COSTLY TECHNOLOGY GOTCHAS - A Dozen Tips for E-mail Security and More
Technology can certainly make you more effective and efficient, but you should be careful to guard against some inherent dangers in using it. To help ensure that technology doesn’t bite you where it can hurt most—in the form of ethics and malpractice threats—here are tips for you to follow. Although you may have heard some of them before, all bear repeating throughout your firm.
1. Be aware of the dangers of metadata. When you create or edit just about any document on your computer (like Microsoft Word, MS Excel or Corel WordPerfect files), hidden information about you and the edits you make is automatically created within the document file. This information, in case you haven’t heard of it before, is called metadata—which can be simply described as “data about data.” Think of it as a concealed level of extra information that is automatically created and embedded in every computer file as you work on that file. It is dangerous because it can include past edits, deleted text or tracked changes, and information about others who work on the document—the kinds of things you likely don’t want the client or opposing counsel to see. Thus, if you are e-mailing documents in native format to others, you may be unwittingly sending confidential information to them. Ouch.
2. Remove metadata from your documents. Being aware of metadata is just the start. The important part is to reduce or eliminate metadata from your documents before you send them out. Converting files to PDF with Adobe Acrobat or other PDF creators will usually strip out most metadata. For this reason, many firms have adopted a practice of sending only locked PDF documents to clients or opposing counsel, especially if the recipient doesn’t need to edit the document. Also, newer versions of Microsoft Office include features that can identify and strip metadata from documents created in Office applications. There are also metadata scrubbers that will automatically prompt a user to clean metadata from outgoing attachments. Metadata Assistant (www.payneconsulting.com) is one such product that is widely used in law offices.
3. Don’t share or compromise your passwords. You wouldn’t give your car keys to a complete stranger, so don’t give out your passwords either!
4. Beware of e-mail address Auto-Complete. Having your e-mail software automatically fill in recipients’ addresses is certainly helpful when it comes to saving a few keystrokes or having to remember an e-mail address. But it is also a recipe for disaster: Too often we are hurried and do not confirm an address that the software has filled in before hitting Send. Oops! Just about everyone who has used the Auto-Complete function will tell you they’ve accidentally sent an e-mail to the wrong person. Save yourself the potential exposure to a confidentiality breach by turning Auto-Complete off.
5. Who the heck is email@example.com? When adding e-mail addresses to your contacts list, you want to enter full names so it is obvious who a message is going to, since the contact’s full name will then appear in your To line. When a person is using a generic address like firstname.lastname@example.org, for example, you may have to type the full name in the contacts file as “James Bond.”
6. Double-check before you hit Send. Building on the previous two tips, before you touch that Send button, you should make it a practice to always check and verify that the e-mail addresses in the To field are the correct ones.
7. Check your spam box daily. Spam filters are essential for keeping junk mail out of your inbox. But they can be dangerous, too, because they could erroneously catch a message from your client, opposing counsel, the court or the like. This is called a “false-positive.” So if you don’t check your spam box daily, you could miss an important message (like one that affects a brief you’re in the throes of completing). Most spam filters let you create a “white-list” of parties you know and trust so messages from them will never be stopped.
8. Don’t assume that an e-mail was delivered. From reading the previous tip, you know of at least one reason e-mails don’t get through and read. There are loads of others—including e-mail server problems, a wrong e-mail address, or a message that went through but was never opened by the recipient, just to name a few. For this reason, you should always follow up on important messages that you send, and you should always reply to important messages sent to you (even if it is just an initial acknowledgement of receipt). This way everyone involved knows that critical e-mails have been safely received.
9. Don’t use the “Remember Me” feature. It is so tempting to let Windows and other computer applications remember your login names and passwords when they offer to do this. However, while it may make sense for your NYTimes.com access, you should never—repeat, never—have Windows or other programs remember your password for access to any program or system that has sensitive or confidential information in it (as in your computer logon, accounting systems, bank accounts, practice management software access and so on). In the law firm context, this is especially critical for those who use the family computer at home. Letting Windows remember a username and password gives anyone sitting at that computer full access to the program and all the data in it. Don’t do it!
10. Never use a public computer to log on to your firm network. Let’s repeat again—never. Public computers (like those in libraries and hotel business centers) often have spyware on them that surreptitiously captures login names, passwords and other data typed in by people using them. That information could be used to compromise the integrity of your network and leave you open to breaches of attorney-client confidentiality. For this reason, typing usernames, passwords or other confidential information on a public computer is an absolute do-not-do.
11. Don’t let the bad guys in the back door. A compromised computer that has remote access credentials can bypass firm security and let bad guys or malware get on to your firm network. Require all remote users to have the same level of Internet security on their computers as the law firm has on its. Any computer seeking to access your network must use firewalls, antivirus software, anti-spyware protections and the like.
12. Enforce and regularly update your technology use policy. Remember, rules only work when they are current and enforced. Every law office should have an up-to-date and enforced technology use policy (and incorporating the foregoing tips is a good place to start), a policy that clearly sets out what people can and can’t do when using office computers and when working on client matters on computers outside the firm’s walls.
About the Author
Dan Pinnington is Director of practicePRO at the Lawyers’ Professional Indemnity Company (LAWPRO) in Toronto. He is Law Practice’s Editor-in-Chief.
Reid Trautz is Director of the American Immigration Lawyers Association’s Practice & Professionalism Center. He serves on the Governing Council of the ABA Law Practice Management Section.
This article is an excerpt from The Busy Lawyer’s Guide to Success: Essential Tips to Power Your Practice, soon to be released by the ABA Law Practice Management Section. Order the book online at www.ababooks.org.
Watch for Dan Pinnington and Reid Trautz at these ABA TECHSHOW 2009 sessions:
- Excel Q&A, Thursday, April 2, with Adriana Linares
- The Greatest Hidden Windows and Office Tricks for Lawyers, Friday, April 3, with Peggy Duncan
- 60 Tips in 60 Minutes, Friday, April 3
- Techno Ethics: Be Safe, Not Sorry! Friday, April 3, with Erik Mazzone and David Ries