Posted Dec 12, 2005 10:08 pm CST
Up until Arthur Andersen and Wall Street superstar Frank Quattrone made the news, says Christopher Gaines, a Chicago records management specialist, very few firms thought about data destruction. Then the accounting giant and the investment banker were hit separately with charges and later convicted for obstruction of justice based on allegations they improperly destroyed data when government investigations were pending.
Since then, the U.S. Supreme Court has reversed the conviction of Arthur Andersen because jury instructions provided inadequate guidance on the issue of criminal intent. And Quattrone’s pending appeal of his conviction may benefit from that ruling.
But that doesn’t mean lawyers don’t have to worry about the proper document destruction procedures to follow. While the obstruction of justice statute requires a showing of criminal intent, it’s not required under new federal laws such as the Sarbanes-Oxley Act. Even when criminal prosecution is not an issue, potential civil liability still can be a major concern.
Experts suggest that companies and law firms need policies for the preservation of important documents and for the routine destruction of those that aren’t needed—but the destruction policy may need to be suspended when potential litigation is on the horizon.
With increased storage space, companies find themselves holding onto trillions and trillions of bits of data in backup tapes, hard drives, disk drives, compact discs, servers and portable devices. All of that data costs money to maintain and is discoverable in litigation. Creating a system to track information, identify where it is stored and destroy it when it has reached the end of its useful life—in an ongoing and consistent manner—is the only way to prevent litigation from becoming prohibitively expensive.
“Destroying documents is the cornerstone of a document retention policy,” says Gaines, records retention manager for Océ Business Services. Midsize to large firms can invest in enterprise software that costs thousands of dollars, such as document management systems or other programs that keep track of e-mail.
These products include systems like Tower Software Corp.’s Trim compliance software, which identifies how long documents need to be retained to comply with the law. Companies like Interwoven have software records management tools that track documents. And practice management software like Hummingbird Ltd.’s LegalKey lets firms find and catalog documents in their systems.
So what about actually destroying things? Routine destruction is easier said than done because electronic data is nearly indestructible.
Hitting the delete key on a computer just deletes the link to a document, allowing the computer to write over it if it needs the space. But the document itself remains until it is actually overwritten. And even some overwritten data can be found by a determined computer forensics specialist.
A number of new products that hit the market this year conform to the U.S. Department of Defense standard 5220.22-M, which specifies how to overwrite computer disks so that all data is erased. (Some data recovery specialists claim to be able to recover data even after this standard has been met.)
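The difference between deleting and overwriting described above can be seen on a toy model. This is an added example, not part of the original article: `ToyDisk`, its methods, the sample memo and the three-pass pattern (zeros, ones, random) are constructed for illustration.

```python
import os

# Assumed pass pattern for this example: zeros, ones, then random bytes.
PASSES = (0x00, 0xFF, None)  # None means "fill with random data"


class ToyDisk:
    """Constructed model of a disk: raw bytes plus a directory of name -> (offset, length)."""

    def __init__(self, size=256):
        self.data = bytearray(size)
        self.directory = {}
        self.free = [(0, size)]  # free extents as (offset, length)

    def write_file(self, name, content):
        for i, (off, length) in enumerate(self.free):
            if length >= len(content):
                self.data[off:off + len(content)] = content
                self.free[i] = (off + len(content), length - len(content))
                self.directory[name] = (off, len(content))
                return
        raise OSError("disk full")

    def delete(self, name):
        """What the delete key does: drop the link and mark the space reusable."""
        off, length = self.directory.pop(name)
        self.free.insert(0, (off, length))  # the bytes themselves are untouched

    def wipe(self, name, passes=PASSES):
        """Overwrite every byte of the file, verify each pass, then delete it."""
        off, length = self.directory[name]
        for fill in passes:
            pattern = os.urandom(length) if fill is None else bytes([fill]) * length
            self.data[off:off + length] = pattern
            if bytes(self.data[off:off + length]) != pattern:  # verification read
                raise OSError("overwrite pass did not verify")
        self.delete(name)

    def carve(self, needle):
        """What a forensic examiner does: ignore the directory, search the raw bytes."""
        return needle in self.data


def demo():
    memo = b"PRIVILEGED: settlement floor is $2M"  # constructed sample content

    disk = ToyDisk()
    disk.write_file("memo.txt", memo)
    disk.delete("memo.txt")
    after_delete = disk.carve(memo)             # not listed, but still on disk

    disk.write_file("lunch.txt", b"noon?")      # reuses the freed space, 5 bytes only
    whole_after_reuse = disk.carve(memo)
    after_partial_reuse = disk.carve(memo[5:])  # the rest of the memo survives

    wiped = ToyDisk()
    wiped.write_file("memo.txt", memo)
    wiped.wipe("memo.txt")
    after_wipe = wiped.carve(memo[:12])

    return {
        "after_delete": after_delete,
        "whole_after_reuse": whole_after_reuse,
        "after_partial_reuse": after_partial_reuse,
        "after_wipe": after_wipe,
    }


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step}: recoverable={found}")
```

On real hardware an in-place overwrite is not guaranteed to reach every copy of the data: journaling and copy-on-write file systems, and the wear leveling in flash drives, can leave older copies elsewhere on the medium.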
Document management experts say that if a firm can demonstrate in court that it has well-managed systems and has made a good-faith effort to find all responsive documents, it shouldn’t have to worry about a judge allowing forensic experts to comb over every inch of its business for scraps of information. “Lawyers should discuss what to do with documents early—I recommend as early as the engagement letter,” Gaines says. “It’s the best way to avoid thorny questions later, like how to dispose of things.”
Lawyers can ignore some technologies. Not everybody needs litigation support software, and not every lawyer needs a handheld personal digital assistant. But in some jurisdictions, lawyers may need to know about e-filing if they want to continue to practice.
The federal courts’ Electronic Case Files system, overseen by the Administrative Office of the U.S. Courts, has provided a de facto model for many other court systems. Well over half of all federal bankruptcy filings are done electronically, as are over 35 percent of all federal filings.
Each court system can decide how it wants to handle e-filing, but more are moving toward making it the mandatory way to file court documents. LexisNexis, the largest commercial provider of e-filing software, claims to have wired more than 200 jurisdictions. Rules for e-filing in selected jurisdictions can be found at www.abanet.org/tech/ltrc/research/efiling/rules.html.
Fortunately for lawyers, it doesn’t take a huge investment or training to file over the Web. A lawyer needs a computer, high-speed Internet access, and Adobe’s Acrobat PDF (portable document format) writer software, which costs around $120. Following the lead of the federal court system, most courts have made e-filing relatively easy by adopting Adobe’s PDF as a de facto standard. And, since it will occasionally be necessary to scan paper documents to convert them into electronic files, a high-quality scanner might also be necessary.
Scanning technology isn’t too expensive, either. Basic scanners include Visioneer’s XP 450 ($600), the Fujitsu ScanSnap ($400) and Xerox DocuMate 252 ($900). While most of the scanning hardware is similar, lawyers should make sure that it is compatible with PDFs or whatever digital format their court system uses.
Think technology is just something that helps get things done? Today, understanding how technology works can be the key to understanding how a law is applied.
Just ask Craig Ball, a court-appointed special master and consultant on technology issues in litigation in Montgomery, Texas. You would think he would be happy to see his business booming, but sometimes he wishes lawyers would try to better understand technology themselves. “I sometimes feel like I’m swimming upstream,” he says. “I tell lawyers, ‘Let me teach you this so you don’t need to hire me next time.’ ”
Computerization has made it impossible for lawyers to be technology Luddites and hope to be competent litigators or give complete advice to their clients. First, computers are nearly ubiquitous. Second, storage technology has become so inexpensive that the volume of information involved in litigation has become nearly unmanageable. “Everybody uses computers,” Ball says. “But there’s still this fanciful idea in parts of the legal profession that ‘If I close my eyes, this monster will go away.’ ”
In the coming year, new e-discovery rules are likely to become part of the Federal Rules of Civil Procedure. Under these rules, a pretrial conference will include discussion of issues related to discovery of electronically stored information. Lawyers cannot claim ignorance. They need to have an understanding of how documents are stored electronically, what format documents ought to be produced in, how to obtain information from things like databases or spreadsheets, and how to compile and search all this information.
And corporate lawyers need to know what to tell clients who work in regulated industries about how to manage their information systems and conform to the law. For example, while recent regulations connected to the Sarbanes-Oxley Act are not about technology, understanding technology will make it less expensive to comply with the law. That’s because the law requires companies to keep good records, and keeping records that can be audited requires good technology.
Ball also expects new technology torts to arise in the coming year, such as civil suits arising from identity theft on the Internet. Phishing (phony e-mail schemes to get you to disclose personal information), hacking (digital breaking and entering), spamming (flooding e-mail accounts with advertising) and other Internet-related issues are reaching the courts, and lawyers involved will have to understand some technical issues.
To understand how technology and the law relate, lawyers need to study e-discovery issues and learn how computer systems and networks work. Ball also says the best thing a lawyer can do when working with a corporate client is to get to know its tech guys. “Ask a corporate client if you can come by the computer room and take the IT guy to lunch,” he says. “I call it the ‘adopt-a-geek’ program.”
Around 2001, John Paris and the Seattle-based Hagens Berman law firm (now Hagens Berman Sobol Shapiro) got serious about switching their telephones from traditional lines to phones that run over the Internet. At that time, the Internet was even less stable than it is today, and most people thought phones using voice over Internet protocol were a joke. “When we were doing this back in 2001, it was still very bleeding edge,” says Paris, information technology director for the firm. “Heck, I started to think we were crazy once we started to get into it.”
But now more law firms are using VOIP. The voice quality today on Internet phone systems is nearly indistinguishable from traditional phone lines, which need a complex wiring system.
But the big advantage is that, since Internet telephony systems are run by computers, they are easier to manage, cost less to operate and can be programmed to do almost anything a firm might ask of them.
Internet telephony allows a firm to replace a traditional telephone wiring closet and analog phones with computer equipment and VOIP phones. The telephones look and act like normal phone sets, though they tend to have interactive screens that allow users to edit their contact lists and address books as if they were using a computer. Many phone systems are now integrated into desktop computers, so a lawyer can do scheduling and time-and-billing input right from the phone.
Paris says the main advantage for his firm has been conference calling. In the past, the firm would spend $1,000 to $1,500 a month to get conference bridges from the phone company. He can cut out almost all that expense, he says, by using the company’s own system to set up conference calls. He has even set up video conferencing within the firm, allowing partners to have meetings without traveling to one location. (He does note that videoconferencing is not wildly popular. “Nobody wants to have people stare at their face while they sit on the phone,” he says.)
Though VOIP systems can cost as much as or more than a traditional phone system, once one is up and running, a company’s voice and data systems can be merged into one, which makes their technology infrastructure much less complicated. “When we started doing this, people thought we were crazy,” Paris says. “At least here in Seattle, it seems like almost everybody is doing it now.”
Across the country, it seems like every lawyer, paralegal or legal secretary ends e-mails with a canned message that reads something like, “The information contained in this transmission is attorney privileged and/or confidential information intended for the use of the individual or entity named above.” That type of broad declaration is applied to everything from actual privileged documents to plans for lunch.
These disclaimers have not been tested in court, but their ubiquity makes them something of a joke within the legal profession. A better way to protect privilege is to secure a message with digital protection. With lawyers relying on e-mail to communicate with clients and to get things done, it is very likely that a privileged message will be misdirected. And with electronic documents being used in more trials, it’s sometimes difficult to ensure that privileged documents don’t accidentally get swept up in discovery requests.
If you keep sensitive client documents on a computer, it is advisable to use the highest levels of security to protect them. At the very highest level, a fingerprint reader will make sure only you can access a computer. For sending sensitive messages, programs like Hushmail make it possible to encrypt documents so that only the intended recipient can read them. Popular e-mail programs like Microsoft Outlook make it easy to send encrypted e-mails that can only be read by the right person.
To use encryption in e-mail, all you need is a digital certificate, which costs about $20 and which Outlook will automatically help you find. If you don’t use Outlook, VeriSign and ZixMail are two of the better-known providers of digital certificates, and they can be found online.
If you want to send a secure e-mail to a client, send him or her the certificate ahead of time, and then only he or she can read your encrypted message. Using encryption is a signal that you are serious about protecting sensitive documents. In fact, using encryption is something small firms can probably do better than large ones because it’s difficult to keep track of a large number of the digital certificates used to send and read encrypted e-mails.
Todd Nugent, chief information officer at Chapman and Cutler in Chicago, can claim something that probably makes IT staffs and lawyers at other firms deeply envious. “We don’t spend any time worrying about computer viruses. We don’t even have anti-virus software,” he says.
That’s because Chapman and Cutler uses Apple computers throughout the firm, which includes three offices. Since there are relatively few Apple users in the country, there are few viruses written to cause problems with Apple computers. Hackers and virus writers instead spend their time trying to break into or wreck the more popular Microsoft-based computers. According to the 2004-2005 ABA Legal Technology Survey Report, 3.6 percent of all respondents use Apple computers in their practice. The greatest number is among solo lawyers, with 11 percent using Apples.
Nugent admits there are some drawbacks to going against the Microsoft tide in the legal profession. There are not as many legal applications that run on Macs, so his IT department has to create some applications for the firm. That’s not too much of a problem because Chapman and Cutler is a specialized financial law firm, but large firms with many practice areas might find it too expensive to create different applications for each group.
He says the cost of using Apple is about the same, and the systems are remarkably robust—his e-mail system has not crashed in more than a year. And Apple tends to have new features years before they get to the Microsoft world. The computers are considered more expensive, but Nugent thinks his systems might be even less expensive than Microsoft systems.
“You can buy dirt-cheap PCs, but no self-respecting law firm is going to buy those for the office,” he says. “The new, current models of Apple cost about the same as a good PC, and our software costs are lower.”
Some may look at Apple’s emphasis on consumer gadgets (like the iPod music player) as a distraction from the serious business of practicing law, but Nugent thinks it’s another advantage. Those who use these extras “like to use their computers more,” he says. “I think that can only be a good thing.”
It shouldn’t take something like Hurricane Katrina to make lawyers think about disaster recovery. Data can be destroyed in all sorts of ways: Employee mistakes, computer crashes, computer viruses, sabotage, fires and natural disasters can wipe out a small firm and wreak havoc on a large firm’s computer systems. Firms should back up data daily, so that a crash or something worse doesn’t set everyone back days or weeks. Backup methods differ depending on the type of firm and computer setup involved. Large firms have IT staffs that can make sure PCs are backed up by network servers.
Tape has long been a popular backup medium for large firms, but tapes tend to wear out. For that reason, backup disks and hard drives are becoming more popular. For small firms, external drives like USB recorders or removable media like CDs and DVDs are cheap and small enough that no firm has an excuse to not back up.
Midsize to large firms will have to invest in a separate device for network storage that can automatically download documents from multiple computers. However, it does a firm no good to have a backup if the device is located in the same physical space as the computers it is backing up. For that reason, some lawyers are turning to third-party backup companies like LiveVault, EVault, or AccessGenie that will back up files over the Net. Other lawyers are still leery about handing client data to third parties that might go out of business or suffer security breaches.
It’s important for firms to test their backup systems to see if they can restore data that they’ve saved. Since software becomes obsolete and disappears quickly, firms should consider saving all documents in a single format, like PDF, so they can be opened in the distant future. A number of large businesses have been ordered by courts to produce documents from their backup systems only to find the systems are either too old or too cumbersome to actually recover documents.
But disaster recovery technology is useless unless a firm actually has a policy. That means every law firm should consider how often to back up data, where it is to be stored, and who will be responsible for ensuring that backup happens.
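One way to carry out the restore test recommended above is to record a checksum manifest when the backup is taken and compare a trial restore against it. This is an added example, not part of the original article; the function names, directory layout and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a trial restore with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    both = manifest.keys() & restored.keys()
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "corrupted": sorted(p for p in both if manifest[p] != restored[p]),
        "unexpected": sorted(restored.keys() - manifest.keys()),
    }


def demo():
    # Constructed sample files standing in for a firm's document store.
    files = {
        "matters/2005-014/brief.pdf": b"%PDF-1.4 constructed brief",
        "matters/2005-014/exhibit-a.pdf": b"%PDF-1.4 constructed exhibit",
        "billing/ledger.csv": b"client,hours\nAcme,12.5\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for root in (live, restored):
            for rel, body in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)

        manifest = build_manifest(live)          # recorded when the backup is taken
        clean = verify_restore(manifest, restored)

        # Simulate a restore that lost one file and truncated another.
        (restored / "matters/2005-014/brief.pdf").unlink()
        (restored / "billing/ledger.csv").write_bytes(b"client,hours\n")
        damaged = verify_restore(manifest, restored)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```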
Thanks to new rules about disclosing security breaches, 2005 was the year that many people became aware of how much personal information is stolen over the Net. Thousands of people found out their information was stolen from credit tracking companies, banks, online merchants, credit card issuers, LexisNexis and Westlaw. Even Paris Hilton’s phone was hacked.
It’s probably only a matter of time before some law firm with a big case or famous clients will become a target of hackers. Since a law firm’s entire business revolves around how it handles client information, a firm that fails to secure client data is a firm that is not likely to last long. And law firms should be able to advise their clients on what constitutes good security practice.
Currently, data thieves can be prosecuted for identity theft; wire, credit card, bank and computer fraud; and for violations of the CAN-SPAM Act, under which national standards for the sending of commercial e-mail were established. But companies that have had client data stolen have also gotten in trouble. Several have been sanctioned by the Federal Trade Commission when client data was compromised. Pending federal legislation would make civil suits possible against those who take insufficient care in protecting client or customer data.
The best way to secure data is to have a firewall, which is used to prevent unauthorized access through a computer’s Internet connection. Firewalls come in either software or hardware packages and are designed to block efforts by hackers and virus writers to break into a computer system. The hardware versions, made by companies like Cisco or Netgear, are the most secure, while software firewalls made by Zone Labs or Symantec are good for protecting personal computers. Anti-virus software programs like Spybot and Ad-Aware, which can be obtained and used for free, are also important to sweep systems for digital viruses and malicious programs.
Firms need to be careful when rolling out new technologies. Wireless networks, like Wi-Fi, are increasingly popular, but because Wi-Fi is a shared network, hackers might be able to steal documents over the network. Once you give staff members handheld devices, make sure they are secure by having passwords changed regularly and finding out how they are accessing company data. If staffers are using insecure home computers or wireless devices, the company should install firewalls or upgrade the security measures on those machines.
Technology is useless unless a firm can create policies to ensure people use it right. Employees should be educated about the ways virus writers use e-mail to trick people into downloading viruses, or the ways phishing scams try to trick people into giving access to their computers and even their bank accounts. One useful place to start is the FTC Web site, which has a menu of information for consumers explaining the most current scams. The site is found at www.ftc.gov/bcp/menu-internet.htm.
In recent years, cell phone companies have been rolling out new combination phones, cameras, personal digital assistants and other gadgets step by frustrating step. First, a new phone would be available, but only with a black-and-white screen. Then a version with a built-in PDA would hit the market. Lawyers who were early adopters were sometimes left with outdated versions of the same phones their colleagues were now buying.
But as the boom in cell phone technology has slowed, it has given gadget-savvy lawyers a chance to pick and choose which functions, which software and which add-ons are most important to them. The same is true of digital cameras, which are now indispensable to some practices.
Combination phone-PDAs—such as the BlackBerry, made by Research in Motion, and smartphones, which run on either the Palm operating system or Microsoft Pocket PC software—have become the market leaders, though other brands, like Good, have gained adherents.
Lawyers need to pay attention to whether a handheld works with their current e-mail system. Most phones, including Good and BlackBerry devices, will be able to access Microsoft Outlook for e-mail. However, it is less likely that a Microsoft Pocket PC phone will be able to access e-mail from another vendor, like Lotus Notes, without help from the office’s IT department.
Because the Palm OS has been around a while, Palm smartphones have the most legal applications available. That’s good for lawyers who travel a lot and need access to applications like time-and-billing software or case managers, and not just e-mail. Among Palm smartphones, the Treo 600 and 650 are the most popular. Among BlackBerry phones, there is a wide range of different versions with different-size screens, color or black-and-white imaging, or built-in cell phone capabilities. Handheld devices, including cell phones and PDAs, can cost anywhere from $200 to $600, depending on the cell phone provider.
As the combined cell phone/PDA market has matured, so has the digital camera. Now that prices have come down, no one should buy a camera with less than 4 megapixels resolution, and cameras with 5 or 6 megapixels are becoming more affordable at $250 to $600 for entry-level models. (Combination phone-cameras are popular gadgets, but the camera resolution is too poor for professional use.)
Most cameras use lithium-ion batteries, though some allow you to use AA or AAA batteries in a pinch, which is handy and convenient. Most brands accept the Secure Digital memory card to store photos, which costs less than $50 for 512 megabytes. The easiest way to transfer photos is with an SD digital film reader, which typically costs less than $40. But be aware that some brands—like Olympus, Sony and Fujitsu—may not work with the SD cards.
It is clear that before law firms commit to any new technology, they need to train their employees on how to use it. One of the most surprising findings of the latest ABA technology survey is that even where software is integral to the practice of law, very few lawyers actually use the technology their firm has invested in.
The survey found that 31 percent of law firms have document management software, which should be the standard way documents are handled within a firm, but only 11 percent of lawyers reported using it. Ownership of case management software stands at 41 percent, but only 18 percent reported using it. And 50 percent of respondents have document assembly software, which should provide a standard and simplified way to create legal documents, but only 30 percent said they used it.
One problem is that legal technology vendors like to tell law firms about the exciting new things they can do with technology, but they don’t ask if the product actually fits the way a firm works. A consultant should sit down with a firm and find out what the lawyers need to practice law better. Or firm managers must make sure lawyers need a product before investing in it. Buyers need to know what a specific technology purchase should provide and must stand up to pressure from vendors. Otherwise, their firm will join a long list of others that have been bullied into buying things they don’t need.
But even the best, most cutting-edge technology is useless unless the staff learns to integrate it into the way they work. A cost-effective approach is for someone within the firm who is interested in a technology project to become a staff trainer. In the software business, they call it taking ownership of a project. One approach is to combine one-on-one training with classroom training for the entire staff. But whatever approach a firm takes, training its staff is usually worth a significant investment in time and energy. Better to invest in training than to have a technology investment sit unused.