Technology & Law

New Massachusetts Data Security/Privacy Regulations and Small & Mid-Size Law Firms

What the New Massachusetts Data Security Regulations Really Mean for Small and Mid-Size Law Firms

You may have heard of the new regulations released by the Massachusetts Office of Consumer Affairs and Business Regulation – specifically, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth (PDF link).

These regulations apply to anyone who owns or licenses certain information (so-called “personal” information) about a Massachusetts resident, but for the purposes of this discussion, we’re going to limit ourselves to how these regulations apply to law firms.

Many law firms, and especially smaller firms, don’t have an in-house IT person or technical staff, which leaves the attorney or office manager to grapple with the issues raised by these regulations – issues which in many cases go well beyond their areas of expertise. The goal of this article is to help people understand how these regulations apply to them in plain English.

Note: While we hope you find this article helpful, this isn’t meant to be a definitive guide as to what you should do to make sure your firm complies with these new regulations. This is just general advice and tips.

First, some definitions – the regulations themselves contain a far more extensive “definitions” section (see section 17.02 of the actual regulations) – so we’ll just cover the basics here.

What exactly is “personal” information? Under the regulations, “personal” information is a person’s first & last name (or first initial & last name) in combination with any one (or more) of the following:

  • Social Security number
  • Driver’s License Number (or other state-issued ID number)
  • Financial account number(s) (checking/savings account number, etc.)
  • Credit card number(s)

What exactly am I required to do? In general, you have to take steps which are appropriate to the size, scope, and nature of your business to protect “personal” information from unauthorized use. More or less, this means coming up with a (written) plan to make sure that the personal information you have is kept safe, keeping that plan up-to-date and making sure everyone in your firm is educated about the plan.

Section 17.04 of the regulations spells out what you have to do as far as computer security is concerned. This section is broken down into a number of topics relevant to computer security.

Secure User Authentication: This is a very technical way of saying “user names and passwords.” We’ve posted a link to an article from Microsoft on choosing strong, secure passwords before, but in general, the longer your password is, the more secure it will be. For most people, the password you need to worry about the most is the password you use to log on to your computer (that is, log on to Windows). Fortunately, Windows allows you to use very long passwords – you can even use spaces and upper & lower case letters – so you can pick very long, but easy (for you) to remember passwords. You can use entire sentences, complete with punctuation, if you want.

For example, the password (or “pass-phrase” as it’s sometimes called when it’s this long) “I grew up on my uncle’s farm in Sudbury, Massachusetts” is very long (54 characters) – which makes it very strong. (A 54 character password, using just the letters, numbers, and punctuation marks on your keyboard, has something on the order of 2.564 x 10^91 possible permutations!) The benefit of a long pass-phrase like this is that its length gives it strength (it’s hard for someone else to “guess”), but the fact that it’s a plain English sentence makes it easy for you (the user) to remember. After all, a good password does you no good if you can’t remember it!

Another useful tip is that most computer systems have a limit on the number of times you can try to log on while getting the password wrong (3 or 5 are the usual number of tries you’re allowed). After you’ve tried to log on a few times, but gotten it wrong, you might be locked out – or you might have to wait a period of time before you can try again. This helps prevent people from just guessing passwords as fast as they can (usually automatically using another computer).

However, the built-in “Administrator” account in Microsoft Windows (and in other operating systems too, like Mac OS X and Linux) usually has no limit on the number of times the password can be guessed (after all, you need at least 1 account that you can’t be locked out of, so that you can log on and unlock the people who guessed wrong). It is very important to set a very strong password for the “Administrator” account. If your “Administrator” account doesn’t have a good password, then all of your other good passwords are useless, since by definition the “Administrator” account has access to everything on your computer.

Secure Access Control Measures: In general, this means that people only have access to the files & data that they actually need to get their job done. Your bookkeeper, for example, doesn’t need access to your client’s financial statements – that’s not part of his or her job. Likewise, your receptionist doesn’t need access to your firm’s financial records (unless your receptionist is also your bookkeeper of course!).

All versions of Windows since Windows 2000 provide easy ways for you to set “permissions” on files, so that you can give access to files to some users, but not to others. However, these “permissions” depend on the user who is logged onto the computer – so if you have two or more people “sharing” a computer, make sure that you have a separate user name for each of them. Otherwise, from the computer’s point of view, they are all the same person and have access to the same files.

Secure access control also means disabling or deleting user accounts for people once they no longer work for you – this is something that many people forget to do, and the result is that the ex-employee now has a “back door” into your files. Even if he never intentionally uses it, the account is still around, and he may re-use his password somewhere else, and it may get stolen, and now whoever stole the password has access to your files!

Encryption of personal information sent over public networks (e.g., the Internet): For most people, this refers to email – but it can also refer to websites where you upload files or enter and save information.

Encryption is a complicated topic in itself – but you can think of it as “locking” something in a box or safe, so that no one else can open it up. In respect to email, encryption means that you lock the email before sending it, and the recipient also has to have his own copy of the “key” so that when he receives it, he can unlock the email.

The difficulty here is of course that the recipient must already have the key to unlock the email in the first place. It’s sort of a catch-22 situation – no matter what you do, you need the recipient to somehow already have the “key” before you can send encrypted email. There is no easy answer to this – other than not to send “personal” information via email in the first place. There are many different third party services which offer ways to send encrypted email – but all of them involve making the person to whom you’re sending the email have to do something “extra” to get your message. Whether this involves signing up for an account with the third party service or something else entirely, he will have to do something. (This is one of the main reasons that encrypted email – although it’s been possible for years and years – has never caught on.)

As far as email is concerned, it’s worth remembering that you only need to encrypt emails that contain “personal” information – and remember that “personal” information isn’t just someone’s name, it has to be a name and some form of ID number (SSN/License/credit card/etc.). So if you never send that sort of stuff by email, you’ll never have to encrypt your email.
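The rule above (a name plus an ID number is what triggers the encryption requirement) can be turned into a pre-send check. This is an added example, not part of the original article: the client list, the sample messages and the function names are all constructed for illustration, and only Social Security and credit card numbers are recognized, since driver's license and bank account numbers have no single format.

```python
import re

# SSN written with separators (123-45-6789 or 123 45 6789). Bare nine-digit
# runs are ignored because they also match ZIP+4 codes and similar numbers.
SSN_RE = re.compile(r"\b(\d{3})([- ])(\d{2})\2(\d{4})\b")
# A run of digits, optionally grouped by one consistent separator.
DIGIT_RUN_RE = re.compile(r"\b\d+(?:([ -])\d+(?:\1\d+)*)?\b")

def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666, 9xx; group 00; serial 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_id_numbers(text):
    """Return the kinds of ID number found in text: 'ssn' and/or 'card'."""
    kinds = set()
    for m in SSN_RE.finditer(text):
        if plausible_ssn(m.group(1), m.group(3), m.group(4)):
            kinds.add("ssn")
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.add("card")
    return sorted(kinds)

def names_in(text, clients):
    """Match 'First Last' or 'F. Last', the two name forms the definition covers."""
    hits = []
    for first, last in clients:
        pattern = r"\b(?:%s|%s\.?)\s+%s\b" % (
            re.escape(first), re.escape(first[0]), re.escape(last))
        if re.search(pattern, text, re.IGNORECASE):
            hits.append((first, last))
    return hits

def check_message(text, clients):
    """Encryption is called for only when a name AND an ID number appear together."""
    names = names_in(text, clients)
    ids = find_id_numbers(text)
    return {"names": names, "ids": ids, "encrypt": bool(names and ids)}

# Constructed sample data (hypothetical clients and messages, not real records).
CLIENTS = [("Jane", "Smith"), ("Robert", "Brown")]
MSG_NAME_AND_SSN = "Jane Smith's SSN is 123-45-6789; please file by Friday."
MSG_NAME_ONLY = "Hearing for J. Smith moved to 2010-03-01, call 617-555-0100."
MSG_CARD_ONLY = "Card on file: 4111 1111 1111 1111"
MSG_NAME_AND_CARD = "Retainer for Robert Brown charged to 4111-1111-1111-1111."

if __name__ == "__main__":
    for msg in (MSG_NAME_AND_SSN, MSG_NAME_ONLY, MSG_CARD_ONLY, MSG_NAME_AND_CARD):
        print(check_message(msg, CLIENTS)["encrypt"], "-", msg)
```

A check like this only catches what it can recognize; a message it passes can still contain a license or account number, so it supplements staff judgment rather than replacing it.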

If you only need to send personal information by email once in a while, you might be able to get by with one of the third party solutions for encrypted email – assuming that you let the recipient know in advance that he’s going to have to do something extra to get your file. Alternatively, you might turn to a secure website for transferring files – we’ve talked about this before here in our article on “Solving the problem of sending sensitive files by email.”

If you upload files that contain personal information to any website (or if you enter and save personal information into a website), chances are that the website already has encryption – just look for the little “lock” icon that appears in your browser when you visit that site. If the “lock” icon is there, then the connection is encrypted.

If you use a third party website which saves personal information, you also have to check with the provider of that website to make sure that the information you’re saving there is also adequately protected – basically, the people who run the website have to comply with the Massachusetts regulations just as you do.

Reasonable Monitoring: In general, this means exactly what it sounds like – take reasonable steps to monitor your computers and make sure that no unauthorized use has taken place. In other words, it means “be aware of your stuff.” Of course, what constitutes “reasonable” will depend greatly on the size and resources of your firm, but in general you’d want to have some sort of record or log of (for example) when someone tries unsuccessfully to log on several times (this might mean that someone’s trying to guess your password and log on).
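A review of a logon record along these lines might look like the following. This is an added example, not part of the original article: the one-line-per-logon format, the account names and the thresholds are assumptions, and in practice the records would come from an export of the operating system's own security log. It also applies two points made earlier: accounts that cannot be locked out get stricter treatment, and any use of a former employee's account is reported.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (timestamp, account, result); not real log data.
SAMPLE_LOG = """\
2010-03-01T08:58:12 jsmith FAIL
2010-03-01T08:58:40 jsmith OK
2010-03-01T23:14:01 mjones FAIL
2010-03-01T23:14:09 mjones FAIL
2010-03-01T23:14:15 mjones FAIL
2010-03-01T23:20:30 mjones OK
2010-03-02T02:05:00 Administrator FAIL
2010-03-02T09:00:00 rbrown OK
2010-03-02T09:30:00 tclark FAIL
2010-03-02T11:45:00 tclark FAIL
"""

def parse(log_text):
    """Yield (time, account, succeeded) for each non-blank record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, account, result = line.split()
        yield datetime.fromisoformat(stamp), account.lower(), result == "OK"

def review(log_text, threshold=3, window=timedelta(minutes=10),
           former_staff=(), no_lockout=("administrator",)):
    """Return a list of (reason, account, time) findings, in log order.

    threshold/window: how many failures, within how long, count as guessing.
    former_staff:     accounts that should have been disabled (assumed list).
    no_lockout:       accounts exempt from lockout; every failure is reported
                      because nothing else slows down guessing against them.
    """
    former_staff = {a.lower() for a in former_staff}
    no_lockout = {a.lower() for a in no_lockout}
    recent = defaultdict(deque)   # account -> times of recent failures
    burst_at = {}                 # account -> time its last burst was flagged
    findings = []
    for when, account, ok in parse(log_text):
        if account in former_staff:
            findings.append(("former-staff-account-used", account, when))
        if ok:
            # A success shortly after a burst may mean a guess finally worked.
            burst = burst_at.pop(account, None)
            if burst is not None and when - burst <= window:
                findings.append(("success-after-burst", account, when))
            recent[account].clear()
            continue
        if account in no_lockout:
            findings.append(("failure-on-no-lockout-account", account, when))
        fails = recent[account]
        fails.append(when)
        while when - fails[0] > window:   # drop failures older than the window
            fails.popleft()
        if len(fails) >= threshold:
            findings.append(("repeated-failures", account, when))
            burst_at[account] = when
            fails.clear()                 # report each burst once
    return findings

if __name__ == "__main__":
    for reason, account, when in review(SAMPLE_LOG, former_staff=("rbrown",)):
        print(when.isoformat(), account, reason)
```

In the sample, the two tclark failures are more than two hours apart and are not reported, while the three mjones failures within fifteen seconds are, along with the successful logon that follows them.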

Encryption of Personal Information on Laptops and other Portable Devices: This part of the regulations is required because laptops and other “portable” computers (netbooks, iPhones, Blackberries, etc.) are naturally more susceptible to being stolen, due to the fact that they are portable – you might forget your laptop somewhere, or it might be stolen, and so on. Because of this, you need to take extra precautions with the information on portable computers.

For example, if someone steals your laptop, even though you have a very good, strong password that prevents him from just logging on and reading your files, he can still just take your laptop’s hard drive out of the laptop and plug it into a different computer and read the files off of it. (The same thing goes for desktop computers as well, but since they are safe behind the locked doors of your office, it is less of a worry.)

To prevent someone from just reading the files off of your laptop’s hard drive, you need to “encrypt” the files – basically, locking them with a “key” which only you know. Fortunately, this is not very hard to do, although there are many different ways to go about doing it. We’ve talked about encrypting your client files here before, in our article on “Keeping your Client’s Data Safe.” If you use Windows, and you have a good, strong password, you can use the encryption that is built right into Windows itself (see our article for links on how to go about doing this).

The only files you absolutely have to encrypt (as far as these regulations are concerned) are the files that contain “personal” information. However, if you have lots of files in many different programs all over your computer, you may want to encrypt the entire hard drive (using “whole-disk” encryption). The top-end editions of recent Windows versions (e.g., Windows 7) have whole-disk encryption tools built-in, or you can use a third party solution.

As far as portable devices (iPhones, Blackberries, etc.) go, there may be encryption software available, or you may be able to use a PIN/password feature of the phone itself to “lock” the phone completely so that if it’s stolen, no one can use it (without erasing the phone’s memory, which of course also erases any personal information, thus keeping it safe from unauthorized use).

Up-to-date firewalls, anti-virus, anti-malware: This section of the regulations is just formalizing what you should already have – to use a computer that’s connected to the Internet these days without some sort of firewall or anti-virus is just asking for trouble. Fortunately, all of these options are very easy to take care of.

If you have an Internet connection to your office, chances are you have some sort of “router” into which you plug your computers and which then is connected to your actual Internet connection (DSL/Cable modem, etc.). Your DSL or Cable modem may even be a router itself – this depends on your Internet provider and the manufacturer of your DSL/Cable modem. Most modern routers also act as a firewall, keeping the computers in your office “invisible” from the outside Internet. Some even offer more advanced filtering options – you should check the manual that came with your router to be sure.

In addition to your router, chances are your computer itself has a “software” firewall built in – all versions of Windows (since Windows XP Service Pack 2) have a firewall built in. As long as you haven’t turned it off, it should be silently doing its job, keeping outsiders from connecting to your computer.

Anti-virus and anti-malware programs are likewise easy to come by, although you need to take care with selecting a reputable vendor, as some spyware/malware disguises itself as anti-spyware or anti-malware programs – so you think you’ve installed a program to protect you, when in fact it is not doing anything but infecting your computer!

There are many well-known names as far as anti-virus programs go – and most of them are available as a “suite” of products, that includes a firewall, anti-virus, and anti-malware. Some you must pay for (and these usually include extra options, for example the ability to administer remotely the settings for all the computers in your office), while others are free. Although we tend not to recommend any one product over another, Microsoft does have an anti-virus and anti-spyware program called Microsoft Security Essentials which is both free and very effective. There are of course other products, which you can easily find both online and at your local software/office supply store.

Education and Training: The final aspect of these regulations involves both education and training. Basically, all the security in the world won’t do any good if the people using the systems aren’t educated about how it works and what they need to do to keep it working. Keep yourself and your staff informed on what proper procedures are for handling personal information in your firm so that no mistakes are made. (For example, you might prohibit your staff from copying files with personal information onto USB flash drives to take home and work on – since their home computers and the USB flash drive itself are not subject to your control and might not be secure.)

In many security breaches, the problem is often not a technical one, but instead a case of “human error.” So keep your staff informed on how personal information must be treated and you will help greatly reduce the chances of unauthorized use of personal information.

Final Thoughts: Although the new Massachusetts data security regulations may appear to be somewhat complex or demanding at first glance, many of the things mandated by these regulations are actually things you are already doing (or should be doing). Although you do have to do some extra work to keep on top of your security policy (such as writing it down and keeping it up-to-date), most of the other things you are required to do are relatively easy to accomplish.

Remember, this guide is just a guide. Although it is very easy to learn how to secure your computer systems using the information found here and elsewhere, if you’re not confident that you can do it, please seek the advice or help of a competent computer technician or IT person.

Icons courtesy of the Crystal Icon Set.

Webinar: How to Run a Paperless Law Office

Ernie the Attorney writes today about an upcoming webinar of his titled “How to Run a Paperless Law Office.”

“Lawyers are increasingly challenged to track information that’s growing at unprecedented rates. The rise of digital information has only increased that challenge. We are learning that processing information stored in paper is costly, cumbersome and inefficient. The solution is to switch to a paperless practice, which is challenging—but not as challenging as trying to manage both paper and digital information.”

If you’ve ever thought about trying to cut back on the amount of paper used in your law office, you may want to attend this (free!) webinar.

For more information and to sign up for the webinar, visit Ernie the Attorney’s site.

Document Assembly and ROI

Seth Rowland has recently published two very insightful articles on Document Assembly and Return on Investment.

Here are some excerpts:

Now is the best time for lawyers to redouble their automation initiatives. Document automation is the art of doing more with less (more work in less time) — with the potential of leveraging higher profits out of a shrinking staff. The best cost-cutting initiative is an investment in document automation.

[...]

For over a decade, I have preached that with document automation, firms can leverage legal talent with multiples that far exceed that of hourly billing.

[...]

Document assembly, properly understood, is a means to systematize the practice of law. Under such a system, you could achieve the same results, or better results, in a fraction of the time.

John Heckman had this to say about these articles:

The premise behind this approach is very simple (and I have seen it work very effectively with clients). Let’s say you normally bill a client 5 hours to prepare all the wills and associated documents connected with estate planning. If you charge $300 per hour, that’s $1,500. So you invest in Document Assembly and tell your clients you are reducing the amount you charge for will preparation to a flat fee of $1,000. But meantime, due to the efficiencies of your document assembly routines, it only takes 2 hours to prepare the package, and virtually all of that can be done by a paralegal. All the attorney has to do is make a couple of tweaks and bless it.

So the end result is that your client is happy because he has saved $500. Meanwhile, your effective hourly rate has gone from $300 an hour to $500 an hour. You will very rapidly recover the cost of setting up the system and from there on it is all gravy.

These are both very insightful articles into how investing in document assembly is very worthwhile – it makes your clients happy because they save money, and it makes you happy because you can do more in less time.

The bottom line seems to be that document assembly really is the future – it’s good for both you and for your clients.

Microsoft Word and the Modern Legal Practice

The legal community has long had special requirements for documents that most word processing programs just didn’t handle well. Given the amount of time and effort that is spent drafting documents, it comes as no surprise that lawyers and legal staff have often had a love/hate relationship with their word processing programs over the years.

With the new Word 2007, that’s all starting to change.

Microsoft Word Legal Document Templates

Word 2007 includes document templates specifically for legal documents – including documents with line numbers running down the left margin. You can even choose how many lines will be on a page! These documents are formatted to match the classical style of documents, so they aren’t quite as… let’s say “pretty” as TurboLaw documents, but they’ll do in a pinch. And they are included with Word 2007, so you don’t have to do the hard work of trying to lay them out on your own – which is always handy when you are pressed for time.

Microsoft Word Legal Document Template with Line Numbers

Word also includes some basic pleading templates, which include the traditional document heading. They are very useful for whipping up a quick document – if you intend to write and format the entire body of the document yourself.

Microsoft Word Legal Document Heading

Of course, Word’s legal document templates are just a starting point – unlike TurboLaw documents, they don’t merge case information – and they do use a font that resembles a typewriter’s typeface, just to preserve that “classic” feeling. You can, of course, change the fonts to suit your own taste – and if you want to make sure your documents are actually read, you might consider choosing your font with care – there is a great deal of research that has been done regarding how the choice of font can impact how people read. (For more on this subject, see our article on Tips for getting your documents read.)

Not Just Templates

It doesn’t stop with just templates, either. Microsoft has a vast number of resources available for the legal profession, including an entire section of articles filled with tips and how-to guides just for legal professionals. They have articles on how to write better legal documents with Microsoft Word, how to compare documents with the legal blackline option, using documents effectively in court and a number of articles on removing metadata (the “hidden data” in your documents that we’ve talked about before).

Collaboration Made Easy

Additionally, the Internet has made collaborating on a document easier than it ever was before. The American Bar Association notes how the new features of Word 2007 can help with document collaboration (as well as keeping sensitive information private and supporting compliance efforts), and for when the other party isn’t physically nearby, on-line document sharing tools such as Microsoft Office Groove and Google Docs can help “erase” the barriers of distance.

Technology & Law – Vol. VII

“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.

You are going to LOVE Office 2007.

I’m being quite serious here. You are really going to love it, once you upgrade to it. In fact, for anyone purchasing a new computer, I strongly recommend it. It is a worthwhile upgrade, and I will tell you why.

Lots of court forms in TurboLaw documents are laid out in tables, which help align the text exactly as it appeared on the original court form. Indeed, many court forms are obviously tables – with all the lines, columns, rows, and cells that come with that type of layout. It makes it easy to fill in by hand, but not so easy to reproduce on the computer.

Microsoft Word and the Table

Above: A typical Microsoft Word document with a table

Now, tables are all fine and dandy, but they don’t exactly work the same way as paragraphs do in a word processor such as Microsoft Word. You can’t just press the “Enter” key and get a new line – you have to add a new “row” in order to do that. In previous versions of Microsoft Word, working with tables was a chore – you had to go to the “Table” menu and select from a number of unclear sub-menus. Even for those who knew how to work with tables, it was a lot of clicking.

Well, Microsoft has really thought about these types of users in their latest version of the Office Suite. In Microsoft Office Word 2007, “menus” as you have known them are gone – instead, you have a “ribbon” that has “tabs” that correspond to different types of tasks. Most people will never leave the “Home” tab, which has most of the things you commonly use – bold, italics, basic paragraph formatting, lists, etc. This makes it extremely easy to get going in the new version – everything you need is right there, and everything you don’t need is hidden from sight (but easily accessible with just a click).

In the spirit of not bothering you with things that you can’t use, some controls are hidden until you click on something that would allow you to use them. For instance, the tabs that contain all of the table editing and formatting tools are hidden – until you click on a table.

Table Tools

Above: The Table Tools tabs appear!

These tabs are colored brightly so that you will notice them – as you can see from the picture above, the table tools tabs are yellow. Should you need to do any editing, simply click on one of these tabs to see the necessary buttons and controls.

Table Tools Layout

Above: The Table Tools “Layout” tab has been clicked

The Layout tab is the one you are most likely to use if you are using TurboLaw, as it includes all the functions you need to add or remove rows from a table. And best of all, the functions are very clearly labeled, and do exactly what they say.

Above: The “Rows & Columns” group of the “Layout” tab

A Typical Table

Above: A closeup of a table

It is just a single click now to insert a new row in a table. For example, in the document pictured above, there is space for only 6 children. If you needed a spot for a 7th child, you could simply click “Insert Below,” and a new row would appear. It really is that easy.

The ease of use in Microsoft Office Word 2007 goes beyond editing tables, though. This same philosophy has been applied to every function you could conceivably use – they are all grouped logically, so that when you need a function, it is already there. Word 2007 will make you even more productive – and when paired with TurboLaw, you’ll be able to produce and edit documents with astonishing speed. We really can’t say enough nice things about it – it will make your work easier.

Technology & Law – Vol. V

This week, rather than talking about security (as I usually do, and have done since this column started), I’d like to look at the other side of technology as it relates to the modern law office. Specifically, I’m talking about “blogging.”

The word “blog” is short for “web log,” and refers to a specific style of web page – one that is updated frequently with new information, while retaining old information (generally on the same page or sub pages). Only the owner of the blog can post new items – unlike “forums”, where anyone can register and start a new topic. Basically, a blog is sort of like an on-line journal or diary, where people write things that can be seen by everyone. Many people who write these blogs are quite professional, and their blog becomes more like an on-line newsletter or magazine (as opposed to amateur blogs, which can often read like a teenager’s diary).

Lately, a lot of lawyers have started blogging – often in response to interesting legal issues that would go un-published in more traditional media. This has produced some very well-written blogs, with interesting opinions that are well worth reading. In this new information age, a blog is a powerful communication and collaboration tool.

Here then are just a few of the most popular law blogs (or “blawgs” as they are sometimes known).

The Volokh Conspiracy

Underneath Their Robes

How Appealing

The Patry Copyright Blog

Those interested in starting their own blog can get started by visiting one of the major blog sites, such as Blogger, WordPress, or Typepad – although there are many other such blogging sites (sites that help you publish your blog).

It’s a brave new world out there – make yourself heard!

Technology & Law – Vol. III

Today’s article was not written by me, but instead by Bruce Schneier, a highly-regarded authority in the world of computer security & technology.

Since “Identity Theft” (or just plain fraud) is the biggest crime on the Internet today, and since a law office typically stores quite a bit of personal information on its clients, this is something that all legal professionals should keep in mind.

You can read the entire original article by clicking here.

April 15, 2005
Mitigating Identity Theft

Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person’s name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions — credit card companies in particular — the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.

Unfortunately, the solutions being proposed in Congress won’t help. To see why, we need to start with the basics. The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. Someone’s identity is the one thing about a person that cannot be stolen.

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. He impersonates a victim to the Post Office and gets the victim’s address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one’s identity is stolen; identity information is being misused to commit fraud.

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what’s been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don’t want made public. The posting of Paris Hilton’s phone book on the Internet is a celebrity example of this.

The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn’t take much personal information to apply for a credit card in someone else’s name. It doesn’t take much to submit fraudulent bank transactions in someone else’s name. It’s surprisingly easy to get an identification card in someone else’s name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.

Proposed fixes tend to concentrate on the first issue — making personal data harder to steal — whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial institutions. That means that any solution can’t involve the account holders. That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

They can’t claim that the user must keep his password secure or his machine virus free. They can’t require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren’t reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.

That’s an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it’s two-factor authentication, ID cards, biometrics, or whatever, there’s a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn’t the way to proceed.

Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone, or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They don’t demand that cardholders secure their wallets in any particular way. Credit card companies simply don’t worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.

This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don’t know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions. Maybe there’ll be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form. Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we’ll never know until the financial institutions have the financial incentive to put them in place.

Right now, the economic incentives result in financial institutions that are so eager to allow transactions — new credit cards, cash transfers, whatever — that they’re not paying enough attention to fraudulent transactions. They’ve pushed the costs for fraud onto the merchants. But if they’re liable for losses and damages to legitimate users, they’ll pay more attention. And they’ll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.

Doing anything less simply won’t work.

Technology & Law – Vol. II

“Technology & Law” is a semi-regular column posted by Keith M. Survell. It deals with the interaction of technology and security with the modern law office.

Follow-Up
Last week I talked quite a bit about security, and it seems like a good thing I did, because there have been several news stories since then about large organizations’ data being stolen – data that includes confidential personal information.

As usual, these crimes are happening because criminals are lazy – and these big companies are the easiest targets to go after – both because they are “big,” and because they have the most data to steal. With the information thieves have stolen recently, they could obtain credit in a person’s name with very little trouble – never mind that fake social security cards and driver’s licenses are probably being made as well. It is a troubling trend.

This week, however, I’m not trying to make anyone paranoid (although a little paranoia can be a good thing) – I’m just trying to save you some money, time, & effort through the use of technology.

Free Software
There are many software utilities & programs that are available for free on the Internet, and many of them can be used by a small business (such as a small law office) without violating any licensing terms. Often times this software can be as good as the more common “commercial” software, and sometimes it is even better – as it may incorporate features or utilities that large corporations might not consider “worthwhile.”

Here then are some of my personal picks for useful (free) software for a law office.

PDFCreator

Many jurisdictions are now allowing on-line filing of paperwork for cases (many Federal courts are this way, for example), and most of these on-line filing systems make use of PDF documents in some way.

Now, you can purchase Adobe Acrobat and use it to create PDF documents from your existing documents – if you want. However, since most people simply want to make a plain PDF from their document, there is no need for the advanced features of Adobe Acrobat. A program called “PDFCreator” can produce the same exact PDF files you’d get from Adobe Acrobat, but without having to buy several copies of Acrobat (one for each computer).

With more and more filing being done on-line, having a program to produce PDF files is invaluable. You can take any TurboLaw document and make a PDF out of it – so it’s 100% compatible with TurboLaw as well. Once installed, you create a PDF file by “printing” your document to “PDFCreator,” which will appear as an additional printer in your system. Simply select “PDFCreator” instead of your normal printer, and you will get a PDF document.

You can download PDFCreator here – you will have to scroll down somewhat to get to the download link, however.

Spybot Search & Destroy

Many computers these days are infected with “Spyware” or “Malware;” that is to say, software that the user did not knowingly install, and that may be reporting information on the user back to some entity (be it a company or individual), as well as usually causing some sort of negative performance effect to the user’s computer.

The easiest way to avoid spyware (as I’ve said before) is simply to not use Microsoft Internet Explorer. There are several alternatives, but I’ve already recommended Mozilla Firefox.

If your computer is already infected with spyware, you may have a hard time cleaning it all up. As a computer professional, I can tell you that removing spyware from a computer can take the better part of a day – and that’s if you’re lucky. Sometimes there is just no way to get rid of spyware, except to re-format the computer & start again from scratch.

However, there is hope – a utility called Spybot Search & Destroy (available here) can scan your computer for spyware and remove it (much like a virus scanner, except for spyware). Spybot Search & Destroy (or S&D as it is sometimes known) is free, although the author does ask for a donation if you find the product useful.

For added protection, be sure to enable the option in Spybot called “teatimer” or “registry monitor.” This will monitor your computer for changes that are likely to be caused by new spyware, and can help keep them from getting back into your computer.

Mozilla Thunderbird

It’s a given fact that just about everyone has email these days. There simply is no easier way to communicate than by email, especially in business. Chances are, if you are reading this article, you have email – maybe even more than one address!

Like anything else, email has its problems – in this case, it’s called “spam.” Many corporate email users report that up to 85% of their email is “junk.” Depending on how many total emails you receive in a day, sorting through all this junk can be a serious drain on your time.

For larger firms, a professionally installed Exchange Server system with Outlook may be desirable – or already in place. This system provides in-house email, server-based junk-mail (spam) filtering, as well as many other benefits, like shared calendars. However, an Exchange Server system with Outlook can cost thousands of dollars – or more! Thus, it is only an option for large firms that can justify the expense (and have need of the other features that go with it).

Fortunately, there are options for the small or medium sized firm. The option that I recommend is called Mozilla Thunderbird. It is a free email program that has very good built-in junk-mail (spam) filtering. It is very flexible and can be customized to suit anyone’s style. Best of all, it can be extended through the use of free “extensions,” which are like plug-ins for the program. Depending on your level of technical expertise, Thunderbird can be a useful email program, or it can be an extremely powerful & secure communications tool.

In addition to being easy to use, Thunderbird has the added benefit of not being vulnerable to the same virus exploits that Microsoft Outlook and Outlook Express are. Given the fact that many viruses spread through email, using Thunderbird can potentially save your firm thousands of dollars by preventing the spread (and initial infection) of viruses.

You can download Mozilla Thunderbird here.

Other Resources

I hope you’ve found the above links to be helpful – although this is of course by no means an exhaustive list. If you have a specific need, chances are that someone else has that need as well, and may have created software to deal with it. It’s worth the time to use Google to see if someone has already created software that solves your particular need for you. Of course, if you can’t find software, feel free to contact us – we will probably be able to help you.

And please, feel free to comment on this article – you can share your experiences with software, or let others know about software solutions you may have found (or that you can advise against).

Until next week – good luck!