Channel: Sharon D. Nelson and John W. Simek, Author at Slaw

Lawyers "Step in It" Through Social Media Incompetence

We often bemoan that lawyers don't take seriously their duty to understand e-discovery. Today we tackle another subject that attorneys seem to avoid, often to their peril as they step on virtual cow pies. Social media is so pervasive that ignoring its legal implications is (we think) simple incompetence. Now that the active Facebook user population is more than 400 million globally (more than the U.S. population), it is clear that the social media phenomenon is here to stay.

Not only do lawyers need to understand the upsides and downsides of social media for their clients – they need to understand the interplay between their ethical duties and their own use of social media.

Some examples:

  1. Suppose a divorce client comes to you and says she is sure there is wonderful evidence on her spouse's Facebook page to assist in her child custody dispute. You suggest getting a third party to "friend" the husband, right? No, no and again no, but we've seen it happen. Attorneys cannot ethically be a party to a deception.
  2. Recently, there has been a lot of buzz about LinkedIn recommendations. In many jurisdictions, you cannot have a client recommend The Law Office of Jane Doe by saying "Jane is the finest lawyer in the city." There is no objective basis on which to make that comparison so in many jurisdictions, including ours, you cannot have that recommendation on a site which you control and clearly you control your LinkedIn page.
  3. From North Carolina: A judge "friends" one of the counsel in a pending case – the two Facebook buddies begin to chat about the case, including querying whether one of the parties involved was having an affair. The judge also checked the website of the opposing party. For this, the judge earned a reprimand from the North Carolina Judicial Standards Commission.
  4. A lawyer/blogger/juror in California had his law license suspended for 45 days and was placed on two years' probation after he blogged about a trial while serving as a juror. He rather haplessly noted, "Nowhere do I recall the jury instructions mandating I can't post comments in my blog about the trial." Yeah, right. He also failed to disclose to the court that he was an attorney.
  5. In 2009, The Illinois Administrator filed charges against an assistant public defender that alleged, in part, improper disclosure of confidential client information on a blog, sometimes using their first names or sometimes their jail identification numbers. The information posted was not just personal, but extraordinarily personal and the violation of client confidentiality exceedingly clear.
  6. In yet another case of lamentable judgment, Florida attorney Sean Conway posted a comment in his blog that a particular judge was "an evil, unfair witch." Perhaps she was but the Florida bar authorities were not amused and fined him $1,200. Not a great sum of money, but Mr. Conway appealed the matter all the way to the Florida Supreme Court, which upheld the fine. Many commentators have suggested that was an overreaction, but the case certainly points out the need for caution, even in informal online settings.
  7. Next up to bat is the "trial from Hell," so named by the media. Here we have another Florida case (is it the water?) in which a prosecutor sought to display his skill at summarizing a trial through a ditty posted on Facebook and meant to be sung to the tune of "Gilligan's Island." If you are already shaking your head, you have good reason. At the very, very least it was immature – his supervisor ruefully commented that it would provide for a good training moment. As he noted, we shouldn't be talking about cases on Facebook. D'oh. The case resulted in a mistrial, not because of the lawyer's actions but because jurors were texting one another and making cell phone calls during deliberations. To add to the mischief, during a 'smoke break,' a bailiff helpfully assisted the jury with its deliberations, illustrating his points with a pen. No wonder the press dubbed this the "trial from Hell."

We have only scratched the surface of attorneys and their unfortunate interactions with social media. Our own informal polls of conference attendees tend to confirm studies that roughly 60% of attorneys (and growing) participate in social media, generally split half and half between Facebook and LinkedIn with a few Twitterers thrown in. All other forms of social media run a distant fourth.

While no one doubts the benefits of social networking to lawyers (and that's an article in and of itself), certainly the lawyers need to know the rules of the game. They need to be aware of the advertising, client confidentiality and other professional conduct rules which may govern their online behavior. These posts are not ephemeral. They live, approximately, forever. Even if you delete something, you have no idea whether someone else has preserved your foolish post on Facebook showing you demonstrating the finer points of using a beer bong (or worse). And now that the Library of Congress has announced its acquisition of Twitter's archive of public tweets, lawyers may now be chagrined to find an ill-advised tweet becoming a historical artifact.

When we present at CLEs, we always close with the ultimate common sense rule that should govern lawyers when using social media:

DON'T BE STUPID.

Be careful out there . . .


The Virtual Lawyer Stampede

Intriguing news from the ABA’s 2010 Legal Technology Survey Report: 14% of lawyers reported that they ran a virtual law office, working with clients over the Net and rarely meeting them in person. We thought that statistic was fairly amazing.

Though the term virtual law office (VLO) has been around for a while, the definition has been morphing. In fact, as we went to research the definition, we found a wide range of definitions, many of them at odds with one another.

After comparing what we found, we settled on a definition proffered by virtual lawyer Stephanie Kimbro, who says that a virtual law office is a professional law practice that exists online through a secure portal and is accessible to the client and the attorney anywhere the parties can access the Internet. A VLO provides attorneys and clients with the ability to securely discuss matters online, download and upload documents for review and to handle other business transactions in a secure digital environment. More recently, she has updated her definition to note that a VLO can be integrated into a traditional law practice to expand the firm’s market – something we imagine will happen more and more often.

The tendency of lawyers – and remember that ABA survey statistic – is to go where the clients are. Without any question, the clients are now online in droves.

If you do the math, you can certainly understand the appeal of the VLO. Subtract almost all the traditional overhead, add a tiny overhead for technology to enable the VLO and put that in the hopper with the increased revenues from working and marketing online and you’ve got a winning proposition. A VLO might be a perfect situation for a parent staying at home with young children or taking care of an elderly parent. The low overhead might allow a young lawyer to slowly nurture a practice without the financial risks of setting up a traditional law office.

The flexibility of a VLO appeals to many. We have a friend who runs a VLO from a log cabin overlooking the Blue Ridge. If work comes in, he deals with it via computer, leaving him a great deal of time to ramble in the forest or just gaze at nature’s majesty. We’re pretty sure our friend is smarter than we are in his working arrangements. VLOs can provide a terrific work-life balance solution.

On the downside, it is hard to nurture the old-fashioned sort of client relationship over the Internet. The online fast and relatively impersonal transaction is just not as conducive to creating a loyal and lifetime relationship with a client. Generally, you can’t stroll down the hall to consult with a colleague – and while you can replace a portion of this online, the depth and character of the encounters are not quite the same. 

That said, VLOs are very well suited for high volume, low customization work. As a friend of ours is fond of saying, a well-run VLO can make you money while you sleep.

The ABA has suggested that there are minimum requirements for delivering services online, notably ensuring client confidentiality. Is your data backed up? If you are using Software as a Service (SaaS), is your data stored locally as well as offsite? Is it encrypted in transport and in storage? Is it stored in a datacenter? If so, where? Are there any cross-border issues? What is the datacenter’s physical security? Are there redundant power sources?

Have you read the Service Level Agreement (SLA)? Authors’ note: Our experience is that the customary answer is “no.” What happens if the provider goes belly up? What if you want to leave with your data? What’s the process and charge?

Additionally, the ABA reminds lawyers that they still need to do conflict checks, to have a disclaimer indicating where they are licensed to practice, to have a retainer agreement, to have website terms and conditions and to make sure, if they are accepting payments online, that they are mindful of PCI (Payment Card Industry) compliance.

So what tools are these lawyers using? Two we hear about frequently are Clio and Rocket Matter, which both provide web-based law practice management services. In addition, VLOTech is a very well regarded platform for VLOs. Their pricing varies with the size of the firm, but you need to contact them to get the prices. 

Another contender is an online dashboard furnished by DirectLaw. Clients can purchase legal documents bundled with legal advice for a fixed fee. It has a lot of state-specific forms which generate first drafts for customization by attorneys. It offers file sharing, calendar function, e-invoicing and voice-recognition software. There’s also a secure site for client communication, which avoids telephone tag. The monthly fees vary with what you want for services, but they are plainly spelled out on the website. Though we don’t have current figures, more than 60 law firms were subscribed as of late 2009.

The transformation of the practice of law, long predicted by such visionaries as Richard Susskind, certainly seems to be taking place very quickly. Just a few years ago, we marveled at lawyers using what were then cutting edge services such as Legal Typist or Ruby Receptionist. While such services are still valuable, the modern VLO is to the early VLO as NASA’s Space Shuttle is to the Mercury spacecraft. We expect the speed of the transformation to increase over the next decade, so fasten those seat belts and prepare for warp speed.

Smartphones Proliferate in Computer Forensics

Two years ago, we began to say in lectures that we had seen a 200% rise in the number of cell phones passing through our forensics lab. Today, we are beginning to say that the increase is more like 500%. And it isn’t primarily standard cell phones – virtually all of the phones are smartphones. 

We’ve checked with others in our industry and they confirm that they are increasingly seeing smartphones as a source of electronic evidence. In particular, deleted e-mails and deleted text messages seem to be in play. It often seems that evidence which is missing from workstations and servers is preserved on smartphones.

The question we are always asked when lecturing is: Which is the most secure smartphone? We must admit, that’s a softball. It is without doubt the BlackBerry. Hence, the consternation in India, Saudi Arabia and the United Arab Emirates, which have promised to ban the use of certain BlackBerry features within their borders. The UAE's telecommunications regulator has said that travelers to the city-state of Dubai and the important oil industry center of Abu Dhabi will – like 500,000 local subscribers – have to do without BlackBerry e-mail, messaging and Web services starting October 11th, even when they carry phones issued in other countries. The handsets themselves will still be allowed to make phone calls.

UAE authorities say the move is based on security concerns because BlackBerry transmissions are automatically routed to company computers abroad, where it is difficult for local authorities to monitor for illegal activity or abuse. The truth, to no one’s surprise, is that governments which try to control communications content hate the BlackBerry’s very secure system. We can tell you that we generally find very little data on the BlackBerrys which go through our forensics lab. In addition, a BlackBerry device is typically configured to encrypt stored and transmitted information. Obviously, this makes “Big Brother” a little upset.

This is a far cry from the data-rich iPhone – there is always applause when iPhones arrive in our lab. And yes, there is a wealth of deleted data there as well. Somewhere in the middle are most of the others, including the Droids and the Windows Mobile smartphones.

So why have smartphones proliferated so dramatically in computer forensics labs?

As a society, we seem increasingly to regard our cell phones as an appendage of our bodies. To confirm our addiction to our phones, Nielsen recently conducted a study which offers some interesting stats. They studied the monthly phone bills of 60,000 U.S. customers and here's what they came up with:

Women spend 22% more time chatting on their phones than men, spending an average of 856 minutes on the phone monthly compared to 667 minutes for men.

Women also text more, sending or receiving an average of 601 texts per month – the number was 447 for men.

Black, Hispanic and Asian users text more than white users – no explanation why was given.

It comes as no surprise to anyone that teenagers are obsessive texters, texting a mind and thumb-numbing 2,779 texts per month.

Texting has been a boon to computer forensics, supplementing the gold nuggets so often found in e-mail. Divorce cases most often involve cell phones in our shop, closely followed by theft of proprietary data cases. And as the teens grow up, we can only imagine that the volume of this kind of electronic evidence will increase dramatically. Being in the business we’re in, we are not averse to that thought.

Data Dumps: The Bane of E-Discovery

Everyone knows you’re not supposed to do a data dump in e-discovery. But oh boy, is there a temptation to drown the other side in a case with an avalanche of useless data. Too often, law firms and their clients succumb to this temptation.

In SEC v. Collins & Aikman Corp. (S.D.N.Y. 2009), the SEC dumped 1.7 million records (10.6 million pages) on the defendant saying that the defendant could search them for the relevant evidence and asserting that it didn’t maintain a document collection relating specifically to the subjects addressed. As the court correctly noted, Rule 34 of the Federal Rules of Civil Procedure prohibits “simply dumping large quantities of unrequested materials onto the discovering party along with the items actually sought.” The court also found that asking the defendant to do the plaintiff’s work involving a huge outlay of time and money constituted “undue hardship by any definition.” The Court ordered the SEC to perform its e-discovery duties in accordance with the rules.

More recently, in Felman Prod. v. Indus. Risk Insurers (S.D. W.Va. July 23, 2010), Plaintiffs admitted that nearly 30% of their production was irrelevant. As the court noted without humor, the production included “car and camera manuals, personal photographs, and other plainly irrelevant documents, including offensive materials.” So the judge took the Plaintiffs to the woodshed. Having produced thousands of attorney-client documents inadvertently in what the judge called a “ridiculous” production, he found that Plaintiff’s review and production methodology was not reasonable and that the attorney-client privilege had therefore been waived. As an added bonus for Defendants, the production was so sloppy that there were a couple of real gold nuggets in the now non-privileged attorney-client e-mails. We are quick to note that a software glitch may have caused some of the problems in this case, though proper review should have caught it – and some experts have challenged the judge’s math, but clearly this was not a case in which all the rules were followed. The judge’s irritation with over-production is consistent with the mood we have seen on the bench.

It is fairly common to hear complaints about federal government data dumps. In U.S. v. Stevens (D.C.C., Defendant’s Motion to Compel Discovery, Sep. 2, 2008), the Defendant complained that the government had produced thousands of documents in an unusable format that “appeared to be an undifferentiated mass, with no discernible beginning or end of any given document.” As courts tackle this issue, it is becoming clear that litigants must label the documents produced in response to requested subject areas. Data must be organized, searchable and indexed. Obfuscation is not acceptable production. 

In criminal law, attorneys frequently report to us that the prosecution will do a data dump on defense counsel, effectively burying any exculpatory information in a sea of data. Several courts have noted that a deliberate data dump, done for the purpose of avoiding adherence to Brady obligations, would not be permitted. This is an area ripe for clarification, as many defense lawyers have reported that prosecutors are “opening their files” to the defense rather than specifically providing exculpatory information.

Most of the buzz is in the civil world where it is widely alleged that large law firms use data dumps to overwhelm small law firms. And perhaps so. But the real question is: How do we prevent this abuse of the e-discovery process?

For one thing, the Meet and Confer happens way too late. That's why everyone is turning to "early case assessment" which has become a buzz phrase. The minute you know you're involved in litigation (or likely to be), you're under a litigation hold. Now you have to decide what to preserve, preservation being broader than production. Already you need to do three things: 

1. Retain an e-evidence expert (we wish they would, but often they hire an expert much later, when everything is now an emergency and cost-saving advice is coming very late in the game, after way too much has been spent already).

2. Talk to your opponent and start getting consensus about the scope of preservation on both sides (which means the exchange of a lot of info)

3. Within the litigation hold team, begin early case assessment. 

Who are your key players and what sources of data do they have (workstations, laptops, home machines, smartphones, voicemail, flash drives, etc.)? What other data may be relevant? Do third parties hold data? What's the likely volume of data that will be preserved? How can it be winnowed down?

It is never too early to talk to the other side about the format of data to be produced or to begin talking about search methodologies, although that often occurs at the Meet and Confer. From early case assessment through the Meet and Confer, the ways to reduce data volume should be at the forefront.

 Native format is both cheaper and the "best evidence." You often need searchable PDF (or TIFF with load files) in order to redact/Bates stamp. Requesting a “mixed” production (primarily native) is perfectly acceptable. You can agree on rolling productions if there's a lot of evidence. 

As for the snake pit that is “searching”, we often see attorneys trying to construct searches themselves and the results are always deplorable. As judges have said, this is an area "where angels fear to tread." In order to keep costs down, you need search methodologies constructed by searching experts. And, even then, studies have shown that they will retrieve only 20-22% of the relevant data on the first pass, no matter what methodology they use (keywords or concept searching). You therefore "learn" from the first pass and then do iterative searches. This is the appropriate approach for the producing party, which will comply with both the letter and the spirit of the federal rules.

Clearly, this process would be for a larger case, and less will be done in a smaller case because proportionality (every judge's darling these days) will come into play, as well it should. The smaller the case, the less e-discovery.

The larger the haystack, the harder it is to find the needle. This is the danger of data dumps. And very few recipients are sophisticated enough to find the needle in a data dump. Searching will invariably result in a lot of "false positives," all of which need to be reviewed for relevance and privilege. Attorney review is ALWAYS the most expensive part (by a huge factor) in e-discovery. This is another reason for getting the original volume of data to be searched reduced. 20-22% of 10 GBs will result in much less to be reviewed than 20-22% of a terabyte. And that's the other part of the equation. In the old days (sadly, only five years ago) we were rarely dealing with anything more than gigabytes. Now we deal in terabytes on a regular basis and are anticipating petabytes of data in the near future. The universe of ESI expands daily.

Part of the solution is to have counsel cooperate. This may be wishful thinking, no matter how many judges preach cooperation. More often than not, one side or both are on the warpath and have arrows drawn on a regular basis. Most of the time, if they let their experts talk to one another, the experts will agree on how to proceed (assuming competent experts on both sides who want to do a good job for their clients AND hold the costs down). A regular problem is that EDD companies and lawyers both make more money if the volume of responsive data remains large. Processing (by volume) charges and attorney review fees are much higher. So when we see sloppy work or advice, is it due to incompetence or greed? Our anecdotal sense from being involved in so many cases (nothing to back this up with other than our now finely-honed radar) is that it is about 50-50.

All good experts will tell you that they have tried in many cases to steer the client down the right, and cost-efficient path, only to have their advice ignored. It can be very trying – and you worry that the judge in the case will never know that you tried to get the client to do the "right" and cost-efficient thing only to be blown off for reasons that the expert generally can only guess at. When this happens to us, our staff has clear instructions to document the advice given, so that nothing will come back to bite us. 

Data dumps are just another way to “hide the ball” which judges uniformly hate. Counsel would be well-advised to avoid this practice, but as the old saying goes, “The easiest way to get rid of temptation is to succumb to it.” We predict that sanctions for data dumps are going to spike in the very near future – hopefully, that will impress upon attorneys that courts intend to curb data dumps and punish those who do not honorably discharge their e-discovery duties.

Sexting and Sextortion: Texting and Extortion Get a XXX Twist

Introduction

Some call it flirting. Others call it harmless fun. When minors are involved, however, the police and district attorneys have had another word for it – child pornography. If you haven’t guessed it, we’re talking about sexting. Sexting is defined as the sending or receiving of sexually-explicit or sexually-suggestive images or video via a cell phone or the Internet. Most commonly, the term has been used to describe incidents where individuals take nude or semi-nude images of themselves and then send those pictures to others. Yet, despite the widespread and often breathlessly erotic media coverage of teenage sexting stories, almost everyone has gotten in on the act. In fact, the AARP Monthly magazine recently published an article called “Sexting Not Just for Kids,” which advised tech-competent seniors to try sexting as a way to spice up the over 50 love life – complete with a “sexting dos and don’ts” section. And we won’t even get into the high-profile celebrity incidents – ahem, ‘nuff said about Tiger Woods and Brett Favre.

A recent study [PDF] conducted by The National Campaign revealed some startling statistics – statistics which we believe are, if anything, an under-representation of the prevalence of sexting. First, with respect to the percentage of teenagers who have sent or posted nude or semi-nude pictures or video of themselves, 20 percent of those surveyed reported that they engaged in such activity, with slightly more teenage girls (22 percent) than boys (18 percent) admitting doing so. What’s worse, 15 percent of those who have sent or posted a suggestive photograph of themselves stated that they had done so to someone they only knew online. Sending or posting sexually suggestive messages is even more common. In total, 39 percent of all teenagers surveyed have sent or posted sexually suggestive messages, usually to a boyfriend or a girlfriend. However, 44 percent of teen girls and boys reported that it is common for these messages to get shared with individuals other than the intended recipient. Finally, the survey tended to demonstrate that teens don’t think about the consequences – many reported that they sent messages or pictures as a “sexy present,” to be “fun or flirtatious,” in response to such content they received, or (heaven forbid) simply as “a joke.”

Flirting with Danger

At first glance, sexting might appear to be relatively harmless. It’s hard to argue that the exchange of “naughty” pictures or messages between boyfriends and girlfriends (over the age of 18 of course) is all that troublesome if kept between themselves and merely ogled over in private. In fact, it would appear that as long as sexted images are taken voluntarily and shared consensually, they are unquestionably protected expression under the First Amendment. Yet, this is almost never the case. Far too commonly, once these images are created, they create vast social harm as they are disseminated publicly online and, sometimes, are even sent to strangers over the Internet.

As we alluded to above, for minors and those interacting with minors, sexting is an entirely different matter. Child pornography laws, which are designed to protect children from adult predators, criminalize any form of sexting – consensual and non-consensual – where the person in the photo is under 18 years old. Put another way, if either individual – the recipient or the sender – is a minor, prosecutors have not hesitated to levy felony child pornography charges for taking, sending, disseminating, and/or possessing sexual images of themselves and/or other minors. For instance, in June 2010, eight students from Susquenita High School learned a tough lesson about sexting. These students, ranging in age from 13 to 17, were accused of using their cell phones to take, send, or receive nude photos of one another and in one case a short video of oral sex. The activities resulted in a felony pornography charge for each minor. Similarly, in March 2009 a 14-year-old boy in Brooksville, Florida and a 14-year-old girl from Passaic County, New Jersey both faced child pornography charges after they took sexually explicit images of themselves and allowed others to view them. Specifically, in those instances, the teenage boy sent a picture of his genitalia to the cell phone of a female classmate and the young girl posted 30 explicit pictures of herself on MySpace.com. If convicted, all of these individuals could be legally labeled as sex offenders and be forced to carry a stigma that could haunt them throughout their lives, all for what many might label a youthful, sophomoric indiscretion. Just ask Donald Kellison, a young adult, who now has a record for possession of child pornography after his then underage teenage girlfriend sent sexy photos to his cell phone. While Kellison appealed the ruling and argued that the photos did not meet the “lewd exhibition of nudity” requirement, the Virginia Court of Appeals found no error in the lower court’s decision and upheld the conviction.

Further compounding the problem of sexting is the very real danger of sextortion, a newly minted term which has caught fire in the media. In essence, sextortion arises where an individual contacts someone who has sent a sexually suggestive image of him or herself and threatens to expose the image to friends, family, or the public at large unless more explicit images are sent or unless the victim agrees to have sex with the sextortionist. While no one currently tracks the number of cases involving sexual extortion in state and federal courts, it is fairly safe to say that the number of incidents is increasing dramatically. For instance, a Wisconsin man received 15 years in prison after it was discovered that he had been posing as a girl on Facebook to trick male high school classmates into sending him nude photos, which he then used to extort them for sex. Likewise, a 31-year-old Californian man was arrested in June 2010 after the FBI accused him of hacking into over 200 computers and threatening to expose nude photos he found unless their owners posed for more sexually explicit videos. What’s worse, 44 of the victims were juveniles and authorities have stated that the accused was able to remotely activate some victims' webcams without their knowledge and record them undressing or having sex.

Finally, other stories demonstrate the real harm that can result, which can stretch far beyond “sexual exploitation, and embarrassment to commercial exploitation and even death.” For example, in Syracuse, New York, a group of teenage girls were shocked to learn that another boy had collected revealing pictures they had sent to their boyfriends from the Web and was selling a DVD of them. And then there was the tragic case of 18-year-old Jessica Logan, who committed suicide after she sent a nude photograph to her boyfriend that was later spread throughout her high school. Logan was harassed daily at school by a group of girls and eventually became so depressed that she was afraid to go to school.

Addressing the Problem with Text and Technology

Given the relatively recent nature of the sexting phenomenon, the law and technology have been slow to adapt. First, with respect to the law (and as illustrated above), state and federal legislatures have been left to shoehorn sexting into traditional child pornography laws – laws that were not intended to address sexting and thus, the legal consequences for teens engaging in sexting are often truly bizarre. Likewise, technology has also been unable to keep pace. As a result, parents have often been left completely in the dark or only able to tell their children to “be careful” or “use good judgment.” Fortunately, all the recent media attention has resulted in both legal and technological changes.

Text

Between 2009 and 2010, at least 28 states introduced legislation aimed at tackling sexting. Generally speaking, the legislation can be seen as addressing one of two issues. The first type aims to deter and apply appropriate penalties to youth who engage in sexting. The second looks to close loopholes in existing criminal laws so that sexual predators are prohibited from using text messages to contact children. With respect to the former category of laws, many states have opted to reduce penalties for teenagers rather than eliminate them altogether. North Dakota, Utah and Vermont have already passed legislation that reduces penalties for teenagers engaging in sexting. Another 14 states have considered reducing penalties for minors so they are not punished under the same laws designed to punish child pornographers. Yet, it is important to note that while states have adopted reduced penalties for teens, minors can still be convicted of sexting and face misdemeanor charges, which can include jail time. In Arizona, for instance, the maximum penalty for youth sexting can be up to four months in jail. 

In addition to the reduced punishments, some states have also chosen to add an educational aspect to their sexting legislation. These educational programs can either be a separate component or, in the case of New Jersey and New York, used in lieu of jail or severe punishment.

 There are also those that have advocated for proposed federal legislation to combat the sexting issue. Many of these individuals support the proposed School and Family Education About the Internet Act (SAFE Internet Act) as an alternative federal remedy for sexting. If approved, the legislation would provide approximately $175 million in federal funding to the Bureau of Justice Assistance (BJA) to make grants for schools, state agencies and non-profits. These grants would be designed to help provide research-based Internet safety education programs that feature sexting as an important topic. 

Make no mistake, we believe that these recent changes are a great first step. However, standardized sexting legislation might better serve to address the problems. Because sexting can take many forms, state legislators have struggled to define the term. As a result, there are numerous definitions that vary across states, which could result in considerable confusion, especially given the ease with which electronic communications travel across state lines. Likewise, standard penalties would also serve society-at-large and provide clarity on a fuzzy topic. Here, however, we would stress that penalties need to fit the crime. There must be a delineated format tailored to a variety of circumstances. Clearly, a man who hacks into hundreds of computers (some of which are owned by minors) deserves more than a simple slap on the fingers. But, a boyfriend and girlfriend that share a suggestive photograph that accidentally winds up in the hands of others hardly deserve to be labeled as sex offenders.

Technology

Technology too has attempted to address the sexting problem. Both Apple and Google have created apps for their respective cell phone platforms. Apple recently announced that the US Patent and Trademark Office had approved its 2008 patent for a program designed to prevent users from sending or receiving “objectionable” text messages. While the patent does not actually mention sexting, it appears pretty obvious that the program was designed with that problem squarely in mind. Basically, the program includes a control application, which evaluates whether or not the communication contains approved text based on, for example, objective ratings criteria or a user’s age or grade level, and, if unauthorized, prevents such text from being included in the text-based communication. Specifically, if the unauthorized text is found, the control application could be programmed to alert the user, the administrator or other designated individuals of the presence of such text. In addition, the control application can be set up to require that the user replace the unauthorized text or even automatically delete the text or the entire communication.

Not to be outdone, Google also has a similar program available for the Android operating system. Dubbed the Mobile Nanny, this parental control system allows parents to monitor, filter and restrict what a child sends and receives on his or her Android phone. Specifically, Mobile Nanny, which is a stealth application, gives parents access to every action their child performs in an easy online account. This includes every text message sent or received, every call dialed or received and every photo captured. Parents can also use the program to block any phone number from SMS and calls. Web sites and applications can also be blocked. Moreover, a parent can even set up a specific time schedule that the phone can be used, thus restricting the time their child can use the device. Mobile Nanny also includes instant SMS commands the parent can send to the child’s phone, which allows the parent to track where their child is at any given time using the Instant GPS Locate command. It also provides an anti-theft feature for tracking the number of any SIM inserted into the phone in case the phone is lost or stolen.

Again, this new technology is certainly a step in the right direction. And, when in the hands of a concerned parent, it undoubtedly will be quite useful. However, it’s not hard to see the potential for abuse. If either program were installed on someone’s cell phone by an individual with malicious intent, that person would effectively have control over a large amount of personal data and would be in a position to watch all activity on the smartphone. It is not hard to imagine suspicious spouses or paramours engaging in this activity, which is really no different than the covert installation of spyware on computers which we see all the time.

Conclusion

For those who believe in Sodom and Gomorrah, the advent and prevalence of sexting and sextortion must surely seem like humanity is crying out for divine punishment. The truth is that teenagers with raging hormones have always behaved foolishly — we’ve just given them tech toys that allow them to do so quickly and with little consideration of consequences. That, coupled with peer pressure, certainly seems to explain how we got to this juncture so quickly. And, indeed, child predators have always been quick to adopt new technological means to their own deviant ends.

For once, we’ve been pleased to see that the law has hastened (a relative term when applied to the law) to address this new phenomenon. Far too often, we’ve seen Draconian punishments handed out to foolish and immature young people who are not, by any stretch of the imagination, child pornographers or predators. Grappling with this new behavior promises to be challenging — and with each new technological advance, another challenge seems to await us. We can only imagine what five more years of technological advances will bring.

[This column was also co-written by Jason Foltin, a paralegal with Sensei Enterprises.]

Operation “Night Dragon”: A Data Breach Illuminated

Hackers and cybercriminals have been having a field day recently. Even big oil companies with expansive security budgets can’t keep the bad guys out. In an operation dubbed “Night Dragon” by security company McAfee, Chinese hackers have been targeting several global oil and energy companies since November of 2009, in an attempt to steal sensitive proprietary information about oil and gas field bids and operations. You would think that oil companies would have first class security and defense-in-depth. Apparently, not so.

Law firms should take these attacks against big oil as a warning – and should bear in mind the FBI’s advisory in late 2010 that law firms are increasingly the targets of hackers.

We read about data breaches daily online or hear about them on the evening news. Law firms aren’t immune, as we saw a record number of reported data breaches in 2010. Even the small law firms have become victims of data breaches.

There are a number of reasons hackers and cybercriminals target law firms – clientele, insider information having financial value, litigation tactical advantages – just to name a few. Law firms must understand the severity of this threat and be proactive in dealing with it.

Buried within the details of the “Night Dragon” report (we won’t bore you with the technical aspects) are the graceful steps, a work of black art, which the hackers used to attack the big oil companies in a methodical and progressive manner. Knowing exactly how the bad guys successfully thwarted the defenses of the largest companies in the world can help to identify potential areas of weakness within a law firm’s security strategy – assuming it has one – and ultimately drive the firm to harden its defenses against threats both external and internal.

Naturally, just like any castle or fortified-defense, the security of a computer network (or stone building) is only as secure as the weakest link – end users. End users are often the problem. Whether it’s using simple or no passwords, or falling for a phishing attempt, end users can open the doors to a law firm’s most critical data in a matter of seconds. With the Internet, the bad guys are only milliseconds away, even if they’re attacking from across the globe.

End users were a primary target exploited by the hackers in operation “Night Dragon.” To help fortify these areas of weakness, law firms should:

    (A) Require every employee to review and sign a computer and Internet usage policy
    (B) Require user passwords to be a minimum length of 12 characters and contain both upper and lower-case characters, as well as numbers and symbols. Passwords should also be set to change frequently, usually every 30 days. Passwords should not be re-used.
    (C) Educate end users on spam and phishing techniques. There are even phishing tests your users can take online – to grade their ability to detect fraudulent e-mails such as the one here:
    http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html
    (D) Verify that antivirus and antispyware definitions are kept up-to-date, that client computers and servers are scanned on a periodic basis and are operating as configured.
    (E) Laptops should only be used with hardware or software encryption. No encryption – no laptop – no exceptions.

Besides taking advantage of careless end users, hackers were also able to gain access to web servers that were connected to both the Internet and internal corporate networks. Once hackers had control of these systems, they were on the “inside.” Game Over. The hackers used Structured Query Language (SQL) injections to exploit these systems. If logging had been configured at a bare minimum, these actions should have been captured and triggered alerts. Whether logs were reviewed by a person or some program, the intrusions might have been detected during the initial stages of the operation – not after the fact.

If a law firm is facing a decision to host its own website, e-mail or other service on a computer system that is both accessible from the Internet and is on the local computer network, extreme prudence should be exercised to protect and monitor the system for suspicious activity that might signal or warn of an impending or ongoing attack. Ongoing monitoring (regardless of the type of system) should include the review of any antivirus or security software log files and alerts, system and security event logs, and any application specific or firewall logs.
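As an added illustration of the log review described above (not taken from the McAfee report or written by the authors), the following Python script scans web server access-log lines for common SQL injection markers and raises an alert when one source address trips the rules repeatedly. The log lines, rule names and the two-hit alert threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/Nginx "combined" format (documentation
# IP ranges, invented paths); they do not come from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2011:03:14:07 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2011:03:14:09 +0000] "GET /news.asp?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Feb/2011:03:14:11 +0000] "GET /news.asp?id=12+UNION+SELECT+name,pass+FROM+users-- HTTP/1.1" 200 9421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2011:03:15:02 +0000] "GET /search.asp?q=select+committee+union+rules HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Feb/2011:03:16:40 +0000] "GET /login.asp?user=admin%27-- HTTP/1.1" 200 1020 "-" "curl/7.21"
"""

# Client IP, timestamp, request target and status from one combined-format line.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical rule set: each rule looks for SQL *syntax* in a parameter value,
# not for bare keywords, so ordinary searches for "select" or "union" stay quiet.
RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("quote-then-comment", re.compile(r"'\s*(?:--|#|/\*)")),
    ("stacked-statement",
     re.compile(r";\s*(?:exec|drop|insert|update|delete|shutdown)\b", re.I)),
]


def decode(query, rounds=2):
    """URL-decode the query string, twice at most, to catch double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query


def scan(log_text, alert_threshold=2):
    """Return (hits, alerts).

    hits   -- one record per request whose query string matched a rule
    alerts -- {ip: [records]} for sources with at least alert_threshold hits
    """
    hits = []
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line: skip, do not crash
        path, _, query = m["target"].partition("?")
        decoded = decode(query)
        matched = [name for name, rx in RULES if rx.search(decoded)]
        if not matched:
            continue
        record = {
            "ip": m["ip"],
            "time": m["ts"],
            "path": path,
            "query": decoded,
            "status": int(m["status"]),
            "rules": matched,
        }
        hits.append(record)
        per_ip[m["ip"]].append(record)
    alerts = {ip: recs for ip, recs in per_ip.items()
              if len(recs) >= alert_threshold}
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["path"]} status={h["status"]} '
              f'rules={",".join(h["rules"])}')
    for ip, recs in alerts.items():
        # A 5xx answer to an injection probe often means the input reached
        # the database layer, so surface that count in the alert.
        errors = sum(1 for r in recs if r["status"] >= 500)
        print(f"ALERT {ip}: {len(recs)} suspicious requests, "
              f"{errors} answered with a server error")
```

Access logs normally record only the URL, so values submitted in POST bodies need application or web application firewall logging to be covered by the same review.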

Why have law firms become the darlings of the hacking community? Their systems tend to have a weak underbelly. Law firms are not generally very sophisticated about technology. Law firms hate change, which security requires constantly. Security costs money, and law firms are often pennywise and pound foolish, especially where the confidential data of clients is concerned. Complacent for years, and thinking they were not a target of hackers, law firms are just beginning to understand the extent of the dangers they face externally and internally. Every law firm should have a security assessment annually – and semi-annually is generally better. Lawyers have an ethical duty to take reasonable measures to protect their clients’ information – and the definition of ‘reasonable’ has certainly changed to require more of law firms than ever before.

Alternative Fee Arrangements: Their Popularity Soars

There was a time when many lawyers, settled in their ways, thought that they could ignore alternative fee arrangements. That day is clearly gone. The 2010 Fulbright Litigation Trends Survey announced that 51% of the corporate counsel responding to the survey were using some form of alternative fee arrangements.

Why? They cite lower costs first, then predictability, and then risk sharing. So what kind of AFAs do they favor? It’s a very mixed bag with fixed fees, conditional or contingent fees, blended rates, capped fees and performance/reward-based fees. Clearly, there is a lot of exploration going on and a lot of innovative thinking about the kinds of AFAs that may work in particular situations.

Mind you, there is still a way to go for AFAs - while they are now mainstream, the billable hour still rules, with only one quarter of respondents estimating that AFAs exceed 30% of their total litigation budget. 

What strikes us is how new AFAs are, relatively, and yet how quickly they have gained a foothold even in major law firms when they were once the province of solos and small firms seeking to counter a bad economy.

Why the fast track? We think there are several reasons:

  • There has been intense pressure from in-house counsel to lower litigation budgets, especially in a fairly uncertain economy
  • The smart folks in law firms began to see that they would be more competitive if they adopted AFAs and promoted that adoption
  • They make sense, often when the billable hour does not. Why be more efficient when inefficiency pays so handsomely? Why invest in technology which will only contract the amount of time billed? With hourly billing, the client bears the risk of higher fees, complications and delay. Under an AFA, the law firm bears those risks. No wonder companies are starting, in earnest, to move away from hourly billing.

The Orrick law firm now handles all of Levi Strauss’ legal work worldwide for an annual fee. United Technologies requires fixed-fee arrangements with its law firms. And Cisco Systems now buys all of its legal work via AFAs. The list could go on and on.

Lawyers often ask us if they should go “all AFA.” This is usually not a good idea. Our experience is that most lawyers really don’t know how long most tasks take, so they may inadvertently enter into an agreement and then find themselves working for $20 an hour. Take the tasks that you know the best, where you are almost certain to earn the equivalent of your hourly rate (or more). See how it works out and measure the results. 

One way of implementing AFAs is to bundle services. Perhaps you agree to form a corporation, act as a registered agent for a year and provide four hours of phone or in-person consultation for a fixed price. This can be attractive (and very predictable) to a client. 

To be successful, you need to keep refining the process. And it is very important to institute a way to do a “change order” if the scope of work is modified. Make sure you have the client’s agreement in writing – even a modest change should be approved via e-mail by the client – and large changes should require that both parties sign a modification agreement. It should go without saying that you’ll have to be very careful to define the scope of work lest there be a misunderstanding.

There are many of what author/visionary Richard Susskind would call “disruptive technologies” in the legal world. We can work today from anywhere at any time. We are always connected, unless we choose not to be. We have hardware and software that can get our legal work done in a fraction of the time it used to take. There are online legal resources – think LegalZoom – that pull in clients who would otherwise seek an attorney.

The days when clients would pay 500% of value vanish when they have the option, in small matters and large, to pay far less by finding a lawyer or firm which has done everything it can to promote efficiency in tendering legal services. This means that software for billing/accounting, practice management software, document automation software and document management software become the fundamentals of your AFA toolkit. 

Those who have adopted AFAs very consistently report success in attracting clients, especially when they aggressively market their alternative fee arrangements. Is it easy moving to these new models? Of course not, and you’ll trip yourself up now and again and really may work for $20 an hour on a case. But you’ll learn, perfect the system, and hopefully enhance your bottom line.

[The authors thank colleague Paul Unger for sharing some of his research on this topic.]

Virtualization and Cloud Computing: Benefits and E-Discovery Implications

What exactly is virtualization and why is there so much buzz about it these days? Virtualization can occur in many forms, but most initially think of using virtualization to consolidate servers into a single hardware platform. Essentially, you can run multiple servers on a single piece of hardware, where each “server” has its own memory “footprint” within the host machine. Servers are the most common devices when firms embark down the virtualization path. There are many other forms of virtualization such as desktop, network and storage virtualization. Desktop virtualizations occur in the larger firms all the way down to solos.

Virtualization has been around for a long time and was commonly used in the big iron mainframe days. The big mainframes had sections “carved out” that were running different operating systems and applications. This takes advantage of the investment in hardware. It is similar to having multiple people riding on a single train. The more people riding, the more cost effective the operation. It gets very expensive to operate the train if there is only one passenger. By virtualizing servers, we can reduce overall power consumption, cooling requirements and maintenance costs. This very “green” impact has been one of the big drivers towards virtualization.

Cloud computing is also a very popular term these days and a lot of providers also use virtualization as part of their solution. What exactly is cloud computing? Basically, it is using an application or computing services that don’t normally reside on your premises. Typically, an application that uses the Internet for access is considered cloud computing or software as a service (SaaS). Google Docs is a good example of SaaS and cloud computing. The application resides in the Internet and you access your data with a browser. Another feature of cloud computing is its on demand nature. You can activate services very quickly with very little setup time.

These new uses of technology bring along some challenges, especially when dealing with the electronic data as part of discovery. We’ll go into some more details about the technical issues for e-discovery, but let’s get through some of the propeller head stuff first explaining how the technology works.

Let’s talk a little bit about some of the terminology you’ll hear when dealing with virtualized environments. There will be multiple independently installed virtual machines (VMs) or guests that may even be running different operating systems. These virtual machines run on the same physical hardware, otherwise known as the host. This can be done by running the VMs on top of a host operating system with virtualization software or by running on top of specialized virtualization software called the hypervisor, which has direct access to the hardware. Microsoft’s implementation of this is called Hyper-V and is a very popular (and free) method to facilitate virtualization. Besides Microsoft, VMware products are widely used in the virtualization market. Another term you may hear is P2V, which is physical to virtual. Essentially, this takes your physical server and converts it into a virtual environment. Another thing to remember is that each virtual machine is unaware of the other VMs running on the host system.

About now, we expect we’ve achieved that classic “deer in the headlights” look from many readers. But please, read on, because virtualization is an incredible asset to law firms large and small.

Why would you even consider virtualizing servers at your law firm? Besides the reduction in energy costs and the savings in physical space, virtualized machines make it very fast to recover from failures or to even provide a high availability environment. Each running machine is really nothing more than a bunch of files that are independent of the hardware. This means that if there is a failure, you can take your backup files and “stand up” another instance of the VM somewhere else. This usage of virtualization is very attractive for disaster recovery purposes. As an example, we utilize a backup device that takes snapshots of the data every 15 minutes. Should one of the servers fail (e.g. File and Print server), we can virtualize the server on the backup appliance utilizing the latest 15 minute snapshot. This means that we are back in operation very quickly running a VM in place of the failed server. And we’ve lost no more than 15 minutes worth of data – what’s that worth to you? This same process can be followed for virtualized servers too.

As a design goal, you want to run your host hardware at around 60% utilization. This maximizes the number of VMs on the host and provides room so that each VM can burst up and use the remaining processing power of the host. So don’t get greedy and try to max out the utilization – you’ll potentially do yourself a great deal of harm going down that road.

Is virtualization only for the large law firms? Not at all. Certainly, large firms were the first to implement virtualized environments, but there are advantages for small law firms as well. You could have one virtualized server to test updates to applications, new applications or even operating system patches. We’ve seen small firms virtualize several servers (E-Mail, File and Print, Domain Controller, Database, etc.) onto a single platform. If you are running Terminal Server, it is a good idea to virtualize that too since other applications may have issues running alongside Terminal Server at the same time. In our own environment, we currently run Terminal Server as a guest VM along with a guest instance of the BlackBerry Enterprise Server Express (free) on the same host.

Another advantage of virtualization is rapid deployment and flexibility. This is not quite the same thing as providing for a disaster backup as we’ve already mentioned. Rapid deployment means that you can take the VM and move it to another host very quickly with little or no impact. Remember that a virtual machine is nothing but a bunch of files so moving it to another host is really nothing more than copying files. Changing the characteristics of the virtual machine is another great advantage. You can adjust memory and hardware availability on the fly. As an example, we just increased RAM for one of our VMs from 2GB to 3GB with just a couple of mouse clicks. There may be limitations in sharing the host peripherals among the VMs depending on the product you are using. As an example, we can’t define any of the USB ports to a virtual machine with the version of Microsoft Hyper-V we have running on one of our hosts. VMware is a lot more flexible and we haven’t had problems sharing any of the host peripherals with the guest VMs.

Servers aren’t the only reason for virtualization. Many lawyers using Macs are very familiar with virtualization. Lots of Mac users are running VMware or Parallels with a copy of Windows (in the virtual machine) to run some software that doesn’t have a Macintosh version. This allows the Mac user to continue to use a Windows-based application until the vendor produces a Mac native version. Virtualization for Macs doesn’t just mean that Windows is a guest system all the time. You can even run Mac OS X as a guest VM on a Windows system.

What are some of the other considerations for virtualization? Just because you can run multiple virtual machines on a single host doesn’t mean that everything is free. There are licensing costs associated with each VM you have running. This means that you’ll still need to pay for the operating system license, the mail server licenses and any other application license cost. Be sure to check the terms of licensing since it is a rapidly changing landscape. Software manufacturers are addressing licensing since virtualization has become very popular. Some provide special terms for licensing in a VM environment where each instance is at a far reduced rate. As an example, your anti-virus provider may offer a per server cost that is much lower than individual pricing if the software was running on separate hardware for each server.

Another consideration is the skillset required to configure and maintain a virtualized environment. Running a VM on a single workstation is pretty straightforward. As an example, installing Parallels on a Mac and then installing Windows in the Parallels VM is a task most attorneys can handle without any trouble. However, sizing and designing a server environment is a lot more complicated. If you are a larger firm, get your IT staff some training in the virtualization hardware/software that you intend to deploy. If you’re a smaller firm, make sure that your IT support folks are certified or trained in particular products and not just going through the “read me” file that came with the software.

Virtualization has spread like wildfire recently. Because of its many advantages, it is here to stay and we predict that more and more firms will be implementing it over the next several years. Besides the overall cost savings, it’s a great environment to minimize downtime to the firm. When you discuss guaranteed business continuity with a law firm and tell the lawyers that they can ensure that they will never lose more than 15 minutes of data, trust us, you have their rapt attention. So if you haven’t thought about the advantages of virtualization yet, seize the moment and put it high on your to-do list.

By now we’re sure you’re sold on virtualization and many of you (and your clients too) already have virtual environments. But what do you do when there’s litigation? What do you preserve and are there special considerations? You bet. Let’s start with a virtualized environment that you control. As we’ve already mentioned, it is very easy and fast to preserve a VM in its current state by just taking a snapshot. Perhaps that’s all you really need to do for preservation. It’s a simple and cheap process. This assumes that you don’t need a forensic image of the VM. If you do, then things get a lot more complicated, and frankly it is not really necessary. If you really do want to forensically preserve the VM environment, then you need to preserve the entire piece of hardware. This would include the host OS along with all disks in the machine.

Electronic discovery in the cloud is a different beast. Many cloud providers use virtualization to achieve efficiencies and keep end-user cost down. As an example, if you buy a cloud “server” from a provider, they will normally give you a VM that is running along with VMs of other companies. That’s where things may get sticky. What if a company is being investigated by the DOJ and they seize the hardware where the VM resides? It’s just your bad luck if your VM is also on the same hardware. Essentially, you are at the mercy of the cloud provider. Will they move your VM to a different piece of hardware before the Feds arrive or are you out of business? This particular situation is something that needs to be addressed as part of the terms of service with the provider.

What ability does the provider have to preserve electronically stored information as part of litigation? What logging and auditing do they provide? How will the ESI be produced? In what format? Will they maintain chain of custody? Are there cross border or privacy issues? As you can see, there are a lot of issues that can arise when your data is physically out of your control. You should try to address all of these issues before litigation. Bottom line is that you are pretty much stuck with the capabilities of the cloud provider and how they handle the data.

It is critical to understand data location when using cloud services. If data resides in a foreign country, you may not even be able to access it in extreme cases. Different laws may apply and you may need to get legal assistance from someone familiar with the storage country’s laws. Even if the data is completely within the United States, you may be faced with other challenges. Most reputable cloud providers have multiple data centers and replicate data between them. This is a way to provide high reliability and availability. It also means that data may be in multiple places. This may actually increase your litigation exposure because of the different jurisdictional entities.

So how many of you use Dropbox? Isn’t it a clever cloud service? We absolutely love it. Not just because it seems to be the most practical way to get data to and from an iPad, but because of the potential evidence sources. Remember that data is synchronized to each computer where Dropbox is installed. This means that there may be different versions of a document on each computer, assuming that it hasn’t connected to the Internet in some time. We don’t know of many folks that encrypt the data before handing it off to Dropbox, but the potential evidence source is certainly something you should be investigating.

Some questions that you can consider are:

  • What types of data will you store in the cloud?
  • Will you be encrypting the data?
  • What will the cloud provider give you in regards to data protection, access, retention, security and logging?
  • Where will the data be stored and can you specify the geographic location?
  • Who can access the data?
  • How will the data be returned and in what format? How long will it take and is there any charge?
  • How does the provider deal with metadata and is it preserved?

These are just items to consider as you move to the cloud.

Cloud computing and virtualization are very powerful technologies for businesses today. You can help your clients by preparing them for the e-discovery challenges before they are involved in litigation. Make sure you have properly addressed issues with the service provider and their terms of service. All responsibilities and actions need to be identified in the contract terms. Don’t be afraid to dip your toe into the cloud and virtual world, just make sure you know where the evils and challenges may reside.

 


Is It Possible to Secure Law Firm Data?

To answer the question, we interviewed our friend and colleague Matt Kesner, the CIO of Fenwick & West LLP, a West Coast law firm representing high tech and bio-tech clients. Matt has “walked the walk” when it comes to security and protecting data.

Is the data at a law firm really different or are there “special” considerations when dealing with security within a law firm? Matt suggested that there are a lot of tensions at play within a law firm. There’s always the tension between IT and end-users. The end-users are more difficult to tame and are more independent than most other users. They don’t necessarily want to comply with the stated policies and procedures, thereby making security a more difficult task. Also, they tend to be driven by what the client wants, which may be in contradiction to the security procedures of the firm.

The press hasn’t really identified many data breaches that have involved law firms. Since law firms are very much reputation based, they are not all that willing to publicize any data breach that may have occurred. Current data breach laws have changed that practice, but we still don’t hear of many specifics concerning law firms. Matt acknowledged that there have been two breaches at his own firm. His advice for security is to learn lessons from breaches so you can avoid a recurrence – at least a recurrence of the same sort of attack. Fortunately for Matt’s firm, the security incidents did not involve access to their network. Both occurrences involved their website, which was hosted externally.

We are aware of some other firms being compromised, primarily through mobile devices and unprotected laptops. As a minimum you should have a lock code on your mobile device and the drives on laptops should be fully encrypted. Matt’s excellent advice is “When in doubt, encrypt it.”

Not to scare our readers (OK, maybe just a little), but Matt confirmed that law firms are seeing an increase in hacking attempts. Reviews of his own firm’s logs show repeated “door rattles” and attempted infiltration of the network. They are being probed a lot more often, tested with various scripts being used to determine vulnerabilities and have experienced a higher proportion of successful malware and phishing attacks against their users.

Many attacks appear to be originating from China, which is consistent with our experiences gleaned from security investigations involving these attacks. Our own government has cautioned us that every cell phone and smart phone that goes into China has spyware downloaded on it by the Chinese communications infrastructure. This spyware pretty much has unfettered access to the data that you are sending and receiving even if it is encrypted in transit. Another concern is bringing laptops to China. Matt advised us to weigh the laptop before and after taking it to China as many times hardware monitoring devices will be installed in the laptop itself. He also suggested taking a disposable cell phone when traveling to China. Many in the security field have stated that we are seeing activity from China’s “C-level” (rookie) hackers since law firm systems are fairly easy to penetrate. China isn’t even wasting the efforts of their “B-level” or “A-level” teams when attacking U.S. systems. Essentially, China’s entry level hackers are practicing on U.S. law firm networks before “graduating” to more advanced hacking activities. Matt told us that Chinese students actually take hacking classes and hack Western websites as part of their homework. Pretty scary stuff.

Increased usage of the Internet, voluminous amounts of data and the sharing of that data for legitimate purposes has made the task of security even more difficult. There are many more attack points as the data grows and reaches out to many more parties as part of our normal business activities. Matt cautioned us to be wary of USB flash drives that we obtain at conferences since they may be infected with malware such as the Stuxnet virus.

We queried Matt if there really is a fix for the security state that we are currently observing. The answer, as you might have guessed, is that there is no silver bullet for security. His primary advice is to partner with a trusted security advisor and be prepared to budget some funds for security. Your firm needs to be constantly vigilant since the security risks of tomorrow will be different from those we see today.

If you’d like to listen to our interview with Matt on Legal Talk Network’s Digital Detective podcast, you can find the podcast at http://legaltalknetwork.com/podcasts/digital-detectives/2011/07/is-it-possible-to-secure-law-firm-data.

 

Ruminations on the Ethics of Law Firm Information Security


Lest anyone have forgotten Rule 1.6 of the ABA Model Rules, here it is – and similar rules apply everywhere:

Rule 1.6 Confidentiality Of Information

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:

(1) to prevent reasonably certain death or substantial bodily harm;

(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer's services;

(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client's commission of a crime or fraud in furtherance of which the client has used the lawyer's services;

(4) to secure legal advice about the lawyer's compliance with these Rules;

(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer's representation of the client; or

(6) to comply with other law or a court order.

The trick, of course, is how to keep client data secure in the digital era. It isn’t easy. Computer security is expensive – and it takes time to understand it – and you will never be done learning because technology morphs constantly.

Are lawyers abiding by their ethical duty to preserve client confidences? Our opinion is that they are not. Here are a few reasons why we have that opinion:

  • Security expert Rob Lee, a noted lecturer from the security firm Mandiant, has reported to us that Mandiant spent approximately 10% of its time in 2010 investigating data breaches at law firms.
  • Security expert Matt Kesner, who is in charge of information security at a major law firm, reports that his firm has been breached twice – and that he is aware that other law firms have suffered security breaches – and failed to report them to clients.
  • Our own company, Sensei Enterprises, Inc., has never performed a security assessment at a law firm (or for that matter, at any kind of business) without finding severe vulnerabilities that needed to be addressed.

Why do otherwise competent lawyers fail so miserably in their ethical duty to maintain the confidentiality of client data? Here are some of the reasons.

  • Ignorance – they simply need education.
  • The “it can’t happen here” mentality. This is flatly wrong – even the FBI issued an advisory in 2009 that law firms were specifically being targeted by identity thieves and by those performing business espionage – much of it originating in China and state-sponsored, though of course the Chinese government has vehemently denied involvement in such activities. Matt Kesner, mentioned above as an expert, reports that the Chinese don’t bother using their “A” squad hackers to infiltrate law firms – their security is so bad that the rookie “C” squads are able to penetrate law firms.
  • It’s expensive. And it is. Protecting the security of client data can present a big burden for solos and small law firms. This does not take away a lawyer’s ethical duty, however – and it is one reason why the authors lecture so often on computer security. Once a lawyer sees the most common vulnerabilities, he or she can take remedial steps – or engage their IT consultant to do those things that are beyond the skill of the lawyer.
  • Vigilance never stops. You cannot secure your data once and think you’re done – the rules of information security change on darn near a daily basis. Certainly someone in the firm needs to keep up with changes on a regular basis, or the firm needs to engage a security consultant to do periodic reviews. The standard advice is that security assessments need to be done twice a year. While that is desirable, it is in our judgment mandatory that assessments be done at least annually.

In the paper world, keeping client data confidential was easy and cheap. In the digital era, abiding by this particular ethical rule is hard and expensive – but it must be done.

Have Attorneys Read the iCloud Terms and Conditions?


There are some very interesting items in the T&C (Terms & Conditions) that most people never read. The tendency is to click, click, click just to get to the end quickly. The T&C for iCloud is around 12-13 pages long, depending on the device used to view it. So let’s dive right into some of the “features” presented in the T&C and what they may mean.

First, you are required to have a compatible device, duh? It also states that “…certain software (fees may apply)…” whatever that means. There are a lot of words about the location-based services and what Apple and its partners can do with the collected data. Make sure you understand the cloud collects GPS location, crowd-sourced Wi-Fi information, cell tower location, device ID, Apple ID, etc. That sounds like enough information to be personally identifiable to us. There are no words on how long they store the data, if at all, but we’re pretty sure they don’t throw it away after processing. You can opt out of the collection by not using any location-based services, which we doubt many will do.

One interesting item is “The Find My iPhone and Find My Mac features are intended for your personal use only.” Does that mean you cannot use the features in a commercial setting? Probably not, but it’s not very clear.

Apple doesn’t take any responsibility for the integrity of any content stored in iCloud. In other words, you are on your own so don’t assume that you can actually use any of the data that you may transmit to iCloud. There’s a whole sentence in capital letters that states “…Apple does not guarantee or warrant that any content you may store or access through the service will not be subject to inadvertent damage, corruption, loss, or removal in accordance…” Geez, you call that a backup solution? Apparently not, since a few pages later they say “You are responsible for backing up, to your own computer or other device, any important documents, images or other Content that you store or access via the Service.” Also, if you enable the iCloud “backup” your device will no longer get backed up to iTunes during a sync. Does that make sense? There is no guarantee that content in iCloud will be usable AND it won’t be in iTunes any more. To us, that is pretty amazing.

You might reasonably think you’ll be notified whenever the terms change or the service is terminated but we doubt it. “Apple may post on our website and/or will send an email to the primary address associated with your Account to provide notice of any material changes to the Service.” That word “may” is a killer. Sure, Apple may protect your privacy too, just like Facebook. We’re not exactly buying the “trust me” language in light of the historical evidence.

Be aware that Apple will automatically bill you for any storage upgrade fees in advance of the service being provided. This means your credit card will be charged on an annual basis until you cancel so make sure you cancel prior to the renewal time. At least Apple will give you 30 days notice via email so you can react accordingly. Good thing since any fees and charges paid by you are not refundable unless you contact Apple within 45 days of the yearly payment.

One of the more disturbing provisions states that Apple will give your data to any law enforcement authority, government official or third party if they feel it appropriate, necessary or legally required. That’s pretty scary and there is nothing that says Apple will even give you notice that they are giving over your data. Apparently your data is not encrypted in iCloud or Apple has the decryption keys, which still means unintended parties can see your data. This means that iCloud is NOT an acceptable service for attorneys that keep client information on their iDevices.

Another scary provision allows Apple to change your content “…to comply with technical requirements of connecting networks or devices or computers.” We assume this means the changes are such things as image size, etc. and not the actual substance, but the words don’t restrict even that.

Towards the end of the T&C, there is a section that says you can’t sue Apple, its affiliates, officers, employees, etc. (they mention anyone that even remotely associates with Apple). You can say that all you want, but we’re not sure that it will hold up in court. And it sure doesn’t give any attorney a lot of comfort that he/she is dealing with a reputable vendor.

The message is to always READ the terms of service. After reading this one, we can’t see why anyone, especially an attorney, would want to use the iCloud service – it looks like a per se ethics violation to us.

What’s Hot in E-Discovery?


Machine-Assisted Review

Let’s start with a very hot if not very sexy topic. You may have heard of new technology called predictive coding or technology-assisted review. Recently, we’ve seen the phrase “machine-assisted” review a lot. They are all the same thing. A rose is a rose is a rose, but we have not yet settled on a name for this nascent technology.

The way most lawyers engage in traditional keyword searches is, as others have suggested, the equivalent of “Go Fish.” The requesting lawyer makes his best guess about which keywords might produce relevant evidence without having much knowledge of the other party’s “cards.” Even worse, the attorney for the responding party often doesn’t know what is in his own client’s cards. So no one is talking from a standpoint of incisive knowledge.

To make this explanation as non-technical as possible, machine-assisted review means using sophisticated algorithms to enable a computer to determine relevance based upon training by a human reviewer. Generally, a senior partner or team will review and code a “seed set” of documents. As the reviewer continues to code, the computer begins to predict the coding based upon the human’s prior decisions. When the computer’s predictions and the lawyer’s coding pretty much coincide, the reviewer has confidence that the computer can code the remaining documents.

No one doubts that 2012 will be a break-out year for this technology but we have two serious caveats to pass along. First, it’s very expensive – the point of entry is generally six figures. This is not a small or mid-sized case solution. Typically, it takes the review of several thousand documents to become confident that the computer can code accurately – again, suggesting that this technology will remain in the stratosphere with the major league cases.

E-Discovery Review for Under $1000

So what are you supposed to use for review when your cases aren’t mega-cases? We suggest you check out Digital WarRoom by Gallivan, Gallivan and O’Melia. At a price point of $895 for a one-year license, we’ve seen many attorneys who are thrilled with this review platform. We’ve been recommending it for a long time, but in the interest of full disclosure, GGO recently began sponsoring our Digital Detectives podcast on Legal Talk Network. That aside, we are unaware of any other product which does what Digital WarRoom does at such a friendly price – and the website will allow you to schedule a demo or use the product on a trial basis, so check it out and see if it works for your firm. Other experts across the country have also praised this product.

Smartphones

Boy oh boy are we seeing a lot of smartphones. Perhaps a 300% increase, which is a testament to how tied we are to these devices 24X7. We joke (although it really isn’t a joke) that smartphones are actually computers that happen to be able to make a phone call.

In general, the iPhones are rich with data, the BlackBerry is all but devoid of data (don’t waste your money – you need the computer the device was synced to). All the other smartphones are somewhere in the middle. Lawyers have had a tendency to go after computers and neglect the smartphones, so make sure you are thinking about smartphones in cases where they might be important, especially if you are interested in text messages.

Never let your client receive a smartphone as a gift. Increasingly, we are seeing spyware pre-loaded on the “gift.” Now, that’s a gift that keeps on giving – to the giver of the gift. In October of 2011, a suspicious husband gave his wife a new iPhone with the iOS 5 operating system – the phone contained an application called “Find My Friends” designed to help folks track and meet friends. The app led him straight to his wife at her lover’s house and gave him powerful evidence in his divorce case. He was quick to post his appreciation to Apple on a social media site.

Social Media

There has been an absolute explosion in the use of social media as evidence. Facebook is the big kahuna, but we’ve seen LinkedIn, Twitter, YouTube and blogs as well. Clients still fail to understand that their friends may be their undoing – from the world of family law, here is an excellent example.

In Kentucky, an appellate court affirmed a lower court’s decision to award primary custody to the father, based in part on Facebook photos showing the mother partying and drinking against the advice of her mental health providers. Though she admitted the photos were authentic, she said she had never authorized the postings which were done by her friends but “tagged” her by name.

Personal injury and employment law cases tend to be rich in social media evidence. A man who claimed to be unable to do anything requiring exertion posted photos of his skiing trip. Another man with the same claim saw that his wife was videoing him as he was using a chainsaw to cut wood and decided to do a little Irish jig for the benefit of the camera. She (of course) placed the video on YouTube, where the insurance company found it.

Then there was the video of a Broadway mogul’s wife who said there had been no sex in the marriage but that she had his stash of condoms, pornographic movies and Viagra – she called his stunned assistant live on the video and asked what she should do with the stash. That stunt so irritated the judge that he gave the defendant a divorce on the grounds of cruel and inhuman treatment by the wife.

As to Facebook in general . . . .

Facebook has once again mucked with privacy settings and even had to sign an agreement with the FTC agreeing to a 20-year monitoring of its privacy practices. The lesson here for lawyers is that clients should be advised to post cautiously on social media and to periodically go through their privacy settings. They also should not accept a friend request from someone they do not know. They should think of every single post as potential evidence in a future matter. They should not drink or do drugs and post. They should not post when they are angry. As one of our friends says, “nothing good ever came of a 3 a.m. post.” If in doubt, don’t post.

Preserving Social Media and Website Evidence

There are a lot of good products to preserve websites and social media evidence, including Iterasi, Hanzo, NextPoint and Reed Technology’s Web Preserver. Web Preserver is very cost-friendly at $35 per seat for 10 GB of data. It is also an excellent research tool, allowing you to create folders for subjects you’re researching and curating relevant articles and other materials you might find online. We used it to research this column.

Text Message Preservation


(Also by Jesse M. Lindmar)

With an average of 193.1 billion text messages sent every month in the United States, the importance and use of text messages in litigation is ever-increasing. As a consequence, the importance of text message preservation for e-discovery is also growing. Understanding how text messages can be preserved and the pitfalls to avoid is essential. While we recommend engaging the services of a digital forensics service provider who is familiar with the complexities of mobile phone forensics, there are certain situations in which the end-user can at least create a preserved, forensically sound copy that a digital forensics expert can later access and produce data from.

For the purpose of this article, we are assuming that the text messages are sent or received by a mobile telephone. We'll start by lumping most of the mobile phones in use today into two major categories: Smartphones and Feature Phones. The most popular Smartphones would include Apple’s iPhone, Google’s Android, Microsoft’s Windows Phone, and RIM’s BlackBerry devices. Feature phones are pretty much everything else; having some of the basic "features" of smartphones, but lacking in overall integration with the phone's operating system and hardware, and with limited user-customization options.

Feature Phones

For feature phones, the end-user is limited as to their preservation options. Depending on the service provider, the feature phone may or may not be equipped with a Subscriber Identity Module (SIM) card. The SIM card contains information that will validate the phone on the service provider's network, but can also be used as a repository for received text messages. Text messages can also be stored on the phone itself, and in some situations, messages are stored on the phone and SIM card. There are a number of SIM card readers and software products that, when used together, allow a user to explore and manage the contents of a SIM card. However, if the user doesn't fully understand how to use the hardware/software safely, he or she could just as easily alter or permanently erase the very data they are trying to preserve.

There are several products used within the forensic community to preserve text messages from many feature phones – from both a SIM card and the phone itself. This will result in an electronic copy of the text messages being extracted from the SIM card and/or phone, and will include not only the content of the message, but also the date and time the text message was sent/received and information about the sender (phone number and/or contact information for a phone number if the user has added them to the phone's address book). Furthermore, SIM cards and many feature phones have a limited number of "slots" to store text messages, and the number of slots will vary across manufacturers and can even vary across similar phone models from the same manufacturer. When these slots are full, the phone will begin to overwrite the older text messages with the newer ones – a process that renders the older messages unrecoverable. With an average user sending or receiving sixty text messages per day, the likelihood of this happening increases dramatically.

For a digital forensic expert, the ability to recover deleted text messages from a feature phone is dependent on the make/model of the phone, the length of time that has passed since the messages were deleted, the number of new text messages that have been sent/received since the messages were deleted, and whether the deleted messages have been overwritten. Furthermore, the make/model of phone will need to be supported by the forensic hardware/software the expert uses – if the hardware/software cannot communicate with the phone, the data cannot be accessed and preserved. Recovery from a SIM card is a little more straightforward as its architecture is standard; however, the same usage rules apply to it.

This is why we never make promises about what we can recover. It is more or less a crap shoot every doggone time.

Smartphones

For smartphones, and depending on the make and model of phone, there are several options for preserving text messages. Although a smartphone may be equipped with a SIM card, text messages are not typically stored there. Instead they are stored in a database file or another organized collection format, located on the phone itself – it is this file (or files) that will specifically need to be preserved.

The iPhone, in conjunction with iTunes (Apple's software program for playing, downloading, saving, and organizing multimedia files on a computer or Apple iOS device), will allow an end-user to create a backup of the existing user-data from the phone – including the database file that stores the text messages. When the user connects the phone to iTunes, this backup will typically happen automatically, but a user can also initiate the backup at any time. iTunes will only store one backup at a time, so creating a new backup will cause the deletion of a previously created backup. The backup file will be buried in a system area of the computer used to create the backup, but with a little assistance it can be located. A user won't be able to access the data in the backup without special software, but a qualified digital forensics expert will be able to open the backup, access the text message database, and extract the necessary text messages. To a degree, deleted text messages may also be recoverable from the existing text message database. However, if a significant amount of time has passed, and depending on the user's text messaging habits, deleted text messages will not be recoverable via this method. A digital forensics expert will need to create a more thorough backup of the phone that will allow them to potentially recover deleted text messages using more advanced techniques.

Similar to the iPhone, BlackBerrys also allow for a backup to be created that will contain existing text messages. This backup can be created using the BlackBerry Desktop Manager software that comes with the phone or is available for download from the BlackBerry website. Unlike the iPhone, multiple backup files will exist on the computer used with the Desktop Manager. Like the iPhone backup, a user won't be able to access the data in the backup without special software, but a qualified digital forensics expert will be able to open the backup and extract the necessary text messages. Deleted text messages can only be recovered using a combination of specialized hardware and software used by digital forensic service providers specializing in mobile phone forensics. In some situations, only the removal and analysis of the phone's memory chip, a process that will destroy the phone, will allow for the recovery of deleted text messages. For obvious reasons, this route is ordinarily something undertaken primarily by law enforcement.

Google Android and Windows Phone smartphones do not have a native method for preserving text messages. A digital forensics expert will use tools and techniques specific to the type of phone they encounter. However, for the end-user, there are several third-party applications that advertise the ability to back up existing text messages from these devices. Any application the end-user chooses should offer the ability to export the messages and their attributes into an uneditable format, so there is no question as to their authenticity.

Not all makes/models of phones are supported by forensic products and electronic versions of the existing text messages are not always obtainable. In these situations, even the best forensic examiner will be forced to painstakingly take digital photographs of the existing text messages as they natively appear on the mobile phone. And yes, these are admissible in court. As far as deleted text messages are concerned, if they still exist on the phone, even in a fragmented form, a digital forensic expert should be able to recover them as long as the analysis computer can communicate with the phone.

Regardless of the method used, it should not alter any of the original text messages, the process and results must be reproducible and the preserved information must be identical to the original source information. Although an end-user may be able to assist with some of the initial stages of text message preservation, a digital forensics expert will be able to extract and produce verified and accurate text message data from the preservation data set. In most situations, engaging a digital forensics expert to complete the entire project life-cycle – from preservation to production – will allow for a more accurate and defensible use of text message data.
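One way to check the "identical to the original" and "reproducible" requirements above is a hash manifest, shown here as an added example that is not part of the original article. The file names and sample data are constructed stand-ins, not a real phone backup, and the helper names are hypothetical.

```python
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks, opening it read-only so the source is never modified."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its size and SHA-256."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return dict(sorted(manifest.items()))


def verify_copy(manifest, copy_root):
    """Compare a working copy against the manifest taken at preservation time."""
    current = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "extra": sorted(set(current) - set(manifest)),
        "altered": sorted(
            rel for rel in set(manifest) & set(current)
            if manifest[rel]["sha256"] != current[rel]["sha256"]
        ),
    }


def is_identical(report):
    """True only when nothing is missing, added or changed."""
    return not (report["missing"] or report["extra"] or report["altered"])


def demo():
    """Run the check on constructed sample data (stand-in files, not a real backup)."""
    work = tempfile.mkdtemp(prefix="preservation_demo_")
    try:
        source = os.path.join(work, "source_backup")
        os.makedirs(os.path.join(source, "attachments"))
        with open(os.path.join(source, "messages.db"), "wb") as f:
            f.write(b"constructed message store\x00" * 64)
        with open(os.path.join(source, "attachments", "photo.bin"), "wb") as f:
            f.write(bytes(range(256)) * 16)

        manifest = build_manifest(source)
        # Hashing the same source twice must give the same manifest (reproducible).
        reproducible = manifest == build_manifest(source)
        # The serialized manifest is what would be stored alongside the preserved copy.
        manifest_json = json.dumps(manifest, indent=2)

        copy = os.path.join(work, "working_copy")
        shutil.copytree(source, copy)
        clean = verify_copy(json.loads(manifest_json), copy)

        # Simulate accidental changes: overwrite one byte and lose one file.
        with open(os.path.join(copy, "messages.db"), "r+b") as f:
            f.seek(10)
            f.write(b"X")
        os.remove(os.path.join(copy, "attachments", "photo.bin"))
        tampered = verify_copy(manifest, copy)
        return reproducible, clean, tampered
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    reproducible, clean, tampered = demo()
    print("reproducible:", reproducible)
    print("clean copy identical:", is_identical(clean))
    print("after changes:", tampered)
```

A one-byte change leaves the file size the same, which is why the comparison is made on the SHA-256 value rather than on size or timestamps.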

The temptation to DIY this sort of project should be resisted. If you’re going to throw the dice and gamble monies on the recovery of text messages, hiring an expert will give you the best odds of rolling a seven.

Securely Deleting Data From Mobile Devices


Why do we care about deleting data from mobile devices? Usually, we are trying to get back data that we inadvertently deleted. It could be that we “fat fingered” an e-mail or text message or blew away a photo that we really wanted to use as a background image. But what about when we are upgrading our smartphones, iPads or other mobile devices? Do you really know what confidential or personal information resides within the memory of your prized possession? As lawyers, we have an ethical obligation to protect the information of our clients. This means that we better be darn sure the data doesn’t stay on our smartphone when we sell it, give it to our kids or donate it to a worthy cause.

Many lawyers don’t believe there is any confidential information on their mobile device, especially if they never specifically took steps to save any data. The unfortunate truth is that smartphones, iPads, etc. automatically save data even if you don’t want them to. As an example, every time you hit the “home” key on an iPhone, a screenshot is saved to the phone. What if you had an attachment open? A picture of that attachment now resides on the phone even though you didn’t explicitly save the attachment. Data is automatically saved on other platforms too, so it is best to assume that your mobile device does contain confidential information that must be removed. The ability to securely delete data varies by operating system and platform. Some methods are built-in and some require third party products.

Let’s start with one of the easier platforms to deal with – BlackBerry. BlackBerry devices have a built-in feature to securely delete data. Navigate to Options. Select ‘Security Options’ and then ‘Security Wipe’. You will need to confirm your wipe selections and intent by typing the word “blackberry” at the bottom of the screen. Once confirmed, the device will clear the selected data. The procedure is slightly different for older versions of the OS. Wiping the PlayBook is similar as well and accessed through the Settings icon. As an alternative, you can remotely wipe the BlackBerry if you are connected to a BES (BlackBerry Enterprise Server). The administrator issues the remote wipe command from the BES console and no user action is required.

There are a couple of different ways to clear the data from the iPhone, iPod Touch and iPad. The more difficult method is to use iTunes to restore the device back to factory defaults. First launch iTunes and connect the device. Select the device and click on ‘Restore’. You will be prompted to back up the device. It is up to you whether to back up or not. Following your selection, there will be a prompt to restore the device to factory defaults. Click the Restore button and the process will begin. You will receive a confirmation message once the device is restored to the original factory settings. Like the BlackBerry, remotely wiping is an option.

Apple has changed the method for remote wiping from the original Find My iPhone application. You are now required to sign up and configure iCloud in order to use the Find My iPhone service. Make sure you read the Terms and Conditions when agreeing to use the iCloud so that you understand what Apple can do with your data. We’ve already written an entire article about iCloud Terms and Conditions so we won’t rehash it here. Once you have set up and enabled iCloud, you need to configure the Find My iPhone app on the device. Essentially, you need to turn it on, but you’re not done yet. Download and install the free Find My iPhone app. The app allows you to locate the device if it is lost and remotely wipe the data. You won’t be able to remotely wipe the data if you haven’t configured and installed the appropriate software prior to initiating the wipe request. Understand that once you initiate a remote wipe, the device will be reset to factory defaults. This means you won’t be able to find out where the device is located. You may elect to do a remote wipe instead of using iTunes, especially if you are in possession of the device.

Android devices are trickier to deal with, primarily because there are so many variants of operating systems and manufacturer capabilities. We certainly don’t have the time or column inches available to run through all the variations. The simplest way to clear the data from an Android device is to reset it to factory defaults. This is done by going to Menu -> Settings -> Privacy -> Factory data reset. If you care about the information on the phone, make sure you back it up prior to resetting the phone. Is the data really gone when you factory reset? It’s hard to tell without testing each and every phone and operating system combination. The short answer is probably not, but it’s good enough. Forensic software and techniques may be able to recover data after a factory reset, but “Joe Six Pack” isn’t going to be able to retrieve it.

While we’re on the subject of factory resets, almost all other mobile devices are cleared in this way. Here is where Google is your friend. Do a search for how to factory reset your particular mobile device and we’re sure you’ll find the procedure. We had an attorney contact us and he wanted to know how to get rid of some nasty program that had infected his feature (non-smartphone) phone. His phone was acting strangely after he clicked on a link in a text message that appeared to come from his son. We told him to Google the manufacturer, model and term “factory reset” to get the instructions. He was very grateful to have his phone back to normal operation. [Note to self: Don’t click on things you shouldn’t!]

Finally, don’t forget to wipe the data from any memory expansion cards that may be in the phone. iPhone users don’t have to worry about this since you can’t expand the memory, but all others may have a 2 GB, 4 GB or larger SD or micro SD card for memory expansion. The card may contain attachments, pictures, etc. that should be wiped prior to disposal. There are several alternatives for dealing with these memory cards. The easiest is to just remove them and not give the cards away. More often you will want to give the cards away and need to wipe the data. You can remove the cards from the phone and put them in a computer that can read the contents. Sometimes you can just connect the phone (with the card installed) to a computer and see the memory card contents. Once you can access the card, use software to wipe the data. A product like BCWipe will do the trick, but there are many others available.

Remember – the best tip in this article is to Google the method to remove the data from your mobile device. The advice we’ve given is current as we write, but as we know too well, things change in one heck of a hurry in the legal tech world.

Book Review: Secrets of Lawyer Video Marketing


We’ve been seeing a lot of Gerry Oginski lately. He is a practicing lawyer but is also a frequent lecturer on lawyer videos and he has recently written Secrets of Lawyer Video Marketing in the Age of YouTube. We were curious to read the book because we know something about videos and have our own Sensei YouTube channel with dozens of videos.

Clearly, anyone who is a video novice would benefit from reading Gerry’s book, but we found things in his book that we didn’t know. If you are a lawyer who has not yet embarked on lawyer videos, you are very late to the party. This is definitely a book you should read.

There are testimonials in this book (fair warning) but we found even those helpful as they gave a sense of what it was like to go through the “make a lot of videos at once” process. With proper preparation, it is not unusual to shoot 50 videos a day. And that’s actually a very effective use of time since you’ve compressed it into one marathon day.

The “trick” of a video that will work for you is to find out (through Google or elsewhere) how people are searching for the services you offer. Or – better yet – something related to your services. You must always give away useful information. But if you give away information about a specific kind of injury or illness to someone searching for it, you’ve helped them. And very often, those folks need a lawyer. Gerry offers some excellent tips on how to locate and “give away” the right kind of information in his book.

When we grilled Gerry via e-mail with various questions, he was incredibly responsive and generous with his time, even allowing us to discuss costs – something we rarely see videographers do.

So how much does it cost? Let’s start with Findlaw – which offers its services at what seems like an exorbitant price. According to Gerry, Findlaw creates 12 minutes of edited video from a 1 ½ day shoot. You must be a premium member of Findlaw to participate, at a cost of $3,700 over a two-year period. The cost to shoot your 12 minutes of edited video is $26,000 – and you are restricted to putting your video on YouTube, your website and Findlaw for two years. The terms won’t allow you to place your video on any other marketing distribution system.

By way of contrast, Gerry has multiple programs where he flies to any law office in the country, with all travel costs included in the pricing. The total price will range between $16,000 and $40,000.

Here’s what you get:

50+ video program plan: 100-150 minutes of edited video.

100+ video program plan: 200-300 minutes of edited video.

The content belongs to you and you can put it anywhere. Gerry also has a program where you can fly to N.Y., stay in a luxury hotel and have dinner with Gerry the night before the shoot, which allows you to pick his brain about marketing. This tends to be considerably cheaper since Gerry doesn’t have to shut down his office for three days. You also receive spotlight annotations in your video program along with an interactive transcript and a blog post to accompany each video.

So what’s an interactive transcript? It allows search engines to index your transcript, not just the title of your video. You create a transcript in a Word document and then convert it to a .txt file. In your control panel in YouTube, click on captions. Upload the transcript, give it a name and let the search engines return results based on your words. Good stuff that we didn’t know.

Every lawyer needs to know about how to make effective videos. We can tell you that a single video of ours generates an average of three e-mail queries and three phone calls per day. That video has made us quite a pot of money.

Can you DIY it? Not a chance unless you’re willing to make a sizeable money investment in technology and a sizeable time investment in learning how to use it. Even if you put that home video camera on a tripod, you won’t have the lighting or sound equipment to make your video look like something more than an amateur smartphone capture complete with grainy video and sound quality like you’re talking in a cave. In our minds, this is clearly something to be left to a trusted expert.

If you’re hesitant, remember that paper ads line bird cages and train puppies after they are read. Videos, unless they become obsolete, are ongoing marketing for you. We’ve never seen such a high return on investment. As an added bonus, when Google acquired YouTube, it changed its algorithm to give videos more weight in the search results.

This is a train that has left the station, but if you run a bit, you may still be able to hop aboard.


Derechos and Sandy Make Compelling Cloud Arguments


Earlier this year, we had a violent 24-minute derecho in Virginia – and lots of law firms went down. Lawyers, when their technology bellies up, panic. Immediately after the derecho, law firms started asking us about moving to the cloud.

John and I were long-time cloud curmudgeons. Not until we carefully considered the words of law practice management advisor Jim Calloway did we begin to change our minds. Jim said, in his Oklahoma drawl, “I’m kinda thinking that cloud providers offer better security than the average solo or small firm lawyer for client data.”

Sadly, that is true. Most smaller law firms pay little attention to data security, even in the wake of all the recent law firm data breaches. By way of contrast, a datacenter (because that’s where data in the cloud resides) would rapidly be out of business if it didn’t provide adequate security.

Now that we have survived Hurricane Sandy, more law firms are already asking about moving to the cloud. Honestly, natural disasters are making an excellent argument for moving to the cloud. Datacenters offer the glorious "five 9s" – 99.999% uptime for electricity and Internet connectivity.

The law firms who have had us move them to the cloud were just fine during Sandy. One lawyer noted that he moved back and forth between drafting a document for a client and tying down furniture on his deck. Sandy made multitaskers of us all. John and I brought in all the garbage/recycling cans and Halloween decorations while writing articles and addressing client concerns about the impact of Sandy from home.

More and more law firms will undoubtedly make the choice to head for the cloud. Even if lawyers have no power at home, many datacenters (including ours) offer offices for rent so lawyers can gather there to work. In our highly competitive profession, we simply cannot be out of work for long – and clients will begin to notice which law firms are reliable during disasters and which are not. That alone will drive law firms to the cloud, because the ability to work when others cannot is a true differentiator.

The real sticking point is getting the average datacenter contract to address the ethical requirements for lawyers. The larger cloud providers (like Amazon and Apple’s iCloud) rarely budge on terms, but the smaller ones are apt to be more flexible in order to get your business. It took three rounds of negotiation before we got an agreement we were happy with, but once that was behind us, we started moving clients to the cloud, slowly at first, but with increasing confidence as we ironed out the wrinkles.

If the “cloud” scares you, it is reassuring to take a physical tour of the datacenter you are considering. The physical security of a good datacenter is impressive. We have to use our proximity cards (complete with name and picture) and biometric access (fingerprint reader) two times just to get into the lobby – plenty of time for the security folks to eyeball us and to lock the center down if something seems amiss. Twice more, we go through the same drill before actually getting to the room where our data is housed. Even there, each company has their own locked cabinets containing their computer and network equipment. And you are on camera just about everywhere but in the restroom. Even the watchers at the entrance are themselves watched by cameras.

So . . . if you are thinking about moving to the cloud, this may be a good time to start investigating the process. Blizzard season is almost upon us!

The South Carolina Data Breach and the Failure to Encrypt


It is nothing short of astonishing that more than 75% of South Carolina’s residents had their Social Security numbers, credit card numbers and other personally identifiable information breached. News of the breach came in October, though it actually began in August. Who uncovered the breach? Usually it is the FBI, but this time it was the Secret Service that notified S.C. on October 10th.

How did the breach happen? Someone, as yet unknown, stole legitimate credentials from one of the 250 state employees with access to the South Carolina Department of Revenue (DOR) database.

Why was the attack so easy? Because (pulling our hair out here) the data was not encrypted. While this was horrific enough, the statements by S.C. governor Nikki Haley may have been more alarming. With 3.6 million of her citizens affected, Haley was in full defensive posture, saying that encryption was “complicated and cumbersome technology.” Perhaps using an actual car key instead of pushing a button to start your car is cumbersome too? It just isn’t that hard, Governor.

No wonder we teach a seminar entitled “Encryption Made Simple.” The fallacy that encryption is rocket science apparently will keep our data in danger of being purloined.

Haley leaked other dirty secrets when she said “The industry standard is that most Social Security numbers are not encrypted. A lot of banks don’t encrypt. A lot of those (government) agencies you might think encrypt Social Security numbers actually don’t . . . It’s not just that this was a DOR situation, but an industry situation.”

Well, Governor Haley, you may have overstated the truth in your zeal to defend the indefensible. Today, encryption is fairly routine in any environment governed by the PCI-DSS (Payment Card Industry – Data Security Standard). While the governor may have been correct about state governments, it is hard to conceive of a bank not using encryption. And of course no specific examples were offered.

It wasn’t just citizens that were impacted – businesses had their data breached as well. The attackers wasted no time in making use of their ill-gotten gains – not only for identity theft purposes but also state-sponsored attacks against manufacturers, the defense industry and other government agencies.

Why are we not getting the critical need for encryption? It certainly isn’t because the need for encryption isn’t clear. Even before the S.C. data breach, the Privacy Rights Clearinghouse identified 18 data breaches in October involving the compromise of tens of thousands of Social Security numbers.

One spot-on comment came from industry expert Adrian Lane, the CTO of Securosis. He said, succinctly and accurately: “In most cases, encryption or other forms of obfuscation (masking, tokenization) can be done transparently to business operations and at a reasonable cost. It need not be complicated – but you have to actually invest some time and money to get it done, and that’s how most states fail.”

No doubt you will be shocked to learn that Governor Haley has said S.C. is now considering encryption as an option. Why is it that this always happens when all the horses have left the barn? Now we want to shut the door. Sigh. The state has agreed to pay for a year of real-time credit monitoring for anyone who signs up. It has also provided $1 million in insurance to pay for data breach investigations.

Governor Haley, who seems to suffer from chronic foot-in-mouth syndrome, has said, “This is a situation where a sophisticated, intelligent criminal got into a database and it’s unbelievably creative how they did it.” Really? Stealing credentials is not exactly unheard of. And leaving data wholly unprotected from access due to stolen credentials is reprehensible in the extreme. This incident wasn’t just predictable – it was inevitable. Leaving data unprotected is an engraved invitation to criminals and state-sponsored hackers.

It is time for all governments and private sector entities to recognize that encryption’s time has come in spades. Failure to encrypt personally identifiable data is almost certainly going to be deemed by the courts as per se gross negligence in the near future – and under some laws, now.

Through a Glass, Darkly: The Future of Court Technology


At the behest of our good friend, D.C. Superior Court Judge Herbert Dixon, we noodled a bit on the future of courtroom technology for an article Judge Dixon is writing. Having brainstormed the topic, we thought it might be fun to take some of our random thoughts and make them marginally coherent.

At the outset, it is clear that there will be disruptive technologies that no one will anticipate. Having covered our collective posterior on that score, some things seem relatively certain. As courts strive to accommodate the needs of citizens, it is likely that we will one day see affordable virtual translation firms pop up so that on-site translators don’t need to be tracked down, often delaying proceedings. We have also started to see assistive listening devices in Virginia but expect them to become universal. Long ago, we remember a client in a wheelchair being transported to a courtroom on a freight elevator – very demeaning. We are making great strides in providing accessible courtrooms and the future may see us fully achieve accessibility for all.

Appellate courts (the bane of lawyers who need to preserve a paper record) will go paperless. We’re not dumb enough to predict when, but it will happen. Even the hidebound U.S. Supreme Court will go paperless – in time. In fact, it will probably be the last court to adopt nearly every technological enhancement. Pretty safe prediction, that one.

Court proceedings will be routinely recorded – audio and video. Access to them may actually be sold to the media – perhaps even the public directly over the Internet as courts seek to use technology to provide badly-needed revenues. For similar budgetary reasons, it is likely that all court personnel functions will be studied to see where technology can replace people. We don’t think robots will replace bailiffs in the near future, but you never know.

Can anyone doubt that e-filing will be universal? Or that the day will come when the only kind of courtrooms that will be built will be high tech? To avoid the problem of those who have and those who have not, courts will furnish as much technology as possible, as well as training on the technology. As for the archaic rules some courts have about restricting the use of wireless networks in the courtroom, those rules will go the way of the Tyrannosaurus Rex. New rules to govern new technology that jurors, parties and spectators bring to the courtroom are certain – perhaps there will be technology to monitor or control the use of technology.

The “touch revolution” will reach the courthouse in spades. And how will those in courtrooms exchange documents? By near field communications devices, which will be especially helpful when documents are annotated on the fly.

Hackers will breach court security systems and information security will become a constant focus for those who manage court IT systems. Court IT personnel will need to have multiple backup solutions in place, in different geographic areas, to meet the combined threats of hackers, technology meltdowns and natural disasters. It may well be that courts move their data to the cloud – particularly to cloud providers with excellent reputations for providing security, perhaps better security than in-house personnel.

Video conferencing will boom. Judges will talk to lawyers, at least outside of trials, primarily through video conferencing. This technology will be used for scheduling conferences, hearing motions, etc. In fact, it may become common for video conferencing to be utilized in just about all family law, traffic, juvenile and small claims courts. Judges will begin to ask “Who really needs to be at the courthouse and why?”

We have already seen technology assisting judges in family law cases. Parents have been ordered to provide Skype or FaceTime to children so they can communicate with the other parent. They have also been ordered to use apps like “Our Family Wizard” to track parenting time, reduce divorce conflict and remove the "he said/she said" that keeps families returning to court over custody and co-parenting issues. One can only imagine what apps courts might employ in different areas of law to keep matters out of court.

Pugnacious attorneys warring over e-discovery may be ordered to videotape their “Meet and Confer” conferences and to record the audio if they confer by phone. One or two judges have already employed this methodology and find that the number of discovery disputes declines rapidly when conversations and meetings brilliantly illustrate who is being reasonable and who is being a jerk.

Online resolution of disputes, through the private sector and perhaps through courts as well, is likely to become more common, perhaps lessening the number of court cases.

And finally, there absolutely will be a successor to Judge Judy who will have a high tech courtroom and star in a reality show which has nothing whatever to do with reality but which will be avidly consumed by the next generation of reality show devotees. You can bet the mortgage money on that prediction.

The Future of Law: Tomorrow’s Lawyers by Richard Susskind


Most American lawyers became aware of British Professor Richard Susskind after he wrote The End of Lawyers? in 2008. The book generated a lot of controversy among lawyers with some proclaiming that he had indeed “seen” the future of law and others protesting that the practice of law would certainly not undergo the kind of radical changes that Susskind foretold.

Susskind is back generating controversy once again in his latest book, Tomorrow’s Lawyers. We are unabashed fans of Susskind’s prophecies, even those we may not wholly agree with, because he forces the legal profession out of its natural complacency.

He refers to that complacency in the very beginning of his book, quoting Alexander Graham Bell: “When one door closes, another door opens, but we often look so long and so regretfully upon the closed door that we do not see the ones that open for us.”

We know a large percentage of lawyers who believe that the economic downturn is at the root of all their troubles – they continue ardently to believe that when the economy rights itself, the practice of law will return to the world they knew before 2008.

Professor Susskind does not believe that, and neither do we. Susskind paints with a broad stroke, showing us the prevailing winds from 10,000 feet. In details, he may be wrong, but in general, we find his arguments compelling. He states that, in the next two decades, the practice of law is very likely to change more than it has in the last 200 years. Susskind is worried that we are not preparing our law students and young lawyers for this new world.

The greatest driver for change is unwelcome to lawyers, but Susskind calls it the “more for less” challenge of delivering more legal services at less cost. That is something that all clients, especially corporate clients, are asking for. The hard reality is that, to do so, law firms must become more efficient or their bottom line will suffer.

Susskind identifies the second driver for change as liberalization, meaning that non-lawyers will be permitted to deliver services that currently are provided only by lawyers. The U.K. is far ahead of us in pursuing this course, but we have seen glimmerings of the path to come. A host of “legal” services is now being provided online. LegalZoom may be the big kahuna, but it has lots of company and more each day.

To no one’s surprise, the third great driver is technology. Not only is it “disruptive technology” but it refuses to sit companionably beside the traditional working world of lawyers. The fact that computers allow us to work so much faster, repurpose previous work and cause hundreds of other legal functions to speed up has driven legal costs down and increased the client clamor for value-based billing. There is a nice list of disruptive technologies provided in the book which will cause some lawyers to reach for the Advil because so many of these technologies did not exist when they graduated from law school and they have little or no idea how to adapt to them. Online dispute resolution services? Litigators may wince, but they are upon us.

Susskind cautions that the Golden Age of Law may be over – that we will never return to our old ways of work. To survive, we must make efficiency and collaboration our watchwords. Law firms must strive to become more efficient (which has not previously seemed in their best monetary interest) and clients must band together to share the costs of some legal services. As an example, Susskind references banks. Much of their compliance work is administrative and non-competitive – if they “clubbed” together and had one law firm doing that sort of work, the savings could be substantial. Of course, the other law firms whose banking departments would be impacted would be most unhappy.

There is a great deal in this book about commoditization, which most lawyers now agree is here to stay. But by decomposing legal tasks, letting some be performed by non-lawyers and some by different levels of lawyers, some in-house and some outsourced, we may save clients money – and thereby retain old clients and attract new clients.

For law firms which have built their profitability around hordes of junior lawyers furiously billing, retooling their firms means plotting the obsolescence of what now provides their sizeable incomes. Many will rage against the inevitable, but they cannot stop the future from coming. To twist Susskind’s words to the American side of the pond, “turkeys rarely step forward to vote for an early Thanksgiving.”

Are our law schools adequately training young lawyers? Susskind clearly believes that they are not. There has been some progress with legal clinics and classes in law practice management and technology, but the progress is scant compared to the growth of the problems that law school graduates face. By and large, Susskind believes we are training young lawyers to become 20th century lawyers rather than 21st century lawyers.

For those who are young lawyers, we were particularly impressed by Susskind’s suggestions of questions that they might ask in an interview to make sure they are entering a law firm that has a viable future. We were even more taken with Susskind’s list of supplemental education possibilities that young lawyers could undertake to make themselves more valuable to a potential employer (law firms and other entities), from understanding legal technology, mastering legal project management, performing systems analysis, etc. Sadly, a law degree alone will not suffice for most. Even at that, the high incomes once promised to young lawyers are no longer guaranteed. Only a few will reach the exorbitant incomes of the past.

Susskind homes in on the essence of his advice when he quotes the famous ice hockey player Wayne Gretzky, who counseled, “Skate where the puck’s going, not where it’s been.” Indeed, if “tomorrow’s lawyers” wish to succeed, they will have to project where the puck will be and make sure that they are there. There is no better guide to doing so than Professor Susskind’s book.

The Perils of Social Media for Judges


The authors thank D.C. Superior Court Judge Herbert Dixon, who maintains a two-way street of information sharing with us on this subject.

It was inevitable that, after lawyers flocked to social media, judges would follow. Unsurprisingly, stories of judicial misconduct are beginning to appear. But let us begin with the biggest news story of 2013 involving judges and social media.

ABA Formal Opinion 462

In the most striking recent development, the American Bar Association issued Formal Opinion 462 on February 21, 2013. While it was not groundbreaking, it certainly reaffirmed the general trends among states which have looked at the implications of judges using social media.

The fundamental conclusion was: “A judge may participate in electronic social networking, but as with all social relationships and contacts, a judge must comply with relevant provisions of the Code of Judicial Conduct and avoid any conduct that would undermine the judge’s independence, integrity, or impartiality, or create an appearance of impropriety.” The opinion notes that it does cover blogging, participation in listserves and message boards and interactive gaming.

Judges need to be mindful that their conduct should promote confidence in the judiciary, which means they need to realize that whatever they post might wind up almost anywhere. And they are urged to avoid establishing social media relations with people or entities where it might be thought that those contacts are in a position to influence the judge.

As the opinion notes, the trickiest part thus far has been determining whether judges may “friend” lawyers – and the states have varying opinions on this. If they do have lawyers who are social media friends, must they disclose that fact? Context is important here – is there truly a significant relationship? Is there anything about the relationship that would suggest any connection to a particular case? The opinion suggests that the affirmative need to disclose, whether the relationship is with an attorney, party or witness, would probably be rare.

If common sense dictates it, a judge may decide to disclose that the judge and a party, a party’s lawyer or a witness have a social media connection, but that the judge believes the connection has not resulted in a relationship requiring disqualification. Obviously, the judge is not compelled to search through all social media relationships for each case to determine whether a relationship might exist.

Truly, the essence of the four-page opinion is simply this: Be mindful of the existing rules regarding judicial ethical conduct and how they might apply to social media. If you had to boil it down to three words, it might be, “Use common sense.” Then again, common sense isn’t all that common, as some judges have proven.

The 2012 CCPIO Report

The Conference of Court Public Information Officers released its third report on New Media’s Impact on the Judiciary on August 2, 2012. According to the findings, 46.1% of judges use social media, with 86.3% of that number using Facebook and 20.6% using LinkedIn.

Elected judges are more likely to use social media though the study does not say why. We assume that social media elevates their public profiles and permits them to solicit contributions, either directly or by publicizing events at which monies are raised.

Asked to react to the statement, “Judges can use social media profile sites, such as Facebook, in their professional lives without compromising professional conduct codes of ethics,” more than 45% still disagree. But the number of judges who agreed with that statement has more than doubled since the 2010 survey, suggesting that judges are beginning to warm to the notion of participating in social media.

In a similar fashion, judges indicated that they were also warming to the use of new technologies in the courtroom. They are also very much aware of how much social media impacts jurors: More than half (60%, up 4.5% from 2010) of judges report routine juror instructions that include some component about digital media use during trial. Now that’s an amazing shift in numbers!

Judicial Misadventures with Social Media

A North Carolina judge was reprimanded in 2009 when the judge friended an attorney on Facebook while he was presiding over a child custody case in which the attorney represented the father. There were postings about whether the father was having an affair, which led to the judge’s post that he “had two good parents to choose from” and the lawyer’s response: “I have a wise judge.”

In January of 2013, Texas Judge Lee Johnson posted on his Facebook account about a star Texas A&M quarterback who was ticketed for speeding – the judge had graduated from a rival university. Perhaps chastised for the posting, Johnson then posted “I meant to say ‘allegedly’ speeding, my bad.” The city manager apologized to football star Johnny Manziel and called the posting “insensitive and inappropriate.” The judge has also reached out to apologize and an investigation into the judge’s conduct is underway. And “my bad?” Seriously?

In 2010, a Georgia judge stepped down after he made contact via Facebook with a party appearing before him. Over the course of their social media relationship, they went to lunch, she borrowed money from him, they talked about her case, he visited her apartment, he advised her on case strategy and he released her on personal recognizance. When the details of the relationship became public, the judge resigned.

Judicial misconduct doesn’t have to take place on social media to find its way there. In our era, judicial misconduct such as texting and adultery may find its way onto multiple social media platforms. Go to YouTube and search on Judge Wade McCree and you’ll see what we mean. Don’t do this at work!

What we have seen so far is likely only the tip of an ugly iceberg since it often takes a while for misconduct to come to light. As more and more judges board the social media train, we will probably see increasing news reports of judicial misconduct.

The authors are the President and Vice President of Sensei Enterprises, Inc., a legal technology, information security and digital forensics firm based in Fairfax, VA. 703-359-0700 (phone) www.senseient.com
