Channel: Sharon D. Nelson and John W. Simek, Author at Slaw

Review of the iPad in One Hour for Litigators


We have long been fans of Tom Mighell’s iPad books, which include iPad in One Hour for Lawyers, iPad Apps in One Hour for Lawyers, and now the third member of the series, iPad in One Hour for Litigators. If lawyers have tended to fall in love with the iPad, litigators are becoming obsessed with it.

The small form factor, the ease of use and the ability to compete with large firms which have huge litigation budgets have all been factors. One thing we’ve seen as we lecture is that litigators buy the iPad and only then ask, “How do I use it?”

If you have been wondering what to do with your iPad in the courtroom, iPad in One Hour for Litigators is an essential starting point. The author’s language is comprehensible even to those who are not the least bit geeky, and he introduces the wonder of the iPad in digestible bites.

Tom is quite candid, and we second this, that no resource on the iPad can ever remain wholly accurate. Within two days of publication of a book, something will have changed – the price of an app, new features – and whole new apps will crop up.

But understanding that, there are now a lot of apps that have been around for a while and proven their worth. Probably the two that we see used most often by litigators are TrialPad and TranscriptPad, both by Lit Software. Can TrialPad do everything that Sanction and Trial Director (the conventional trial presentation tools) can do? No – but it sure can do everything that most lawyers need it to do.

The book also takes you through the process of syncing files – these days, most commonly using Dropbox. Can this be done securely, protecting client confidentiality? Certainly, by password protecting files (PDF, Word, etc.) and thereby encrypting them. This is probably the most common question we are asked as litigators are still nervous about ethical issues involving Dropbox. And of course, there are Dropbox alternatives – but Dropbox seems to have won the beachhead and all software developers make sure their software works with Dropbox first.

The book conjures an imaginary case as a way of guiding you through apps that help with notetaking, calendaring, recording deadlines, taking depositions and reviewing transcripts, reviewing documents, researching, preparing for trial, selecting a jury and, of course, presenting your evidence.

There are a lot of great apps in this book, some heartily recommended by the author and some whose flaws are duly noted. We have already gotten to the point where there are so many legal apps that a useful book (and this one is!) will identify several of the best-known and most-utilized apps, but not all of the available apps – it is just too confusing.

While it is a “One Hour” book, as the author notes, it will take much more than that to read AND explore the apps mentioned. But whether you are starting from scratch or have been using the iPad in the courtroom for a while, you will find this book extraordinarily helpful. We have had several litigators tell us that this book was the best investment (roughly $40) that they could have made in pursuit of understanding what the iPad could accomplish in their litigation practices.

You can purchase the book at the ABA bookstore online.


Metadata in Digital Photos – Should You Care?


We are hopeful that you are familiar with metadata, especially as it exists in e-mail messages and word processing files. If not, then a brief refresher is in order. There are a couple of different types of metadata, but most regard the common definition to be data that is stored internal to the file (you can’t see it without knowing how to look at it) and is not explicitly defined by the user. The application (e.g. word processor) inserts data within the file such as the author, last time printed, fonts used or creation date. But what about image files such as those taken with digital cameras? What metadata do those files contain?

Digital photos can be an electronic evidence heaven. Digital image files typically contain information about the date and time the photo was taken, camera settings such as aperture and shutter speed, manufacturer make and model (and often the serial number) and in the case of smartphones, the GPS coordinates of where the photo was taken (pure evidentiary gold in many cases). This metadata is called Exif (Exchangeable image file format) and is a standard that specifies formats for files recorded by digital cameras. None of this information is added by the user at the time of file creation. As you can see, the information could be extremely valuable, especially in litigation.

Since we’ve established that metadata does exist in digital image files, should you care? It depends on whether you are the originator or the recipient of the information. The metadata could be extremely dangerous if revealed through social media channels, especially if the user is unaware of the consequences. Here’s a real world example. Adam Savage is one of the hosts of the popular science program, MythBusters, on the Discovery Channel. He posted a picture of his automobile parked in front of his house on Twitter. Even though Adam is a “science” guy, he apparently didn’t know or simply forgot that his photo revealed more information than the fact that he drives a Toyota Land Cruiser.

Embedded in the picture was a geotag, which provided the latitude and longitude of where the photo was taken. Since he announced that “Now it’s off to work,” a burglar would know that he was not at home and the geotag would also pinpoint where he lived. Adam certainly dodged a bullet.

Then there’s the famous story of the leaked Harry Potter and The Deathly Hallows book. Someone took a digital photo of each and every page and posted the entire book on BitTorrent networks such as Pirate Bay. Lucky for the photographer that they haven’t been caught, but they sure left behind a lot of electronic breadcrumbs. The metadata tells us that the photographer (we suspect a he, since part of a hand and fingers appear in many of the photos) used a Canon EOS Digital Rebel 300D camera running firmware version 1.0.2. The camera serial number is 0560151117. Canon identified the camera as being three years old and it had never been serviced. We’re sure that the camera is at the bottom of some river by now since it could lead the authorities to the owner.

Probably the most famous Exif story is that of John McAfee. While on the run from authorities in Belize in connection with a murder investigation, he allowed a journalist from a shady website to take a photo of him, which was then posted on the website complete with its Exif data. Turned out he was in Guatemala, where he was promptly detained and later deported to the U.S.

For those of you who care to know (and it seems everyone does), photos that are posted to Facebook or Twitter currently are stripped of their Exif metadata. On the other hand, Google+ preserves it.

We have many more metadata stories, but you get the picture [bad pun]. Digital image metadata is not readily viewable by the casual viewer. Perhaps that is the reason why we still find a plethora of metadata in the electronic evidence that we analyze for our cases. So how do you identify what metadata exists in the electronic file and is there a way to clear it out?

Viewing the metadata requires that you open the digital image in a piece of software that can readily show you the metadata values. You probably don’t even need to spend any money to do so. You can use the included Windows Live Photo Gallery or Windows Photo Viewer if you are running Windows 7. Once the file is open, just go to File, Properties to see a lot of the metadata values, including GPS location information if it exists.

But what if you don’t want to distribute the Exif data with the file? How do you get rid of it or at least change it? The function to modify the data as well as remove it is included in your Windows environment. If you right-click on a file, select Properties and then the Details tab, you have the opportunity to change or delete much of the embedded metadata. There is even a link at the bottom of the panel that will “Remove Properties and Personal Information.” You can use this hyperlink for an individual file or for all files in a folder. Once you click on the hyperlink, you can create a copy with all possible properties removed or selectively remove specific properties. There is also a free Windows utility called QuickFix (http://www.metabilitysoftware.com/products/metability-quickfix.html) that will strip GPS and other metadata from the image file. Give it a try, especially since it’s free and supports drag and drop. Finally, you can install a product like Litera’s Metadact-e, which will clean metadata from document files as well as image files.
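To show what the Windows “Remove Properties” step is actually doing to the file, here is an added example (not from the original column or from any of the products named) that parses the Exif APP1 segment of a JPEG with nothing but the Python standard library, decodes the camera make/model and the GPS geotag into decimal degrees, and then writes a copy with the Exif segment removed. The JPEG it works on is constructed in the script itself (a valid marker structure carrying a little-endian TIFF block, with no real image data), so the make, model and coordinates are sample values, not taken from any actual photo.

```python
import struct

# Exif/TIFF tag numbers and field types from the Exif specification
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5


def _entry(tag, typ, count, value_or_offset):
    # One 12-byte IFD entry, little-endian ("II" byte order) for the sample file
    return struct.pack("<HHII", tag, typ, count, value_or_offset)


def _ascii_inline(s):
    # ASCII values of 4 bytes or fewer are stored directly in the value field
    return int.from_bytes(s.encode().ljust(4, b"\0"), "little")


def _rational3(deg, minute, sec):
    # Degrees, minutes, seconds as three unsigned rationals (numerator, denominator)
    return struct.pack("<IIIIII", deg, 1, minute, 1, int(sec * 100), 100)


def build_sample_jpeg():
    """Constructed sample: SOI | APP1 (Exif) | COM | EOI. The TIFF block holds
    Make/Model in IFD0 and a GPS sub-IFD; offsets are computed in layout order."""
    make, model = b"Canon\0", b"EOS Digital Rebel\0"   # sample values only
    ifd0_off, ifd0_len = 8, 2 + 3 * 12 + 4
    make_off = ifd0_off + ifd0_len
    model_off = make_off + len(make)
    gps_off, gps_len = model_off + len(model), 2 + 4 * 12 + 4
    lat_off = gps_off + gps_len
    lon_off = lat_off + 24
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off) + struct.pack("<H", 3)
    tiff += _entry(TAG_MAKE, ASCII, len(make), make_off)
    tiff += _entry(TAG_MODEL, ASCII, len(model), model_off)
    tiff += _entry(TAG_GPS_IFD, LONG, 1, gps_off)
    tiff += struct.pack("<I", 0) + make + model          # no next IFD; ASCII data
    tiff += struct.pack("<H", 4)
    tiff += _entry(GPS_LAT_REF, ASCII, 2, _ascii_inline("N"))
    tiff += _entry(GPS_LAT, RATIONAL, 3, lat_off)
    tiff += _entry(GPS_LON_REF, ASCII, 2, _ascii_inline("W"))
    tiff += _entry(GPS_LON, RATIONAL, 3, lon_off)
    tiff += struct.pack("<I", 0)
    tiff += _rational3(37, 46, 29.0) + _rational3(122, 25, 9.0)  # constructed geotag
    app1 = b"Exif\0\0" + tiff
    com = b"sample"
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com + b"\xff\xd9")


def _segments(jpeg):
    """Yield (marker, payload) for each metadata segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS or EOI: no more metadata segments
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes itself
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, bo, off):
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])   # raw 4-byte value/offset
    return entries


def _value(tiff, bo, entry):
    typ, count, raw = entry
    size = {ASCII: 1, LONG: 4, RATIONAL: 8}[typ] * count
    if size <= 4:
        data = raw[:size]                                 # stored inline
    else:
        off = struct.unpack(bo + "I", raw)[0]
        data = tiff[off:off + size]                       # stored at offset
    if typ == ASCII:
        return data.rstrip(b"\0").decode("ascii", "replace")
    if typ == LONG:
        return struct.unpack(bo + "I", data)[0]
    nums = struct.unpack(bo + "II" * count, data)
    return [nums[i] / nums[i + 1] if nums[i + 1] else 0.0 for i in range(0, 2 * count, 2)]


def _dms_to_decimal(dms, ref):
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg


def read_exif(jpeg):
    """Return Make, Model, Latitude and Longitude (decimal degrees) when present."""
    tiff = None
    for marker, payload in _segments(jpeg):
        if marker == 0xE1 and payload[:6] == b"Exif\0\0":
            tiff = payload[6:]
            break
    if tiff is None:
        return {}
    bo = "<" if tiff[:2] == b"II" else ">"                # byte order per TIFF header
    ifd0 = _read_ifd(tiff, bo, struct.unpack(bo + "I", tiff[4:8])[0])
    info = {name: _value(tiff, bo, ifd0[tag])
            for name, tag in (("Make", TAG_MAKE), ("Model", TAG_MODEL)) if tag in ifd0}
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(tiff, bo, _value(tiff, bo, ifd0[TAG_GPS_IFD]))
        if all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            info["Latitude"] = _dms_to_decimal(_value(tiff, bo, gps[GPS_LAT]),
                                               _value(tiff, bo, gps[GPS_LAT_REF]))
            info["Longitude"] = _dms_to_decimal(_value(tiff, bo, gps[GPS_LON]),
                                                _value(tiff, bo, gps[GPS_LON_REF]))
    return info


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment dropped; image
    data from SOS onward is copied verbatim, so the picture itself is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):
            out += jpeg[pos:]
            return bytes(out)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos:pos + 2 + length]
        if not (marker == 0xE1 and seg[4:10] == b"Exif\0\0"):
            out += seg                                    # keep non-Exif segments
        pos += 2 + length
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", read_exif(sample))
    print("after: ", read_exif(strip_exif(sample)))
```

Run `read_exif` on a photo straight from a smartphone to see whether a geotag is present before you post it; the same functions work on real files because they only depend on the JPEG marker layout and the TIFF structure inside APP1.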

No matter what approach you take, don’t just focus on the metadata in your word processing and spreadsheet files. Those digital photographs can hold valuable nuggets as well. Just ask John McAfee.

State Court Judges’ Perspective on E-Discovery


We recently had the pleasure of serving on a Fairfax Bar Association CLE faculty which included Circuit Court Chief Judge Dennis Smith, and Circuit Court Judges John Tran and Jane Roush. Their panel offering their insights on e-discovery in state courts was warmly received.

Judge Smith got the ball rolling by talking about the difference between digital immigrants and digital natives, terms coined more than a decade ago by author, educator and lecturer Marc Prensky.

Digital immigrants didn’t grow up with technology and digital natives did. Many judges are digital immigrants. Some will “learn a new language” and immerse themselves in the new technologies — others never will.

Because of this, the panel of judges emphasized that it is important to explain e-discovery issues to the court in simple terms, avoiding acronyms and “geek lingo.”

Most state court judges have been educated by the Sedona Conference and seem particularly struck by the commentary on proportionality. They are anxious to hear about that in each case.

On the other hand, Judge Tran described the phrase “unduly burdensome” as immediately inducing sleep. We might have said narcolepsy. No words contain, in and of themselves, so little help. Explaining factually why something is unduly burdensome is much preferred by the court.

And Judge Smith offered the strict observation that if all your objections to discovery requests are pro forma, hide the ball, non-specific objections, it is likely that the court will grant a motion to compel.

As all three judges noted, some of their best education comes from prepared counsel who can ditch the geek-speak and explain to them what they need to know. Such counsel and their experts operate as instructors and the judges are avid pupils.

All the judges complained of fishing expeditions. As they noted, when they see a focused, narrowly tailored discovery request, they know the attorney is well-prepared.

Collaboration is another theme. Right from the start, judges prefer that the attorneys on each side collaborate and share search terms, bearing in mind that searches have to be defensible, tested and transparent. So often, discord in e-discovery seems petty to the judges, with both sides striving to portray themselves as the “good guys” who are reasonable and conciliatory. As Judge Smith noted, “this is a nuclear war you don’t want to have.” Far better to collaborate and have a joint plan.

While deciding these disputes is painful, John Tran (a recent member of the bench) notes that he prefers deciding those disputes to arguing them. All the judges lamented the scorched earth litigation they so often see. But they do acknowledge that some issues need airing – just not as many as come before the court!

Judge Roush noted how much evidence we create, with young people putting every stray thought in digital form. As she noted tongue-in-cheek, “technology has taken all the fun out of adultery.” The digital evidence is always there and comes out in discovery.

The state court judges are becoming used to rolling productions, which are sometimes needed by the sheer volume of evidence and which show continuing good faith to bring forth evidence as quickly as possible.

They have seen only a few predictive coding cases. They surmise that the document intensive cases, because of their subject matter, are more likely to be in federal court than state court. However, they have no objection to predictive coding and believe it is a logical advance in e-discovery, assuming that the costs become more affordable.

Perhaps most telling was Judge Smith’s reference to the old adage, “What’s good for the goose is good for the gander.” If one side asks for something and gets it, the court is likely to be receptive to a reciprocal request by the other side. Plaintiffs are always bemoaning what defendants have not preserved or produced, but the truth is, plaintiffs often neglect to preserve and produce themselves, no doubt feeling themselves the aggrieved parties.

While we delight in the stories from the federal judges, the tales from the state court judges have a more small town, homespun feel. Not every case is a megacase and we applaud the commonsense approach of state court judges to “e-discovery writ small.”

Will XP Be Attacked in April 2014?


Unless you’ve been hibernating, you know that support for Windows XP SP3 will end on April 8, 2014. This means that Microsoft will not be providing any security updates after that date. Should you care and quickly run out and purchase an upgraded operating system? Many critics are claiming that Microsoft is stopping support in order to increase sales of the more current operating system software. Others are predicting that the sky will fall as hackers are just waiting to release their latest malware right after April 8th. We believe that there will be attempts to compromise Windows XP systems, but it is hard to believe that there will be a massive attack on April 9th. Sometime in the future, yes. Immediately, probably not.

Why all this hoopla over replacing Windows XP? Many systems are currently running XP and you probably don’t even realize it. The majority of airport scheduling systems run XP to drive the monitors displaying departure times, gate assignments, etc. for the thousands of flights that occur every day. Imagine the impact if airport flight displays suddenly go dark. A bigger risk exists in the banking industry. Most ATMs run XP as the operating system. A compromise of an ATM could cause a huge amount of financial damage, especially if the exploit was spread across the entire ATM network.

Why should you care as a lawyer? Well, there’s an ethical duty for lawyers to protect the confidentiality of their clients’ information. Without the continuing security updates, your computer system could be compromised by the bad guys, putting your client’s data at risk. As a result, some bars may determine that you are subject to disciplinary action for failure to reasonably protect client data if you continue to use Windows XP after April 8th.

Failure to comply with a lawyer’s ethical duties isn’t the only potential gotcha. Many law firms use their computers to process credit card payments from their clients. If the computer is running Windows XP, there is a possibility that it will be infected with malware after the XP end-of-life date. The malware could intercept the credit card payment information. This means you have to deal with possible fines for violating the requirements of PCI DSS (Payment Card Industry Data Security Standards), state data breach laws and a public relations disaster if you have a data breach. In short, it wouldn’t be a very good day. It will be even worse if you use QuickBooks on the same compromised machine. That would put all of your financial data at risk, including any trust account information. Your first bounced check would be an unwelcome clue that a hacker had just siphoned money out of your bank account following a successful attack on your XP-based computer.

So what are you waiting for? Run, don’t walk, and replace that soon-to-be-malware-magnet XP machine. Unfortunately, there is no direct upgrade option from XP to one of the modern operating systems. You’ll have to transfer your data manually and potentially upgrade some of your application software. No matter what, ditch that XP computer and keep those security updates coming.

A Scary “Mask”: Tag, You’re It!


Remember the childhood game of chasing all of your friends in an attempt to merely lay a finger on them so they could assume the role of the “it” person? It doesn’t feel much different these days when dealing with technology. There are a ton of “bad guys” trying to compromise your technology for a variety of reasons. Once your computer is infected it may be a long time before you are even aware of the compromise.

Advanced Persistent Threat (APT)

There are so many definitions of APT that it can make your head spin. It can refer to an advanced attack on a network. But today, an advanced persistent threat is more often defined as a body (e.g. a government) that has the ability and intent to target a specific entity with sophisticated intrusion techniques. Further, we describe an APT as dealing with a cyberthreat. Malware is installed on a computer or network device to gather intelligence and information about the selected target. Probably one of the more famous APTs is the Stuxnet worm, which targeted the computers for Iran’s nuclear program. Usage of APTs has grown tremendously over the last several years and we anticipate an even steeper growth given the recent revelations of spying activity by the NSA, Australian Signals Directorate and the British Government Communications Headquarters.

Mask

This is not the kind of mask that you wear on Halloween (or perhaps every night in New Orleans), but a recently discovered APT that has been around infecting computers for at least the last seven years. It is really a tribute to the programmers that they developed software that has been in hiding for so long. In fact, several researchers have said that the attack, dubbed The Mask or “Careto” (Spanish for “Ugly Face” or “Mask”) is the most sophisticated APT operation they have ever seen.

Kaspersky Labs discovered the campaign while investigating attacks on a patched vulnerability for some of their older products and wrote a blog post describing it. “What makes The Mask special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated piece of malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (iOS).” That’s some pretty scary stuff. They also found the word “Careto” contained within some of the software modules as shown in the included graphic.

Targets

Where did Kaspersky discover the malware? Researchers were able to identify 380 unique victims at more than 1000 IP addresses in 31 countries. The targets included government institutions, diplomatic offices and embassies, research institutions, private equity firms, activists, and energy, oil and gas companies. Many but not all of the victims were in Spanish speaking countries.

What does it do?

Once your machine is infected, the malware intercepts all the communication channels and collects the most vital information from the infected system. It is very hard to detect it since it has stealth rootkit capabilities. Besides the functions programmed into the malware, additional modules can be transferred to the infected computer from the command-and-control (C&C) servers. Since the malware is intercepting the communications, it can steal sensitive information such as encryption and SSH keys.

Safety first

Like so many malware infections, The Mask gets delivered through spear phishing e-mail. The e-mail campaign contains links to malicious websites containing a number of exploits designed to infect the user. If the infection is successful, you are redirected to a benign website that was referenced in the spear phishing e-mail.

The primary lesson is not to be stupid. Be wary of spear phishing e-mail and certainly don’t click on links that may appear in the messages or attachments. The good news is that the C&C network is shut down and no longer functioning. Kaspersky thinks the attackers shut down the campaign once they noticed they were being monitored. That’s not to say that it won’t come back in some other form so be careful out there.

Search Engine Optimization: What Really Works for Law Firms?


Boy oh boy, is this a hotly debated topic – and we happened to attend a very illuminating presentation by Mark Jacobsen, the Senior Director of Strategic Development and Thought Leadership for FindLaw (long position title!). While I am normally somewhat skeptical of FindLaw (after all, they are in the business of selling websites/SEO), Mark did a great job of presenting a study done by FindLaw in a “teaching” rather than a “selling” way.

His presentation was entitled “The Futility of Chasing Silver Bullets: An Analysis of Aggregate Search Performance for Law Firm Websites.” They apparently like long titles at FindLaw. You can download the 2013 study here so long as you don’t mind giving up contact information. You will probably be contacted – we were. :)

Here are some of the highlights:

Branded searches account for 38% of all searches for law firm websites. In other words, they already know your firm, someone in it or some other aspect of its brand. Any competent SEO provider should be able to get you traffic for branded search.

But 62% of searches are non-branded. This is where the fight for results gets bloody. Most lawyers suffer from the misconception that “head-term phrases” (such as divorce attorney Los Angeles) are the key to success, and they waste a lot of money trying to get those phrases to come up on the search engine results pages (SERPs).

People also search for research reasons and for what are called “long tail searches with lawyer intent.” An example might be “lawyer in Virginia who specializes in appealing school decisions about student discipline.” Because of the sheer volume of those doing research, even though the click rate is very low, they will result in 66.9% of non-branded visits to your site. Long-tail searches will end up visiting your site 31.8% of the time and head-term searches will visit just 1.3% of the time.

The contact rates (what you care about most) are 0.8% for research queries, 4.6% for head-term/intent to find a lawyer queries, and 4.6% for long-tail searches with intent to find a lawyer.

By combining website traffic level and contact rates, the study determined the percentage breakdown of contacts generated by non-branded queries types. The percentages were: Research 26%, Long-tail with intent 71% and head-term with intent 3%.

Clearly, the lesson is this. For non-branded queries, research queries are high in volume but it is less likely that they will result in contacting the firm. Long-tail queries with lawyer intent deliver the most contacts to the firm. Head-term queries with lawyer intent result in the fewest contacts to the firm.

So for those of you who have been trying to deliver first page results for “geography plus area of practice” queries, you are probably spending too much money chasing too few results. Good SEO experts have known for years that the best results for unbranded searches come from long-tail searches. So rethink how you spend your SEO monies!

The T-Shaped Lawyer: Does the “T” Stand for Technology?


You’ve probably heard about the T-shaped lawyer. The origin of the term was the “T-shaped person” – a reference which first appeared in a 1991 London newspaper article on the subject of computing jobs. The premise is that a T-shaped person has a depth of knowledge in one discipline (this is the vertical stroke of the T) as well as a breadth of knowledge across multiple disciplines that allows for collaboration and innovation (the horizontal stroke of the T).

C-suite executives talk with enthusiasm about seeking T-shaped employees who can successfully collaborate and innovate with our rapidly changing times.

As applied to lawyers, the vertical line is obviously the depth of legal knowledge – and that was all lawyers once needed to know. But in an over-crowded legal market, having a breadth of knowledge across other disciplines can mean the difference between success and failure. Mind you, many possible fields, not just technology, come to mind – it may be useful to understand medicine, project management or many other disciplines.

But we submit that the biggest horizontal line for most lawyers is technology. This is where so many of them can differentiate themselves from their colleagues. In a world of data breaches and government surveillance, lawyers are now ethically required to understand cybersecurity – and those who do have something valuable to offer clients.

They utilize whole disk encryption, have robust encrypted back-up systems, understand safe computing and can train others, and know how to function securely in the cloud. They also understand when “in person” meetings may be necessary – knowing the dangers of technology is increasingly causing “old school” personal meetings.

Then there is e-discovery and digital forensics, a fact of life for many litigators. The attorney who understands predictive coding, proper preservation of evidence and how to retrieve deleted data or conduct a digital investigation has a big leg up when talking to a tech-savvy executive or General Counsel looking to hire a firm.

Data analytics (how to search across big data for meaningful trends, etc.) has a lot of appeal. And these same lawyers can use data analytic skills to compare how their firms stack up against other firms – or to figure out how to structure successful alternative billing structures that are a win-win for the client and the firm.

All this isn’t just for BigLaw. “TinyLaw” is thought to have $90 billion in untapped potential for small businesses and individuals. Hence the success of LegalZoom and its brethren, but there are lots of ways to automate – assuming, of course, that you understand how to automate.

Don’t understand social media? Then, as the boat captains would say, “You need to fish where the fish ARE.” And that’s where they are. Another significant skill set.

General Counsels and executives are tired of paying, usually by the hour, for technological incompetence. Many are demanding more competence (even passing tech audits and cybersecurity audits), to the chagrin of their law firms. The economic model of law firms has been fundamentally changed by this demand – and the cost of meeting it.

Have you heard the phrase “The Internet of Things?” This is where we are connected to the Internet all the time, through our computers, smartphones, smart watches, home appliances, fitness bands, security systems, video cameras and a plethora of other devices. The more this trend increases, the more technology knowledge a lawyer will need to have.

These are digestible tidbits of thoughts, but to us they add up to the need for more T-shaped lawyers with, in many cases, the horizontal line standing for technology.

Finally, a Tablet That Can Replace a Laptop!


Finally, a tablet that can replace a laptop. Much as lawyers love their iPads – and they are great for surfing, e-mailing and presenting evidence in court – they are not true laptop replacements when it comes to business productivity. This is the next true war – consumer tablets have reached a saturation point and consumers are not replacing them as fast as manufacturers had hoped.

Always in search of profits, the major manufacturers have finally come to recognize that the enterprise tablet market is hot hot hot for any company that can get the technology and the security right.

While we attended the ABA Annual Meeting in Boston, we had a chance to visit a Microsoft store and test drive the Microsoft Surface Pro 3. To put it mildly, we were both impressed and left the store discussing when we would buy them and with what configurations.

The only thing that irritates us is that the keyboard is “optional” (not if you want to work) and carries an additional charge of $129.99. That aside, we loved it – more information from Microsoft may be found here.

Business-grade tablets, those that can truly replace a laptop, are quickly becoming the next big thing in solo and small firm technology as well as in the general marketplace. We are being bombarded with questions on this topic at our CLEs. Everyone is looking for a laptop replacement.

Happily, you can now leave your 4.5 pound laptop and clunky travel bag at home when you need to hit the road.

The Microsoft Surface Pro 3 is truly a laptop replacement and has received some glowing reviews, which certainly could not be said of the preceding two generations of the Surface. The tablet boasts a 12” display with a resolution of 2160×1440. The 4th generation Intel Core processor (i3, i5, i7) is the same processor that you will find in your laptop computer system, and provides this tablet with more than enough horsepower to run your business applications smoothly. The tablet comes preloaded with Microsoft Windows 8.1 Pro, which means that you can load and run any of your necessary business software – allowing users to get the same functionality out of this device as they can out of their laptop – at just a fraction of the weight!

The device can be configured with 4 or 8GB of memory and anywhere from 64 to 512GB of storage space. There’s a USB 3.0 port (unlike the iPad) and you can increase storage space by utilizing the microSD card capability. For network connectivity, this device comes with a wireless adapter supporting 802.11a/b/g/n and Bluetooth 4.0. It has both a front and rear facing camera, as well as a stereo microphone perfect for video-conferencing. We would recommend that you give serious consideration to the 8GB memory, 256GB storage, i7 unit.

The Microsoft Surface Pro 3 tablet can be purchased online from Microsoft’s webstore (www.microsoft.com) or from your local electronics retailer starting at $799.

The authors are the President and Vice President of Sensei Enterprises, Inc., a legal technology, information security and digital forensics firm based in Fairfax, VA.


Encryption: Its Time Has Come


Lawyers tend to cringe when they hear the word “encryption.” To most lawyers, encryption is a dark art, full of mathematical jargon and incomprehensible to the average human being.

When South Carolina suffered a major data breach of taxpayer data, what did Governor Nikki Haley say? “A lot of banks don’t encrypt. It’s very complicated. It’s very cumbersome. There’s a lot of numbers involved with it.”

Leaving aside the laughable notion that a lot of banks don’t encrypt data, the rest of her quote is in keeping with what we hear from lawyers. What we hear always translates into the same thing: Encryption is hard.

So let’s make this more fun with some things you can relate to.

Encryption is designed to secure data from prying eyes. It keeps secrets secret. Think about your childhood. Did you play with invisible ink? Did you watch the mailbox for a magic decoder ring? Perhaps you spoke Pig Latin with a sibling so your parents remained clueless about what you were plotting.

You’ve seen secrets hidden in the movies – remember the World War II Navajo code talkers in “Windtalkers?” Cryptography has been featured in many movies, including the National Treasure movies, Sneakers and, perhaps most famously, in The Da Vinci Code.

See? Cryptography can be fun. Really!

In the simplest terms, cryptography is the science of secret communication. It involves transmitting and storing data in a form that only the intended recipient can read. Encryption is one form of cryptography.

Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form (plaintext), so it can be understood.

Read those two definitions a couple of times and presto – you have the essence of what encryption is about. Want it simpler still? Here it is in graphic form.

[Figure: diagram of the encryption process, from plaintext to ciphertext and back to plaintext]

It is a simple representation of a process that can be very complex, but this is the fundamental process that all encryption goes through from start to finish.

The goal of encryption is to make obtaining the information too resource-intensive (time, work and computing power) to be worthwhile. It is unlikely that there will ever be perfect encryption that can never be broken, particularly over extended periods of time. However, strong encryption, properly implemented, provides very strong protection.

Encryption can protect stored data (on servers, desktops, laptops, tablets, smartphones, portable devices, etc.) and transmitted data (over wired and wireless networks, including e-mail).

In the early days, people carved messages into wood or stone and the recipient had the “key” to know how to translate them. Today, cryptography is far more advanced and is found in streams of binary code that pass over wired networks, wireless networks and Internet communications pathways.

Fortunately, you don’t have to understand the math and computer science behind encryption in order to use it. There are now many easy-to-use encryption tools available for end-users. Many of our clients are adopting ZixCorp for e-mail encryption, which integrates with Outlook. You don’t need to use it all the time – just when you are transmitting sensitive data. Bottom line – it is EASY – and inexpensive. Clients love it.

While most attorneys will need help to set up encryption, it’s generally not difficult after set up – often automatic or point-and-click.

Trust us, it has now reached the point where all attorneys should have encryption available for use, where appropriate, to protect client data.

No less an expert than Edward Snowden has said that strong encryption is currently the best defense we have to protect our data. Now is the time to think about adopting encryption – its time has come – even for law firms, almost always the laggards in adopting security technology.

The authors, in collaboration with Pittsburgh litigator Dave Ries, are the authors of the book Encryption Made Simple for Lawyers, scheduled for publication by the ABA next March. This post is partially excerpted from the introduction to that book. Authors Nelson and Simek are the President and Vice President of Sensei Enterprises, Inc., a legal technology, information security and digital forensics firm based in Fairfax, VA. 703-359-0700 (phone) www.senseient.com.

It’s Easy to Bypass Smartphone Fingerprint Security

Ever since Apple delivered an iPhone with Touch ID there have been all kinds of ways to defeat the fingerprint sensor. There have been some elaborate (and expensive) methods from using 3-D printing to using Gummi Bears and everything in between. Back in September of 2013, German hacker Starbug successfully proved that bypassing Touch ID was “no challenge at all,” according to Ars Technica. As Starbug mentioned in the interview, it took him nearly 30 hours from unpacking the iPhone to developing the hack to reliably bypass the fingerprint security.

At the recent 31C3 conference, the folks from Chaos Computer Club demonstrated how easy it was to grab the German Defense Minister’s (Ursula von der Leyen) fingerprint through press photos. The photos were taken using only a regular camera. They then used off-the-shelf software (VeriFinger) to take that fingerprint and make an image that was ready for printing. It may take some planning to lift someone’s fingerprint, but Starbug contends that there are many likely candidates right on the smartphone screen itself and the casing.

An even lower tech attack is to lift the actual finger of the user. Harrison Green, the 7-year-old son of Johns Hopkins University professor Matthew Green did just that. He snuck into his father’s room while he was sleeping and pressed his dad’s fingerprint on the sensor. No faking or printing required. No software needed, but his attack works one hundred percent of the time. You can’t have a better success rate than that. The best part of the story is that professor Green teaches computer security and cryptology.

It’s not just Apple. The Samsung Galaxy S5 has a fingerprint sensor too. So does the HTC One Max. As the cost of the sensors keeps coming down, expect to see more and more smartphones equipped with them. Just because your smartphone has a fingerprint sensor doesn’t mean that you should use it. Sure it’s convenient, but it’s not very secure as we’ve already indicated in the examples.

Since it may take a lot of planning to lift a sample of your fingerprint, most people would think it is a pretty safe way to secure your smartphone. You might agree, but we wouldn’t recommend it. In fact, we wouldn’t recommend using any biometrics to secure a device. Once your fingerprint, retina, DNA or other biological data is compromised (more correctly the electronic representation of the biometric data) you’re toast. In all likelihood, you are not going to replace your fingertips or get an eyeball transplant.

Other than the security issue, there’s another reason NOT to use a fingerprint to secure your smartphone. In October, a Virginia Circuit Court judge ruled that you can be compelled to give up your fingerprint to unlock your device. Not so with a PIN. A PIN is considered “knowledge” and not something physical. So don’t spend that extra money just to get a fingerprint sensor that you probably shouldn’t be using in the first place.

The authors are the President and Vice President of Sensei Enterprises, Inc., a legal technology, information security and digital forensics firm based in Fairfax, VA. 703-359-0700 (phone) www.senseient.com

Why Do Lawyers Resist Ethical Rules Requiring Competence With Technology?

Recently, the Virginia State Bar Council voted to adopt changes to the Model Rules of Professional Conduct. The changes were based on the American Bar Association’s modifications to the Comments of Rule 1.1 respecting Competence (“…a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology…”) and Rule 1.6 respecting Confidentiality (“(c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.”)

What’s reasonable? The Comments go on to list relevant factors:

  1. the sensitivity of the information
  2. the likelihood of disclosure if additional safeguards are not employed
  3. the cost of employing additional safeguards
  4. the difficulty of implementing the safeguards
  5. adverse effect on the lawyer’s ability to represent clients

The Comments also make it clear that the client can demand more security or, with informed consent, accept lesser measures. This was not adopted by the VSB Council, but many states have adopted it.

As to the remainder of the changes, which were adopted and will now be sent to the Supreme Court of Virginia for its blessing before becoming final, there was quite a firestorm prior to the final vote adopting the proposed rules.

Even before the Council met, there had been comments received on the proposals, saying things like “I believe it is unreasonable to expect a lawyer to become an IT professional in addition to all of our other responsibilities.” This was echoed at the Council meeting.

This is a misunderstanding of the requirement. The change does not require a lawyer to become an IT professional – indeed, for most lawyers, dabbling in IT would be dangerous. They need outside or inside IT help in most cases – the small firms generally contract IT work to an outside IT service company. But all lawyers should be aware of the benefits and risks of technology to be a competent lawyer in the digital era. Hence, the change to Rule 1.1 makes good sense.

Another comment made the point that technology is the only form of competence specifically referenced in the proposed rule.

We are all accustomed to taking CLE each year to maintain our competence as attorneys in the fields of law in which we practice. However, it is uncontroverted that the most disruptive force we have ever seen in the practice of law is technology. It is pervasive – and becomes more so with each successive generation of lawyers. We have reached the point in time where a lawyer cannot effectively practice law without technology – which makes it an imperative that lawyers know something about the technology they use.

We live in a “breach-a-day” world which suggests even more strongly that we need to pay attention to sensitive client data. According to a 2013 Mandiant Threat Report, law firms and consultants constitute 7% of the targets of advanced attackers. This has come to mean that we are the easy route to getting the data of our clients. Cybercriminals and state-sponsored hackers alike have attacked law firms, large and small – and they are all too often successful because employees are not trained in safe computing, security patches and updates are not installed, out-of-support software (receiving no security updates) continues to be used, and they do not employ encryption.

All of this can be addressed by a competent IT professional. Are there costs? Yes, certainly, but they are a matter of scale. The costs will be far greater for a large firm than for a solo or small firm practitioner. The measurement of “acting reasonably” is obviously different depending on the size of the firm.

In spite of all the rhetoric about “small firms can’t afford this requirement” the truth is that many reasonable precautions cost nothing. Installing security patches is free – yet it is frequently not done. It costs nothing to encrypt a Word or PDF attachment with a password before sending it. Encryption is already a built-in feature of modern computers and smartphones – it may need to be enabled, but it is there.

You can encrypt e-mail easily these days with inexpensive products like ZixCorp, to name just one. A lawyer doesn’t need to understand the mathematics of encryption – only how to use the products. And they are fast and easy to learn. You don’t need to use encryption all the time, but when you are sending sensitive data, you probably should. You know what you have to learn? How to hit the “Encrypt and Send” button. That’s it.

Using the cloud to hold data is fine, so long as you understand the security precautions. Chiefly, if you encrypt the data before sending it to the cloud, your data is safe because only you hold the decryption key. Holding the encryption key yourself means the cloud provider has “zero knowledge” of the decryption key – and that’s the kind of cloud provider you want. There is no additional cost to this – you just have to pick the right provider. As an example, SpiderOak is a “zero knowledge” file synching cloud whereas Dropbox holds a master decryption key and will, if given the proper paperwork, turn over your data to the authorities. We like SpiderOak and others that are moving in the “zero knowledge” direction, a far better solution for lawyers.
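As an added example (not from this post, the Encryption Made Simple book, or any product named on this page such as ZixCorp or SpiderOak), here is a standard-library Python sketch of the “encrypt it before you send it” idea described here and in the encryption definitions earlier on this page: a passphrase is stretched into a key, the file becomes noise to anyone who lacks that key (the cloud provider included), and a wrong passphrase or an altered file is rejected instead of yielding garbage. The file layout, the DEMO1 marker and the HMAC-in-counter-mode keystream are constructed for illustration; real tools use a vetted cipher such as AES-GCM.

```python
"""Password-based file encryption demonstrating "encrypt before you upload or attach".
Standard library only: PBKDF2-HMAC-SHA256 key derivation, a keystream made from
HMAC-SHA256 in counter mode, and an HMAC tag so that a wrong password or a tampered
file is detected.  Constructed example; production code should use a vetted AEAD."""
import hashlib
import hmac
import os

MAGIC = b"DEMO1"          # constructed format marker, not any real tool's file format
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 200_000  # slows down offline password guessing; tune for your hardware


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into two independent 32-byte keys: one for the
    keystream (confidentiality) and one for the tag (integrity)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, password: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext || tag.  Everything except the
    password can be handed to a cloud provider: without the key it is only noise."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + tag


def decrypt(blob: bytes, password: str) -> bytes:
    """Verify the tag first (constant-time compare), then undo the keystream.
    Raises ValueError on a wrong password or a modified file."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a file produced by encrypt()")
    header, ciphertext, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or file has been tampered with")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def roundtrip_ok(document: bytes, password: str) -> bool:
    """The right password recovers the document, and the stored blob does not
    contain the document bytes in the clear."""
    blob = encrypt(document, password)
    return decrypt(blob, password) == document and (not document or document not in blob)


def wrong_password_rejected(document: bytes, password: str, guess: str) -> bool:
    """A wrong password must fail loudly rather than yield misleading plaintext."""
    blob = encrypt(document, password)
    try:
        decrypt(blob, guess)
    except ValueError:
        return True
    return False


def tamper_detected(document: bytes, password: str) -> bool:
    """Flipping one ciphertext bit is caught by the tag before plaintext is returned."""
    blob = bytearray(encrypt(document, password))
    blob[len(MAGIC) + SALT_LEN + NONCE_LEN] ^= 0x01
    try:
        decrypt(bytes(blob), password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample "client document"; in practice read the Word/PDF file bytes.
    doc = b"Privileged and confidential: settlement offer is $450,000."
    print(roundtrip_ok(doc, "correct horse battery staple"))                          # True
    print(wrong_password_rejected(doc, "correct horse battery staple", "password1"))  # True
    print(tamper_detected(doc, "correct horse battery staple"))                       # True
```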

There is no cost to forbidding employees by policy from connecting to the law firm network with personal devices. Who knows what malware may exist on those devices? Large firms may choose to use sophisticated techniques to manage personal devices, but smaller firms are better off simply forbidding them to connect to the network.

There is a long list of free or reasonably priced safeguards for data, but that’s why attorneys should go to CLEs – to learn them and see that they are implemented by their IT provider. How about making sure lawyers use strong passwords (and not the same password everywhere) and change them (especially their network credentials) regularly?

The changes to the Model Rules require only reasonable safeguards and give a host of factors to be considered in determining what is reasonable. In some cases, where lawyers hold HIPAA data or data containing personally identifiable information, they may be governed by state or federal law beyond the scope of the proposed rules, which is noted in the new comments to Rule 1.6.

So why all the hoo-ha at the Council meeting? Largely, we believe that there are fundamental misunderstandings about the changes and what they mean. There is also a mentality – so common in the legal profession – that “we’ve always done it this way.” One person actually said that lawyers shouldn’t be required to do more to protect data in the digital world than they were in the paper world. Say what? It defies belief that this sentiment has such a strong hold on so many lawyers, but it does. Perhaps the speaker didn’t realize that over 93% of documents are created electronically and that more than 50% of them are never printed.

One young lawyer took the microphone to point out that the digital world is a new one – and requires us to adapt. We might add “or face extinction.”

Taken as a whole, what we cannot do is turn a blind eye to the impact of technology on our profession. There was a time when protecting client data involved locked file cabinets in a locked office. Today, we must still “lock” the data – digitally. The new modifications to Rule 1.1 and 1.6 are a measured and technology-agnostic step toward applying old rules to the 21st century.

Economical Solid State Drives Are Here

We all covet the latest and greatest of technology, not to mention possessing the fastest computer. One way to increase the speed of your computer is to use a solid state drive (SSD) instead of a mechanical one. Essentially, SSDs are flash memory devices that appear as a hard disk to the computer. It is very fast to write and read from memory as opposed to accessing data from the rotating platters of a mechanical disk drive. Solid state drives are three to four times faster than their mechanical counterparts when writing or reading large files. Sound good? Then you’ll love to hear that SSDs are hundreds of times faster for the smaller random reads and writes that are common for normal usage of a computer.

There are some big advantages to using SSDs. There are no moving parts so they travel well and aren’t impacted by vibration. Without moving parts, they use less power and don’t generate as much heat. The downside is that they are a little more expensive than a traditional hard disk. It used to be that solid state drives were a very expensive luxury, but not anymore. The price gap has narrowed. You can now get a really good 500GB SSD for around $200.

So which SSD should you buy? We recommend going for the 500GB Samsung 850 EVO drive. You should be able to find one for less than $200. According to test results, the drive is slightly faster than other 500GB SSDs. It also comes with a 5 year warranty. The drive is also rated at 150TB of writes, which is double other drives in the same price range. The best SSD vendors at least make their own flash memory, but use components from other manufacturers. Samsung is the only manufacturer that makes 100 percent of the SSD. That includes the controller, firmware and NAND type flash memory.

The Samsung drive also includes software to move the operating system and data files from your Windows environment to the SSD. There is an additional included utility called Samsung Magician toolbox, which is used for drive maintenance such as firmware updates. For those of us that are security minded, there is hardware support for full disk encryption. We’re big fans of full disk encryption and are constantly telling lawyers that it should be their only option. Encrypt the whole drive and you won’t have to worry if you placed that confidential client document in a secure folder. Just dump it anywhere on the drive and you’ll know it is safe since the whole disk is encrypted. If you are a Windows user (the drive can be used in Macs too), there is an additional feature that lets you use up to 4GB of your system RAM as a write cache for the SSD. That will boost the performance even more.

There are many great SSDs available for your computer. The variables are price, performance, software, reliability, etc. If you are not using SSDs in your current computers, now is the time to consider them, especially since the price premium is not that great.

Twelve Tips for Effective Tech Presentations

Let’s face it – whether you are talking about securing your data or describing the functions of legal IT products, the average lawyer audience may regard your presentation as useful, but hardly as “sexy.” Since we have been successfully lecturing on multiple topics for 18 years now, we have amassed a number of tips for making our presentations entertaining as well as educational. A friend suggested we share what we have learned. Here are twelve of our best tips:

  1. Be a storyteller. Cold hard facts have very little allure. But everyone likes a good story. When we lecture on cybersecurity, we tell real-life stories of law firm breaches. Dropbox used as a data breach mechanism? They are spellbound. If we’re talking about, say, which cloud provider to use, we tell them about the real-world cloud outages and breaches – and how they happened. When we talk about controlling e-mail Inboxes, we show screenshots of Inboxes with 40,000 plus e-mails in them and tell the stories of lawyers whose inability to control their Inboxes has gotten them in trouble with the state disciplinary authorities – that catches their attention.
  2. Speak with passion. That is easy for us – we are indeed passionate about our subjects. But all too often we see speakers who speak professorially, often in a near-monotone. You are not supposed to be a soporific!
  3. Use your hands. Using your hands is part of keeping an audience’s attention and engaging them. Of course, not the same movements over and over. We actually think about motions that go with our PowerPoint slides. They rev up the presentation.
  4. Use your presentation software well. In a panel situation, you may not need slides, or only a few that, for instance, have the language of the statutes being discussed. Whether you are using PowerPoint, Keynote, Prezi or something else, less is more when it comes to words and larger is better when it comes to graphics. Ditch the text-heavy slides and offer short bullet points that summarize the points being made. Infographics and large photos that complement the text are attractive to audiences. Where appropriate, humorous images have a place. Don’t have one slide up forever – we probably use 30-40 slides for a one hour presentation. We book along – and audiences seem to like it – they really have to listen to keep up and that retains their attention.
  5. Prepare for a tech disaster. Make sure there is an extra laptop and that you have your presentation on a flash drive. Be prepared to have no technology at all – challenging, but it has been known to happen. Hence, we always have an outline of our slides in (it kills us to say this) paper form.
  6. Be good to your hosts. Speakers who get their written materials in on time, come prepared with a good PowerPoint, and have sent in bios and photos or other paperwork in a timely way are greatly valued by conference organizers. Our only special request is to have a pitcher of water or water bottles available – hardly a “high maintenance” request. Be courteous to the AV guys (they actually may know their own equipment better even if you are a technologist), the people at the registration desk and everyone else you come in contact with. People remember the speakers who have a ready smile, a handshake and a warm thank you for their help after the conference is over. Probably the compliment we hear most often from organizers is “You guys are so easy to work with – it was such a pleasure.” If you want to be invited again, remember that invitations don’t come ONLY because you gave a terrific presentation – they come because you followed all the rules and displayed good manners!
  7. Engage your audience. This is actually more difficult (usually) than you would think. Unless the entire presentation is an interactive conversation, the point is for the speakers to convey their expertise on a subject in a relatively brief amount of time. It therefore tends to be mostly a one-way street. We always tell audiences they are welcome to ask questions throughout, which sometimes means our presentations get “hijacked” – which is perfectly ok if you have good written materials and the audience has come with a ton of questions. Once, we didn’t make it past slide #6, but the audience came primed with questions and they were enthused that we had answers. Part of being a good presenter is being flexible!
  8. Front load your presentations with the substance that is absolutely critical to convey. Note tip #7 – you may get hijacked by questions. If this happens, at least your audience won’t miss the most critical points. Once in a while, we ask the audience to hold questions so we can get to a certain pivotal point in the presentation.
  9. Make yourself available after the presentation. We always say that we will stay for questions. If we are to be followed immediately by other speakers (a ‘hot swap’ in our business) we will tell audience members that, out of courtesy, we need to remove ourselves and our equipment, but will meet them in the hall outside if they have questions. Likewise, if there is a lunch, reception or dinner, we invite them to ask questions there.
  10. Have no fear of saying “I don’t know.” What we have learned over time is that we usually do know the answers to the questions we receive. But questioners will take no offense if, for instance, you tell them that you are unfamiliar with a particular product and will need to get back to them. Ask for their business card. Whatever you do, don’t give out misinformation in an effort to answer the question or otherwise try to dodge the fact that you don’t know – that ploy does not sit well with attendees.
  11. Assess your audience. We can do IT or cybersecurity for beginners, those with mid-level knowledge and experts. We can even use the same PowerPoints for all three groups. But we need to have some sense of who is in the room. Lawyers? Paralegals and legal assistants? Large, medium or small firms? Asking questions in the very beginning is useful – it engages the audience and it will tell you what levels of skill, size, etc. you need to tailor your presentation to.
  12. Have fun. We couldn’t be more serious about that. It is so apparent that we are having fun when we lecture that it’s infectious. And there’s not an audience member anywhere that doesn’t enjoy having fun while they are being educated!


Ashley Madison and the Deep (And Sometimes Dark) Web

There are lawyers – mostly family and criminal defense lawyers – who know at least a little about the Deep Web and the Dark Web. But the average lawyer? Not so much. In fact, after the Ashley Madison breach, a lot of family law colleagues began asking us questions about the Deep Web and the Dark Web – where the full steamy contents of the Ashley Madison breach were published in many places. Most had no clue that there was any distinction between the Deep Web and the Dark Web.

So what is the Deep Web? Think of the Web we search (via Google or other search engines) as an iceberg. Conventional search engines only index about 4% of the Web – that’s the top of the iceberg. Everything beneath the waters is the Deep Web – 96% of the Internet content. That content is deliberately kept away from conventional search engines, via encryption and masked IP addresses – and accessible only by special web browsers.

Much of the Deep Web is perfectly legitimate. Many privacy advocates are there, wishing to operate without being tracked. Journalists are often there, generally concerned about government prying. You can also find whistleblowing sites. Some of it is also dynamically generated web pages or forums which require registration.

We’re not sure how much of the Deep Web is also the Dark Web though experts say it is a small percentage. The Dark Web contains the seamy places where drugs and guns are sold, human trafficking occurs, criminals offer their services for hire, hackers and cybercriminals operate and child porn is viewed, distributed and sold. And those are only some of the activities on the Dark Web.

Most people, if they know the Dark Web at all, know it because of the black market website called Silk Road – which was shut down twice by the FBI in 2013‑2014. Silk Road’s founder, Ross Ulbricht, was convicted of a number of crimes, including several attempted murders-for-hire.

Sometimes, the Dark Web is known as the Darknet. By whatever name you use, it is accessed via Tor (The Onion Router), Freenet or I2P (Invisible Internet Project), all of which use masked IP addresses to allow users and website owners to operate anonymously. In common parlance, when you use Tor, you are in Onionland.

It amazes most lawyers when we tell them that Tor was originally funded by the U.S. Department of Defense. While it is now a nonprofit run by volunteers, it is funded in part by the U.S. government and the National Science Foundation.

Why would the U.S. government support it? Because it is part of the State Department’s Internet freedom agenda, allowing people in repressive countries to have access to data censored by their governments. Even Facebook has a version of its site on the Dark Web in order to make it easier to use in countries that restrict Facebook, such as China and Iran.

We spend some time there because of our work as criminal defense expert witnesses as part of our digital forensics work. And recently, we’ve helped family law colleagues ferret out some of the Ashley Madison evidence.

Make no mistake about it – the family law grapevine is rife with stories about snaring clients since the AM breach. And as many conventional sites began to remove Ashley Madison information upon request, or to report the information only in part, the lawyers surged to Tor to find more evidence in their cases.

Since we find questions about the Deep Web and the Dark Web popping up frequently in our recent presentations, we thought a small primer would be timely. Happy travels in Onionland – just be careful which streets you walk down!

Is LinkedIn All It Was Cracked Up to Be?

Our friend and colleague Bob Ambrogi thinks LinkedIn is losing its luster – and we agree. He wrote a blog post recently on this subject. So we tip our hat to Bob before we begin.

Author Simek isn’t active on any social media other than LinkedIn, largely because he is a professional testifying expert on IT and digital forensics topics – and he didn’t want to risk being hoist by his own petard because of something he had posted on other kinds of social media. But LinkedIn, in its original incarnation in 2002, was pretty much a resume site and seemed fairly safe. Lawyers and others joined in hordes – and it now has more than 380 million members.

Lawyers like the idea of connecting with others on a resume driven site and many lawyers who were dismayed by Facebook felt comfortable on LinkedIn. As we write, author Nelson has 2407 connections and author Simek has 562 (slacker).

Like many people, we experimented with belonging to LinkedIn groups. Sadly, we found most of them dominated by marketers. The noise ratio was high, some posts were indistinguishable from spam and we pretty much gave up on those, finding legal listserve discussions to be far more useful.

We find ourselves occupied, on a daily basis, with trying to figure out if we want to accept connection invitations. This is annoying. More annoying is the number of people in marketing, sales, business development, etc. We NEVER accept such invitations because we know we’ll get pummeled with marketing spam in short order if we connect. And ditto for the folks who buy and sell businesses, commercial real estate brokers and wealth advisers. A river of spam will follow any connection with them. Website designers and SEO experts – don’t even get us started.

Once you make the mistake of connecting with someone who wants to sell you something and effectively spams you, you have to go to the time and trouble to disconnect from them.

Recently, we’ve seen an increasing number of what we can only call “odd” requests – someone we don’t know in India, a private in the U.S. Army, a waitress in Chicago, etc. There seems no reason to connect but it takes time to screen the requests. And if there’s anything lawyers are loathe to give, it’s their time.

Overall, we still find LinkedIn somewhat useful, giving us an easy way to search for colleagues, companies, etc. of interest to us for one reason or another. Since we organize conferences and host podcasts, we frequently connect with people via LinkedIn because we may not be able to easily find their e-mail address or other contact information.

It is useful enough that we will probably remain on LinkedIn but we are somewhat disenchanted by recent developments and some of our colleagues (like Bob Ambrogi) seem to be suffering from the disenchantment syndrome as well.

Endorsements have been particularly annoying on LinkedIn, because lawyers are ethically required to review them and make sure they are accurate and not misleading. All too often, LinkedIn simply suggests endorsements for those you are connected to and it seems that people tend to willy-nilly click on “endorse all.” And some people engage in quid pro quo endorsements – hardly in keeping with our ethical duties.

It is annoying to have to review and hide endorsements. Another black mark.

This does not bode well for LinkedIn, which hasn’t seemed to find as many ways as Facebook to monetize its product. You can upgrade to the Premium version, but how many people think they need the Premium version? Most of our friends do not. You can buy ads, but not many people seem to do that. When it comes to monetizing social media, Facebook is a runaway champion.

LinkedIn isn’t exactly on its way to the poorhouse. In 2014, 61% of LinkedIn’s third-quarter revenue, totaling $345 million, came from recruitment services sold to both professional recruiters and employers. Marketing accounted for 19% of total revenue, or $109 million, from a combination of advertising sold to online marketers and the sale of “sponsored updates” posted to a target audience of members in the LinkedIn feed. They also annoy us.

The remaining 20% of revenue, or $114 million, was generated through premium subscriptions. Premium subscriptions allow members to increase their search results significantly, send messages on LinkedIn’s e-mail system rather than just receive them, contact members outside of their networks and see information about people who have viewed their profiles. Only 15.1% of total users had premium subscriptions as of May 2014. Glad we looked that up – we always wondered about the number, which is actually higher than we would have expected.

We ask people all the time to tell us their LinkedIn success stories – we hear a few, but not many. They generally are from people who knew each other at school or work, lost touch and then reconnected through LinkedIn. Happily they are now in a position to help one another on the business front.

We have sent notifications to connections about CLEs in which we were presenting. We can’t say we noted any difference in attendance. We suspect the notifications mildly annoyed our connections and our belief that it might lead to people disconnecting led us to stop the practice of sending such notifications. And indeed, many people don’t elect to have their LinkedIn notifications and messages sent to their e-mail – and don’t read them when they visit the site. We suspect that for most people those notifications and messages are a graveyard of unread messages.

We have asked people about LinkedIn Pulse – a fairly new development. Pulse had been around since 2013 and got a major redesign in June of 2015. You can read more about it at http://www.theverge.com/2015/6/17/8793547/linkedin-pulse-news-reader-app-update. While there are those who trumpet it, we have yet to see much in the way of people crossing over to post their work on Pulse. It sure doesn’t strike us as a runaway success. There are simply too many sources of data coming at us and people have to choose.

Like all sites, it has gotten more complicated, offering a wide range of services, largely of no interest to us. So our current assessment of LinkedIn is simply “meh.”


Recent Egregious Data Breaches: How They Happened

We should be grateful for other people’s data breaches – they help us to improve our own security. In our breach-a-day world, we seem to have more data breaches than ever. They come fast and furious – rare is the day when we don’t hear of one or more breaches on the evening news or through online media. Attack vectors change constantly – those of us in information security have a deep sense of humility in the face of constant changes in threats as well as technology, policies and training to defend against those threats.

Herewith, a few of the famous data breaches of 2015 (and one from 2014) with lessons to be learned from how they happened.

Office of Personnel Management

This was probably the most controversial breach of 2015. In May, the federal Office of Personnel Management (OPM) reported a breach affecting 4.2 million current and former federal employees. A few days later, it revealed a second breach (lesson here: don’t speak too quickly about data breach specifics). The second breach brought the number impacted to 22 million people who had applied for government jobs or security clearances. Data from some applicants’ family members was also compromised. The data taken included names, addresses, names of relatives, employment histories and health care histories. There was a lot of talk about the fact that 5.6 million digital fingerprints were compromised, giving rise to concern about the security of biometrics. Members of law enforcement, the intelligence community and the federal court system were all impacted. Some of the data included information on people’s sex lives, drug and alcohol problems and debts, all of which could be used for blackmail.

The press confirmed through multiple sources that the government had concluded that China was behind the hack. But it declined to overtly accuse China because revealing technical details of how they attributed the breach to China would tip off hackers to the ways that American intelligence agencies track them.

Computer security firm CrowdStrike, which has close ties to U.S. law enforcement, said it had traced the breach to hackers it said were “affiliated with the Chinese government,” using forensic information from the hack provided by the government. The Director of OPM resigned.

The breach went undetected for 343 days – it was ultimately discovered when anomalous SSL traffic and a decryption tool were observed within the network.

Though the U.S. has not talked publicly about how the breach happened, U.S. Department of Homeland Security official Andy Ozment testified that the attackers had gained valid user credentials to the systems they were attacking, likely through social engineering.

VTech Holdings

This Hong Kong digital company was the victim of one of the year’s biggest hacks in November when its Learning Lodge database was compromised, permitting hackers to get adults’ profile information, e-mail addresses, passwords, chat logs and audio files – and the names, home addresses, first names and birthdates of millions of children and their photographs. Some of the audio recordings were of children’s voices from VTech’s Kid Connect, a service that allows parents and kids to chat via a mobile phone app and a VTech tablet. The release of the information of children was particularly disturbing and garnered a lot of publicity.

So how did the information of over 6 million people get exposed? According to security researchers, the hacker used a SQL injection to gain root access to VTech’s web and database servers. Users’ passwords weren’t properly scrambled and hashed. The MD5 algorithm that VTech used had been known to be vulnerable for a decade or more. Worse yet, the company stored customers’ security questions and answers in plain text, a clear security no-no. The reported hacker said that the entire purpose of the hack was to expose the security flaws and said he would not use or publish the data.
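How the defect works and how it is closed, as an added example that is not VTech’s code: the `users` table, its two rows and the login helper are constructed for the demo, and passwords are kept in clear only so that the way the query is built is the only difference under test.

```python
import sqlite3


def build_db():
    """Constructed sample profile store (assumption: not VTech's schema).
    Passwords are stored in clear here only to isolate the injection defect;
    password storage is a separate problem."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice@example.com", "s3cret", "Alice"),
        ("bob@example.com", "hunter2", "Bob"),
    ])
    return conn


def login_vulnerable(conn, email, password):
    """Query assembled by string concatenation: whatever the user types becomes
    part of the SQL text, so a single quote character can rewrite the WHERE
    clause. This is the defect class behind the breach described above."""
    sql = ("SELECT name FROM users WHERE email = '" + email
           + "' AND pw = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, email, password):
    """Parameterised query: the statement text is fixed and the values travel
    separately, so input can match data but never change the query's shape."""
    sql = "SELECT name FROM users WHERE email = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (email, password))]


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"   # the textbook test string: one quote breaks the concatenated query
    print("vulnerable:", login_vulnerable(db, "x", probe))   # every user comes back
    print("safe:      ", login_safe(db, "x", probe))         # nothing comes back
```

The only change between the two functions is that the second one hands the values to the driver instead of pasting them into the statement; an application audit for this bug is a search for queries built with string concatenation or formatting.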

Besides mishandling the data from a security perspective, one wonders why the company needed to store this much data to fulfill its business purposes. It is a common problem – storing data one does not need, which itself creates a potential vulnerability.

Anthem

In February, health insurer Anthem said that hackers had accessed its servers and downloaded the personal data of employees and those who were insured by Anthem. Even those who were not Anthem customers may have been impacted because Anthem handles paperwork for smaller insurers. Data stolen included names, addresses, birthdates, Social Security numbers, and employment information, including salaries. Some 79 million records were compromised and dumped online – this was the largest data breach of 2015.

This breach occurred because the hackers had gained access to the login credentials of employees with system access. How? Reportedly, the credentials were obtained through a watering hole attack. A watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user’s computer and gain access to the network at the target’s place of employment.

In this case the attackers created a bogus domain name, “we11point.com” (based on Wellpoint, the former name of Anthem), and set up subdomains designed to mimic real services such as human resources, a VPN and a Citrix server. Phishing e-mails then lured users to the infected websites, where they may have entered their log-in credentials. A number of security companies believe the hack came from Deep Panda, a China-based hacking group.

The breach was undetected for nine months and was discovered when a systems administrator noticed that a legitimate account was querying internal databases but without the legitimate user’s knowledge.

There are similarities between this attack and the breach of Premera Blue Cross in 2015, impacting 11 million people – are they related? Impossible to say, but another bogus domain name “prennera.com” was discovered in the Anthem investigation.
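One detection a defender can run over DNS or proxy logs, added here as an example (it is not from the Anthem investigation): normalize each observed domain by undoing common digit-for-letter and letter-pair substitutions and compare it against a short list of protected brand domains. The substitution table, the service-word list and the sample log entries are assumptions of this example; only `we11point.com`, `prennera.com` and the hr/vpn/citrix subdomain pattern come from the text above.

```python
# Substitutions that make a look-alike domain (assumed table, not exhaustive).
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d")]
# Subdomain labels that mimic internal services (assumed list).
SERVICE_WORDS = {"hr", "vpn", "citrix", "owa", "mail", "sso", "portal"}


def normalize(label):
    """Collapse common look-alike spellings to the letters they imitate."""
    label = label.lower().translate(SINGLE)
    for seq, rep in MULTI:
        label = label.replace(seq, rep)
    return label


def split_domain(fqdn):
    """Return (registrable_domain, subdomain_labels). Assumes a two-label
    registrable suffix such as example.com; production code should consult
    the Public Suffix List instead."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-2:]), parts[:-2]


def flag_lookalikes(observed_fqdns, protected_domains):
    """Return (fqdn, impersonated_domain, service_hint) for each observed name
    whose registrable part normalizes to a protected brand but is spelled
    differently from it. service_hint lists subdomain labels that mimic
    internal services, the pattern used against Anthem."""
    by_norm = {normalize(d.split(".")[0]): d for d in protected_domains}
    hits = []
    for fqdn in observed_fqdns:
        reg, subs = split_domain(fqdn)
        target = by_norm.get(normalize(reg.split(".")[0]))
        if target and reg != target:
            hint = ",".join(s for s in subs if s in SERVICE_WORDS)
            hits.append((fqdn, target, hint))
    return hits


# Constructed sample: names as they might appear in outbound DNS or proxy logs.
OBSERVED = [
    "www.wellpoint.com",
    "hr.we11point.com",
    "vpn.we11point.com",
    "citrix.prennera.com",
    "mail.example.org",
]
PROTECTED = ["wellpoint.com", "premera.com"]

if __name__ == "__main__":
    for fqdn, target, hint in flag_lookalikes(OBSERVED, PROTECTED):
        print(f"{fqdn:24} mimics {target:16} service hint: {hint or '-'}")
```

Run against a day of resolver logs this turns the “is anyone on our network talking to a typo of our own name?” question into a list; the genuine `www.wellpoint.com` entry is not flagged because its spelling matches the protected domain exactly.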

Pentagon

In July, alleged Russian hackers hacked an unclassified e-mail server of the Pentagon. U.S. officials announced that Russia had launched a “sophisticated cyberattack” against the Pentagon’s Joint Staff unclassified e-mail system. The officials added that the cyber-attack compromised data belonging to 4,000 military and civilian personnel who worked for the Joint Chiefs of Staff.

As the attack was later described as a “spear phishing attack”, it doesn’t on the face of it sound all that sophisticated. However, Department of Defense officials continued to call it the “most sophisticated” cyberbreach in U.S. military history. Officials spent 10 days scrubbing the system and creating mock hacking scenarios before giving military personnel access to it again. The spear phishing attack targeted the personal information of scores of users. What may have made this attack sophisticated is that the hackers used “an automated system [that] rapidly gathered massive amounts of data and within minutes distributed all the information to thousands of accounts on the Internet.” Encrypted social media accounts were used to coordinate the attack. If true, that might qualify this attack for the adjective “sophisticated.”

Ashley Madison

The Ashley Madison dating site breach impacted 37 million people and gave high-value entertainment fodder to pundits everywhere. This was an unusual hack, in that it seemed to be rooted in the moral convictions of the hackers, who called themselves The Impact Team. They wanted the site, whose tagline is “Life is short. Have an affair,” taken down, along with Avid Life Media’s “EstablishedMen.com” site. When the sites’ owner refused to take them down, the data was made public in spurts.

The breach was reported in July, and data compromised included e-mails, names, home addresses, sexual fantasies and credit card information. All of the user data was released on August 18, 2015. More data (including some of the CEO’s e-mails) was released on August 20, 2015. The release included data from customers who had earlier paid a $19 fee to Ashley Madison to allegedly have their data deleted. It turned out to be a boon to divorce lawyers everywhere. No doubt many members were shocked to find out that most of the women on the site were “bots” – employees who pretended an interest in an affair as part of inducing additional payments to Ashley Madison – and of course users had no clue that they had agreed to the use of bots when they accepted the terms of service.

The data was made vulnerable by a bad MD5 hash implementation. We are not sure how the hack actually happened but The Impact Team itself said this: “Nobody was watching. No security. Only thing was segmented network. You could use Pass1234 from the internet to VPN to root on all servers.”
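The weak storage scheme named for both VTech and Ashley Madison beside the fix, as an added example (not code from either company): unsalted MD5 versus salted, iterated PBKDF2 from Python’s standard library. The account list, the known-bad password list and the iteration count are constructed assumptions; `Pass1234` is the password quoted above. The same treatment applies to security-question answers, which VTech kept in plain text.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: raise until one hash costs roughly 100 ms on your hardware


def md5_store(password):
    """The weak scheme named in both breaches: one fast, unsalted hash.
    Equal passwords give equal digests, and a precomputed table of common
    passwords matches them with a dictionary lookup."""
    return hashlib.md5(password.encode()).hexdigest()


def exposed_to_table(stored_digests, known_bad_passwords):
    """Audit check for the weak scheme: which stored digests appear in a table
    built from a known-bad password list. Returns {digest: password}; every
    account sharing that digest is exposed at once because there is no salt."""
    table = {md5_store(p): p for p in known_bad_passwords}
    return {d: table[d] for d in stored_digests if d in table}


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash. The random salt makes equal passwords differ and
    defeats precomputed tables; the iteration count makes each guess slow."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample: three accounts, two of them sharing the password quoted above.
ACCOUNTS = {"u1": "Pass1234", "u2": "Pass1234", "u3": "correct horse battery staple"}
KNOWN_BAD = ["123456", "password", "Pass1234"]

if __name__ == "__main__":
    weak = {u: md5_store(p) for u, p in ACCOUNTS.items()}
    print("u1 and u2 share a digest:", weak["u1"] == weak["u2"])
    print("digests found in the known-bad table:", exposed_to_table(weak.values(), KNOWN_BAD))
    strong = {u: pbkdf2_store(p) for u, p in ACCOUNTS.items()}
    print("u1 and u2 share a record:", strong["u1"] == strong["u2"])
    print("u1 verifies:", pbkdf2_verify("Pass1234", strong["u1"]))
```

The record format stores the algorithm, iteration count and salt beside the digest, so the count can be raised later for new passwords while old ones still verify.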

In an interesting side note, as of January 1, 2016 Ashley Madison’s membership has supposedly increased by more than 4 million since the breach. Go figure.

Locky: The New Ransomware – and the Three Principles of Fighting Ransomware

According to Security Magazine, the number of ransomware attacks is predicted to increase in 2016. For the second quarter of 2015, more than 4 million samples of ransomware infections were identified as compared to 1.5 million in the third quarter of 2013. That’s a pretty big increase.

Ransomware

So what is ransomware? Ransomware is a piece of malware that encrypts your data and holds it hostage until you pay a ransom. The idea is that after you pay the ransom, you receive the decryption key in order to decrypt your data and make it accessible again. The payment is made in bitcoins since the bad guys don’t accept VISA or MasterCard. Previous versions of ransomware infect your local drive and any other data that appears as a drive letter to your computer. That could be the external USB drive that shows up as L: or the flash drive that identifies itself as the E: drive to your computer.

One of the latest versions of ransomware is called Locky and has brought the infection risk to a new level. Locky is delivered as an evil Word macro. The good news is that execution of macros is disabled by default. So the first lesson is: Don’t run the macro when you see the warning box. The really scary part about Locky is that it will encrypt network shares that use a UNC (Universal Naming Convention) path. You will recognize a UNC path as being defined as \\<server name>\<share name>. You can recognize a Locky infection as it changes all the file extensions to .locky after it encrypts the contents. Many system administrators were using UNC as a way to get to network resources instead of drive letters to minimize the impact of ransomware infections. With the release of Locky, even UNC paths won’t help you. As the bad guys evolve, so must we.
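A defender-side check for the symptom described above, as an added example that is not part of the original post or of any product: walk a share’s directory tree, flag directories where files have been renamed to `.locky`, and verify a canary file that no legitimate process should touch. The sample share layout, the threshold and the canary are constructed for the demo.

```python
import hashlib
import os
import tempfile

RANSOM_EXTENSIONS = {".locky"}   # the extension named above; extend as new families appear


def scan_tree(root, threshold=0.25):
    """Walk a directory (for instance the local path behind a UNC share) and
    report every directory where the fraction of files carrying a ransomware
    extension reaches threshold. Returns {relative_dir: (hits, total)}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if not files:
            continue
        hits = sum(1 for f in files
                   if os.path.splitext(f)[1].lower() in RANSOM_EXTENSIONS)
        if hits and hits / len(files) >= threshold:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = (hits, len(files))
    return findings


def canary_intact(path, expected_sha256):
    """Canary check: a decoy document that nothing legitimate edits. If it
    disappears or its hash changes, something is rewriting files in bulk."""
    if not os.path.exists(path):
        return False
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_sha256


def build_sample_share():
    r"""Constructed sample standing in for \\server\share: the finance folder
    has already been hit, hr has not. Returns (root, canary_path, canary_hash)."""
    root = tempfile.mkdtemp()
    layout = {
        "finance": ["q1.xlsx.locky", "q2.xlsx.locky", "notes.txt"],
        "hr": ["handbook.docx", "policy.pdf", "canary.docx"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            with open(os.path.join(root, d, n), "wb") as fh:
                fh.write(b"sample content for " + n.encode())
    canary = os.path.join(root, "hr", "canary.docx")
    return root, canary, hashlib.sha256(b"sample content for canary.docx").hexdigest()


if __name__ == "__main__":
    share, canary, digest = build_sample_share()
    print("directories hit:", scan_tree(share))      # {'finance': (2, 3)}
    print("canary intact:", canary_intact(canary, digest))
```

Scheduled on the file server itself (the side that sees every client’s writes, whether they arrive by drive letter or UNC path), a hit from either check is the cue to take the share offline and start restoring from the unplugged backup.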

Training

So what can you do to minimize the potential of ransomware infection? Probably the most effective method is training employees to recognize the delivery mechanism for ransomware. Obviously, don’t click on any suspicious links or open unexpected attachments. Essentially, it’s a two-step process to get infected with Locky. First you have to launch the Word attachment, which you shouldn’t have done in the first place. Second you have to allow the macro to execute after you get the warning message. In other words, you’re not just stupid once, but twice. Regular training should significantly reduce the stupid factor.

Technology

There is no 100% solution to prevent a ransomware infection. There are software solutions that are designed to stop installation and execution of ransomware, but there are new variants that will get by the technology solutions. You can implement Group Policies in a Windows domain environment to prevent certain software installations or access to particular areas of the computer.

Backups

Since no solution is 100% guaranteed, you need to make sure that your data is protected and can be restored should you get hit with a ransomware attack. This means that should your data get encrypted, you can just restore a non-encrypted version and avoid paying the ransom. In order to achieve this, your backups need to be engineered to be safe from a ransomware infection. If you are using external USB drives to back up data, unplug them once the backup is complete. If you leave them plugged in, their contents will also get encrypted if you contract ransomware. Remember, any data that presents itself as a drive letter is a potential target for encryption. Larger organizations will want to back up their data using agent-based systems in addition to backing up data to the cloud.

Is Windows 10 Spying on You?

It’s hard to find statistics identifying how many people are currently running Windows 10. One thing we do know is that there were 14 million downloads within 24 hours of the release. Some estimates put the installed base at over 75 million devices. No matter what the right number is, it appears that Microsoft has added another hit operating system to its list. But is everything about Windows 10 a good thing? Not so fast. When Microsoft released Windows 10, it also updated its privacy policy. Should attorneys be concerned? The answer attorneys love to hate is…it depends. Perhaps if more people read the terms of service for software and services that they use, they would be a lot more informed as to the data vendors are collecting.

Microsoft is no exception. Suffice it to say, Windows 10 collects a lot of data and you agreed to it when you installed the operating system. According to the privacy policy, Microsoft collects information about your use of the software and services as well as about the devices and networks on which they operate. Some examples of the type of collected information include your name, e-mail address, preferences and interests; location, browsing, search and file history; phone call and SMS data; device configuration and sensor data; voice, text and writing input; and application usage. Many experts say that the data is anonymously sent to Microsoft and is primarily composed of telemetry data.

The one section of the privacy statement that attorneys should be aware of states:

“We may also access, disclose and preserve information about you when we have a good faith belief that doing so is necessary to:

  1. comply with applicable law or respond to valid legal process from competent authorities, including from law enforcement or other government agencies;
  2. protect our customers, for example to prevent spam or attempts to defraud Microsoft’s customers, or to help prevent the loss of life or serious injury of anyone;
  3. operate and maintain the security of our products and services, including to prevent or stop an attack on our computer systems or networks; or
  4. protect the rights or property of Microsoft, including enforcing the terms governing the use of the services—however, if we receive information indicating that someone is using our products or services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.”

This would suggest that the data really isn’t anonymous and could be turned over to law enforcement or some other government entity. The good news is that you can actually opt out of all the features that might be considered invasions of privacy. Of course, most users will find that they are opted in by default.

It’s a fairly simple matter to adjust the privacy settings in Windows 10. First, open Settings and then click on Privacy. From there just walk through all the options and turn off anything that you are not comfortable having Microsoft collect. We would certainly also suggest that users dump Cortana, Siri, Alexa and any other voice-assisted service. After all, you really don’t know what the vendor is doing with the data or how long they retain it.

Why Do Lawyers Resist Ethical Rules Requiring Competence With Technology?

Recently, the Virginia State Bar Council voted to adopt changes to the Model Rules of Professional Conduct. The changes were based on the American Bar Association’s modifications to the Comments of Rule 1.1 respecting Competence (“…a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology…”) and Rule 1.6 respecting Confidentiality (“(c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.”)

What’s reasonable? The Comments go on to list relevant factors:

  1. the sensitivity of the information
  2. the likelihood of disclosure if additional safeguards are not employed
  3. the cost of employing additional safeguards
  4. the difficulty of implementing the safeguards
  5. adverse effect on the lawyer’s ability to represent clients

The Comments also make it clear that the client can demand more security or, with informed consent, accept lesser measures. This was not adopted by the VSB Council, but many states have adopted it.

As to the remainder of the changes, which were adopted and will now be sent to the Supreme Court of Virginia for its blessing before becoming final, there was quite a firestorm prior to the final vote adopting the proposed rules.

Even before the Council met, there had been comments received on the proposals, saying things like “I believe it is unreasonable to expect a lawyer to become an IT professional in addition to all of our other responsibilities.” This was echoed at the Council meeting.

This is a misunderstanding of the requirement. The change does not require a lawyer to become an IT professional – indeed, for most lawyers, dabbling in IT would be dangerous. They need outside or inside IT help in most cases – the small firms generally contract IT work to an outside IT service company. But all lawyers should be aware of the benefits and risks of technology to be a competent lawyer in the digital era. Hence, the change to Rule 1.1 makes good sense.

Another comment made the point that technology is the only form of competence specifically referenced in the proposed rule.

We are all accustomed to taking CLE each year to maintain our competence as attorneys in the fields of law in which we practice. However, it is uncontroverted that the most disruptive force we have ever seen in the practice of law is technology. It is pervasive – and becomes more so with each successive generation of lawyers. We have reached the point in time where a lawyer cannot effectively practice law without technology – which makes it an imperative that lawyers know something about the technology they use.

We live in a “breach-a-day” world which suggests even more strongly that we need to pay attention to sensitive client data. According to a 2013 Mandiant Threat Report, law firms and consultants constitute 7% of the targets of advanced attackers. This has come to mean that we are the easy route to getting the data of our clients. Cybercriminals and state-sponsored hackers alike have attacked law firms, large and small – and they are all too often successful because employees are not trained in safe computing, security patches and updates are not installed, out-of-support software (receiving no security updates) continues to be used, and they do not employ encryption.

All of this can be addressed by a competent IT professional. Are there costs? Yes, certainly, but they are a matter of scale. The costs will be far greater for a large firm than for a solo or small firm practitioner. The measurement of “acting reasonably” is obviously different depending on the size of the firm.

In spite of all the rhetoric about “small firms can’t afford this requirement” the truth is that many reasonable precautions cost nothing. Installing security patches is free – yet it is frequently not done. It costs nothing to encrypt a Word or PDF attachment with a password before sending it. Encryption is already a built-in feature of modern computers and smartphones – it may need to be enabled, but it is there.

You can encrypt e-mail easily these days with inexpensive products like ZixCorp, to name just one. A lawyer doesn’t need to understand the mathematics of encryption – only how to use the products. And they are fast and easy to learn. You don’t need to use encryption all the time, but when you are sending sensitive data, you probably should. You know what you have to learn? How to hit the “Encrypt and Send” button. That’s it.

Using the cloud to hold data is fine, so long as you understand the security precautions. Chiefly, if you encrypt the data before sending it to the cloud, your data is safe because only you hold the decryption key. Holding the encryption key yourself means the cloud provider has “zero knowledge” of the decryption key – and that’s the kind of cloud provider you want. There is no additional cost to this – you just have to pick the right provider. As an example, SpiderOak is a “zero knowledge” file synching cloud whereas Dropbox holds a master decryption key and will, if given the proper paperwork, turn over your data to the authorities. We like SpiderOak and others that are moving in the “zero knowledge” direction, a far better solution for lawyers.
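What “encrypt before you sync” looks like in code, as an added example that is not SpiderOak’s or Dropbox’s software: the client derives keys from a passphrase it never sends, seals the file, and uploads only the sealed blob; the provider can store and return the blob but cannot read it. The construction uses only Python’s standard library (PBKDF2 for key derivation, HMAC-SHA256 in counter mode as the keystream, and a separate HMAC tag checked before decryption) so it runs anywhere; it illustrates the principle, and a production tool should use a vetted library’s AES-GCM instead. The passphrase, the sample memo and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumption: tune so that key derivation costs roughly 100 ms


def _derive_keys(passphrase, salt):
    """One PBKDF2 run yields two independent keys: one for the keystream, one for the tag."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF output stream, never reused because
    the nonce is fresh per file."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(passphrase, plaintext):
    """Client side, before upload. Returns salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    k_enc, k_mac = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return salt + nonce + ct + tag


def open_blob(passphrase, blob):
    """Client side, after download. Rejects the blob before decrypting anything
    if the tag does not verify (wrong passphrase, or data modified in transit
    or at rest)."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    k_enc, k_mac = _derive_keys(passphrase, salt)
    expect = hmac.new(k_mac, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("blob rejected: wrong passphrase or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def provider_sees_plaintext(blob, plaintext):
    """The provider's view is the blob alone. True only if the document's
    bytes appear verbatim in what it stores."""
    return plaintext in blob


if __name__ == "__main__":
    memo = b"Privileged and confidential: settlement memo"   # constructed sample
    passphrase = "a long passphrase that stays on the client"
    blob = seal(passphrase, memo)                 # this is all the cloud ever receives
    print("provider can read memo:", provider_sees_plaintext(blob, memo))
    print("client recovers memo:", open_blob(passphrase, blob) == memo)
```

The subpoena scenario in the paragraph above is the difference between the two functions: a provider holding only `blob` can hand it over, but without the passphrase the tag will not even verify, let alone decrypt.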

There is no cost to forbidding employees by policy from connecting to the law firm network with personal devices. Who knows what malware may exist on those devices? Large firms may choose to use sophisticated techniques to manage personal devices, but smaller firms are better off simply forbidding them to connect to the network.

There is a long list of free or reasonably priced safeguards for data, but that’s why attorneys should go to CLEs – to learn them and see that they are implemented by their IT provider. How about making sure lawyers use strong passwords (and not the same password everywhere) and change them (especially their network credentials) regularly?

The changes to the Model Rules require only reasonable safeguards and give a host of factors to be considered in determining what is reasonable. In some cases, where lawyers hold HIPAA data or data containing personally identifiable information, they may be governed by state or federal law beyond the scope of the proposed rules, which is noted in the new comments to Rule 1.6.

So why all the hoo-ha at the Council meeting? Largely, we believe that there are fundamental misunderstandings about the changes and what they mean. There is also a mentality – so common in the legal profession – that “we’ve always done it this way.” One person actually said that lawyers shouldn’t be required to do more to protect data in the digital world than they were in the paper world. Say what? It defies belief that this sentiment has such a strong hold on so many lawyers, but it does. Perhaps the speaker didn’t realize that over 93% of documents are created electronically and that more than 50% of them are never printed.

One young lawyer took the microphone to point out that the digital world is a new one – and requires us to adapt. We might add “or face extinction.”

Taken as a whole, what we cannot do is turn a blind eye to the impact of technology on our profession. There was a time when protecting client data involved locked file cabinets in a locked office. Today, we must still “lock” the data – digitally. The new modifications to Rule 1.1 and 1.6 are a measured and technology-agnostic step toward applying old rules to the 21st century.

Finding and Effectively Using an Expert Witness

In the summer of 2016, author Simek had the pleasure of joining a Pennsylvania Bar Association panel comprised of both testifying experts and judges to explore how to find and effectively use a good expert.

It seemed to author Nelson, sitting in the audience, that she was hearing a series of rapid-fire tips so she endeavored to jot them down, in no particular order, to offer the collective wisdom of the panel. Here are some of the many valuable tips she heard:

  • It’s important to find an expert who will be cool under fire, as they must survive cross-examination with their credibility intact – this is the most dangerous moment in litigation
  • It can be helpful to watch a video deposition of the expert (if available) to see how cool under the fire the expert is – or is not
  • It is important that the expert’s testimony be concise and to the point
  • The expert should avoid technical or obtuse language
  • Body language is always significant – no smirking or looking sarcastic
  • A great trait for an expert to have is to use analogies that summon up pictures for a jury, e.g. “It was the size of a soccer ball” or “It weighed as much as a 5-pound bag of sugar.”
  • Lawyers need to train their experts – many don’t testify all the time
  • Lawyers should comprehensively know their expert’s CV
  • Make sure the expert knows it is ok to say “I don’t know”
  • Make sure the expert knows it is ok to pause after a question is asked to collect his/her thoughts
  • Encourage the expert to tell a story and encourage the expert to think of his/her role as a teacher
  • Urge the expert to use TV and sports analogies likely to be familiar to a jury
  • If you want your expert to treat you with respect, you must do the same – make sure the expert is promptly advised of case developments, especially those which impact the expert’s calendar
  • Don’t assume the expert is always available to you – the expert has other clients to manage too
  • Don’t write the expert’s affidavit or report – a good expert will not sign an affidavit or report which does not reflect the expert’s opinion – and you don’t want “an expert for hire” – that always shows and hurts your case
  • It is ok to ask if your expert could phrase something differently – but if the expert is uncomfortable with the change, try to understand why – a good expert is probably right and being careful to stick to the strict truth
  • Research your experts on social media to avoid surprises – there are some who are quite unprofessional on social media – and the other side will find anything which reflects badly on the expert
  • Be familiar with their writings (books and articles and, if they are speakers, what they speak on – the other side may well cite the expert’s own words in a cross-examination)
  • Watch out for experts who just want the business and will tell you anything – make sure the expert’s CV matches your need for testimony. Mismatches are common – and never turn out well
  • Clearly establish your expert’s credentials in court
  • Be familiar with your expert’s prior testimony in cases
  • Make sure the expert is properly attired – professional and not casual
  • Make sure you rehearse with your expert – make questions easy to understand – there have been cases where there were so many double negatives that the expert had no idea what to answer
  • Follow the wise advice of your expert, e.g. if your expert has said “avoid asking about whether a computer virus could have resulted in child pornography being downloaded” – then avoid it – your expert is trying to keep you away from a cesspool, so try not to jump in with both feet.
  • Provide all the relevant information you have to the expert – it won’t go well if the expert is confronted on the stand with information you had and didn’t share – happens all the time
  • If your case involves technology, don’t assume you know how technology works – knowing a little bit can be more dangerous than knowing nothing

Understand that this is a mish-mosh of tips, colorfully presented by judges and experts who had been on the front lines and had the stories to prove it. The tips are by no means comprehensive, but they sure offered a lot of practical and often overlooked advice!
