January/February 2006
Technology
Confidentiality: The Technology Overlay
By William Freivogel and Douglas R. Richmond

Part I
I. INTRODUCTION

This article focuses on the information technology that sophisticated law firms use, and on the ways this technology can be misused.

II. E-MAIL (OR, THE KEYBOARD IS YOUR ENEMY)
Lawyers must understand that they cannot be sure that their e-mails will not be turned over to prosecutors, regulators, plaintiffs in cases where the client’s conduct is at issue, and plaintiffs in suits against the firm. A lawyer beginning to compose an e-mail message must assume that she will be asked on the witness stand to read and explain the message to a jury. Where possible, that lawyer should consider foregoing e-mail and having a private conversation with the intended recipient. This is particularly true where the subject or theme of the message is the conduct or competence of a lawyer in the firm, or that of the client. It is also true when a lawyer believes he has made a mistake. When the conduct of a lawyer in the firm is at issue, convey related information orally to the person in the firm designated to handle such matters (for our purposes in this article, the “General Counsel”). If the General Counsel needs something written, it can be prepared under the General Counsel’s supervision.

A. “Aren’t These E-mails Privileged or Work Product?”
Good luck. As we have reported in various ways over the last several years, the biggest problem for good law firms is client fraud in the business practice. We are aware of thirty-four settlements by law firms exceeding $20 million, the largest being $108 million. Twenty-eight of those, including the largest, involved fraud by a client and subsequent claims by third parties against the client’s law firm. The attorney-client privilege evaporates in these cases, and the law firms must turn over their e-mails to prosecutors, regulators, and class action plaintiffs’ lawyers. This includes e-mails to and from clients, and e-mails between and among lawyers in the law firm. The ways that the privilege can be lost are myriad. A court can make a “crime/fraud” finding.(1) The client can waive the privilege as a public relations gesture.(2) A bankruptcy trustee or examiner can waive the privilege for an insolvent client.(3) Waiver can be part of a plea agreement.(4) Sharing documents with regulators (even with a confidentiality agreement) may cause a waiver in class actions or derivative actions.(5)

As to communications within a law firm about potential claims against the firm, courts do recognize an intra-firm attorney-client privilege. Problems arise, however, where the claimant is a current client. In such cases, courts have held that the firm’s conflict of interest abrogates its attorney-client privilege.(6) We discussed this situation at the Aon 2005 Large Law Firm Symposium, and Doug Richmond’s paper on the subject is available on the CD that all attendees received.

B. “Our Firm Deletes All E-Mails After Six Months”
Again, good luck. Your clients don’t. Third-party recipients don’t. If you print your important e-mails, the hard copy is still in the paper file. If your software permits you to put e-mails in special folders (What system does not?), they are still there. We do not know a law firm that purports to delete e-mails after a given period that also deletes messages kept in such folders. In short, e-mails are everywhere and are forever.

III. VOICEMAIL
We just recommended that e-mails that are negative about lawyers or clients are dangerous and that such sentiments should be conveyed orally. We did not mean that lawyers should do so by leaving a message on someone’s voice mail. Firms and companies are increasingly saving or backing up voicemails. That means when the attorney-client privilege is lost, or when the firm is sued, recorded voicemail becomes available to prosecutors, regulators, and plaintiffs’ lawyers. Thus, the most that lawyers should say on voicemail when they have something negative to convey is “please give me a call or come see me.” If the call is returned, presumably the conversation can occur with relative safety.

IV. ENCRYPTING E-MAIL
Encryption software makes e-mail messages unreadable, unless the recipient has a “code” or “key” to make the message readable. Occasionally, well-meaning experts in law firm risk management advocate that law firms encrypt their outgoing e-mails and require their clients to do the same.(7) That position has two problems. First, encryption software is cumbersome. Second, most clients—even large and sophisticated clients—do not use encryption, and do not want their lawyers to use it. Therefore, we do not take the view that law firms should encrypt their e-mails. The vast majority of state ethics bodies and the ABA’s Standing Committee on Ethics and Professional Responsibility agree that the ethics rules do not require encryption.(8) Using unencrypted e-mail does not waive the attorney-client privilege.(9) Last, in all our years of advising law firms on loss prevention and studying claims against law firms, we are not aware of a single instance in which a lawyer or law firm paid civil damages resulting from the interception of an unencrypted e-mail.

V. METADATA
Documents created with word processing software contain “metadata.”(10) Metadata is information embedded in a document’s electronic file that is automatically created by the software the author is using without the author’s intent or knowledge. Metadata may include the author’s name, the names of prior authors, the identity of the server or hard drive where the document is saved, when the document was created, file properties and summary information, document revisions and versions, template information, the names of people to whom the document has been sent, comments, the time spent editing the document, custom document properties, and more. “Metadata can be as revealing as a postmark on a letter, fingerprints on the envelope, and DNA from saliva on the seal.”(11) Furthermore, because lawyers often reuse documents and templates, the amount of metadata that a document contains is often impossible to judge.

Many lawyers know that documents transmitted electronically contain metadata. One lawyer has even boasted publicly that “‘[t]he first thing I do when I get something is look for [metadata] like the author’s name, revisions, and history.’”(12) The problem, quite obviously, is the associated transmission of confidential information.(13)

Given lawyers’ ethical obligation to maintain clients’ confidences, they should exercise reasonable care to strip metadata from documents exchanged with adversaries, electronically filed with courts, or disclosed to the public. Various types of scrubbing software are available. Alternatively, lawyers might transmit documents in electronic formats that do not allow metadata to be revealed. We are told that metadata cannot be revealed in documents sent in “pdf” format. If you have reservations about particular documents, and can do so, the easiest solution is to send paper copies.

The practical problems posed by metadata transmission are several. Suppose that you send a client a bill as an e-mail attachment, or put the bill on a shared drive or intranet accessible by the client. Suppose further that the client uncovers the metadata in the bill, and it reveals that you changed the amount charged for “secretarial overtime,” which the client said it would not pay for, to “photocopying expense,” which the client agreed to pay for.(14) Alternatively, suppose that you are negotiating a settlement, and you send a proposed settlement agreement to the lawyer on the other side. The parties have not yet agreed on the amount. The initial draft contains a settlement amount of $15 million. Your opponent opens the hidden data, which suggests that your client was willing to pay $30 million. No firm wants to find itself in one of these situations.
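
A pre-send check for the situations just described, as an added example that is not part of the original article. It assumes the modern .docx (Office Open XML) format, which postdates this article, and runs on a constructed minimal package whose names and amounts are invented to mirror the settlement scenario above.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
CORE_FIELDS = [(DC, "creator"), (CP, "lastModifiedBy"), (CP, "revision")]
AUTHOR = f"{{{W}}}author"


def _text(el, tag):
    """Concatenate the text of every <w:tag> element found under el."""
    return "".join(t.text or "" for t in el.iter(f"{{{W}}}{tag}"))


def audit_docx(data: bytes) -> dict:
    """List hidden data in a .docx you are about to send (run on your own files)."""
    report = {"properties": {}, "deletions": [], "insertions": [], "comments": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for ns, tag in CORE_FIELDS:
                el = root.find(f"{{{ns}}}{tag}")
                if el is not None and el.text:
                    report["properties"][tag] = el.text
        if "word/document.xml" in names:
            body = ET.fromstring(z.read("word/document.xml"))
            # Tracked deletions keep the removed words in <w:delText>.
            for el in body.iter(f"{{{W}}}del"):
                report["deletions"].append((el.get(AUTHOR), _text(el, "delText")))
            for el in body.iter(f"{{{W}}}ins"):
                report["insertions"].append((el.get(AUTHOR), _text(el, "t")))
        if "word/comments.xml" in names:
            root = ET.fromstring(z.read("word/comments.xml"))
            for el in root.iter(f"{{{W}}}comment"):
                report["comments"].append((el.get(AUTHOR), _text(el, "t")))
    return report


def is_clean(report: dict) -> bool:
    """True only when no property, tracked change or comment remains."""
    return not any(report.values())


def build_sample() -> bytes:
    """Constructed minimal package (not a complete Word file) for the demo."""
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            "<dc:creator>Partner A</dc:creator>"
            "<cp:lastModifiedBy>Associate B</cp:lastModifiedBy>"
            "<cp:revision>14</cp:revision></cp:coreProperties>")
    doc = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
           "<w:r><w:t>Defendant shall pay </w:t></w:r>"
           '<w:del w:author="Associate B"><w:r><w:delText>$30 million</w:delText></w:r></w:del>'
           '<w:ins w:author="Associate B"><w:r><w:t>$15 million</w:t></w:r></w:ins>'
           "</w:p></w:body></w:document>")
    comments = (f'<w:comments xmlns:w="{W}"><w:comment w:author="Partner A">'
                "<w:p><w:r><w:t>Client authority is higher; start low.</w:t></w:r></w:p>"
                "</w:comment></w:comments>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", doc)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    for kind, items in audit_docx(build_sample()).items():
        print(kind, items)
```

A document should leave the firm only when `is_clean` returns true for it; anything the report lists is readable by the recipient.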

Since the threat to client confidentiality and attorney work product posed by metadata is now known, it is appropriate to focus on the lawyers who receive electronic documents loaded with invisible information. Do they have any ethical obligations with respect to the metadata hidden in the documents sent to them? On the one hand, it might be reasonably argued that lawyers’ duty to competently represent their clients obligates them to uncover the metadata in the documents they receive and, if possible, use any information revealed to their clients’ advantage. On the other hand, it can just as easily be argued that electronically ransacking a document to uncover metadata is dishonest—it is no different than rummaging through another lawyer’s briefcase when he leaves the room, or eavesdropping on another lawyer’s private conversation with her client.

The New York State Bar Association’s Committee on Professional Ethics attempted to resolve this debate in a 2001 ethics opinion.(15) The Committee saw no difference between a lawyer’s surreptitious examination of metadata and “less technologically sophisticated means of invading the attorney-client relationship” that have been “rejected as inconsistent with the ethical norms of the profession.”(16) The Committee concluded that a lawyer’s surreptitious use of technology to obtain another party’s potentially confidential information would violate New York’s ethics rules prohibiting conduct involving dishonesty, deceit, fraud or misrepresentation, and conduct prejudicial to the administration of justice.(17)

Doug Richmond is Senior Vice President in the Professional Services Group of Aon Risk Services, the world’s largest broker of lawyers’ professional liability insurance, where he consults with Aon’s large law firm clients on professional responsibility and liability issues. Before joining Aon in Chicago, Doug was a partner with Armstrong Teasdale LLP in Kansas City, Missouri (1989-2004), where he had a national trial and appellate practice.

Bill Freivogel is Senior Vice President-Loss Prevention at Aon Risk Services and is a member of its Professional Services Group. He provides legal ethics and loss prevention services to Aon’s law firm clients.

Footnotes:
1. See RESTATEMENT (THIRD) OF THE LAW GOVERNING LAWYERS § 81 (2000) [hereinafter RESTATEMENT] (discussing privilege); id. § 93 (discussing work product).

2. Several law firms representing Enron saw their communications with and about Enron made public. See Testimony of Stephen Hall before the Senate Committee on Commerce, Science, and Transportation, May 15, 2002.

3. See, e.g., FDIC v. Cherry, Bekaert & Holland, 131 F.R.D. 202, 205 (M.D. Fla. 1990); Odmark v. Westside Bancorp., 636 F. Supp. 552, 554-56 (W.D. Wash. 1986). As to the Examiner in the Enron bankruptcy waiving Enron’s privilege, see In re Enron Corp., Order Pursuant to 11 U.S.C. §§ 1104(c) and 1106(b) Directing Appointment of Enron Corp. Examiner, No. 01-16034 (AJG) (S.D.N.Y. Apr. 8, 2002).

4. For a good overview of how the Department of Justice uses this technique, see John Gibeaut, Junior G-Men, A.B.A.J., June 2003, at 46.

5. See, e.g., In re Columbia/HCA Healthcare Corp. Billing Practices Litig., 293 F.3d 289, 302-04 (6th Cir. 2002).

6. For an article critical of this result, see Douglas R. Richmond, Law Firm Internal Investigations: Principles and Perils, 54 SYRACUSE L. REV. 69 (2004).

7. We recently read a report of a law firm “audit” conducted by a law firm risk management consultant, who, in the course of advising the firm to encrypt its e-mail, asserted that all good firms encrypt e-mail. That statement is patently wrong.

8. See, e.g., ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 99-413 (1999); Del. State Bar Ass’n, Comm. on Prof’l Ethics, Op. 2001-2 (2001). For an excellent discussion of unencrypted e-mail, see David Hricik, Lawyers Worry Too Much About Transmitting Client Confidences by Internet E-mail, 11 GEO. J. LEGAL ETHICS 459 (1998). For a compilation of state authorities, go to David Hricik’s Web site at http://www.hricik.com/email.html (last visited Oct. 11, 2005).

9. In re Asia Global Crossing, Ltd., 322 B.R. 247, 256 (Bankr. S.D.N.Y. 2005).

10. David Hricik & Robert R. Jueneman, The Transmission and Receipt of Invisible Confidential Information, PROF. LAW., Spring 2004, at 18, 18; Jason Krause, Hidden Agendas, A.B.A. J., July 2004, at 26, 26; Donna Payne & Bruce Lewis, What You Can’t See, Can Hurt You, LEGAL TIMES, Sept. 27, 2004, at 16, 16; Thomas E. Spahn, Litigation Ethics in the Modern Age, BRIEF, Winter 2004, at 12, 16.

11. Krause, supra note 10, at 26.

12. Id. (quoting lawyer).

13. See id. (describing confidential information learned from an examination of metadata found in a document from a major intellectual property lawsuit).

14. This is not a hypothetical. A partner in a very fine law firm did this to several large corporate clients, and when caught, was disciplined. The law firm had to reimburse the clients for the over-billings. The aggravation and embarrassment were substantial.

15. N.Y. State Bar Ass’n Comm’n on Prof’l Ethics, Op. No. 749, 2001 WL 1890308 (Dec. 14, 2001).

16. Id. at *2.

17. Id.


Security Alert
***Note***
The following paragraph discusses the "zero-hour" vulnerability in Microsoft Windows products. While this is a very severe issue, we would like to let our readers know that Microsoft has since released an update to address this issue. The update can be downloaded on Microsoft's Windows Update (http://www.windowsupdate.com) site, as well as through Microsoft's Automatic Updates. We have decided to leave the following paragraph intact just to reiterate the danger of this flaw, and the importance of keeping your software, especially Microsoft products, up to date with the latest patches and updates.
***End Note***

The current hot topic regarding Microsoft’s security is the release of the latest “zero-hour” vulnerability. Unfortunately, the problem with this particular exploit is the way it propagates itself. This particular exploit is embedded in files called WMF files (Windows MetaFiles, files that end in .wmf). This is an image file format (like JPG or BMP), and because of the way Windows handles them, all a user has to do is view the file to launch the exploit. Put simply, someone could send you an e-mail with an attached image, and as soon as you view that image (such as opening an attachment, loading the image in the Outlook preview pane, or visiting a malicious site), your computer could be infected with a virus, spyware, or any number of malicious software programs. There are a number of things that can be done, but unfortunately none of them are foolproof, which is what makes this particular exploit so frightening. For example, network administrators can filter out Internet-borne WMF files, but people spreading the exploit can simply rename the WMF file to .JPG or .BMP to get past the filters. Microsoft has recommended disabling the Windows Picture and Fax Viewer, but that has its own problems, as you will not be able to view standard JPGs and BMPs unless you have another viewer. This also poses a problem for users of Q-Law, considering an image viewer has to be installed to view scanned documents. Also, if another viewer is used that can view WMF files, it is also vulnerable, so disabling the Picture and Fax Viewer is not a foolproof or feasible short-term solution. The best course of action is vigilance. Keep your antivirus and spyware software (I recommend checking out Microsoft’s Anti-Spyware) updated, don’t stray too far from the sites you know are safe, and avoid e-mails with attachments or embedded images. The good news is Microsoft has announced that a fix should be available in the next week or so.
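
The renaming problem described above arises when a filter trusts the file extension. The following added example (not from the original article) classifies an attachment by its leading bytes instead, so a metafile is recognised whatever it is called. The policy choices and the sample byte strings are assumptions constructed for illustration.

```python
import os
import struct

PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a"  # placeable-metafile key 0x9AC6CDD7, little-endian
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".bmp": "bmp",
              ".png": "png", ".gif": "gif", ".wmf": "wmf"}


def sniff(data: bytes) -> str:
    """Identify an image format from its leading bytes, ignoring the file name."""
    if data[:4] == PLACEABLE_WMF:
        return "wmf"
    if len(data) >= 6:
        # Standard metafile header: type (1 or 2), header size in 16-bit
        # words (always 9), version (0x0100 or 0x0300).
        ftype, hdr_words, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"BM":
        return "bmp"
    return "unknown"


def filter_attachment(filename: str, data: bytes) -> tuple:
    """Return (action, detected_type). The policy is an assumption: block WMF
    content under any name; quarantine other image-extension mismatches."""
    detected = sniff(data)
    claimed = IMAGE_EXTS.get(os.path.splitext(filename)[1].lower())
    if detected == "wmf":
        return ("block", detected)
    if claimed is not None and claimed != detected:
        return ("quarantine", detected)
    return ("allow", detected)


# Constructed samples: header bytes only, no image or metafile records.
WMF_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
BMP_HEADER = b"BM" + bytes(12)

if __name__ == "__main__":
    for name, blob in [("card.wmf", WMF_HEADER), ("card.jpg", WMF_HEADER),
                       ("card.bmp", PLACEABLE_WMF + bytes(18)),
                       ("photo.jpg", JPEG_HEADER), ("scan.jpg", BMP_HEADER)]:
        print(name, filter_attachment(name, blob))
```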

This brings up another point, keeping your system up-to-date. I know many people frown at upgrading to Windows XP Service Pack 2. While it does have its issues (primarily with programs due to increased core security), it is something you may want to think about upgrading to. It provides a laundry list of fixes, as well as a ton of security upgrades, most notably the updated firewall (designed to protect you against foreign intrusion). If you do not wish to upgrade, it is highly recommended you install a firewall (such as Zone Alarm), and keep your computer up to date with Microsoft’s critical updates. Microsoft has been very good with releasing fixes to vulnerabilities in Windows, so it is certainly worth your while to keep an ear to the ground for new updates. Microsoft also provides an automatic update feature that does the work for you, so it is even easier to stay updated.

It is worth mentioning that aside from Windows, hackers have been targeting other programs, such as Internet Explorer, which has been a target of many attacks. Mozilla’s Firefox is a great, highly customizable browser that offers good security and a nifty feature called Tabbed Browsing. Instead of having 5 IE windows open, Firefox (along with Netscape) can have one window open with multiple pages broken into tabs. It has had its vulnerabilities, but it is more secure than Internet Explorer, although it does not include many of the plug-ins (Java, Flash, Shockwave) that IE packages. Outlook has also been a target of attacks. If you are only using Outlook or Outlook Express to check e-mail, it might be worthwhile to switch to another program, such as Eudora or Mozilla’s Thunderbird. They also offer Junk Mail filters that do a superb job of stripping out the garbage. (Of note, most Junk filters must be trained. This usually involves simply marking junk mail as such, and after a while the program will catch on.) If you wish to stay with Outlook, it may be worthwhile to turn off the preview, or reading, pane (in Outlook 2003, this can be done by clicking View => Reading Pane => Off). It is NOT necessary for you to switch programs, but it may be something for you to consider.

Another topic that deserves attention is the proliferation of viruses, Trojans, and worms. Viruses are programs that replicate themselves on systems, usually destroying data in the process. Trojans are programs that primarily cause annoyances; many do not cause data loss, but are a pain. Worms are programs like viruses in that they replicate themselves; however, they do so by spreading through the Internet, usually using e-mail, or through networks. While viruses can easily destroy a system, worms are more subtle, considering they usually do not directly destroy data, but they can slow networks to a crawl, cause major aggravation to users, and many can open holes for hackers to access your system (oftentimes, the hackers use infected systems to launch Denial of Service (DoS) attacks on major Web sites. Put simply, when enough computers try to access a Web site at one time, it can cause the site to go down). I am sure many of you out there have heard of the various viruses, Trojans and worms going around, such as the I.Love.You virus, the Blaster worm, Netsky, Sober, etc. What many may not realize is how easy it actually is to avoid infection from these numerous viruses and worms. The vast majority of modern viruses and worms come in e-mail, usually disguised as a message from someone you know. Most recently, a worm (a variant of the Sober worm) was attached to an e-mail that looked as though it were from the FBI or CIA, claiming to have logged your IP address on illegal Web sites. The e-mail went on to say that attached there was a checklist for the reader to fill out… of course the attachment was not a checklist, it was a worm. Many people were infected by this worm, and it spread rapidly. I myself got hundreds of copies of the e-mail in my mail box in the course of just a few days, but I was never infected.

So, how do you avoid infection? Well, there are two primary ways. The first and most important is to install a good, auto-updating virus scanner. Symantec’s AntiVirus and McAfee’s VirusScan are the two most popular, and usually come pre-installed on many new systems. These are not your only two choices, as there are literally hundreds of different programs out there, each with varying degrees of effectiveness. I cannot stress enough the importance of proper virus protection in an office environment, or on a home PC. Aside from e-mails, viruses and worms can also be attached to downloads, transferred via chat programs, installed from malicious Web sites, or may even be on a laptop someone brings to your office or home. Quality virus scanning software can protect an entire network from infection, and even protect against AOL Instant Messenger viruses and e-mail-borne viruses. At home, I recommend a product called AVG Anti-Virus, which is totally free and designed for home use. It is a very effective virus scanner and auto-updates daily so you are always protected from new threats. If your office does not have virus protection, purchase it pronto. If your home computer is unprotected, check out AVG.

Secondly, a little precaution in your computer usage habits goes a long way in the computer world. Many computer users become infected simply because they are not the most computer savvy. I cannot fault anyone for that, as although computers are machines that work purely on a Yes/No or On/Off basis (called Binary) they can be quite daunting, and oftentimes very touchy. In the olden days, you could get by with “flying blind,” so to speak, and not have to worry about people trying to destroy your system. Unfortunately, today there are a lot of people out there who feel their time is best used destroying computers, and causing headaches for both the non-savvy users and IT staff. It takes a sad, sad person to do something like that, but they exist. Because of this, it is best to remember when browsing or reading e-mails, that at any given moment, someone is plotting to do your computer harm. Therefore, if you do not know who sent you an e-mail, and it has an attachment, DO NOT OPEN IT. Oftentimes, e-mails come from people you may know when they have become infected, usually with odd or inviting subjects (such as “check this out, you’ll love it!”). If they send you an e-mail with an attachment, and you have the slightest suspicion, e-mail them to confirm the attachment is safe. If you have proper anti-virus software installed, more often than not, it will detect and clean the virus from the attachment. (If your virus scanner does clean a virus from an e-mail received from someone you know, it is a good idea to send them a message to let them know their system is infected.) E-mail attachments are quickly becoming the #1 way for viruses and worms to spread, so remember, if an e-mail has an attachment, err on the side of caution.

In closing, the Internet can certainly be a scary place, but it is not unlike anywhere else in the world, so do not panic. You are at risk with everything you do, even getting up and walking to get a cup of coffee. The important thing to remember is to know the risks of your actions, and take proper precautions (you wouldn’t try to walk to the coffeepot blindfolded while holding a sharp knife and wearing roller skates… at least I hope you wouldn’t). Make sure you install a quality spyware removal program, such as Microsoft’s Anti-Spyware beta, which has caught everything thrown at it thus far. Beware; there are a number of “anti-”spyware programs that are malicious, most are advertised in pop-ups, and an alarming number come packaged with adware (how ironic is it for an adware or spyware program to advertise something that is used to remove itself). Along with the anti-spyware program, install a proper anti-virus program. You should also consider your usage habits. Do not browse or read e-mails with reckless abandon. If something looks suspicious, it is best to err on the side of caution. When installing software, be sure to read the prompts. I recently had to clean a computer that became infected because the user ignored the adware notice in a wallpaper program. As I said earlier, computers are very yes and no; a little precaution goes a very long way.

We hope this article shed some light on methods to protect yourself from the various viruses, worms, Trojans, and exploits that are floating around. If you have any further questions, or just want to discuss the topic, don’t hesitate to visit our bulletin board at http://forums.qlaw.biz and post.

Kurt Sund
Q-Soft is the developer of Q-Law, a comprehensive software package custom designed to improve the productivity and profitability of law firms which specialize in collection, creditor bankruptcy and foreclosure procedures, using advanced document automation templates, docket calendaring, time and billing, and much more. Q-Law has been in development since 1986.

Mr. Kurt Sund, founder of Q-Soft and the mastermind behind Q-Law, has been a software developer for over 20 years. His vast experience as owner of a collection agency and as the chief IT officer in one of the nation’s largest collection law firms granted him insight into the nuts and bolts of legal collection.