Commission on Law & Technology
|Working Group||Basic Skills|
|Topic||Basic Technology Decisions: Operating Systems and Hardware|
|Date of Publication||March 27, 2014|
|Summary||This paper is the first in a series of papers prepared by the Basic Skills working group of the Commission on Law & Technology intended to address leading practices relating to basic technology skills and decisions. The discussion here is primarily intended for solo and small firm practitioners or other lawyers who make their own technology purchasing and implementation decisions without the benefit of extensive in-house or outside IT support. This paper focuses on how basic technology decisions relating to the operating system and hardware might implicate obligations under the Rules of Professional Conduct.|
|Applicable DLRPC (Rules)||1.1, 1.4, 1.6, 4.4|
Disclaimer: The purpose of this leading practice is to provide the Delaware Bench & Bar with an understanding of an appropriate manner in which this technology may be used. There may be more appropriate uses; and the leading practice discussed might not be appropriate for a specific purpose. It is up to the individual to use well-reasoned judgment in making that decision. The Commission is not responsible for the consequences of the decision-making process.
Law Firm Usage of The Cloud
I. TECHNOLOGY IS A FUNDAMENTAL PART OF THE PRACTICE OF LAW - LIKE IT OR NOT.
It is impossible to practice law in Delaware today, or even to become a lawyer, without a basic understanding of how to use technology. To become a lawyer, an electronic application must be filed, and although not required, most bar examinees complete the Bar exam on a computer using approved software. 1 The Board of Bar Examiners is in the process of converting its grading and review process to an all electronic format. All Delaware courts, except the Family Court, offer or require filings to be made electronically and therefore lawyers must have an email address in order to register and to receive service of documents. 2 The Commission on Continuing Legal Education now requires that CLE transcripts be certified on-line. 3 All annual registration statements with the Delaware Supreme Court and pro hac vice renewals must be filed electronically. In other words, some of the most basic tasks required to become and remain a lawyer now require the use of technology. Lawyers who say that they will retire before the practice of law reaches the stage where they must learn to use technology to practice... should have already retired.
Consistent with the increasing role that technology plays in the practice of law, the Delaware Supreme Court by Order of January 15, 2013 amended the Delaware Lawyers' Rules of Professional Conduct specifically to address, in part, ways in which technology is transforming the practice of law. 4 The amendments were prompted by and patterned on a series of proposals formulated by the ABA's Ethics 20/20 Commission. The major changes that relate specifically to technology include:
- The comments to Rule 1.1 of the Delaware Lawyers' Rules of Professional Conduct regarding competency were amended to provide that a lawyer should "keep abreast of changes in the law and its practice, including the benefit and risks associated with relevant technology...".
- Changes to Rule 1.6 and the comments to that section require a lawyer to make reasonable efforts to prevent inadvertent or unauthorized disclosure of or access to information relating to representation of a client and are directed primarily at the risks posed by storage and dissemination of information electronically.
- Various changes to the Rules make explicit that the Rules applicable to lawyers' conduct relating to records and communications apply equally to records and communications that are in electronic form, and also that such Rules apply to information that is unique to electronic records, e.g. metadata (Rules: 1.1 cmt. 9; 1.4 cmt. 4; 4.4(b) and cmt. ).
- Other Rule changes address potential issues arising from client development and marketing through internet and electronic communications (Rules: 1.18; 5.5 cmt ; 7.1 cmt ; 7.2 various cmts; 7.3 cmts.  - ). For information relevant to those topics, readers are referred to the "Social Media" Leading Practices section.
This paper addresses some very basic decisions relating to hardware the implementation of technology and how those decisions may impact lawyers' abilities to comply with their professional obligations. Future papers will focus on software and basic security issues.
II. OPERATING SYSTEM- PC or MAC: COMPETENCE AND CONFIDENTIALITY
The most fundamental question a lawyer must answer when implementing technology in his or her practice is Windows or MAC? A lawyer implementing technology must be able to competently use that technology. If the lawyer cannot use the technology reasonably efficiency, he or she risks incurring time inefficiencies that can lead to mistakes in work product, missed deadlines, and additional stress. There are also differences in the vulnerabilities of each system that should be considered in order to comply with the obligation to take reasonable steps to prevent unauthorized access. Questions to consider when making this choice are:
A. What are you familiar with? While the distinctions and barriers to switching between PCs that use Microsoft's Windows operating system and Macs which use Apple's operating system have diminished over the years, the learning curve time to learn one system when you are already familiar with the other is still significant. Unless there is a specific reason that you seek to switch from one to the other, or you are committed to spend the time necessary to become familiar with a new operating system, stick with what you know (a/k/a. if it's not broke, don't fix it).
B. What do your friends use? One way that all users deal with questions about how to use technology is to ask colleagues, co-workers and friends. If your circle of informal technology consultants consists of all Windows users, that weighs heavily in favor of Windows. Additionally, Windows is used by far more lawyers and businesses than are MACs. Thus, the clients and colleagues with whom you interact are more likely to use Windows. On the other hand, if you have a circle of friends, colleagues and clients who are MAC users, you should consider an Apple. If you are not technology savvy and therefore lean on others to answer questions, buy what they know.
C. Are there specific programs that you use or want to use? If you currently use a program that is integral to your practice or have discovered a program that you are committed to implementing, make sure such program is available for whatever operating system you intend to use and that there are not significant differences in the look and feel of the MAC and Windows version of the program.
D. Confidentiality: Susceptibility to viruses and hackers. 5 In the paper world, protecting against unauthorized access to or tampering with your files was as simple as making sure they were in a physically secure location in which access was limited primarily to those who needed access. In the virtual world, the concept is the same, lawyers must take steps to keep their electronic files in secure locations with limited access, but the implementation is much more difficult. It is more difficult because (i) lawyers know how to determine if someone was trying to break into their file room, but lawyers do not know how to determine whether someone is trying to break into their computer, (ii) unlike file rooms, computers have a constant, direct two-way hallway (the internet connection) through which outsiders and insiders communicate but the outsiders are communicating from a private location and there may be no easy way to identify their presence, and (iii) most lawyers understand how a lock and key works, but they do not understand how the security features on their computers work. Both Windows and MAC operating systems can be adequately secured and thus confidentiality concerns are probably secondary to competency issues in choosing an operating system. Still, it is helpful to have a sense of the differences when choosing your system.
In general, Macs tend to be subject to fewer viruses for a combination of reasons, including: (i) newer Macintosh operating systems is built on the Unix kernel, which is one of the oldest and most secure operating systems available; (ii) Microsoft Windows is used by a lot more people than the Apple Mac OS. Because more people use Microsoft Windows, it is a much better target and makes it easier for viruses to spread; (iii) most of the computer virus writers are more familiar with the IBM platform and Microsoft Windows, which means it is easier for them create a virus for that platform, and (iv) many of the tools, scripts, and code used to create viruses or other malware are designed for Microsoft Windows. On the flip side, because Windows has been the target of more attacks in the past, there are a greater number of products available to help protect against outside attacks on Windows. Norton and McAfee are two of the better known makers of such products. The MAC operating system however is generally just as susceptible to security breaches by virtue of "plug-ins" or "add-ons" which are pieces of software created by companies other than Apple. Most reported attacks to Mac computers have been through web browsers (such as Google Chrome or Firefox) or plug-ins such as Adobe Reader, Adobe Flash, or Oracle's Java which are added to web browsers to allow content on the internet to display and function properly. Macs are also equally susceptible to "Trojan Horses" or "phising" programs that are designed to secretly and fraudulently obtain information from a victim's computer but rely on the person using the computer to inadvertently install them in the first instance.
Some commentators suggest that the less frequent incidence of viruses and attacks aimed at Macs make them a better choice while others suggest that because Microsoft and other third parties have had to develop protections against the more frequent attacks on Windows that a more sophisticated and fully-developed set of security measures exists for Windows making it more secure. The latter theory posits that Apple is less prepared to deal with attacks on its systems should they become more frequent and sophisticated in the future. The point here is that to satisfy his or her professional obligations, a lawyer needs to consider what additional steps may be required to reasonably secure clients' information from inadvertent access or disclosure based on the operating system selected. Basic technology security will be addressed in a subsequent paper and is addressed in greater detail in the Data Security and Mobile Technology Leading Practices.
III. BASIC HARDWARE CONSIDERATIONS
A. Desktop and Laptop Considerations
Basic decisions relating to the type of computer used and the set-up of that computer can also impact a lawyer's compliance with the obligation to preserve the confidentiality of client information. When using a desktop computer (i.e. a computer that resides in one location; typically on the lawyer's desk) some basic steps should be taken to help prevent inadvertent disclosure of client information.
1. Location. For desktop computers, the computer monitor should not be located where persons in a publicly accessible area can easily see the contents on the screen. For example, the receptionist's monitor should not be placed so that persons in the reception area of a law office can view its contents over the receptionist's shoulder. Likewise, if a secretary or paralegal workstation is located in a hall-way or area that clients or visitors regularly access, they should be positioned so as to limit the ability of non-employees to view them. . Leaving a document visible on a computer screen in an area that is publicly accessible is the equivalent of leaving a paper document laying on the desk or table.
2. Passwords/Automatic Screen Lock. All computers should be password protected in two ways. First, the user should be required to enter a password when the computer is first turned on. Second, if the computer is not used for a period of time, a user should be required to re-enter his or her password to resume using the computer. Passwords are particularly important for laptop computers because of the risk that the laptops can be lost or stolen. The period of time before the computer locks due to inactivity should be short to avoid the risk that if the laptop were to be lost or stolen, the person who finds the computer cannot access it and change the password before the computer automatically locks. Users should be encouraged to lock their screens (which can be accomplished though simple key-strokes) anytime that they walk away from their computer in addition to setting the computer to automatically lock after a period of inactivity. 6
B. WiFi Equipment.
A WiFi network allows lawyers to access their computer network or internet wirelessly from their laptop, tablet or smart phone. A WiFi network consists of a wireless router, and if the space in which it is located is large, perhaps additional "access points" which act as antennas to send and receive signals from wireless devices such as laptops, cell phones and table computers. The main issue when implementing WiFi hardware is to select hardware that runs on the most current WiFi standard possible. While there are some other options that are beyond the scope of this paper, the most prevalent WiFi standard as of the date of this paper is the 802.11 standard. There have been various iterations of this standard which have included 802.11a, 802.11b, 802.11n and 802.11ac. Equipment that utilizes the older standards can often be purchased more cheaply than equipment that supports the newer standards and may be adequate, but such older equipment sometimes does not support that most recent security standards.
A WiFi network typically will send its wireless signal beyond the wall of the office where it is located. Someone in the street outside your office can detect your WiFi network on their devices, and correspondingly attempt to hack into it while sitting in their car or other location near your office. Therefore the main concern when selecting WiFi equipment is to make sure that it supports WPA2 (Wi-Fi Protected Access) or its predecessor, WPA, security as opposed to the older and less secure WEP (Wireless Encryption Protocol) security. WPA2, WPA and WEP are all protocols that "encrypt" the information that is sent and received over a WiFi network. 7 Then, make sure that you actually implement the WPA or WPA2 security. Most WiFi devices what support WPA will also allow users to choose to use WEP instead.
If you intend to allow visitors to your office to access your WiFi network, it is advisable to set up a second "guest" network. Typically, such a "guest" network provides visitor with internet access but it is walled-off from your computer network itself by certain security measures. Creating a "guest" network does not require additional hardware. It runs on the same router and access points as your primary network. When acquiring hardware, make sure that it supports and will run multiple WiFi networks if you want to create a "guest" network.
Wi-Fi interception can also be inhibited by use of what is known as a VPN client. A VPN client or service automatically encrypts all network traffic flowing in and out of a given device and thereby disallows interception of your data. These are more secure than WPA encryption but also are less flexible and can be more cumbersome to set up and use.
When outside of your office and accessing public WiFi networks with your laptop, tablet or phone lawyers should be cautious in the information sent over such networks. As a general rule, there is no way to encrypt the information that you send and receive over public Wi-Fi networks so you should not transmit confidential information over such networks.
C. Discarding Hard Drives, Printers and Copiers .
All computers and many other technology devices, including printers, scanners and photocopiers, contain "hard drives" on which information is stored. A concern arises when devices containing these hard drives are discarded or returned to vendors from whom they were released. All information that was added to those hard drives during their life remains on those drives unless removed. Removing such data requires more than just accessing it with your computer and "deleting" it. Even when files are deleted from hard drives, the information typically remains on the disk; it is just more difficult to locate. However, persons with adequate technology skills know how to recover the data. In the case of copiers, images of all the documents copied on that machine typically remain on the hard drive. Thus, if a copier is returned at the end of the lease or re-sold without taking steps to wipe all information from the drive, the recipient of the copier is also receiving electronic copies of all the documents copied or printed on that machine. A recent example of this type of problem involved a medical insurance company that settled claims for violations of HIPAA because it failed to adequately protect information contained on its copiers. 8
D. File Back-Up: External Drives or Cloud?
Hardware, although generally reliable, still breaks down sometimes. Even the most diligent computer users can occasionally lose data. Sometimes data loss is accidental, other times it's due to malware or physical device failure. Electronic storage devices are complicated devices with thousands of components and should any one of them fail, the data could permanently be lost. Viruses and malware often spread their infection beyond just the original infected device by progressively downloading more advanced viruses or malware. As a result, some malware infections cannot be fully eradicated without a fresh installation of the operating system which will result in the loss off most or all data on the hard drive of the infected computer or device.
Lawyers never want to be in a position where their notice of appeal is due today and their computer crashes or their file becomes corrupt and they have no alternative was to access it. Thus, in purchasing and acquiring hardware, lawyers must consider how to provide redundancy meaning that if one computer or drive fails, there is another method for accessing needed information. There are several options to accomplish this.
1. Back-Up to an External Hard Drive. One option is to have a copy of your files copied onto a hard drive in addition to the one that resides inside the computer itself. These are typically referred to as external hard drives, jump drives or USB drives. External hard drives are cheap and very easy to implement. If used, they should be set up so that files from the lawyer's computer are automatically copied to the external drive. If a lawyer relies on his own diligence to manually copy files there is significant risk that files will not be copied regularly or files will be missed. External hard drives are relatively secure from hackers since they are physically housed in the lawyers' office provided that the lawyers' internet network itself is secure from intrusion. The most significant risk for an external hard drive is that if the lawyers' office or building is destroyed in a fire or other disaster, both the computer hard drive and the external hard drive are likely to be destroyed. Thus, if using external hard drives as a back-up method, it is advisable to use several drives, rotate them and store some of them off-site.
2. "Cloud" Back-Up: Attorneys more frequently use "Cloud" storage to back-up and in some cases to store their computer files. Cloud storage services such as DropBox, SkyDrive, Sugarsync and iCloud make files accessible from anywhere on any Internet-connected device. However use of Cloud services raise ethical considerations for data security. There are many services that offer Cloud storage. The better-known ones typically contain reasonably strong security protocols. Still, there have been incidents where data housed by the Cloud service providers has been hacked. Thus, in addition to checking what security the Cloud service provider itself utilizes, a lawyer utilizing such a service should implement systems on his or her end to make sure that all files are password-protected and encrypted. Uploading only protected files to the Cloud significantly impedes the ability of a hacker's to access confidential data should they successfully compromise your Cloud account. 9
In order to protect your own and your clients' data it is important to maintain frequent, quality backups. The cost of many backup programs and external media has dropped significantly so this should not be an inordinate expense. If you ever become the victim of malware, disaster or other device failure, backups may save you from unpleasant conversations with your clients and the Office of Disciplinary Counsel.
E. Telephone Services
There are two types of wired telephone services currently available: POTS (plain old telephone service) and VOIP (voice over internet protocol). The fundamental difference is the POTS lines transfer signals over copper telephone lines whereas VOIP systems transfer signals over the internet. POTS lines have been around for years and are very secure. Tapping into a POTS telephone line requires use of a mechanical devise actually attached to the phone or phone line. VOIP systems have become popular in recent years because they can be significantly cheaper and permit much more flexibility from your telephone service. Vonage was one of the first well recognized companies to offer VOIP but most cable companies, including Comcast and Verizon now offer VOIP services also. Skype is also an example of a low cost VOIP provider although its services are known primarily for audit and video communications via computers as opposed to telephone sets..
The flexibility of VOIP systems is significant: users can plug their telephone unit into any internet jack anywhere and have it work exactly the same as if it was plugged in at their office; users can have multiple telephones (e.g. at the office, at home, and at a vacation house) that all work exactly the same and ring simultaneously when called, and can check voice mail messages via a web site, or have messages forwarded to them as emails with a sound file which they can then listen to on their computer. VOIP systems have improved significantly in recent years but lawyers should be aware that because VOIP systems utilize the internet as their method of transmission, they are subject to being hacked in the same way that computers connected to the internet are. Therefore, anyone choosing to implement a VOIP system must take steps similar to those necessary to secure a computer to prevent unauthorized access. Specifically, VOIP telephone systems should utilize the most current encryption standards and include firewall protection to minimize the risk that they may be illegally accessed. 10
As noted at the outset, this paper is directed to lawyers who have limited technology knowledge, limited technology budgets, and make many of their own technology decisions. To the degree necessary, lawyers should utilize consultants or vendors knowledgeable regarding technology in making decisions and implementing technology. Be aware, however, that technology consultants and vendors do not always understand and appreciate the professional obligations applicable to lawyers. This Basic Skills paper and the ones that will follow are intended to address some very basic considerations that lawyers should keep in mind when acquiring, using and disposing of basic computer equipment and software that is necessary to the practice of law today.
2. See courts.delaware.gov/efiling/ for information about e-filing requirements in the Delaware state courts.
3. See courts.delaware.gov/cle/.
4. The January 15, 2013 Order is available at courts.delaware.gov/rules/ and the report of the Permanent Advisory Committee asked to consider and make recommendations to the Rules is at courts.delaware.gov/odc/.
8. See: clearwatercompliance.com.