New technology tools make confidential data less secure

Issue June 2006 By Roberta Holland

What you don’t know could hurt you when it comes to safeguarding confidential data in this increasingly digital age.

While technology has allowed lawyers to do more with less, those same advances open up lawyers to new and evolving security risks, including viruses, spyware and unwitting transmission of hidden confidential data.

“A lot of the information you get from a client is confidential,” said Andrew Beckerman-Rodau, a professor and co-director of the Intellectual Property Law Concentration at Suffolk University Law School in Boston. “Now it’s all on computer and a real issue is how secure it is if you’re not knowledgeable about potential ways digital data can get out.”

Most unauthorized access of confidential data occurs internally rather than from someone hacking into a system from outside, Beckerman-Rodau said. And yet, many law firms are lax in doing background checks on their IT personnel, who have access to Social Security numbers and all kinds of information. That type of theft, which involves copying electronic files, often goes unnoticed, he said. In an age when many people still stick computer passwords on notes next to their screen, cleaning crews also could access sensitive computer records.

“It’s increasingly become a major issue,” said Beckerman-Rodau, who lectures on the topic around the country.

Most lawyers would cringe at the thought of getting hit by a computer virus that took random documents off their hard drive and e-mailed them to everyone in their address book.

“People can just commandeer your computer and do all kinds of harm to it,” said David Hricik, associate professor of law at Mercer University School of Law in Macon, Ga., and frequent lecturer on the topic of technology security. “There are real risks. It’s not happening all the time to lawyers everywhere, but we have to take care.”

With advances comes risk, Hricik noted. “You can now have on a keychain stuff it would take a file room to store,” said Hricik, referring to USB drives. “This digitalization allows a lot of harm to occur” with one careless act, he said.

Lawyers should think carefully about what data they put on devices and protect it with passwords or encryption. While that won’t fool everyone, at least it acts as another hurdle someone must jump over before accessing the information, Hricik said.

Fred Pretorius, director of information services for Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC, heads up a staff of 45. When he started in 1999, he was focused mainly on infrastructure issues involving servers and the like. Now he also works on the more complex problems of protecting the firm against hackers, viruses and spyware.

Pretorius said the department also works to eliminate spam, which he called a huge drain on attorneys’ time.

“We conduct training for all new employees, and it’s customized for attorneys,” Pretorius said. “The security systems are only really as good as the users.”

The IT staff is always weighing convenience and ease of use versus security. “It’s a difficult balance to strike,” Pretorius said.

One of the biggest IT challenges for lawyers now is the existence of metadata and other embedded data contained in popular word processing programs. The embedded information can reveal deleted material, who worked on a particular document and comments inserted by people reviewing the document. Recipients of the file can access the embedded data, initially hidden from view, with a few mouse clicks or by using special mining tools.

Because many popular software programs track changes, lawyers could unknowingly send opposing counsel confidential data or key pieces of bargaining strategy.

Hricik and others said many lawyers are shocked to learn of the risk.

During a recent lecture “none of them had the faintest idea this stuff was in a Word document,” Hricik said. While he has heard plenty of anecdotes about lawyers inadvertently sending out confidential or disadvantageous information, Hricik said he is not aware of any case law on whether metadata can be used in court. But he believes it is just a matter of time.

“It’s a question of when, not if, we’ll get a case about it,” Hricik said.

Many lawyers protect themselves by copying information into the PDF format, which contains less metadata than a word processing file, or by buying and installing tools to “clean” a file before it is sent out. Computer settings also can be changed to limit the amount of embedded material.

Mintz Levin’s IT staff has trained all the firm’s personnel on its metadata removal system. “You might not want someone to see a particular document was marked up from a previous version,” Pretorius said. “Sometimes it’s helpful; sometimes it can hurt you.”

Ethical dilemmas surround metadata; when and where it is acceptable to “clean” a document and whether lawyers should use metadata they inadvertently receive.

In that regard, Pretorius believes other industries have an easier time setting IT policies than the legal field. “In the corporate setting you can define a policy,” Pretorius said. “In law firms, it’s difficult to draw that common denominator.”

The Florida Bar Association, for example, recently came out with a statement telling lawyers it is unethical to look at metadata.

The Florida Bar Association’s pronouncement “is the fair thing right now,” said Hricik, who pointed out that most lawyers still don’t know about its existence. “I think you have to put the burden on the recipient. Maybe five years from now it will be different.”

The flipside of the metadata issue is whether lawyers receiving such unintended information have an obligation to use it as part of zealous representation, said Jerry Cohen, a partner with Burns & Levinson LLP.

While bar associations and the courts are struggling with how to treat metadata, the current consensus is you notify the other side you have the information and intend to use it, which then can be taken before a judge, Cohen said.

“That’s an evolving thing. I think where it will settle down is to notify (the other side) you’ve got it,” Cohen said. “The prevailing practice has been to return a document and not take advantage of it, but life is getting to be a little harder edged.”

It may not be enough to plead ignorance if a security lapse occurs.

“It’s clear lawyers’ obligation of confidentiality is stronger” than other professions, Cohen said. Mishandling of personal data could open a lawyer up to anything from disciplinary action to malpractice claims. Yet it happens, Cohen said.

“I’ve run into situations where lawyers have made honest mistakes,” Cohen said.

Bar associations and courts are now tackling the issue of whether lawyers have an obligation to inform clients if confidentiality is breached. So far the Supreme Judicial Court has not set a definitive policy for attorneys here in the Bay State, Cohen said.

“I think it’s a growing obligation of lawyers to become tech-savvy,” Cohen said. “Certainly the bar associations and CLEs are doing their best to push lawyers to become tech-savvy.”

Now with some courts requiring documents to be filed electronically, the technology issues are inescapable, Cohen said.

But Cohen points out that security concerns are not a new phenomenon. When cell phones first became prevalent, there were decisions that lawyers could use them but with caution. The same situation happened with e-mail. Even before then, lawyers have had to be cautious with documents sent in the mail and disposal of trash.

“People have learned to cope and they do adopt (new practices) much faster these days,” Cohen said.

For solo practitioners or smaller firms lacking the resources to have IT personnel on staff, consultants can be hired to set up and secure computer systems.

“It’s hard for lawyers to say they weren’t aware of the problem, but how many are doing something about it,” Beckerman-Rodau said. “We’re not talking about a law firm having to spend tens of thousands of dollars. It’s just a cost of doing business. I’m not sure you can avoid it.”

Sharon D. Nelson, a lawyer and president of Sensei Enterprises Inc. in Fairfax, Va., said one of the biggest mistakes small firms make is not budgeting enough money for technology or training to use the technology they purchase. Nelson’s consulting company, which supports about 150 law firms, provides assistance ranging from basic networking needs to sophisticated computer forensics work.

“Most small and medium firms are still blown (away) by technology; by the cost; by the learning curve,” said Nelson, a former tax attorney originally from Marshfield. “We lecture that 25 percent to one-third of their budget should be dedicated to technology investment.”

And Nelson advises small firms to hire consultants familiar with the very specific needs of a law firm compared to another business.

“The ‘Geeks ‘R Us’ folks are a disaster for legal folks,” Nelson said. “If you’re spending $75 an hour on IT, your thinking is all wrong.”

Firms should be spending between $120 and $300 an hour, depending on their needs, Nelson said.

Technology has been a mixed blessing for smaller firms and solo practitioners, enabling them to be more efficient and nimble, Nelson said.

“The only way to level the playing field with larger firms is to use technology,” Nelson said. “They hate it, but they can’t get away from it.”