August 2005
Volume 1, Number 4

Practicing Safe Computing:
Security Tips, Products and Services to Protect Your Small Firm

By Ross L. Kodner, Esq.

Electronic security and disaster prevention are facts of legal life today. With new computer viruses and daily security breaches, protecting client confidences and firm information is challenging. There are very real malpractice risks, as well as ethical traps and pitfalls that will befall the unwary practitioner. Committing “Technology Malpractice” is not just a futuristic prediction – it is a daily reality that may be happening in every law practice at this moment. Complicating this is HIPAA’s privacy legislation. Security and disaster planning are as critical in small firms as in mega-practices. This article explores seven quick tips for practicing safe computing:

  • Know your responsibilities: ethical rules are essential reading. Review for applicability to issues related to security and protection of client information from loss or intrusion. Pay attention in ethics credit CLE programs. Leverage the knowledge of your state bar ethics advisor. Talk to your malpractice insurance carrier and get their opinion, in advance.
  • Understand how substantive law and technology use intersect. Example related to HIPAA: the healthcare privacy requirements in this legislation impact lawyers in many areas - not just those that are injury or healthcare-related. Lawyers and clients are subject to significant penalties for failing to protect the privacy of healthcare information. Example related to electronic discovery: failure to understand the broad range of technology issues and underpinnings of the discovery of electronic information will most certainly lead to negative case results . . . and potential malpractice claims.
  • Backup - not optional: the need to back up should be a given after years of pleading and begging. Many small firms still have inadequate systems for backing up firm and client information. The ability to access the data (i.e. backing up your programs to enable quick restoration to normal operation) is as important as protecting data. Occasionally copying your documents to a writable CD isn’t an adequate backup system; it’s a malpractice action waiting to happen. Whether via tape or external/removable USB hard drives, employ purpose-built backup software, off-site backup storage, alternating media, and regular "test restores."
  • Security - it’s not someone else’s responsibility: so you have a shiny new cable modem in your office. The cable guy told you they’ve got that whole "security thing" taken care of - great news! WRONG! Security is YOUR responsibility - it’s your business, your practice, your obligation to protect the integrity of your client information. Use a hardware or software firewall to protect your internet connection from hacking. There are even "free" software firewalls available from vendors such as ZoneLabs (ZoneAlarm Standard) and Sygate (Sygate Personal Firewall). Preferable hardware firewalls can be had for as little as $100 (i.e. using a cable/DSL router device that also has built-in Network Address Translation (NAT) and "stateful packet inspection") although this is considered “barely adequate” (look for firewalls that also incorporate a technology called “stateful inspection”). Small firms can look at the hardware firewalls from companies such as SonicWALL, starting at less than $500. So cost shouldn’t be the reason that you throw security caution to the wind. Get firewalled, period.
  • Security is an attitude: You can buy the most secure firewall products in the world but if you write passwords on Post-It notes stuck to your monitors, nothing will protect you. Think of the people (i.e. cleaning crew) who visit your office after hours. Security is, foremost, procedures created and enforced by top firm management. All the technology invented won’t protect you from lax policies.
  • Viruses: e-criminals distribute new viruses every day. Averting professional disaster means taking precautions against virus infection - or spreading them to others. Could you be liable if you didn’t update your anti-virus software, thereby becoming infected and in turn, infecting a client whose business is shut down for days? You bet you could be. Four tips: a) use capable anti-virus software, b) update it automatically, DAILY, or even multiple times per day, c) educate your people about not inadvertently spreading viruses and the liability your firm could incur from infecting other companies, courts, clients, etc., and d) never trust just one person to keep your anti-virus software update subscription current – it’s not the software that lets most firms down, it’s the liveware (the people!).
  • Spyware: even more insidious than computer viruses, Spyware is everywhere. What is it? Uninvited software that installs itself on your PC when you visit websites. In fact, this is often installed without the permission of the websites you visit – the websites themselves may have been compromised. These programs can “see” all the data on your office computer systems. In the worst situations, these malicious programs look for confidential financially-focused information such as passwords, social security numbers, account information. Failing to protect against spyware could be argued to be a per se breach of your obligation to protect and maintain client confidences. Use fee-based anti-spyware tools such as AdAware Professional, Spy Sweeper and others. These protect your system from spyware in real-time, just as anti-virus software does. It is critical to note that the free versions of these products do NOT provide continuous protection and should not be used.

Plug the holes: you need to keep your operating systems, your applications and your Internet software updated with the latest patches. Microsoft products are regular targets of hackers. You can counter the troublemakers with Microsoft’s free Security Bulletin Alerts. This e-mail based service warns of the latest security and privacy issues affecting their software and links you to the needed patches.

For all the law practices now using Microsoft Word as their document generation system, there’s a horrifying threat that needs to be addressed: it’s called "Metadata." From the time a Word document (or an Excel spreadsheet or a PowerPoint file) is created, through all the edits, revisions and modifications that occur during the life of the document, a frightening amount of information is permanently stored, invisibly, "under the hood" so to speak, in the file. Anyone who knows how to view such a file (as easy as selecting the "Recover Text from Any File" option in Word’s "File | Open" dialogue box, whereupon, on retrieval of the file, all the contained metadata is tacked onto the end of the document) can exploit it to their advantage. For example, assume you’ve had several revisions of a document with passages of text being removed, copied from other documents, comments inserted and deleted, etc. Perhaps some of the language, or even the entire document, was "leveraged" from work done for another client. If that document leaves your firm as an e-mail attachment, what are the consequences of someone outside your firm being able to view all the information you thought was no longer there? Have you breached client confidentiality (of both the client in question as well as the earlier client whose work you recycled and whose information is still hidden in the document)? Could this be an ethical violation? How about malpractice?

The only practical ways to address this issue are to turn Word documents into PDF files (using Adobe Acrobat writer or an equivalent compatible product such as FinePrint Software’s pdfFactory Pro), which strips virtually all the metadata out of the document, or alternatively to use a Word add-in that removes Metadata from documents, such as Metadata Assistant from Payne Consulting (or MetaWALL from Workshare Technologies or iScrub from Esquire, Ltd.). The point is, in the "protecting your clients from disaster" category, taking one of these approaches must be considered mandatory.
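A pre-send check in the spirit of the advice above, as an added example that is not part of the original article: it scans an outgoing file's raw bytes, much as the "Recover Text from Any File" view exposes them, for watch-list terms such as an earlier client's name. The client names, byte strings and function names below are constructed for illustration.

```python
import re

# Older Word binary files hold text runs as 8-bit (cp1252) or UTF-16LE,
# so every watch-list term is searched for in both encodings.
ENCODINGS = ("cp1252", "utf-16-le")


def _pattern(term, encoding):
    """Build a byte regex matching `term` case-insensitively in `encoding`."""
    parts = []
    for ch in term:
        variants = {ch.lower().encode(encoding), ch.upper().encode(encoding)}
        alternatives = b"|".join(re.escape(v) for v in sorted(variants))
        parts.append(b"(?:" + alternatives + b")")
    return re.compile(b"".join(parts))


def find_residual_terms(data, watch_list):
    """Return (term, encoding, offset) hits anywhere in the raw bytes."""
    hits = []
    for term in watch_list:
        for enc in ENCODINGS:
            try:
                pat = _pattern(term, enc)
            except UnicodeEncodeError:
                continue  # term cannot be written in this encoding
            hits.extend((term, enc, m.start()) for m in pat.finditer(data))
    return sorted(hits, key=lambda h: h[2])


def safe_to_send(data, watch_list):
    """True only when no watch-list term survives in the file bytes."""
    return not find_residual_terms(data, watch_list)


# Constructed sample (not a real Word file): visible text for the current
# client, then a leftover fragment recycled from an earlier client's work.
SAMPLE_DOC = (
    b"\x00" * 16
    + "Settlement Agreement for Beta LLC".encode("cp1252")
    + b"\x00" * 8
    + "Draft prepared for ACME Holdings".encode("utf-16-le")
)
CLEAN_DOC = b"\x00" * 16 + "Settlement Agreement for Beta LLC".encode("cp1252")
WATCH_LIST = ["Acme Holdings"]  # hypothetical earlier client

if __name__ == "__main__":
    for term, enc, offset in find_residual_terms(SAMPLE_DOC, WATCH_LIST):
        print(f"residual text {term!r} ({enc}) at byte offset {offset}")
```

A raw byte scan only sees uncompressed text, so compressed containers have to be unpacked before they are checked this way.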

The bottom line: we practice law in a complex electronic environment. Protecting our confidential information can’t be an afterthought - it must be as rigid a daily procedure as entering time. It is essential that your law practice strive to “practice safe computing.”

Ross L. Kodner is a "recovering lawyer" and President of MicroLaw, Inc., a 17 year old national-focused legal technology consultancy based in Wisconsin. He is a founding member of the T3 Network of Legal Technology Consultants and has held many leadership positions in national, state and local bar associations. He is perhaps best known for his internationally acclaimed "Paper LESS Office™" concept. He co-plans the CLE programming for all U.S. LegalTech events and he is a prolific speaker and author on legal technology topics. Ross can be reached at and 414-476-8433.

