12 Postema.doc


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

12 Postema.doc

  1. 1. The Wired University: Legal Issues at the Copyright, Computer Law and Internet Intersection Ethics: How to Protect Your Client and Not Commit Malpractice with Your Computer November 9-11, 2005 Miles J. Postema Ferris State University Big Rapids, Michigan I. The Lawyer's Duty of Confidentiality There has been a significant trend towards electronic communication which has led to the legal profession’s adoption of electronics communication technology. The last ten years have brought about substantial changes in the way lawyers communicate with their clients, colleagues, and opposing counsel. Most lawyers now communicate through e-mail as our primary communication medium. We use word processing software to create, edit, share and store documents. However, ethical dilemmas seem to exist around every corner when client information is kept or sent electronically. The digitalization of information, it seems, has expanded exponentially, the consequences of a breach of a lawyer's duty of confidentiality. Entire files can now be inadvertently sent to opposing counsel or other third parties with the push of the “send” button. The ways in which confidentiality can be breached has also changed dramatically. With regard to digitized communication, courts and bar associations often lag behind the technology. A. The Digital Age has brought lawyers and clients many benefits, including increased and enhanced ways in which to transmit and store ever increasing quantities of information. The use of e-mail and other digital methods of communication will only continue to grow in popularity and use. As the use of e-mail and these other methods grow, lawyers need to continue to identify and minimize the associated risks. There can be little dispute that e-mail and the Internet provide the following benefits to attorneys: • It provides for quick communication that may eliminate needless games of phone tag with clients and opposing counsel; • It allows for electronic document transfers; • It allows for access to e-mail away from the office; • It provides more secrecy than some other forms of communication because it is sent directly to the recipient's computer, which often can only be accessed with a password; National Association Of College and University Attorneys 1
  2. 2. • It can be sent quickly to multiple recipients at once with relative ease Given the benefits of e-mail, clients now demand and expect that their attorneys will use it. The latest trends are that it is acceptable to use unencrypted, Internet e-mail as a communication method with a reasonable expectation of privacy.1 In 1999, the American Bar Association published an ethics opinion, No. 99-413, that indicated that a lawyer may transmit legal or client information by unencrypted e-mail without violating the Model Rules of Professional Conduct. A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail. A lawyer should consult with the client and follow her instructions, however, as to the mode of transmitting highly sensitive information relating to the client's representation. The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of 1 There are a number of articles that discuss the use of e-mail by lawyers and whether it violates a lawyer's obligations of protecting confidential communications. David Hricik, Lawyers Worry Too Much About Transmitting Client Confidences by Internet E-mail, 11 Georgetown J. of Legal Ethics 459 (No. 3 1999). Hricik's article reviews the rationale in favor of the proposition that e-mail is no more risky than other forms of communication between lawyer and client. He also concludes that encryption of all e-mail is unwarranted and unnecessary. The sensitivity of a given e-mail may, in certain instances, dictate whether encryption is used. The challenge is in recognizing those situations when encryption might be warranted. There are a number of outlines from materials presented at previous NACUA conferences that also provide excellent overviews and discussion of whether e-mail is an appropriate means to communicate with clients and opposing counsel, and regarding some of the concerns in doing so. For more detailed discussions of this, see Michael Goldstein's article entitled Caveats on Trafficking on the Web which was part of NACUA's 2001 workshop on Web Lawyering; Christine Bates and Michael D. Sermersheim's paper entitled Ethical Considerations of Information Technology presented at the 2001 NACUA Annual Conference; Christine Bates, Michael B. Goldstein, and Michael D. Sermersheim's paper entitled The Possibilities Inherent in the New Technology presented at the 2001 NACUA Annual Conference; Lori E. Fox's paper entitled Attorney-Client Privilege in Cyberspace presented at the NACUA Workshop in March 2000. National Association Of College and University Attorneys 2
  3. 3. communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use. The conclusions reached in this opinion do not, however, diminish a lawyer's obligation to consider with her client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive matters. Those measures might include the avoidance of e-mail just as they would warrant the avoidance of the telephone, fax, and mail. See Model Rule 1.1 and 1.4(b). The lawyer must, of course, abide by the client's wishes regarding the means of transmitting client information. See Model Rule 1.2(a). [Emphasis added] Rule 1.6(a) of the ABA's Model Rules of Professional Responsibility states: A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation . . . Like many commentators before the issuance of Opinion 99-413, the ABA concluded that the Internet poses no more risk of compromising client information than sending facsimiles or making telephone calls. Nonetheless, the commentary to the Opinion indicates that attorneys should employ reasonable safeguards to prevent inadvertent disclosure. Even since the Opinion was issued, there are new ways to share information over the Internet that have spawned new security risks that lawyers should consider (Microsoft’s NetMeeting, instant messaging). Many of these new ways of sharing information involve or rely upon the storage of information on third party servers. 1. There is a growing body of ethics guidance for lawyers exploring the reaches of the digital information superhighway. Increasingly, Bar Associations are issuing opinions dealing with digital ethics issues. Despite the issuance of new opinions, guidance in this area will always lag the technology. A lawyer, particularly in the public higher-education setting, should review state law of privilege and waiver, as well as state open records/freedom of information statutes since these will, in National Association Of College and University Attorneys 3
  4. 4. some cases, impact the analysis of how and when to use electronic communications. (a) Most, if not all states have ethic rules that require lawyers to protect confidential client information, although the scope of the term "confidential" often varies by state. (b) Most states define confidential information to include not only privileged information, but all the information relating to the representation received by the lawyers as a part of the representation. (c) The definition of what is confidential is purposely and extraordinarily broad. The information need not be a "secret" for it to be confidential under most state rules. It can include public information learned by a lawyer in the scope of a representation. 2. There can be no dispute that even though the duty may vary by state, all lawyers must take reasonable steps to ensure that confidential client information is not disclosed to third parties, nor misused by the lawyer or his/her staff. Breach of the lawyer's duty is likely to lead to money damages, forfeiture of fees, or disciplinary action, or a combination of the three. II. Some Practical Steps to Ensure Confidentiality of Information2 A. Limiting third party access to your systems. In the course of computer systems maintenance, law firms and in-house legal offices routinely allow third parties like software consultants and equipment specialists to have physical or virtual access to their systems on which client confidences are stored. These third parties are often strangers to the privilege and do not have a duty of confidentiality to clients. 1. You should obtain agreement of these third parties that they will respect the privilege and protect confidentiality. Permitting third party access is not an ethics violation as long as the obligation of confidentiality is maintained. 2 In addition to the following suggestions, Michael Goldstein offered the following suggestions in his paper on Web Lawyering: (1) discuss the risks of electronic communications with clients at the outset of an engagement and obtain informed consent to the use of electronic communications; (2) discuss the issues surrounding inadvertent waive of privilege that might arise from the use of electronic communications; (3) make the client aware of the way electronic communications are stored on your own servers and other servers; (4) in complex transactions agree up front for the return of confidential information if inadvertently disclosed or misdirected; (5) employ effective encryption software and limit a recipient's ability, in some instances, to copy, print or forward messages; (6) ensure that passwords remain confidential and change them frequently; (7) implement a record retention policy pertaining to and including electronic communications; (8) in some instances, avoid delegating the transmission of sensitive materials or communications. National Association Of College and University Attorneys 4
  5. 5. 2. In its opinion addressing virtual access to computer systems, the ABA Committee on Ethics and Professional Responsibility advised: A lawyer who gives a computer maintenance company access to information in client files must make reasonable efforts to ensure that the company has in place, or will establish reasonable procedures to protect the confidentiality of client information. Should a significant breach of confidentiality occur, the lawyer may be obligated to disclose it to the client. (Formal Opinion 95-398 (1995)). The ABA went on to note that ". . . a lawyer might be well-advised to secure from the service provider in writing . . . a written statement of the service provider's assurance of confidentiality. (Formal Opinion 95-398 at p.2.) 3. This issue also arises when information is stored with a third party such as an application service provider, computer consultant or vendor. If you have given these consultants or vendors the right to access your system, virtually or physically, you should determine whether to match their confidentiality obligations to your own. B. Preventing unauthorized access to your system. In order to prevent third parties accessing your system, you should consider additional safeguards or precautions. 1. The courts that have addressed e-mail and website security have noted the presence of password protection as a key factor in finding that stored data to be considered confidential. Even information that is stored on the web or with an Internet service provider may be deemed confidential if log-on and password protection is employed. Some courts have addressed the importance of using e- mail and website security and noted the presence of password protection as a factor in their decisions. See United States v. Maxwell, 43 Fed. R. Evid. Serv. (Callaghan) 24 (U.S.A.F. Ct. Crim. App. 1995) (e-mail was covered by Fourth Amendment from unreasonable search and seizure where it was protected by log- on name and password); Konop v. Hawaiian Airlines, Inc. 236 F.3d 1035 (2001) (stored wire communication act protects information stored on a website that uses log-on and password protection). Other courts have held that documents are not privileged when available on the Internet on a publicly accessible site. Castano v. American Tobacco Co., 896 F. Supp. 590 (D. La. 1995). 2. Every computer that stores or provides access to client confidences should have password protection in place. (a) Good password protection should include the following: National Association Of College and University Attorneys 5
  6. 6. (i) Users should select appropriate, secure, nonobvious passwords. Passwords should be at least six to eight characters long and contain letters plus numbers or other nonalphanumeric characters. Also, users should never leave their passwords written down near their computers. Employees often write passwords down on post-it notes and stick them on their computer monitors or somewhere close to their computer. Take a random walk around your office to see whether your employees have passwords exposed in their area or on their monitor. Employees may also use their names as passwords and log-ins. In some cases, employees never change the supplied default passwords. (ii) If you have to write down your passwords to remember them, write them out in a way that they must be translated. (iii) Do not share your passwords with others. When others have your passwords they have control and access to your computer. (iv) Do not use the same password for all of your log-ins. Doing so ensures easy access to your system when they know that one password. Use different passwords for different programs and accounts particularly sensitive applications like network log-in or bank accounts. (v) Change your passwords frequently. You should change important passwords every sixty to ninety days. (vi) Do not store your passwords in a Word file or a calendar file on your computer. Often users store all of their passwords in a Word file or other file on the computer. Some users even name the document with the word “password” or some derivation of it. (vii) Do not let your browser store or remember your passwords. This makes your passwords accessible to anyone that has access to your system. (b) Create and use strong passwords. Use passwords that are difficult to guess or figure out. Over time, password-cracking tools can crack any password, but using strong passwords can take months to crack. For a password to be “strong” it should: • Be eight or more characters long; • Contain uppercase letters, lowercase letters, numerals and symbols; National Association Of College and University Attorneys 6
  7. 7. • Not contain your first or last names, mother’s maiden name, birth date, nor your children or pet’s names; • Not use a common word, name or phrase; • Be different than other passwords you are using. Think of your passwords as the “keys” to your computer and properly secure your office and client data and information. (c) Institutions should monitor their employees' password usage. (d) Every computer in your office should be configured to require a password upon start-up. You should also consider activating a password-protected screensaver. All versions of Windows contain password protection with the screensaver. (e) Consider encryption of sensitive files. Most software products permit you to password protect your documents. C. Safeguard against physical theft by locking down and protecting your data. Today, data exists in electronic form in a number of different places both inside and outside your office. In light of the compact size, light weight, and file storage capacity of devices such as PDAs, handhelds, and notebooks, computers present even greater risks in terms of physical theft. PDAs and laptops contain large amounts of confidential personal and confidential information. Their portability easily lends them to theft and loss. Often an office’s security measures fail to consider issues that arise with regard to portable computers and devices. 1. Laptop theft is one of the leading causes of computer security breaches. Weekly, there are reports of stolen laptops containing thousands of social security numbers or other sensitive data. Over 2,000 computers are stolen every day. A computer is reported stolen every 43 seconds. One out of 14 laptops is either lost or stolen. Approximately 57% of corporate crimes are linked to stolen laptops.3 Do not leave your laptop unattended. Consider using a bag or briefcase that does not look like a laptop bag. • While going through security keep your laptop in sight. • Do not place your laptop on the floor. It is easy for someone to pick up your laptop and disappear into the crowd. 3 Yevics, Patricia, Tidbits and Bytes, Maryland State Bar Association, Law Office Management Articles (August 2003). National Association Of College and University Attorneys 7
  8. 8. • Do not check your laptop with your luggage at the airport or at your hotel. It should always travel as a carry on. • Tape a business card to your laptop and the case to make it easily identifiable. Often laptops and cases look alike and it is easy to pick up the wrong laptop. • Use password protection for your laptop. If your laptop contains sensitive data consider using encryption. • Backup your laptop’s hard drive in case it is lost or stolen. Carry or store the backups separately. A backup will be of little value if it is stolen or lost with the laptop. 2. Attorneys and employees that use notebooks and PDA's need to be advised on securing the information contained on the device. Some programs such as CompuTrace (www.computersecurity.com/computrace/index.html) are available that once installed on a notebook computer, will periodically and surreptitiously phone a center and report the device's identification number and location. Two sites provide you with a number of options to minimize the chance of having your laptop or PDA stolen. The two sites are www.computersecurity.com and www.worldsecuritycorp.com. 3. You may wish to provide a tag indicating that if someone reports finding your device that person will receive a reward and Federal Express will pick up the device at no charge. One such service is e-tagit (www.etagit.com). If you buy this service, you will get a tag that you can place on your PDA. If it is lost, then the service arranges for Federal Express to pick it up and send it back to you. 4. There is no opinion indicating that lawyers that use these devices have an obligation to safeguard the device using these types of systems. However, it might be worth considering given the low cost of the precaution versus the expected risk of loss. 5. There are products that encrypt the data on PDAs. Some products used include: PDADefense (www.pdadefense.com); PDASecure (www.trustdigital.com); SafeGuard PDA (www.safeguardeasy.com). 6. USB drives, thumbdrives or flashdrives have become quite common. Their size, ease of use, and storage capacity has not only made them popular but also made them the perfect tool to easily and quickly steal data. Also, they are easy to lose or misplace. National Association Of College and University Attorneys 8
  9. 9. D. Protecting against viruses and hackers.4 Viruses and hackers can destroy or damage sensitive client files on your computer. Some viruses allow third parties to examine stored files or randomly e-mail stored files to third parties. Virus protection should be maintained on each computer in your office or firm. Viruses are here to stay and if you have not been hit yet at some point, you will be. 1. Safeguard your system by establishing policies to reduce the risks to client confidences presented by viruses and hackers. Consider these steps: (a) Install and run reliable virus detection software; (b) Regularly update your virus definitions so your software can recognize the latest viruses (ideally weekly or even daily); (c) Place a secure firewall between your computer and the Internet; (d) Do not open e-mail attachments from unknown senders; and (e) Routinely scan all e-mails with attachments. 2. Again, no ethics opinions state that lawyers must use these kinds of methods or similar procedures. However, in light of their availability and relatively low cost, a client whose information is compromised would have little difficulty convincing an ethics panel that these are reasonable steps to protect sensitive data. 3. If you have a cable or DSL connection to the Internet you should install firewall software such as Black Ice Defender, Zone Alarm, or Norton Personal Firewall. 4. In addition to antivirus protection it is also important to provide some protection from spyware which is generally software installed without the user’s knowledge, that monitors or controls the computer. Spyware can present a series of problems from slowing down your computer to totally compromising security. Threats to security are currently changing with new viruses and worms appearing daily. Information about current threats is available from sources such as CERT (www.cert.org), the SANS Institute’s Internet Storm Center, (http://isc.sans.org), Security Focus, (www.securityfocus.com), and Microsoft’s Security Homepage, (www.microsoft.com/security). Spyware software includes: Spybot Search and Destroy (www.afernetworking.org); Spy Sweeper (www.webroot.com); Ad-aware (www.lavasoftusa.com); SpywareGuard (www.javacoolsoftware.com). 4 In its 2001 Legal Technology Survey, the ABA reported that more than 13% of the law firms that responded, reported having been hacked in the previous year. National Association Of College and University Attorneys 9
  10. 10. 5. In addition to the basic security steps set out here, you should consider additional steps such as intrusion detection, network monitoring, security audits, and penetration testing. 6. Some browsers are more prone to viruses, spyware, and malware than others Your first line of defense is your browser. Which browser you use can have much to do with how much time you spend ridding your computer of bugs. Microsoft Windows and Internet Explorer are subject to viruses and malicious attacks. One alternative is to use a more secure browser such as Firefox (www.mozilla.org) Firefox is gaining a larger share of the browser market every day. E. Ensure that information is deleted from your computer before it is sold, transferred, or given away. Computers make it difficult to get rid of data and simply deleting files is not enough. Deleted files can often be found in the trash or recycle bins, temporary files, cache files, history files, cookies, word processor back-up files and back-up tapes and disks. Programs to erase data from hard drives can be purchased for as little as $50.00.5 Even when the hard drive is wiped, it may be worthwhile to physically destroy the hard drive. You might consider retaining the internal hard drive from the computer of a departing employee particularly where there may be an issue regarding the person’s termination or discharge. Nonetheless, delete utilities or wipe tools will not remove material from archival media such as back-up or archival tapes. Also, recipients may still have copies of transmitted documents. Do not forget to shred CDs or DVDs with sensitive client information. F. Lawyers in firms and University legal departments should consider implementing electronic use policies and further educate lawyers and staff as to the realities of usage of the computer.6 Such policies might consider the use of e-mail and the consequences of misdirected e-mail. Another consideration might be the potential consequences of sending documents to adversaries and third parties without stripping metadata or converting to a format free of metadata. Faxing documents might also avoid work product being seen by third parties. A College or University computer/e-mail use policy may not be sufficient to include the specific or special risks found in a law office environment, and so while they may offer a starting point, you may want to add provisions tailored to your specific setting and needs. G. Data backup. It is not a matter of “if” but “when”. Sooner or later you will suffer a hard drive failure or infection. Hard drives are complex electronic devices and are subject to failure. You should make back-ups of critical information. Backing up your files is something every lawyer should consider and do. There are a number of systems and software/hardware packages that will make backups automatically. 5 One such program is BCWipe (www.bcwipe.com). BCWipe uses military grade procedures to erase files from a hard disk. Another potential solution is to retain your hard drive rather than discard or donate it. 6 Natalie Hanlon-Leh, Acceptable Use Policies: Managing your Internet, Computer and Security Risks. National Association Of College and University Attorneys 10
  11. 11. Backing up your data on a regular basis may be your most important office procedure. A good backup system includes automatic backup software, a good storage device or medium, and a plan to make sure it runs properly. Good backup practices include the following: 1. Do full backups. Full backups are better than partial backups. Having everything that was on your hard drive is better than missing critical files. 2. Do regular test restores. Backup logs may report a successful backup when something was missed. You must test your backup to ensure that it will restore properly when and if needed. 3. Do backups as often as reasonably possible. Backup hardware and software can now backup an entire hard drive within hours and backups can be set to run automatically. Daily backups will ensure that your backup is as up to date as possible. 4. Review your backup logs. Most software programs create a report when the backup is finished. The report will show what was backed up and whether there were any problems with the backup. 5. Consider offsite storage. At least one backup should be kept offsite or in online storage. If there is a fire or theft you may lose all of your onsite backups. There is a growing number of services that will permit you to store your backups online. 6. Remember to backup data on other devices including desktop computers, laptops, and PDAs. 7. Create a policy for backing up critical data. When and wherever possible, you want to ensure that backups are done without fail. You can backup your files on CDs, DVDs or some other type of removable storage device. For about a dollar per gigabyte, you can purchase small portable external hard drives with large capacities of 300 gigabytes or more. These are easy to use via a USB port and you can copy your data generally in less than three hours. Most come with backup software that will allow you to backup the contents of your entire hard drive with the push of a single button. Some backup solutions include: @Backup (www.backup.com), Data Protector (www.onlinebackup.connected.com, IBackup (www.ibackup.com), and Iomega Istorage Online (www.iomega.com/istorage/). To back up files to CDs or DVDs you should use backup software. One such application is Backup Now. National Association Of College and University Attorneys 11
  12. 12. III. Securing E-Mail A. Do lawyers worry too much (or not enough) about transmitting confidences via the Internet? While many have focused on interception, it is misdirection which is most likely to cause disclosure of confidential information. Ten or twenty years ago, when lawyers or their assistants were typing names and addresses onto envelopes by hand, once in a while, the materials were inserted in the wrong envelope and sent on to the wrong person. Now, faxes and e-mails can be sent with a push of a button. Every lawyer has been the recipient of a fax or e-mail intended for someone else or observed one posted on a list-serv or bulletin board. Because of the way that e-mail is routed over the Internet, it is no less secure than traditional methods of transmitting or storing client confidences. B. Whether lawyers worry too much about transmitting confidences via the Internet, some consideration and safeguards are in order. 1. State bar associations generally hold that it is ethical for lawyers to use unencrypted e-mail to communicate with clients. 2. If the material is particularly sensitive, you should consider encrypting the information. 3. A lawyer should determine at the outset whether a client (campus or otherwise) wishes to communicate via e-mail. A lawyer should consider advising his or her clients that the Internet is not completely secure. Also, in-house lawyers and outside counsel should consider dealing with the issue of communicating via e- mail in letters of engagement. Letters of engagement might include a paragraph explaining the form of electronic communications a firm might use and the client could consent to their use or special arrangements noted. C. The biggest concern is not interception but misdirection. Experience suggests that misdirection, and not interception, is more likely to cause disclosure of confidential information. Lawyers should take reasonable precautions to prevent inadvertent transmission of confidential information to third parties and particularly opposing counsel. 1. You should create a policy that no e-mail is ever sent without checking and rechecking to ensure you are using the proper address. Each e-mail address in your computer should include the full name so that you have the right person and not just their address. Beware of “autocomplete” because it may finish your e- mail address with the wrong address. 2. Encrypting e-mail can prevent harm if an e-mail is misdirected. National Association Of College and University Attorneys 12
  13. 13. 3. Encryption of sensitive e-mail is a best practice. 4. Thus far, it does not appear that there are any published cases or ethics opinions based on e-mail interception or third party review of misdirected e-mails. 5. Encryption is not simple and most lawyers and clients do not want to deal with encryption. Most word processing programs do provide some level of password protection and permit you to assign a password to a document during the "save" process. Once password protected, only users that have the password can access and read the document. Password protection does not provide the same protection as encryption, but it can eliminate much of the risk of a third party reviewing attachments as the result of interception or misdirection of e-mail messages. D. Disclaimers. Disclaimers are those ubiquitous statements at the end of the e-mail that appear on many e-mails sent by lawyers. Consider adding the privacy statement at the beginning of your e-mail so that it is the first thing a recipient sees. You might use a text box to set it off from the text of your message. 1. The typical disclaimer looks something like this: Confidentiality/Privilege Notice (Facsimile/e-mail) Form 1 The information contained in this facsimile transmission (including the accompanying pages, if any) is intended only for the personal and confidential use of the designated recipient(s). This may be a privileged attorney-client communication. If you are not a designated recipient or an agent responsible for delivery of this transmission, you have received this document in error, and any review, dissemination, distribution, use or copying is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone or return fax and return the original by mail. Thank you. Form 2 Statement About Privilege This e-mail contains privileged legal advice not intended for any individuals other than listed above. Any other recipient is advised that this information is protected and subject to the attorney-client privilege. Should anyone other than these individuals receive this e-mail, they should delete it and they are requested to inform the sender. Form 3 This electronic transmission contains confidential information from the _____________. This information may be covered by the attorney-client privilege or constitute attorney work product. Information contained in this e-mail is intended solely for the person or entity named above. If you are not the intended recipient of this communication, you hereby are notified that any dissemination, distribution, downloading, or copying of the contents is strictly prohibited and you are strictly prohibited from taking any National Association Of College and University Attorneys 13
  14. 14. action in reliance on the contents of this e-mail. If you have received this communication in error, please notify us by reply e- mail or contact ____________________, and delete this e-mail and destroy all copies. Thank you for your cooperation. These samples are taken from the new NACUA Contract Formbook. 2. There are no published decisions or opinions that indicate whether the use of disclaimers affects the attorney-client privilege. 3. Indiscriminate use of disclaimers may lead a court or ethics panel to question their validity. The use of disclaimers in communications to non-clients may also raise the question of whether the lawyer has an attorney-client relationship with the recipient. Almost all lawyers use some form of a disclaimer, and some firm computers are automatically programmed to add the disclaimer to every e-mail that leaves an office. By claiming an attorney-client privilege with every message, some may argue that the disclaimer is overly broad. In addition to being overused, these disclaimers often appear at the end of the message where they are seen after the message is read. Lawyers should consider e-mail messages as seriously as a memorandum or an opinion letter. While disclaimers are a common practice, a lawyer should not expect them to offer a complete defense in the event they are carelessly misdirected. It may be wise to include a disclaimer at the beginning of e-mails to University clients and to opposing counsel. E. Effective strategies for dealing with an overloaded inbox. E-mail has certainly made it easier to communicate with clients, colleagues and opposing counsel. However, as the popularity and use of e-mail has grown in the practice of law, it has become increasingly difficult to manage time and productivity while battling inbox overload. Our clients typically want their answers yesterday and e-mail, to an extent, has exacerbated this desire. Clients sometimes believe that because they can send their request quickly that you can respond equally as quickly. If nothing else, client's expectations and demands have become heightened as the result of facsimiles, overnight mail and now electronic communications including e-mail and instant messaging. The average lawyer probably receives more than 50 e-mails per day including both business and personal e-mail messages. The average lawyer might send another 10 to 30 e-mails in that same day. When correspondence is electronic it lends itself to poor internal procedures and often e- mail never makes it into the electronic file or paper file. There are a number of ways to deal with in-box overload: • As lawyers do with returning telephone calls, set aside times in the day to review and reply to e-mail messages. The temptation is great to review and reply to e- mail messages as they arrive. Resist the temptation. National Association Of College and University Attorneys 14
  15. 15. • Business e-mail messages should be organized and archived using a system that is easy to use (and that you will use) and which will promote electronic and hard- copy archival of important messages related to your files. • Defer non-urgent messages to less productive times. You can forward or delegate some of your e-mail to your assistant or staff for response. • Keep your responses relatively short and create template replies if the inquiries you field involve or concern the same issues. • Know when to use the telephone instead of sending an e-mail. There are some e- mail inquiries that should be responded to with a telephone call as opposed to an e-mail reply. These might be where the e-mail thread will go on and on if additional facts are necessary to reply with an answer. • Keep a good folder system organized by topic or case. You can use your rules wizard to filter e-mail. • Try to keep your inbox “above the fold” filing or deleting messages so that only one page appears in your inbox. • Consider using more than one e-mail address. A primary e-mail for clients, friends and other lawyers, and a backup e-mail maintained with a different Internet service provider. F. Consider using a desktop search tool to index the entire contents of your hard drive. Desktop search tools are available from X1 (www.x1.com), Copernic (www.copernic.com), Google (www.google.com), MSN (http://toolbar.msn.com/), Ask Jeeves (http://sp.ask.com/docs/desktop/), and Yahoo (http://desktop.yahoo.com/). IV. Beware of metadata and prevent metadata from infecting your documents and attachments.7 Sending communications through the Internet affixes them in a tangible form. Each time a document or e-mail is typed on a computer, the computer stores information called metadata (data about data or information about information). Metadata can include over 90 different types of electronically stored data such as dates an e-mail was sent, comments, and e-mail threads.8 A document created in a word processing program and later revised may contain the entire set of changes and revisions or deletions. If the document is created using another document as a form, the trail might contain the contents of the original document being used as a form. Metadata can also include dates of file creation and changes and revisions, file name, location and configuration, and the person or persons drafting, using or accessing the file. It might also include text deleted by simple deletions, track changes, document comments, or document 7 See Jan Sylanski, Threat of Metadata and Malpractice Initiates Problems for Attorneys, 15 Law. J. 8 (2001). 8 Virginia Llewellyn, The Key to Containing Costs: Explosion of Electronic Information, 16 No. 9 Corp. Couns. 6 (2002). National Association Of College and University Attorneys 15
  16. 16. version features. Metadata can be found within the properties of a document or within the actual file data. Some documents will contain a document summary like a profile of the document which might identify the author, the date it was created, date(s) on which it was modified, and the identity of those individuals that edited, accessed or even printed the document. Much of the information contained as metadata may be harmless. However, the dangers of metadata are real and readily apparent. An article on the front page of the October 20, 2000 edition of the Wall Street Journal, entitled, "Beware, 'Invisible Ink' Inside Computer Files May Reveal Your Secrets" related the metadata issue. The article discussed how metadata identified the author of a string of e-mails to the staff of an opposing candidate. According to at least one website, the British Government learned about the consequences of leaving metadata in a document. According to several published (via websites) stories in February of 2003, 10 Downing Street published a dossier on the security and intelligence organizations in Iraq. According to these reports, the dossier was cited by Colin Powell in an address to the United Nations. Apparently, Dr. Glen Rangwala discovered through a review of the metadata contained in the document that it was plagiarized from a researcher from the United States in Iraq. Apparently, the document was published as a Microsoft Word file on the web site.9 Metadata can reveal confidential, privileged or embarrassing information to a third party. On a University campus, this could be in situations involving non-lawyer personnel as well. Metadata could be embarrassing when sending out press releases in the form of Word attachments to an e- mail, drafts of collective bargaining agreements, settlement and release agreements, white papers, and a myriad of human resource documents and agreements. A. Word processing and related programs have built-in tools that provide tremendous processing power but also pose significant problems. Through metadata, you can track the changes made to a document including the author and the date the changes were made. Metadata, visible or not, may accompany the digital file. Often a lawyer will attempt to retrieve metadata from documents received from the opposition. At the very least, a lawyer may learn who last drafted it or find embedded versions of earlier drafts.10 Usually, transactional or general business documents are created by copying an existing document or template which may have been created from yet another document. Documents created using these methods inherit metadata from prior documents. Some firms have suffered embarrassment when clients have discovered that “their” documents were the product of some other client’s documents. B. Lawyers need to consider how and when they use the features of their word processors and consider whether they are allowing comments or tracked changes to accompany a file that is being transmitted via an e-mail.11 If they do not, they may compromise information with third parties when the electronic version of the document is shared with 9 Richard M. Smith, Microsoft Word Bytes Tony Blair in the Butt (June 30, 2003) (http://www.computerbytesman.com/privacy/blair.htm) 10 There are a number of methods for revealing metadata. After opening a Word document click “File”, “Properties”. A review of the General, Summary, Statistics, Contents and Custom tab will show some of the metadata contained within a document. You can also click “Tools”, “Options”, “User Information” tabs. Any time a track changes is made to a document, or a comment is added, user information contained on this tab is read by Word and added to the edit for a recipient to see when the document is shared electronically. National Association Of College and University Attorneys 16
  17. 17. third parties. Lawyers and other University employees should create clean documents free of harmful or embarrassing metadata. Lawyers should avoid the use of "Versions" and "Fast Save" that can leave text in a document in the form of metadata. If a document is not going to be edited by the recipient, consider sending/publishing it in PDF format. C. Fortunately, there are a number of good ways to avoid or strip metadata in your documents. In Microsoft Word, saving a document in rich text format, as an “.rtf” file will eliminate such information. Another effective option is to send the document in PDF format which is a popular option for legal documents. PDF format has become the standard format for distributing documents electronically because it preserves the document’s original appearance and format and minimizes the risk that the document is intentionally or unintentionally altered. Even though the converted PDF document will contain some metadata, like the date the PDF document was created, any metadata contained in the previous converted document will not be transferred.12 Converting a document to PDF format is effective but may not be an effective solution where you need to transmit a document that may need to be edited. There are a number of programs designed to strip the metadata from documents and a review of programs that remove metadata can be found in a recent review in the June/July issue of Law Office Computing.13 Three of the leading products for removing metadata from Word documents are Metadata Assistant from Payne Consulting (www.payneconsulting.com), Workshare Metawall from Workshare (www.workshare.com), Microsoft Hidden Data Remover (www.microsoft.com/download).14 There is at least one free utility that will strip or remove metadata from documents. It is a version of Bill Coan's "field sniffer and remover program." More information and a download of this utility are available at http://woodyswatch.com/util/sniff/. It will locate metadata in Microsoft Office applications that permit placement of metadata. It also places a macro in the tools section of your Office application. You should also turn off the “fast saves” features of your word-processing software. In Microsoft products you can do so by selecting the tabs “Tools”, “Options”, “Save”, and then uncheck “Allow Fast Saves.” D. Another danger of e-mailing documents is that a recipient may alter (intentionally or unintentionally) your document. Recipients of documents in Word format, for example, can change a document before it is executed. 11 According to its website, Microsoft indicates that the following are some examples of metadata that might be stored in a document: your name, initials, company or organization name, the name of your computer, the name of the server or hard disk where you save the document, other file properties and summary information, non- visible portions of embedded OLE objects, names of previous document authors, document revisions, document versions, template information, hidden text and comments. 12 Converting a document to a PDF document will remove most of the metadata. To remove the balance of the metadata (author, subject, etc.), open the PDF file and choose File Properties and delete any text you would like to remove and then choose “File”, “Save As” and overwrite the original file or rename the file. 13 “Disappearing Data”, Law Office Computing, June/July, 2003, pp 41-43. See also http://www.abanet.org/genpractice/magazine/June 2003/protect html. 14 Other metadata removal products include EZClean by Kraft Kennedy and Lesser (www.kklsoftware.com), iScrub by Esquire Innovations (www.esquireinnovations.com), Out-of-Sight by Softwise (www.softwise.net), Field Sniffer (www.woodyswatch.com/util/sniff). National Association Of College and University Attorneys 17
  18. 18. V. Ethics on the Internet. Websites of interest to lawyers regarding ethics and professional responsibility. A. The following is an overview of some Internet sites devoted to or concerning ethics and professional responsibility: 1. American Legal Ethics Library (www.law.cornell.edu/ethics). This site contains the full text or links to the professional responsibility codes of virtually all states. It also includes references to the ABA's Model Code. 2. ABA Center for Professional Responsibility (www.abanet.org/cpr.home.html). 3. Lawyers' Manual on Professional Conduct (www.bna.com/products/lit/mopc.htm). 4. Legalethics.com (www.legalethics.com). Legalethics contains links to articles, rules and information that relates to Internet ethics issues. 5. A Good Lawyer (www.agoodlawyer.com) 6. American Judicature Society (www.ajs.org) 7. Ethics and Lawyering Today (www.ethicsandlawyering.com). Ethics and Lawyering Today is an e-mail newsletter published by William Freivogel and Lucian Pera and provides practical updates for attorneys on ethics rules and other rules that govern the practice of law. 8. Association of Professional Responsibility Lawyers (www.aprl.net) 9. Legal Ethics Opinions Summaries (www.mcguirewoods.com/services/leo) 10. Ethics resources from Findlaw (www.findlaw.com/o1topics/14ethics/index.html). This site contains links to sites concerning legal ethics and practice. 11. Court rules at llrx.com (www.llrx.com/courtrules/) 12. Hieros Gamos Guide to the Practice of Law (http://www.hg.org/practic.html). This site contains a collection of links to resources about ethics and practice. National Association Of College and University Attorneys 18