• United States



Encryption and Self-Incrimination

Feb 09, 20083 mins
Data and Information Security

When a man tried to cross the U.S.-Canadian border recently, he placed himself at the center of one of the most important legal issues confronting consumers and lawmakers: protecting privacy in the digital age. The man was suspected of having child pornography on his laptop. While the facts are sketchy, it appears the border guards initially found certain incriminating files. But when the guards went back to review them, they found the files were encrypted and Inaccessible. Prosecutors have sought to compel the man to reveal the encryption key, but the man has refused on the grounds that doing so would violate his Fifth Amendment right against self-incrimination. So far, the court involved in the case has sided with the Fifth Amendment, refusing to compel the man to reveal the encryption key. While it will likely be some time before a final decision is rendered in this case, it highlights the problem businesses face when employees use encryption in the workplace.

There have been several instances in which employees, seeking to protect their jobs or inflict harm when they are fired, have encrypted critical business information and then refused to reveal the key to their employers. Those cases seldom make it to court. Rather, the parties generally reach some negotiated agreement – generally to avoid the company having to go public with the embarrassing situation. But if the situation cannot be resolved informally and the business must seek intervention by the courts to protect its rights, what protections will the business have? 

As shown by the child pornography case above, if a criminal action is filed, the defendant may seek protection under the Fifth Amendment to avoid revealing the encryption key. Does this mean the business is left without a remedy? No, the business can forego a criminal action and sue the employee for damages. In a civil action, the Fifth Amendment does not apply. If the employee refuses to follow a court order to reveal the encryption key, the court has broad powers to force compliance. The court can hold the employee in contempt, impose monetary sanctions, and even instruct the jury to make assumptions about what would be found if the files could be decrypted. For example, if the employee is suspected of misappropriating company trade secrets and refuses to decrypt the files containing the alleged information, the court may do all or any of the following: fine the employee for each day he refuses to reveal the key, instruct the jury to conclude the files do, in fact, contain the trade secrets, and/or, most significantly, immediately direct a verdict against the employee finding that he misappropriated his employer’s trade secrets.

Given the danger presented by encryption in the workplace, businesses should adopt strict policies against employees using encryption software not specifically authorized by the business. In addition, the business should have master access to all information encrypted using company-approved encryption software.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.

More from this author