4-Step Computer Security Upgrade
Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.
Being a Luddite can be expensive, embarrassing, and potentially disastrous for lawyers and clients. Technological incompetence can result in wasted time (and therefore increased cost to the client), loss of money and identity, ethical sanctions, and embarrassment or worse in the courtroom. Those are high prices to pay for being too proud (or lazy) to learn how the Internet, social media, and that box on your desk work.
Don’t believe me? Here are some examples of the problems that can arise.
Out of Touch
Almost nobody but lawyers and junk mailers use the post office to communicate anymore. Just about everyone else primarily uses email for non-trivial communication. Email has been around for over 20 years, and it is free, reliable, and much faster than the post office. Probably for these reasons many courts require lawyers to have a working email address on file to receive case notifications.
Still, some lawyers are reluctant to adapt. You probably know a lawyer who has their secretary print out all emails so they can read them on paper before dictating or writing out responses in longhand for their secretary to transcribe. This is a ridiculous waste of time, of course, and no client should have to pay for such inefficiency. But it is not yet rare, either.
One South Carolina lawyer figured she didn’t have to have an email address if she didn’t want to, even though she was involved in ongoing proceedings. She only got one after a court order (in a discipline case, no less), and then she set it up with an auto-responder. The Supreme Court of South Carolina refused to indulge her:
Respondent … is … a regular member of the South Carolina Bar and, therefore, pursuant to Rule 410(g), SCACR, required to provide a valid email address. — Supreme Court of South Carolina Order in Appellate Case No. 2012-213164.
Procedural requirements aside, an email address is at least as essential as a mailing address. Have your secretary print out your message for you so you can respond in longhand if you must, but you need to be able to use email one way or another.
The Failure to Google
“We have not quite reached the level of ‘if you can google it, you must,’ but we are fast approaching it.” — Megan Zavieh, Lawyerist.com
Courts have started to lose patience with litigants who complain they didn’t know something they could easily have found online. In Munster v. Groce , for example, the plaintiff tried to use alternative service through the Secretary of State because it couldn’t find the defendants to serve them. The court did a quick Google search and lost its patience:
In fact, we discovered, upon entering “Joe Groce Indiana” into the Google™ search engine, an address for Groce that differed from either address used in this case, as well as an apparent obituary for Groce’s mother that listed numerous surviving relatives who might have known his whereabouts.
Search is ubiquitous. In fact, it is even common to use search on smartphones to settle arguments in real time. Basic search skills are basic tech competence — even for judges. There is no formal duty to Google, but since you can, why wouldn’t you? Search for information about your clients, other parties, witnesses, maps — anything that can give you an advantage.
You may not have a duty to Google, but you would be foolish not to.
Wasting Clients’ Money
Clients are starting to notice when their lawyers’ technological competence results in wasted time.
In 2012, Kia Motors corporate counsel, D. Casey Flaherty, began administering a technology audit to Kia’s outside counsel. The audit tested their ability to perform fairly basic tasks with Word, Excel, and Acrobat. Flaherty’s reasoning was that his company should not be paying lawyers to fumble their way through basic tasks. More importantly, Flaherty was tired of getting badly-structured Word documents and seeing improperly-redacted PDFs. The former wastes his time. The latter can result in big problems.
If the lawyers failed the audit, Flaherty cut their rates. They all failed.
I’ve administered the audit 10 times to nine firms (one firm took it twice). As far as I am concerned, all the firms failed—some more spectacularly than others. The audit takes me 30 minutes. … The best pace of any associate was 2.5 hours. The worst pace was 8 hours. Both the median and mean (average) pace rounded to 5 hours.
I’ve taken the audit, and I think it fairly tests basic proficiency with Word, Excel, and Acrobat. Anyone who fails it twice (I would chalk up the first time through as a learning experience) deserves to have her rates cut not just for wasting time while she fumbles with software, but for increasing the chance of mistakes and producing objectively inferior work product.
Of course, the audit only tests three software applications. If a lawyer manages to pass the audit, it probably means he is not hopeless, but it hardly means he should be considered technologically proficient. Flaherty just established a floor. And while rate-cutting was a potential consequence of poor performance on the audit, he was more likely to recommend improvements to improve systems and proficiency.
True to form, the outside counsel were happy to change once money was on the line. Sooner or later, smaller clients than Kia will start asking pointed questions about their lawyers’ technological competence, too.
Giving Away Clients’ Money
Technological competence doesn’t just mean knowing how to use hardware and software. It also means being smart about online services like malicious attachments in emails and recognizing when a helpful caller is actually a hacker using social engineering techniques.
A San Diego lawyer learned this the hard way when he clicked a link or attachment in an email he thought was from the US Postal Service. In fact, it was a virus that allowed a malicious hacker to spy on his online activity. But it wasn’t hacking that caused his clients to lose $289,000, it was foolishness and a bit of well-timed social engineering.
The virus disrupted the lawyer’s access to his firm’s bank accounts. While he was trying to log in to the bank’s website, someone called the lawyer, pretending to be a representative of the bank, and offering to help him log in to his accounts. The caller instructed the lawyer to enter a code to gain access. Of course, the code was apparently an authorization to transfer funds. It didn’t work the first time, but the hacker called back two days later and the lawyer helpfully entered the code again. The same day, the hackers transferred $289,000 from his firm’s bank account to a Chinese bank.
So far, the bank has refused to cover the loss.
Not all scams involve Nigerian princes (although some lawyers have even fallen prey to such obvious phishing attempts). The lawyer in this case needed to know how to recognize a suspicious email. He also should have known better than to trust someone ostensibly calling because he was having trouble logging into his account. Banks don’t do that. And he certainly should not have done it again a couple of days later.
Social engineering can be more effective than clever code, but good lawyers should be able to do a better job protecting their clients’ funds.
Data security goes to the heart of a lawyer’s professional obligations. All lawyers have client information on computers and mobile devices, whether in emails or files. That client information — data — can be valuable to a credit card fraudster or identity thief. Unfortunately, lawyers are terrible when it comes to security.
The smartest cyber criminals have even figured out the best way to get what they want is to avoid the target corporation entirely and aim straight for their law firm — the soft underbelly of American cyber security….
Since Above the Law’s Joe Patrice wrote that line in February 2013, it is probably safe to assume less-intelligent cyber criminals have now caught on, too. Law firms are a weak spot because few lawyers know anything about data security and fewer do anything about it. At best, security is left to IT contractors, often without specific directions. More commonly, lawyers don’t do anything particular to ensure the security of digital client information.
In any case, cyber criminal continue to be resourceful. In November 2014, researchers at Kaspersky Lab discovered hackers who were stealing trade secrets by compromising luxury hotel wireless networks. In some cases, it may only take a phone call and some clever social engineering.
When the Heartbleed bug in OpenSSL was discovered in April 2014, the impact was enormous. 17% of the Internet’s secure servers were affected. Heartbleed has already been used in some pretty big intrusions, and since nobody knows how many systems were compromised before the “good guys” discovered the bug, it may take years for the full impact of Heartbleed to become clear.
It’s not just servers. In July 2014, researchers announced an unpatchable flaw in USB that allows malicious code to run from flash drives, printers, cameras — virtually anything with a USB plug. The only way to avoid this problem is to consider a USB device infected if it is ever plugged into a USB port you don’t trust and control.
But perhaps the best example of ignorance is how the majority of lawyers “protect” email when sending privileged communications:
Asked what precautions they take when sending privileged communications via email, 77 percent said that they include a confidentiality statement.
Confidentiality statements and other email disclaimers are pointless. Even if someone is willing to cooperate, they will not see your statement until after they have seen whatever you meant to send to your client. Worse, they do absolutely nothing to protect a communication intercepted by a malicious hacker.
The Internet is a haystack, terrorists are needles, and the NSA’s approach is to pick up the entire haystack, take it to a warehouse, and call it a job well done. “Don’t worry, America, we’ve got the needle!” —Me
In 2015, you can refer to the US government as Big Brother without sounding like a conspiracy theory nut job. That is because we now know for a fact that government agencies in the US, Great Britain, and other countries really are vacuuming up all the data they can get and compromising networks, hardware, software, and encryption algorithms at will.
Reactions vary, but if you or your clients are not comfortable sharing your data with government agencies in the US and abroad, it is possible to take precautions. The question for lawyers is whether to take those precautions (maybe) and whether to involve clients in that discussion (probably).
A failure to understand fairly basic technical concepts can impair your effectiveness, too. One California lawyer apparently did not think it was a big deal that he did not understand basic e-discovery concepts like native format. The California Court of Appeals hastened to correct him:
At the hearing, Sklar’s counsel stated, “I don’t even know what ‘native format’ means.” The court responded: “You’ll have to find out.” — Ellis v. Sklar, 218 Cal. Ct. App. 4th 853 (2013).
Digital documents contain more information than paper documents, and they cannot always be reproduced adequately on paper. That’s why the native format concept is important for anyone dealing with discovery that involves digitally stored documents. The information you are seeking in discovery will determine the format — native or otherwise — in which you can accept those documents.
Social Media as Evidence
Lawyers often think of social media mainly in connection with online marketing. But social media is a primary communication tool for a very large portion of world’s population. That means if you litigate, sooner or later social media will come up.
A hopefully-obvious mistake is to make the mistake of thinking social media is somehow exempt from spoliation rules. It took a while for lawyers to get their heads around the idea that things on the Internet can be evidence. This is Tech Competence 101, which proved to be a very expensive lesson for one lawyer.
A Virginia lawyer who ran afoul of discovery requirements in a major wrongful-death trial by allegedly encouraging a client to clean up his Facebook account has paid his $544,000 share of a $722,000 legal fee award to opposing counsel and seen an $8.5 million award to his client and other plaintiffs in the case upheld by the state supreme court.
Assuming someone doesn’t erase it, you may have to get social media into evidence or challenge it. In order to talk about it, you should probably have a basic understanding of it. Remember the George Zimmerman trial? During the trial, the prosecutor completely failed to score a point due to his failure to understand Twitter.
The George Zimmerman murder trial took a strange detour into social media this afternoon, as prosecution witness Jenna Lauer, who placed the 911 call on which screams for help can be heard, was accused by the prosecutor of following Zimmerman’s brother, Robert Zimmerman, Jr., on Twitter. Lauer made a credible claim of ignorance about Twitter, and denied following Zimmerman, which turned out not to be true. The real spectacle, though, was the utter failure of anyone in the court to know a single thing about Twitter. (Emphasis added.)
The trial probably did not turn on this point, but it is not hard to imagine the date, time, or existence of a tweet being a central question in a trial. If you do not have a solid understanding of Twitter, you probably should not try to introduce someone’s Twitter profile as evidence. And if that is an important thing to do, you had better cure your incompetence.
To be a lawyer in the 21st century requires a basic techno-literacy that is not generally taught in schools or acquired passively. But if you do not have this basic level of tech competence, you may not be competent to practice law. Twitter and other social networks are how modern human beings communicate. The failure to understand Twitter or Facebook or Snapchat in 2015 is not much different than the failure to understand the postal system in 1915. Searching for information, protecting client communications, and avoiding scams are basic skills at which lawyers should be at least competent, if not expert.
Not sure where to start? I’ve put together a checklist of the knowledge and skills that I think ought to be basic technological competence for lawyers. You can get it free by clicking here:
Featured image: “Modern silver monitor on reflective surface and home cat” from Shutterstock.