Laptop Lapses and
Even Authorized Off-Site Parties Imperil Security
Turnover, temps and troublemakers require tech hedges against tech risks.
A LAW FIRM'S most valuable assets walk out of the office every night, goes the old saying. But today, many of them leave carrying laptops, and they increasingly demand remote access to all of the firm's documents.
The demands of these "road warriors" make a law firm's computer systems more vulnerable than ever before. Mobile attorneys delight in dialing up their desktops and electronic file cabinets from home, from a client's office or from a hotel or courtroom--in effect, punching a hole through a firm's electronic walls with every connection. "Security is very tough with lawyers because they demand [remote] access," says Bruce Kiefer, systems administrator at Denver's Holland & Hart L.L.P. "It would be easier if they didn't demand it."
It's not only veteran, trusted lawyers who may have access off-site. Disgruntled employees may also seek entry to a firm's system, as well as a mobile army of staff or contract attorneys who work at firms for varying amounts of time before moving elsewhere. Increasingly, clients are also requesting remote access to their documents and billing information at a firm, requiring yet another entryway into the system.
Lawyers have always been concerned, even obsessed, with security, from protecting client documents to shielding privileged legal advice to safeguarding accounting information. "Lawyers tend to be much more concerned about securing their data than other businesses," says John Hokkanen, a computer technologist at Atlanta's Alston & Bird.
Some of the obsession is justifiable. Precautions to protect the attorney-client privilege are required by the code of professional responsibility. "There is a real fear of liability and professional malpractice" that might result from unauthorized access to a firm's documents, says Simon Chester, a partner at Toronto's McMillan Binch who uses five passwords--one of them 20 digits long--to protect his laptop's files.
In addition to remote-access issues, law firms can also face unique security problems stemming from the need to "wall off" members of the firm from a client matter due to a conflict of interest. At Jones, Day, Reavis & Pogue, paper and electronic documents list the names of those who are not allowed access to the document, says Kingsley Martin, the director of technology planning at the firm.
Naturally, as technology raises new security risks, high-tech tools are used to enhance a firm's security systems. Different passwords allow access only to certain types of files. At Jones Day, some passwords used on the road allow access to e-mail but not to a document repository, says Mr. Martin.
At McMillan Binch and other firms whose clients tap into a firm's files, separate servers are set up to hold the clients' documents; these servers are segregated from others that contain a firm's entire document data base. "Clients who tap into our firm have access only to bits of our system, not the entire system," says Mr. Chester.
Firewalls, functioning like high-tech border guards, stand between a firm's system and the Internet. Encryption programs protect e-mail and documents when transmitting them among offices.
Friend or Foe?
But the technology that allows lawyers increased mobility and increased security is itself a focus of concern. "At the same time [lawyers are using the equipment], there is a general distrust of technology," says Mr. Chester, who lectures on legal technology and says he is constantly asked whether it is safe to transmit documents over the Internet. "Compared to the postal system, no, it's not as safe," he says. "Compared to a fax, yes. Compared to a courier, yes--read the Federal Express bill of lading," which allows the company to open packages at any time, he says.
A recent technology crime spree has focused attention on computer security.
David J. Loundy, an attorney at Chicago's Davis, Mannix & McGrath, circulates a monthly Internet Law Report via e-mail. Much of the December report reads like a rap sheet: "The United States Attorney's Office for the Southern District of New York filed charges against a local computer programmer who remotely sabotaged a computer system [after a] billing dispute with the company."
The incident that strikes closest to home for lawyers involves a temporary staffer at Forbes Inc., George Mario Parente, who was hired for the magazine's computer "help" desk and fired after a short time. Operating from home and using a former colleague's passwords, Mr. Parente allegedly broke into the system and crashed the file servers.
In late November, prosecutors charged Mr. Parente in Manhattan federal district court, alleging that he caused more than $100,000 worth of damage to the computer system. According to an affidavit by an FBI agent, salary information and an internal computer security analysis were found in Mr. Parente's home. He faces five years in prison. The incident struck a nerve, because law firms are increasingly relying on contract attorneys and part-time technical staffers. The U.S. Bureau of Labor Statistics estimates that in 1995, there were 40,000 temporary lawyers in the country, up from 10,000 in 1992. By 2005, the number is expected to rise by 56 percent.
Mark Pruner, president of WebCounsel, in White Plains, N.Y., who advises law firms on technology, says, "While people obsess about external threats to computer security, they're hiring" liberally from temporary agencies.
Alston & Bird conducts background checks and requires confidentiality agreements to be signed by temporary workers, says Mr. Hokkanen.
The external hacker is an exaggerated threat to law firms, says Mr. Chester of McMillan Binch, as hackers are frequently searching for credit card numbers, which law firms, unlike many businesses, usually don't store on their systems. Four hackers arrested in California in December were typical. Aged 14 to 16, they broke into an Internet service provider's server, searched for credit card numbers, then headed to an online auction house, where they ordered computer equipment. Police tracked them down without great difficulty: The merchandise was sent to one of the boys' homes.
Even if hackers did gain access to a firm's systems, they might have trouble finding information. Laughs Mr. Chester, "Our own lawyers have trouble finding what they need; how will hackers?"
But the worst security breach McMillan Binch has suffered--to the firm's phone system--did involve a hacker. "We had a system that allowed us to dial in from anywhere in the world, and then to dial out to anywhere," recalls Mr. Chester. The system facilitated phoning while on the road and directly billing clients. "It was a nice feature, password-controlled and all that. It got hacked into." The firm paid the bill and discontinued the service.
Inside information about mergers and acquisitions is still usually obtained via low-tech methods: a human informant at the firm. Says Patrick J. Schultheis, a corporate securities partner at Palo Alto, Calif.'s Wilson Sonsini Goodrich & Rosati, "The bottom line is that unless someone [with access inside the firm] is willing to open my e-mail, or log onto my computer, or break into my voice mail," the information is safe as long as regular methods, such as code names, are used.
"I don't think technology increases security," says Mr. Schultheis. "I think it actually has increased the risk, because there's more ways to steal information." He says he would never use e-mail to discuss an undisclosed acquisition with a client. "If I send an e-mail to [a client], the mail could bounce around to half a dozen computers between here and there," he notes. Those familiar with the addressee could intercept the e-mail at any number of points, he says.
Technology, if anything, has complicated existing security at the firm. "We've always used code names," says Mr. Schultheis, but formerly only on faxes. "Now, because of increased access to documents, we've started using code names on everything: on all documents and computer indices" that could be used to search for all matters pertaining to client X, for example.
The internal danger, from a disgruntled or dishonest employee, is widely acknowledged. But it is difficult to address. There is little a firm can do to head off a disgruntled staffer, e-mails Duncan C. Kinder, a sole practitioner in St. Clairsville, Ohio, who teaches computer crime and security at Ohio University and who established a Web site on computer crime. "A disgruntled employee could demolish the firm's data base with a baseball bat," he says.
Alston & Bird's Mr. Hokkanen says that whenever people leave, their access is immediately blocked and passwords are changed. When a senior computer staffer left recently, passwords were changed during his exit interview.
Frequently firms give lip service to the importance of changing passwords, but don't dare do it too often. "You'd have mutiny among the troops," says the head of Holland & Hart's technology committee, John C. Tredennick. "Computer security is not that different from other security. There is always a trade-off between convenience and security."
It seems that convenience wins. Jones Day's Mr. Martin says he just received an e-mail from his former firm, Minneapolis' Dorsey & Whitney L.L.P., where he worked until this fall as director of computer applications, asking him for a password to evaluation files. He gave it to them. Holland & Hart's Mr. Kiefer says he makes an effort to keep his tech staffers happy, taking them out to dinner and trying to match projects with personality types. Still, there is turnover, he says.
High-tech law firms are now using ever more sophisticated tools to address security. The equipment is easier than ever to use and sometimes goes undetected by the user.
Alston & Bird uses a utility called the Secure File Cabinet, which allows attorneys to post documents to the firm's intranet using encrypted Web communication that requires no extra steps by the attorney. "We wanted to provide an easy-to-use alternative to the clumsy PGP," says Mr. Hokkanen, referring to Pretty Good Privacy, which requires that the sender generate a set of digital keys to lock and unlock a document.
Viruses persist as a threat, especially since employees try to bypass virus protection programs if they require extra steps. Virus protection programs must be installed in such a way that they cannot be skipped in the interest of time, says Mr. Hokkanen.
E-mail is now the mainstay of much attorney-client communication, but it can be difficult to know if a document was received or read. Chicago's Gordon & Glickson is experimenting with "secure, authenticated and trackable e-mail," says attorney Marcelo Halpern. "The system can track the delivery of the e-mail package, time- and date-stamp things, and provide evidence of delivery."
Jones Day is exploring e-mail certification to confirm that the e-mail address to which a document is sent belongs to the person to whom the document is directed, says Mr. Martin, in order to prevent third-party fraud.
Lawyers' demands on the technology will grow, and Mr. Tredennick is excited about the possibilities.
"The new dream is to 'tunnel' into the system" through an encrypted passageway. This would allow mobile lawyers "to access the firm's computer system through a Web browser anywhere in the world," he says.
This article is reprinted with permission from the January 12, 1998 edition of The National Law Journal. © 1998 NLP IP Company.