
November 2000 




Information Security and the Legal Profession: A Beginner's Guide

By Frank P. Andreano

Lawyers increasingly are using computers to store sensitive client information and to communicate with clients. As a result, attorneys have a growing need to protect and preserve electronic information from unauthorized interception.

 

Attorneys traditionally do not embrace technological change with vigor. In fact, we generally lag well behind the business community when it comes to new technologies. As one commentator noted, "Attorneys are most comfortable when conservative. Either they want to do it the old way, or they want to see a herd doing it the new way."1

For example, lawyers in the 1800s were wary of the telegraph as a means of communicating with clients. This "new" technology gained acceptance in the legal community only after the Supreme Court recognized the telegraph as an "indispensable technology" in 1877. The same is true for the telephone.

In recent times, the new technology that challenges the legal community is the computer. In terms of societal impact, the computer is on a par with the railroad, automobile, and telephone. Nonetheless, the legal community has been slow to embrace the computer age, especially when it comes to attorney-client communications.

A major concern attorneys have about computer-based communication is security. Attorneys owe an ethical duty to maintain client confidences. This means that attorneys must take care not to allow others to overhear, record, or otherwise gain access to a client's confidences. Errors can result in a "waiver" of the attorney-client privilege, not to mention disciplinary sanctions or a legal malpractice suit.

The harsh consequences for the lawyer who discloses client confidences, coupled with a general unease with computer technology, have caused attorneys to take a very cautious attitude toward the use of email communications.2

This article explains how to effectively manage data security issues in the hope that attorneys can make better use of information technology while maintaining the high ethical standards that have prompted many to steer clear of computer-based transmissions.

Frank Andreano

Frank Andreano is an associate with the Joliet, Illinois firm of Dunn, Martin & Miller, Ltd. He is a graduate of the DePaul University College of Law and holds an LL.M. Degree in Information Technology from the John Marshall Law School.




How Safe is "Safe"?

One of the most interesting aspects of the Internet is "packet switching."3 In simple terms, once an email message is sent the message is broken into subparts called packets, which may travel through various computer servers before reaching their destination. Once arrived, the packets are reassembled into their original form. The messages are then stored on a system server until retrieved by the intended recipient.

Because messages are broken into packets that travel different routes to their destination, and given the sheer volume of messages carried by the Internet, email messages are relatively safe from interception -- "relatively" because packet sniffing -- i.e., interception during transit -- is possible.4 A more vulnerable point, however, is the computer system that holds the message until it is retrieved by the intended recipient.

Email depends on "store and forward" technology. After a message travels through various computer systems to reach the recipient, his or her mail server makes a copy and passes it on when requested, usually the next time the recipient "logs on."

It is at this point that a message is most at risk.5 System administrators may read the message, or hackers who have gained access to the system may read or copy it. Since messages sent over the Internet are subject to interception both along the way and upon receipt, confidential email messages, without security protections, should not be considered safe or secure. As put by one author, "Email is more like a postcard than a sealed letter."6

Danger Lurks for the Unwary

How do we comply with a client's request for email communication and not compromise our ethical obligations to maintain client confidences? Actually, the answer is quite simple. Numerous companies offer security programs, chips, and services that can be installed and used with ease. Each method of securing computer information has certain advantages, disadvantages, and dangers. A general understanding of each is helpful in assessing the risks involved.

Single-Key Systems
Most commercial word processing and other computer applications have a "password" function. In order to gain access to the file or system, the person seeking access must know the preprogrammed code. So, if a lawyer and client are both using the same word processing program, for example, they could use the password function to "lock" and "unlock" the message.

In practice, the lawyer uses the password to "lock" the message. Then, the lawyer sends the confidential document to the client as an email attachment. Finally, the lawyer calls the client and reveals the password, which the client then uses to "unlock" or read the document with relative security. This process of exchanging dual function passwords is often referred to as "single key" security.

Although password protected files offer greater protection than nonprotected files, they are by no means secure. In fact, computer companies often build weak password systems into their products to help customers who have lost or forgotten their passwords. They also design intentionally weak password systems in order to help law enforcement and detect unauthorized program copying.7

Several computer companies offer programs intended to break the password protection of popular commercial software programs.8

These are effective and popular products that help many people and companies avert data-loss disasters. Unfortunately, hackers can also use them to "unlock" confidential communications.

Public Key Cryptography
How it Works
One of the most popular methods of assuring a high degree of security in computer communications is public key cryptography (PKI). Through a branch of applied mathematics known as cryptography -- the science of transforming all or part of a message into, then back out of, an unreadable or "secret" code -- PKI allows messages to be sent, stored, and retrieved with relative security.

Through the use of a mathematical formula known as an algorithm, two related "keys" are created. One "key" is used for creating a secret message, the other is used to decode and verify the message. These keys are referred to as the "private" and "public" keys.

The "private" key is generally used to transform data into an unreadable or secret code. As its name suggests, this key is kept secret and is known only by its owner. If the owner discloses or fails to keep safe the private key, the integrity of this otherwise reliable system has been compromised.

The corollary to the private key is the "public" key. As its name suggests, this key is not kept secret and can be made available in numerous ways. For example, it can be published in an online directory, held by a certificate authority,9 or posted on a Web site. Access to the public key is important because it is used to decode, and thus verify, the authenticity of a message. If a message coded with a private key can be decoded with the public key, it is said to have been "digitally signed."10

Although the public/private keys are related, it is "computationally infeasible" to derive the private key from knowledge of the public key. Knowing a person's public key is somewhat akin to having possession of their ATM card. Without knowledge of the personal identity number (PIN), the card is useless. The only difference is that digital signature technology employs a mathematical algorithm that makes it nearly impossible to reengineer or guess a private key.

One of the algorithms used in the coding/decoding process is known as the "hash function," which is used in both creating and verifying the authenticity of the message. The hash function algorithm creates a "hash value" unique to each message. If the message is changed, the hash value will be changed. Thus, any tampering with the contents of a digitally signed or encrypted document would be detectable.

In practice, both a lawyer and client could establish, publish, and/or exchange their respective "public" keys. The client could use the lawyer's "public" key to send the lawyer an encrypted message, and the lawyer would then use a "private" key to read the message. Likewise, the lawyer could use the client's "public key" to send the client a confidential message, which the client would decode with a "private" key. The lawyer could also use his or her private key to send the client messages, which the client could decode with the lawyer's public key, and vice-versa.
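
The exchange described above, worked through in code. This is an added example, not part of the original article: it uses textbook RSA with SHA-256 as the hash function, and the fixed primes, sample messages and function names are assumptions chosen for illustration. It also shows that a signature made with the private key proves origin and integrity but does not hide the message, while encrypting to the recipient's public key is what keeps the content confidential.

```python
import hashlib

# Toy textbook RSA, for illustration only (an assumption of this example).
# The primes are publicly known Mersenne primes and no padding is applied,
# so these keys are NOT secure; real software generates random keys and
# uses a vetted cryptographic library.
E = 65537


def make_keypair(p, q, e=E):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # e*d == 1 mod (p-1)(q-1)
    return (e, n), (d, n)


def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the recipient's public key can encrypt to them."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of the matching private key recovers the text."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def hash_value(message: bytes) -> int:
    """SHA-256 hash of the message as an integer (the 'hash value')."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Digital signature: the hash value transformed with the private key."""
    d, n = private_key
    return pow(hash_value(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recompute the hash and compare it with the one the signer sealed."""
    e, n = public_key
    return pow(signature, e, n) == hash_value(message)


def demo():
    lawyer_pub, lawyer_priv = make_keypair(2**521 - 1, 2**607 - 1)
    client_pub, client_priv = make_keypair(2**1279 - 1, 2**2203 - 1)

    # Client -> lawyer, confidential: encrypt with the LAWYER's public key.
    note = b"Settlement floor is 40,000."        # constructed sample text
    sealed = encrypt(note, lawyer_pub)
    opened = decrypt(sealed, lawyer_priv)
    wrong_key = decrypt(sealed, client_priv)      # not the lawyer's key

    # Lawyer -> client, authenticated: sign with the LAWYER's private key.
    reply = b"Received. Call me Tuesday."         # constructed sample text
    sig = sign(reply, lawyer_priv)
    return {
        "opened": opened,
        "wrong_key_reads_it": wrong_key == note,
        "genuine": verify(reply, sig, lawyer_pub),
        "tampered": verify(b"Received. Call me Friday.", sig, lawyer_pub),
        "forged_by_client": verify(reply, sign(reply, client_priv), lawyer_pub),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```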

In addition to securing messages, PKI can also be used to encrypt database programs or any other information stored on a computer. Thus, if properly employed, a computer and its information can be secured with a high degree of confidence. Billing records, trial strategy memos, case analysis memoranda, and all other confidential information may be stored, transmitted, and retrieved with the utmost of security.

To those unfamiliar with PKI, these procedures may sound like a dizzying array of complex steps needed to secure electronic information. Nothing could be further from the truth. As I stated earlier, most major software and computer companies offer very simple-to-install encryption devices and/or software programs. These security measures are generally "step-by-step" programs that require very little technical knowledge to operate. These products are normally designed to make the securing of electronic information a breeze. Just remember, you don't need to be a mechanic to know how to drive a car.


The Downside. Although the security offered by PKI is phenomenal, it also has its downside. As noted earlier, most commercial programs intentionally build weak password protection into their systems. They do this for valid business reasons; clients tend to lose or forget passwords. In a law office, not having access to billing records, stored emails, or other crucial documents can be devastating.

Beyond that, associates, staff, and even senior partners sometimes leave firms on less than friendly terms. If everyone has a "private" key, certain information could be lost forever upon the holder's death or acrimonious departure.

To avoid such problems, many firms are employing encryption technologies with "key recovery"11 capabilities or employing key escrow agents. Key recovery means that lost or unavailable private keys may be recovered by duly authorized personnel. As its name implies, the "key escrow" method involves the use of a "trusted third party" (TTP) to store private keys and only release the keys under appropriate circumstances.

Although key recovery is extremely important, it is equally important for attorneys to understand that the improper use of PKI may result in confidential information being readily accessible to a hacker. For example, suppose you want to send a confidential document to a client. You pull the document up on your computer, and then encrypt and send it. What do you do with the plaintext (i.e., unencrypted) documents on your computer? The delete key does not delete the document from your hard drive; it simply tells your computer that it can "overwrite" the "secret" data you just sent your client.

In short, the data has not been "deleted" but can be recovered and viewed. To deal with this problem, traditional cryptographic software has a "wipe" function that covers the secret file's space on the hard disk with pseudo-random data.
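
A minimal version of such a "wipe" function, as an added example that is not from the original article or from any particular product. The function name, parameters and sample file contents are assumptions of this example.

```python
import os
import tempfile


def wipe_file(path, passes=1, chunk_size=64 * 1024, remove=True):
    """Overwrite a file in place with random bytes, then optionally delete it.

    Returns the number of bytes overwritten per pass.

    Limits: this only rewrites the blocks the file currently occupies. On
    SSDs with wear levelling and on journaling or copy-on-write filesystems
    the old blocks may survive elsewhere, and copies in temporary files,
    swap space or backups are not touched at all.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:             # r+b: update in place, no truncate
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))       # OS-provided random data
                remaining -= n
            f.flush()
            os.fsync(f.fileno())             # push the overwrite to the device
    if remove:
        os.remove(path)                      # only now drop the directory entry
    return size


def demo():
    """Wipe a constructed plaintext file and report what is left of it."""
    secret = b"PRIVILEGED: draft settlement memo\n" * 100   # constructed sample
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    wiped = wipe_file(path, remove=False)    # keep the file so we can inspect it
    with open(path, "rb") as f:
        leftover = f.read()
    wipe_file(path)                          # overwrite again and delete
    return {
        "bytes_wiped": wiped,
        "same_length": len(leftover) == len(secret),
        "plaintext_survives": b"PRIVILEGED" in leftover,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```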

Encryption Hardware. Because encryption software requires the user to properly implement the technology, some privacy experts suggest the installation of encryption hardware as an alternative. Encryption hardware is especially useful for those who use encryption frequently or want to encrypt all data on their computer. ATM machines use encryption chips, as do military and commercial institutions.

Since "encryption boards" are not particularly expensive (starting at approximately $250), and automatically encrypt and decrypt information at rapid speeds, they may be a preferable choice for many firms. Of course, encryption software may also be used in addition to encryption hardware, thus providing an even higher degree of safety and information security.



Is Encryption Really Necessary?

"Who would really want to look in our files?" This is how many lawyers feel about computer security. However, would we feel the same way if we were the client? Would we want wide-ranging access to our divorce file? How would we feel if our lawyer left our information unprotected?

Industrial espionage is a reality. A recent survey of 150 security directors of major corporations indicated that 98.6 percent of their companies had been victims of computer-related crimes. The largest reported increases included thefts of confidential client information and trade secrets from computer viruses and unauthorized computer access.12 If major corporations have been victims of computer crime, there is no reason to think a "hacker's ethic" will save lawyers from assault. Further, most computer crime is committed by insiders, such as office staff and disgruntled employees.13

During the trial of Timothy McVeigh, the Dallas Morning News and Playboy reported that they had obtained a confession that McVeigh had given to his defense attorneys. This fact was widely published, and during voir dire four seated jurors who admitted having heard something about the McVeigh confession were allowed to remain on the jury when they "unequivocally stated that [they] nonetheless could keep an open mind about the case and would adjudicate it on its merits."14 Although it was never established how the information was leaked, there can be no question that having the jury pool learn that your client confessed is not helpful.

Although most attorneys will never handle a case with such intense media scrutiny, we still hold important secrets as trustees. Patent attorneys, trade secret attorneys, and attorneys involved in security transactions often hold secrets worth large sums of money to their clients and their clients' competitors. Divorce attorneys often hold our most personal information and criminal defense attorneys often hold information that could land us in jail.

The loss of control over this type of information could also lead to the loss of the privilege that protects it from disclosure. Paralegals and other law firm employees have been known in the past to sell confidential client information,15 thus exposing the firms to malpractice claims for the wrongful acts of their employees. Therefore, the question becomes what steps the law firms should take to protect themselves and their clients.


Information Security Steps

Technological protections, such as firewalls and encryption, have their limits -- limits usually based on the fact that the human users do not understand the limitations of the technology, or are simply sloppy, or will not allocate sufficient resources to implementing reasonable security.

The most important first step in developing an information security policy is recognizing the need. Ignoring information security or delegating the problem to someone else is no solution. Information security should be a firm-wide process.

It should also be made as easy as possible. This can best be done by making sure everyone in the firm organization, partners included, understands (1) why information security policy is necessary and (2) what steps each of them needs to take, including the following:

Decide on a system. What type of system do you need or want? Do you want all data encrypted, or just selected files? Hardware, software, or both? What do your clients want? If you ask, they may actually have an opinion or preference.
Forbid access to outsiders. Allow no outsiders on the firm computer system.
Test the system. Conduct periodic checks and "white hat" (i.e., friendly) attacks on the system. If no one in the firm knows how, hire an outside firm. You'll never know how safe your system is until it is checked and tested.
Establish good password management. Don't allow posting of sticky notes with the passwords written on them, and avoid passwords that are names or birthdays.
Require key escrow. Everyone's computer and all its files must be accessible to the designated key-escrow agent, whether the user is present, dead, or leaves. Allow no exceptions, and allow no encryption programs for which the firm or escrow agent does not have a key.
Educate. Encryption policies must be understood to be adequately implemented. Make sure everyone has the training they need. Most security breaches occur because of human failure.
Continuously enforce these policies. Information security programs will not succeed if they are not enforced. Setting up an information security program and then forgetting about it guarantees failure. Periodic meetings, training, and policy updates are required. Also, listen to the office staff, secretaries especially. They might have some very good ideas.

Conclusion

If you properly address computer security issues and take adequate care with electronic attorney/client information, your firm can achieve superior information security. As in all other human endeavors, errors will occur. Thus, repetition of security protocols and reinforcement of firm "security" policies through ongoing education are important.

Attorneys are not always the models of sound business practices. We are often too busy, or simply not inclined to think of our practices as businesses that need to follow certain rules. If one of our clients were injured by a business that followed inadequate security protocols we would be outraged. If we objectively judged our own security protocols by those same standards, however, many of us would likely find our measures woefully inadequate.

This should not deter attorneys from using computers. Information security can be obtained and maintained with a little time and effort. With proper safeguards in place, electronic communication and storage of information are a boon to the legal field.


SIDEBAR
Selected Web Resources on Information Security

Law-Specific Resources
llrx.com - One of the leading sources of information about technology and Internet legal research, llrx.com recently published an online email security symposium hosted jointly with the Internet for Lawyers newsletter. The symposium includes links to numerous articles, an online discussion forum, and more: http://www.llrx.com/email/.
lexisone.com - Lexis' new site for sole practitioners maintains a large archive of articles in its "Computer Security Center": http://www.lexisone.com/html/legal_ guide/computer_security center.htm.
law.com - Stay abreast of developments in e-security at law.com (http://www.law.com): under "Practice Centers," click on "Tech Law," then select "security/encryption" from the "choose a practice area" pull-down menu.
Law Office Computing Online - The online version of LOC offers reviews of a few information security products: http://www.lawofficecomputing.com/ (click on "Security").
Recent articles - See "Revisiting the Risks to Client Confidences and Attorney-Client Privilege Posed by Internet Electronic Mail," by Joshua M. Masur, from the Berkeley Technology Law Journal, online at http://www.law.berkeley.edu/journals/btlj/articles/14_3/Masur/html/reader.html. See also "E-mail and Attorney-Client Communications," by Maureen B. Collins, from the September Illinois Bar Journal, online at http://www.isba.org/Member/sep00lj/p541.htm.

General Resources
Electronic Privacy Information Center - The "EPIC Archive" contains a number of articles on computer security: http://www.epic.org/security/.
Internet Security Review - An online periodical devoted to security issues: http://www.isr.net.
ZDNet - ZDNet is a vast store of general computing information. See their Quick Start Guide series (http://www.zdnet.com/quickstart/), which includes a guide entitled "Virus, Security Protection."
The World Wide Web Security FAQ - Maintained by MIT's World Wide Web Consortium ("W3C"): http://www.w3.org/Security/Faq/www-security-faq.html.


An expanded version of this article appeared in the October 2000 issue of the Illinois Bar Journal and is condensed and reprinted here by permission. Copyright 2000 Illinois State Bar Association. You may contact the author at FAndreano@aol.com

Notes

1 Benjamin Wright, The Law of Electronic Commerce 36 (1991).
2 Surveys conducted by the American Bar Association within the past ten years demonstrate that in firms and law departments of various sizes, far fewer respondents report using email for external communications than for internal communications. See American Bar Ass'n, Survey of Automation in Corporate Legal Departments 35 (1993); see also American Bar Ass'n, Automation in Midsize Law Firms 9 (1992), American Bar Ass'n, Survey of Automation in Smaller Law Firms 61 (1995).
3 See Jon Phillips, "How Your Data Snakes Across the Internet," The Net, Sept 1996, at 45.
4 See Frederick B. Cohen, Protection and Security on the Information Superhighway 75 (1995).
5 See G. Burgess Allison, "Technology Update," http://www.abanet.org/lpm/magazine/tu963.html#tag0.
6 See Andre Bacard, The Computer Privacy Handbook, Peachpit Press, 1995, p 61; see also Kenneth S. Rosenblatt, High-Technology Crime, How to Investigate Cases Involving Computers (1995), 126.
7 See Bacard, supra, at 63.
8 See http://pwcrack.com; http://www.lostpassword.com/.
9 See generally, A. Michael Froomkin, "The Essential Role of Trusted Third Parties in Electronic Commerce," 75 Ore L Rev 49 (1996). A certificate authority (CA) is a trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be.
10 On June 30, 2000, President Clinton signed into law S 761 (now PL 106-229), the Electronic Signatures in Global and National Commerce Act. The act is designed to clarify the legal validity of electronic contracts, signatures, notices, and other records.
11 Key recovery is proposed by law enforcement officials concerned that encryption would prevent surveillance of criminal activities. See generally, Ernest T. Patrickis & Stephanie Heller, "The Government's Role in Electronic Commerce: A Review of the Clinton Administration's Framework on Global Electronic Commerce," 18 Ann Rev Banking L 325 (1999). For examples of encryption technologies offering key recovery see http://www.RSA.com.
12 See Brian S. Akre, "On-Line: Snoops, Thieves Lurk Around Corporate Computers," Morning News Trib (Associated Press) Nov 1, 1995 at A12.
13 See Catherine Therese Clarke, "From CrimINet to Cyber-Perp: Toward an Inclusive Approach to Policing the Evolving Criminal Mens Rea on the Internet," 74 Ore L Rev 191, 222 (1996) (stating that approximately 80% of computer crimes are committed by insiders).
14 See United States v McVeigh, 153 F3d 1166 (10th Cir 1998) at 1184.
15 See generally Thomas A. McGrath III, "The Rise and Fall (and Rise?) of Information-Based Insider Trading Enforcement," 61 Fordham L Rev S127.