 10. Simply right click on the folder or file, select Properties, then General then Advanced. In a Windows directory listing, encrypted files and folders will appear with green text (as opposed to the normal black).


The first thing to know about document encryption is that protecting a Word document with a password is not enough. There are dozens of applications available that remove the password from a Word document in seconds. In other words, they may temporarily frustrate someone who does not know the password but they will not deter a determined hacker.

If you really want to encrypt a Word document, you have to use the encryption features described in Files and Folders above or store it in an encrypted location.

External Storage

External storage devices are easy to misplace. To protect these devices you can use BitLocker or the disk utilities that come with the device, if any. You can also purchase pre-encrypted drives from many well-known manufacturers. IronKey manufactures pre-encrypted flash drives. Pre-encrypted devices cost more but add a lot of protection.

Smart Phones

Another easy to lose device is a smartphone. Most people protect their phone with a four digit pin which will not deter a determined hacker for long. The good news is that there are many tools for encrypting texts and calls. There are also apps that wipe your phone with a single remote command.


Frankly, email should probably be our biggest concern when it comes to encryption. True, many emails are not all that sensitive or confidential. However, many are. In these cases, much like Caesar sending courier messages to his generals, you are taking a highly sensitive communication and placing it in danger of interception by someone who you do not want reading it. Also, note how the Texas opinion referenced earlier was specifically about email and the circumstances under which it should be encrypted.

Fortunately, there are also solutions that allow you to easily encrypt emails.

Citrix ShareFile

Encrypting Email

Citrix ShareFile makes it extremely easy to encrypt email messages. In fact, it is as simple as one click. Simply turn the encryption on.

Custom options allow you to choose whether the recipient can authenticate with just their name and email address or by logging into ShareFile. You can also request a notification when the email is read and set an expiration date.

The email recipient receives an email informing them of the encrypted email and requesting that they login to ShareFile to view it.

Finally, once they have logged in through the client portal, the email is displayed.

Yes, it really is that easy.

Emailing with Attachments

If you need to send an encrypted email with attachments, the process is the same. Just click the Attach Files button on the Outlook Message toolbar. The attachments are not part of the email. Instead, the recipient will receive a link to download the files from an encrypted location.

Similarly, you can request files. The recipient is then prompted to upload files to the secure site.

Revoking Access to an Email

After you send an email, you are notified and given the opportunity to revoke access with a single click.

ShareFile Security

As you can see, ShareFile is extremely easy to use but don’t let that fool you. The steps above use SSL protocols with 128-bit encryption while the email and files are in transit and AES 256-bit encryption when the files are stored on ShareFile’s servers.

And you thought encryption was difficult.


Lawyers have a duty to protect information about their clients and their representation of clients. This duty extends to client data and encryption protects data. Why aren’t you using it? True, it might not be required (at least not yet) and, yes, the science behind encryption is complicated enough to give you a headache. However, the reality is that encryption is readily available, affordable and very easy to use. Encryption is something that should be in the technology arsenal of every law firm.


Appendix A
State Consumer Protection Laws Regarding Data Breaches



Notification by access

Notification to State Agency

Private Cause of Action

Risk of Harm Analysis

Encryption Safe Harbor


Alaska Stat. § 45.48.010 et seq.


If an entity determines after an investigation that the breach does not create a reasonable likelihood that harm to the consumers has or will result, it must document this determination and provide notice of the determination to the Attorney General.

A person injured by a breach may bring an action against a non-governmental agency under the Unfair or Deceptive Act or Practices




Ariz. Rev. Stat. § 44-7501




Ark. Code § 4-110-101 et seq.




Cal. Civ. Code §§ 1798.29, 1798.80 et seq.


Any person who notifies more than 500 California residents as a result of a single breach must electronically submit a single sample copy of the notification letter to the Attorney General. (California Dept of HHS must be notified within 15 business days of an unauthorized access of medical information)

Any customer injured by a violation of the general breach notification statute may institute a civil action to recover damages.




Colo. Rev. Stat. § 6-1-716




Conn. Gen Stat. § 36a-701b, 2015 S.B. 949, Public Act 15-142


If state law requires notification to individuals, notice must also be made to the Attorney General. All licensees and registrants of the Connecticut Insurance Department are required to notify the Department of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five calendar days after the incident is identified.




Del. Code tit. 6, § 12B-101 et seq.




Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i)


A covered entity shall provide notice to the Florida Attorney General’s Office of any breach of security affecting 500 or more Florida residents. Such notice shall be provided as expeditiously as practicable, but no later than 30 days after determination of the breach or reason to believe a breach has occurred.




Ga. Code §§ 10-1-910, -911, -912; § 46-5-214




Haw. Rev. Stat. § 487N-1 et seq.


If the breach involves over 1000 persons, the Hawaii Office of Consumer Protection must be notified of the timing, content and distribution of the notice.




Idaho Stat. §§ 28-51-104 to -107


Public entities only




815 ILCS §§ 530/1 to 530/25


Any state agency that collects personal information and has had a breach of security of the system data or written material shall submit a report within five business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any agency that has submitted a report under the statute shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.




Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.


Attorney General must be notified in the case of a breach




Iowa Code §§ 715C.1, 715C.2


For a breach of security requiring notification of 500 or more Iowa residents pursuant to Iowa law, written notification must be provided to the director of the consumer protection division of the Iowa Attorney General within five business days of notifying any Iowa residents regarding the breach.




Kan. Stat. § 50-7a01 et seq.




KRS § 365.732, KRS §§ 61.931 to 61.934




La. Rev. Stat. §§ 51:3071 et seq., 40:1300.111 to .116


When notice must be given to Louisiana citizens, the entity must provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General’s office. Notice shall include names of all Louisiana citizens affected. Notice to the state Attorney General shall be timely if received within 10 days of the distribution of notice to LA citizens. Each day notice is not received by the state Attorney General shall be deemed a separate violation.

A civil action may be instituted to recover actual damages resulting from the failure to disclose in a timely manner to a person that there has been a breach of the security system resulting in the disclosure of a person’s personal information.




Me. Rev. Stat. tit. 10 § 1347 et seq.


The Attorney General or Department of Professional and Financial Regulation if the entity is governed by that body must be notified regarding a breach.




Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308


The Attorney General must be notified prior to notification of individuals.

Consumers may bring actions under Title 13 of the Maryland Code, the Unfair and Deceptive Trade Practices Act.




Mass. Gen. Laws § 93H-1 et seq.


The Attorney General, Director of Consumer Affairs and Business Regulation, must be notified regarding a breach. Upon receipt of notice, the Director of Consumer Affairs and Business Regulation will identify any relevant Consumer Reporting Agency or state agency that needs to be notified to the notifying party.

Massachusetts consumers may seek damages under Chapter 93A, which allows for certain instances of treble damages.




Mich. Comp. Laws §§ 445.63, 445.72


If 1,000 or more persons are affected, then the Attorney General must be notified regarding the timing, distribution and content of notice to individuals.




Minn. Stat. §§ 325E.61, 325E.64




Miss. Code § 75-24-29




Mo. Rev. Stat. § 407.1500


If 1,000 or more persons are affected, then the Attorney General must be notified regarding the timing, distribution and content of notice to individuals.




Mont. Code §§ 2-6-1501 to -1503, 30-14-1701 et seq., 33-19-321


Any person, business, or state agency required to make a notification must also simultaneously submit an electronic copy of the notification and a statement providing the date and method of distribution of the notification to the Montana Attorney General's Consumer Protection Office, excluding any information that personally identifies any individual who is entitled to receive notification. If notification is made to more than one individual, the notification must indicate the number of individuals in the state who received notification.




Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807




Nev. Rev. Stat. §§ 603A.010 et seq., 242.183



New Hampshire

N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21; 189:66


A person engaged in trade or commerce shall notify the regulator which has primary regulatory authority over such trade or commerce. All other persons shall notify the Attorney General’s office. Notice to the Attorney General’s office must include the anticipated date of the notice to the individuals and the approximate number of individuals in the state who will be notified. The names of the individuals entitled to receive notice do not have to be disclosed.

Persons injured as a result of a violation may bring an action for damages and for such equitable relief as the court deems necessary and proper. A prevailing plaintiff shall be awarded the costs of the suit and reasonable attorney’s fees. An aggrieved individual whose health records were wrongly disclosed may bring a civil action under RSA 332-I:4 or RSA 332-I:5 and, if successful, shall be awarded special or general damages of not less than $1,000 for each violation, and costs and reasonable legal fees.



New Jersey

N.J. Stat. § 56:8-161, -163


The Division of State Police in the Law Department of Law and Public Safety must be notified regarding a breach prior to notifying customers.



New York

N.Y. Gen. Bus. Law § 899-aa, N.Y. State Tech. Law 208


The Attorney General, Consumer Protection Board, and the state Office of Cyber Security and Critical Infrastructure must be notified regarding a breach via form notice



North Carolina

N.C. Gen. Stat §§ 75-61, 75-65


The Consumer Protection Division of the Attorney General’s Office must be notified of the nature of the breach, the number of consumers affected, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice via form notice.

Provides a private right of action only if individual is injured as a result of the violation. Damages set at a maximum of up to $5,000, per incident, and provides for treble damages within this range. Injunctive relief also available.



North Dakota

N.D. Cent. Code §§ 51-30-01 et seq., 51-59-34(4)(d)


Any person that experiences a breach of the security system must disclose to the North Dakota Attorney General by mail or email any breach of the security system which exceeds 250 individuals. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and to restore the integrity of the data system.




Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192




Okla. Stat. §§ 74-3113.1, 24-161 to -166




Oregon Rev. Stat. § 646A.600 to .628, 2015 S.B. 601, Chap. 357


The Oregon Attorney General must be notified regarding a breach, either in writing or electronically, if a breach affects 250 Oregon residents or more. Notice must also be made to consumer reporting agencies when the breach affects at least 1,000 Oregon residents and provide the notice any police report number assigned to the breach of security.

Compensation can be ordered by the state upon a finding that enforcement of the rights of consumers by private civil action would be so burdensome or expensive as to be impractical.




73 Pa. Stat. § 2301 et seq.



Rhode Island

R.I. Gen. Laws § 11-49.2-1 et seq., 2015 S.B. 134, Public Law 2015-138, 2015 H.B. 5220, Public Law 2015-148


In the event that more than five hundred (500) Rhode Island residents are affected by a breach, the Rhode Island Attorney General and major credit reporting agencies must be notified as to the timing, content and distribution of the notices and the approximate number of affected Rhode Island residents. This notice should be made without delaying notice to affected Rhode Island residents

A resident of SC who is injured by a violation of this section, in addition to and cumulative of all other rights and remedies available at law, may: institute a civil action to recover damages in case of a willful and knowing violation; institute a civil action to recover only actual damages resulting from a violation in case of a negligent violation; seek an injunction to enforce compliance; and recover attorney’s fees and court costs, if successful.



South Carolina

S.C. Code § 39-1-90, 2013 H.B. 3248


If 1,000 or more persons are affected, the Consumer Protection Division of the Department of Consumer Affairs must be notified regarding a breach.




Tenn. Code § 47-18-2107; § 8-4-119 (2015 S.B. 416, Chap. 42)


A violation under the data breach notification statute may also be a violation of the
Tennessee Consumer Protection Act, which could give rise to a private cause of




Tex. Bus. & Com. Code §§ 521.002, 521.053; Tex. Ed. Code § 37.007(b)(5); Tex. Pen. Code § 33.02


A violation under the data breach notification statute may also be a violation of the Texas Deceptive Trade Practices Act, which could give rise to a private cause of action.




Utah Code §§ 13-44-101 et seq.; § 53A-13-301(6)




Vt. Stat. tit. 9 § 2430, 2435


Once notice is made to consumers, the Attorney General must be notified of the number of Vermont consumers affected and provided a copy of the notice. A second copy of the consumer notification letter, with personally identifiable information that was subject to the breach redacted, can also be provided to the attorney general which will be used for any public disclosure of the breach.




Va. Code § 18.2-186.6, § 32.1-127.1:05, § 22.1-20.2


The Office of the Attorney General must be notified following discovery of a breach of personal information.

Though generally enforced by the Attorney General, nothing in the data breach notification statute will preclude recovery of economic damages.




Wash. Rev. Code § 19.255.010, 42.56.590, 2015 H.B. 1078


Any person or business that is required to issue notification under RCW 19.255.010 and 42.56.590 to more than 500 Washington residents as a result of a single breach must, by the time notice is provided to affected consumers, electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Washington Attorney General. The person or business must also provide to the Washington Attorney General the number of Washington consumers affected by the breach, or an estimate if the exact number is not known.

Any customer injured by a violation may institute a civil action to recover damages.



West Virginia

W.V. Code §§ 46A-2A-101 et seq.




Wis. Stat. § 134.98




Wyo. Stat. § 40-12-501 et seq.



District of Columbia

D.C. Code § 28- 3851 et seq.




9 GCA § 48-10 et seq.


Puerto Rico

10 Laws of Puerto Rico § 4051 et seq.



Virgin Islands

V.I. Code tit. 14, § 2208

