Volume 1, Number 4
|Table of Contents|
Practicing Safe Computing:
Electronic security and disaster prevention are facts of legal life today. With new computer viruses and daily security breaches, protecting client confidences and firm information is challenging. There are very real malpratice risks, as well as ethical traps and pitfalls that will befall the unwary pracitioner. Committing “Technology Malpractice” is not just a futuristic prediction – it is a daily reality that may be happening in every law practice at this moment. Complicating this is HIPAA’s privacy legislation. Security and disaster planning are as critical in small firms as in mega-practices. This articles explores seven quick tips for practicing safe computing:
Uninvited software that installs itself on your PC when you visit websites. In fact, this is often installed without the permission of the websites you visit – the websites themselves may have been compromised. These programs can “see” all the data on your office computer systems. In the worst situations, these malicious programs look for confidential financially-focused information such as passwords, social security numbers, account information. Failing to protect against spyware could be argued to be a per se breach of your obligation to protect and maintain client confidences. Use fee-based anti-spyware tools such as AdAware Professional, Spy Sweeper and others. These protect your system from spyware in real-time, just as anti-virus software does. It is critical to note that the free versions of these products do NOT provide continuous protection and should not be used.
Plug the holes: you need to keep your operating systems, your applications and your Internet software updated with the latest patches. Microsoft products are regular targets of hackers. You can counter the troublemakers with Microsoft ’s free Security Bulletin Alerts. This e-mail based service warns of the latest security and privacy issues affecting their software and links you to the needed patches.
For all the law practices now using Microsoft Word as their document generation system, there’s a horrifying threat that needs to be addressed: it’s called "Metadata." From the time a Word document (or an Excel spreadsheet or a PowerPoint file) is created, through all the edits, revisions and modifications that occur during the life of the document, a frightening amount of information is permanently stored, invisibly, "under the hood" so to speak, in the file. Anyone who knows how to view such a file (as easy as selecting the "Recover Text from Any File"option in Word’s "File | Open" dialogue box, whereupon retrieval of the file, all the contained metadata is tacked onto the end of the document) can exploit it to their advantage. For example, assume you’ve had several revisions of a document with passages of text being removed, copied from other documents, comments inserted and deleted, etc. Perhaps some of the language, or even the entire document was "leveraged" from work done for another client. If that document leaves your firm as an e-mail attachment, what are the consequences of someone outside your firm being able to view all the information you thought was no longer there? Have you breached client confidentiality (of both the client in question as well as the earlier client whose work you recycled and whose information is still hidden in the document)? Could this be an ethical violation? How about malpractice?
The only practical ways to address this issue are to turn Word documents into PDF files (using Adobe Acrobat writer or an equivalent compatible product such as FinePrint Software’s pdfFactory Pro), which strips virtually all the metadata out of the document. Or alternatively, use a Word add-in that removes Metadata from documents such as Metadata Assistant from Payne Consulting (or MetaWALL from Workshare Technologies or iScrub from Esquire, Ltd.). The point is, in the "protecting your clients from disaster" category, taking one of these approaches must be considered mandatory.
The bottom-line: we practice law in a complex electronic environment. Protecting our confidential information can’t be an afterthought - it must be as rigid a daily procedure as entering time. It is essential that your law strive to “practice safe computing.”