We hear you’re looking to buy a law practice or have had enough and want to sell your own practice. There are many considerations to bear in mind, some of which will depend on whether you’re going to be the buyer or the seller. But one area that is often overlooked by those on both ends of the sale is the technology owned or leased by the law practice in question. Surprises here are not good and can lead to misunderstandings—or lawsuits. You must think about how you will handle this facet of the sale and negotiate who is going to do what and for what cost.
So, how do you deal with the technology of a law practice when planning the change in ownership? We hope this article will help you assess some of the ethical and technical issues involved and make the transition a less painful process.
Selling a Law Practice
Before addressing individual pieces of technology, you must first tackle the most important decision: What client data will be transferred? Transferring all client data to the new firm is by far the most straightforward approach. But what if you are retaining some of the clients, perhaps several old friends or “plum” clients that you have agreed will remain yours? This means carving out their data, no easy task (as we’ll describe below).
And how do you actually transfer the data? Paper files are simple. Box up the ones that go to the new firm, retain those as may be required for ethical or business reasons, and destroy the rest. You need to do a similar process for the electronic information associated with a client, but it can be more difficult to cull and remove information from an existing system.
Ultimately, your decisions concerning what client data to transfer will affect your transition plans for each of the systems discussed below.
Copiers. Let’s start with a common piece of equipment for most businesses. Copiers have been around for some time, and the latest models are full-featured productivity devices. There isn’t a lot you can do with analog copiers. Frankly, if you still have a working analog copier, it’s wholly obsolete. The analog copier doesn’t store any data, so you’re pretty safe no matter what you decide to do with the equipment.
Digital copiers are a different story. They have a hard disk (or multiple disks) that can contain images of received faxes, converted PDF scans, or confidential client materials that you’ve copied. This means that you need to keep the hard disk yourself or wipe the drive of any data. Keeping the drive may be an issue for some, especially those who lease the equipment. It may cost you extra money, but see if the lessor will let you have the hard disk. If you can’t figure out how to remove it yourself, a call to the service technician should do the trick. Another option is to wipe the drive while it is still in the machine. Several manufacturers have this feature built in. In our own Konica Minolta copier, you find the option by hitting the Utility/Counter button and navigating to Administrator Settings > Security Settings > HDD Settings. You have several choices under the HDD Settings to overwrite data, format the hard disk, configure hard disk encryption, etc. Understand that if you delete all data, you may blow away the operating system as well. This would render the copier useless until a new operating system is loaded. If you plan to transfer ownership of the copier to the purchaser of your practice, make sure the new owner understands what may happen when you delete the data. Even if you sell the copier to someone else or turn it back to the lessor, it’s always a good idea to make sure the data on the hard disk is deleted. Of course you won’t have to deal with any data removal if all clients transfer to the new lawyer(s).
Computers and software. Just like digital copiers, computers have at least one hard disk. If the computers are going to stay with the new firm, then there is little you need to do. The exception is dealing with the software licenses. Not all licenses can transfer to a new owner. Make sure you read the licenses to see what options are available (if any) for ownership transfer. If you are like most lawyers we know, you have no clue where the software license is located to review it. Contact the makers of the software and talk to their customer service folks. Assuming you can transfer ownership of the licenses, be prepared to pay a transfer fee. Not all vendors charge a fee, but it is fairly modest for those that do.
If the new owners are only interested in the hardware, then your job is even easier. First, copy off any data that you want to save, assuming you have a legal right to the data. Next, wipe the hard drives. There are many commercially available products to accomplish this, but we find most solo and small firm attorneys to be very cost conscious. How does free sound to you? Darik’s Boot and Nuke is a free product that will wipe all sorts of devices that hold data, including the hard disk in the computer. You only need to do a single pass wipe. Don’t believe all those urban legends that say three-letter agencies can recover disks through several layers of wiping. A single wipe is good enough and renders any data inaccessible, even to those three-letter agencies.
Servers and data. Servers can be more difficult to handle. Most likely the new owners will want to bring in their own server running the applications they are familiar with. What they really need is your client information to place on their server. If they don’t want your current server as part of the deal, then you would handle it just like the computers. Copy off any data that needs to be preserved and wipe the drive(s).
Now for the hard part: getting your client data—really the most valuable asset of your practice—onto the new firm’s practice/case management system. The data could comprise some combination of Microsoft Outlook information, Microsoft Word documents, case management databases, and billing information. You’ll potentially have to deal with all of it. It is unlikely that the new firm is using the same practice/case management system as you, or that they don’t have any current client data already loaded. So what does this mean? It means that you will need to import your client data while preserving their client data. You may need to hire a consultant or acquire the services of case management provider(s). What we see most often is the exporting of the client data to a CSV (comma separated values) file, which most applications can import. You may have to manipulate the CSV file prior to importing to the new case management system to insert required values or change data format. You may be able to use Microsoft Excel for this type of data manipulation, assuming there isn’t a huge volume of records and the changes are straightforward. If the manipulation is complex, you’ll want to get a programmer involved.
The same process holds if you are transferring billing data. If the receiving billing application cannot directly read your current information, you may have to do the export/import using CSV files as previously described. It may be more cost effective not to bring over any historical billing information and just import the client data needed for future billings. This may not be an option, especially if there are a lot of trust account balances that need to transfer. Speaking of trust accounts: Don’t forget to address how they will be handled as part of the sale of the practice.
Fortunately, transferring any data in Outlook is a simple matter even if you have an Exchange server. The easiest way is to use Outlook’s own feature and export any required data to a PST file. You can then import the PST file from one of the new attorneys’ mailboxes. The new firm may want to reorganize it later, but at least the firm will have the data.
The client electronic files are also easy to copy and move around. You will probably use an external USB hard drive to effect the transfer of the data. You would merely copy the appropriate Word, Excel, etc., files to the USB drive and then copy them to their final destination with any new computer system. If the new firm will be using a document management system such as Worldox, the documents should be re-indexed. This will ensure that the system knows the correct (and possibly new) location of the information.
Voice communications. You’ll also need to address any devices that are used for voice communications. This could include a traditional phone system, VoIP equipment and phones, and even cellular phones. If you have a traditional phone system and it is transferring as part of the sale, it will need to be reprogrammed. If you are going to dispose of the system, it needs to be cleared of any configuration values and reset to factory defaults. This is especially true if the phone system includes voice mail. You need to make sure that any identifiable information is removed prior to disposal or sale to a third party. Think of the phone system as a specialized computer that makes phone calls.
Cellular phones need to have the data removed as well. If it is a regular feature phone, then reset it back to factory defaults. You should be able to find instructions on how to do that from the Internet. If not, then take the phone to your carrier and their employees can reset it. Smartphones should be wiped and reset to factory defaults, too. Wiping may be done remotely or through a menu choice on the phone itself. Don’t forget to wipe and/or remove any memory expansion cards that may be inserted in the phone. There could be data on those as well.
Cloud services. What about any data that might reside in the cloud? Cloud services may be cost effective for solos and small firm attorneys, but they can also be a royal pain when it comes time to shut them down or change providers. Unfortunately, attorneys do not always read their service providers’ terms of service or understand the potential costs and consequences of putting their data in the hands of a third party. This can prove problematic when planning an “exit strategy” from the service. What happens if a lawyer wants to change cloud providers or (in this case) transfer the data to someone else? In what format can the data be retrieved? Is there a cost for exporting the information? Who owns the data? These are all questions that should have been answered when originally contracting for the service. The last thing you want during a sale is to be held hostage because of the difficulty or cost of getting your own data back.
Certainly the easiest way to handle the transition is for the purchaser to take over your account. New login credentials would be created, and business would continue as normal. If this is an option, take it. It will be the easiest and least costly way to hand over client information. This assumes that all of the client data migrates to the new owner. If not, then you will have to purge those records that shouldn’t transfer prior to the account changing hands.
If the current cloud provider will no longer be utilized, then you’ll have to get the data out of the system prior to shutting down. This could mean some sort of data export similar to that discussed above. The CSV format seems to be the most common type of export among various vendors. Some vendors will give the entire database on an optical disk (assuming it fits) or on a hard disk. As an example, a leading CRM (customer relationship management) provider will provide the entire database in SQL format for a fee of $150. You can then write your own scripts to extract the data in whatever layout is required.
Backup data. You must also address any backup data that may exist. This includes any backup data that may be held in the cloud. Normally, any backup data that is contained in tapes, hard disks, or other media is archived for potential future access. Make sure that the encryption keys are provided along with the backup data so that it can be decrypted should the need arise.
Backup data in the cloud is probably easier to deal with once it has been restored to some local area. In that way, it can be decrypted upon restoration and then parsed as needed. The new owners can then use their own technology and methods to back up the restored data as they see fit.
Electronic communications. What happens to the firm’s domain name? How will you handle any e-mail that is addressed to the old firm name? These are decisions that should be dealt with in the sales document. Unless you plan to set up shop again in the future, most firms just transfer ownership to the buyer. This makes it easier to maintain a smooth transition of communication with current and past clients.
Disposal. Let’s assume that you will actually have to dispose of some equipment and media (including paper) that may contain confidential client information. There are guidelines and statutes for the retention of certain information, so make sure you follow the applicable laws regarding destruction of data.
Shredding. It sounds like such a simple task, doesn’t it? Well, not if you want to do it right. Many of us have shredders in our offices that we use to destroy paper. Some are even capable of ripping through staples, paper clips, and optical media. Most solo and small firms will have a strip shredder because of the low cost. These are not sufficient to render the data inaccessible. A recent security challenge from the U.S. Defense Advanced Research Projects Agency (DARPA) presented images of what amounted to shredded paper from various shredding techniques. The pieces of paper that were created with a strip shredder were the easiest to reassemble and read the resulting documents.
What you really need to destroy the paper documents is a cross-cut shredder with the smallest possible cut size. Some cross-cut shredders leave fairly large chunks of paper, which is marginally better than the low-level strip shredders. Expect to pay a few hundred dollars for a good cross-cut shredder, but it is well worth the money and peace of mind to know the documents are actually destroyed.
Shredding isn’t just for paper, either. How would you destroy large volumes of backup tapes or even hard drives? There are companies that will shred pretty much anything. One of our favorites is a company called Back Thru the Future. They will quote costs to destroy backup tapes (just give them the tape type and quantity) and hard disks. They follow the entire chain of custody from receipt to destruction and provide you with documentation including a picture of the shredded matter for your scrapbook. It can actually be more cost effective to have media shredded than to spend the time and money to wipe disks and eradicate tape media.
Electronic equipment. Electronic disposal can also be a problem. Many jurisdictions now have laws about dumping computers, monitors, or any electronics into a landfill. This means you will need to properly dispose of any unwanted electronic equipment. It could be costly to pay a recycler to haul away any monitors or computers that are no longer needed. Check around to see if you can donate the equipment, thereby saving any recycle fees. Also see if there are free electronic recycle days in your area, when you can take any television, computer, monitor, printer, or other electronic device to the recycle center for no charge. Make sure you sanitize any hard drive or other device that carries data prior to recycling.
Closing remarks. Besides being a bad pun, closing day is the point by which you should have addressed all the items dealing with the sale of your practice. Most people are aware of the potential data that resides on computers but often forget the information on flash drives, backup tapes, and even smartphones. Your security alarm system may even contain data about the users and their access codes. The simplest methodology is to convert all the transferable data to paper and then destroy all your current equipment and storage. Hybrid transitions are more complicated because you have to pick and choose what data to destroy. No matter which path you select, spend some time to identify all the data and where it is held.
Buying a Law Practice
Are there different considerations when you are the buyer, rather than the seller? Many of the technical concerns are the same, but there are certain considerations of particular importance to those who will be receiving, rather than sending, the client data and office equipment.
The agreement. This is a bad time to be your own lawyer. Make sure another attorney has reviewed the purchase agreement particularly with regard to the acquisition of hardware, software, or data. In today’s electronic world, many mergers and acquisition attorneys are well versed in the steps that should be taken to ensure that you are handling the technology and data properly. In many cases, you will be acquiring a practice that may not be terribly sophisticated in technology matters. The purchase agreement should clearly lay out the steps that the seller must take to securely transfer the technology and data, including all software licenses. The seller may not know much about how some of the data is held and how to convert it into a format that you can import. What seems like a simple data transfer may not be simple at all—and it may involve costs. Who will pay these costs? If the data is in the cloud, who does it belong to? Do you need to see agreements regarding the data prior to signing the sales document? More than once, we’ve seen vendors hold data hostage, which will be frustrating to both buyer and the seller. It’s best that you understand all possible problems from the outset.
Are you buying the firm’s URL? What about its social media sites? These days, it isn’t just client data that may be integral to the purchase of a practice.
You’ll want to take special care with the trust account, of course, and transfer of these records. You may want to put a provision in the agreement that the trust account electronic data (including the reconciliations) for the last several years be provided in order to receive assurance that you’re not buying into problems. If you are buying the entire practice, life is simpler as you can purchase all the data, the software licenses (if desired), and all domain names, social media sites, etc. If the data has to be parsed into that which the seller is keeping and that which is due you, the process will be harder.
Malware detection. It should go without saying that any information received in digital form must be scanned for viruses, Trojan horses, spyware, and other malware infections. This is particularly important if you will be introducing the data into your existing computer systems. How will you be receiving the data? If the data is on a flash drive or hard disk, make sure you scan it for malware before you transfer the data to your server or other computer system. If it is sent electronically, such as in an e-mail attachment, it should also be approached like any other suspect attachment.
It will be safer if the data is converted to a CSV file first. This text-based file format is less likely to be infected by nasty malware.
Computer systems. As the buyer, you must decide if you want to keep the seller’s computer systems or start from scratch. Most firms will elect to transfer only client data and not take over the technology from the acquired firm. You probably already have well-established procedures and equipment in place. That’s why you’ll probably put your time and energy into the data import process. This also means you won’t have to deal with the disposal of electronic devices, which can be a big pain in some parts of the country.
You may elect to keep some subset of the acquired computer systems, depending on the format and type of data at issue. As an example, you may keep one computer to access the billing system, but enter all new billing information into your existing system. This is one alternative to provide for a smooth transition of the practice and still keep the data accessible.
There’s also the matter of taxes. We’re not accountants, but there may be tax consequences of getting computers, telephones, copiers, etc., as part of the sales transaction. The equipment may have to be categorized as a capital asset.
The Accidental Disclosure of Data
No matter what method is used for the transfer of data (flash drive, hard disk, optical media, etc.), both parties should insist that the data be encrypted when placed on the media. This will protect the information while it is in transit. It doesn’t matter if you are only carrying the data down the hall. Always encrypt the data while it is transit so that it is inaccessible to anyone other than the intended recipient. This pertains to data that is electronically transmitted as well. Encrypt the file prior to attaching it to an e-mail message. If you password-protect a Word document or a PDF file, it will automatically be encrypted as a result. Putting a password on a Zip file will also encrypt the contents. There really isn’t any excuse not to encrypt the data as it is so easy to accomplish.
So what if, despite the best efforts of both sides, some client data is exposed? This is most likely to happen to the seller, who is likely to have trouble correctly parsing the data from all software and devices.
The sales agreement should certainly contain a provision that data discovered to have been inadvertently transferred will be promptly returned. Although there may be a technical ethical violation, so long as proper precautions have been taken, you’re probably okay, especially if the ABA Commission on Ethics 20/20 draft proposals are adopted by the states. The revised proposals, as issued in 2011, are really very practical. The proposal revision of Model Rule 1.6 says that “a lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.”
The factors to be considered in determining the reasonableness of the lawyer’s efforts are:
- the sensitivity of the information;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost of employing additional safeguards;
- the difficulty of implementing the safeguards; and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
Mere disclosure, by itself, does not trigger discipline. As you can see, the standard of reasonableness in the buying or selling of a law practice is very likely to be based on the size (and therefore presumed relative sophistication and resources) of the law firm.
The technology considerations for the transfer (sale or purchase) of a law practice are pretty much the same no matter which side of the fence you are on, buyer or seller. As with all technological subjects, advice about the technological implications of buying or selling a business will change over time. Just look at how cloud computing has required a reexamination of a lawyer’s obligations. The best advice when buying or selling a law practice is to seek a truly knowledgeable attorney in this area—one who keeps up with technology and its legal implications. This is not a good DIY project.