Computer Malpractice Easier Than Ever
Todd C. Scott is vice president for member services at Minnesota Lawyers Mutual. He may be reached at firstname.lastname@example.org.
Digital information is fluid. It can leak out. It can be tapped into. It can be spoiled. Every day, lawyers and their staffs convert confidential client information into data and put it on their networked computers. If they do nothing to secure it, however, it will eventually make its way out into the world, and it will be vulnerable to corruption.
Most attorneys are very aware of our duties to protect the confidential information on our hard drives. We think of it when we are doing our network backups or planning to throw away an old PC. But rapidly changing technology can make a network vulnerable to hackers and cripple a firm’s entire system. Worse yet, some of these vulnerabilities can lead to scenarios in which your client’s private information is exposed to the outside world. Being pro-active can ensure that protective systems in the firm’s computer network are kept up to date—and are used regularly, by everyone.
Computer maintenance should be as much a routine as car maintenance. And just as work on your auto becomes more necessary and complicated over time, so does the maintenance of your network security. You may not be the one physically performing all the work on your business computers, but a basic understanding of what’s necessary will help ensure that you’re asking all the right questions.
Computers and Malpractice
The computer can be used as a risk management tool to avoid many common errors that lead to legal malpractice. In a 2003 ABA study, malpractice insurers were asked what types of errors their insureds were alleging in claims. Almost half (47 percent) of the lawyers reported claims involving a substantive error, 15 percent involved a client relations issue, and 10 percent were labeled intentional wrongs. What is notable in this study is that 28 percent of lawyers reporting malpractice claims reported a claim that began with an administrative error—a system breakdown that led to the client’s seeking redress from the lawyer.
Insurers have long known that a law firm with good systems will have fewer claims. That’s why most lawyers applying for insurance are asked at some point in the process whether they utilize risk management systems—for example, one that checks for conflicts of interest. A firm that has good systems but doesn’t keep them up to date is equally vulnerable to malpractice claims from angry clients. Even the most basic systems law firms use, such as word processors, have inherent design flaws that may expose the client to harm and potentially destroy a case.
But you needn’t be a specialist in computer information systems to understand these dangers and the hazards they pose. Even an overview of potential problems can greatly help to prevent a disaster with client data—and to impress upon employees or IT staff the seriousness of potential security breaches.
One of the biggest obstacles lawyers have with understanding metadata’s potential to do harm is its name: metadata—it sounds like a technical issue that should immediately be delegated to the IT staff to deal with. If it had a more descriptive moniker—“Accidental, Unintentional Dissemination of Confidential Client Information”—metadata might get more attention from lawyers.
The concept of metadata has been around for some time, but present-day examples still remain elusive to some. Metadata is the data that lurks below the surface of a file or e-mail, usually hidden from the viewer unless specific features of the word processor are deliberately activated. An easy example of metadata occurs in every Microsoft Word document; under the File menu, click Properties, and detailed information about the document will appear: time the document was created or updated, name of the author who licensed the software, and more.
But metadata can reveal more dangerous details than simply the name of the person who drafted a summons or complaint. In March 2004 the SCO Group, a seller of Unix software, filed lawsuits against DaimlerChrysler and AutoZone, but a quick peek into the metadata within the pleadings informed the defendants that the plaintiff also had prepared a complaint against Bank of America. As reported by CNETNews.com, the metadata also revealed the exact date and time the bank was removed as a defendant, the original venue where the plaintiffs intended to file the suit, and allegations the plaintiffs had been relying upon for building a case against the dropped defendant. (See http://news.com.com/2100-7344_3-5170073.html.) This hidden information revealed potential weaknesses in the plaintiff’s case and tipped off the defendant to other venues where the plaintiff’s matter could be successfully moved.
Tracking changes made to a document can be invaluable when you’re drafting a lengthy piece or collaborating on a draft. But to save you from checking and rechecking security properties, consider installing a software program that scrubs metadata from documents.
One of the most widely used metadata scrubbers is the Metadata Assistant ( www.payneconsulting.com, $79). This program offers a variety of options for removing private data from Microsoft files and integrates with e-mail programs to clean attachments and even data management systems.
When faced with computer security issues, lawyers often ask: Why would anyone want to hack into my boring legal documents? For the same reason that hackers pierce their tongues—they think it’s fun.
Most successful hackers take advantage of security vulnerabilities that haven’t been patched or disabled and are routinely spread and shared within the hacker community—like port scanners that find vulnerable IP addresses. Once a hacker gets an initial toehold into an unprotected system, other tools come into play, for example, rootkits and sniffers, which find backdoor entrances into sites, gather user IDs and passwords, and then hide their tracks. Other gizmos are no doubt invented every day—searching Google for “hacker tools” yields more than 16 million hits.
Practitioners or firms that use high-speed Internet access should secure their confidential client data with a firewall—a software tool that acts as a gatekeeper for the data coming and going through the data line to the outside world. Firewalls also enable you to fine-tune established security levels, establish multiple stages of security, and restrict access to some or all of the data packets coming into your network system.
It’s hard to beat the price of ZoneAlarm’s award-winning firewall software—it’s free to most individual users ( www.zonealarm.com)—and it’s a top pick in most user polls. If you’re the proprietor of a small law firm, you might want to step up to the ZoneAlarm Internet Security Suite for $49. It offers not only the firewall protection to keep out hackers but also anti-virus and anti-spyware software to take care of any predators that might slip by.
Spyware is simply a software application installed in your computer by an outsider, which gathers information about your computer use for that outside source. It’s a particularly troublesome element in the rogue technology class in that, because it arrives in your computer as a legitimate piece of software, ordinary anti-virus software has no way to distinguish it from the legitimate software products already in the system.
Many of the most common spyware applications are designed to secretly gather marketing data and forward it to the outside source. Unfortunately, the spyware often was introduced to your computer by you in the course of downloading something seemingly unconnected to spyware. Users routinely download programs such as Kazaa, Gator, Web Accelerator, or Weather Bug, but with them they get spyware that takes up valuable computer resources delivering marketing data to and from your PC. If your computer is sluggish but checks clean for viruses, you may have a spyware application working for an outside source. In addition, some purported anti-spyware programs on the market are actually rogues and add additional spyware to your computer system. Stick with well-known products or do some research about these on your own; two prolific websites that expose rogue programs are http://spywarewarrior.com/rogue_anti-spyware.htm and www.spybot.com/en/spybotsd/index.html.
Fortunately, you can buy products that will rid your system of spyware applications, and you can download many of them directly from their websites: Spybot Search and Destroy ( www.spybot.com), Ad-Aware ( www.lavasoft.com), and Spy Sweeper ( www.webroot.com), are safe and popular brands. The first two offer free downloads for their basic versions. Many people use the product weekly to check for parasite applications that suck away computer resources.
Portable Storage Devices
Data storage devices are becoming more portable, and lawyers are discovering great benefits to storing loads of information on devices the size of a disposable cigarette lighter. This portability, however, can also lead to more opportunities to accidentally disseminate (or lose) confidential information.
Flash drive devices are available at bargain prices and are designed to fit in the USB port of any computer or flat-panel screen. Because they are so portable and a typical $49 device can store a gigabyte or more of data, some lawyers have even started using them as part of their routine daily backup rotation and transferring all of the drive documents to offsite storage.
An additional way to protect your clients is to purchase flash drive devices that already contain embedded password protection and encryption software. Many of the flash drives are partitioned so that a user can easily access some data but must enter a password to access more confidential data.
If you want to secure a flash drive you currently use but it doesn’t contain encryption software, TrueCrypt ( www.truecrypt.com) can help. It’s a free, open source product that allows you to encrypt any storage device, including portable flash drives.
The single most effective way to keep intruders from gaining access to client data is to password-protect your data. Unfortunately, in a world where every newspaper or airline website requires a login and a password, many of us are getting bogged down with having to create and remember unique passwords for every site. To compound the problem, IT professionals recommend creating only “strong” passwords that combine upper- and lower-case letters, symbols, and numbers—as well as changing these passwords regularly.
Password Safe ( www.sourceforge.net) is an example of a password-securing tool that acts like a little file cabinet that stores all the passwords you use. The program also comes with a random case-sensitive password generator that works instantly to create the strong types of passwords IT personnel recommend. With a device like Password Safe, the only password you’ll have to remember is the one that opens that application. Password-saving tools are also commonly found on some flash drive devices as a part of free software with purchase.
Even though it sometimes seems that hackers have the upper hand, these products will help you match wits with the best. Installing them is easy—the biggest problem you may have is convincing yourself to make their use a regular part of your obligation to secure client information in all available formats.