This resource was created as part of the practicePRO
risk management initiative (www.practicepro.ca)
by the Lawyers' Professional Indemnity Company (www.LAWPRO.ca).
The full booklet is available at www.practicepro.ca/securitybooklet
Introduction
Computers and the Internet have transformed the practice
of law, and how lawyers handle confidential client information.
Where once paper documents were the norm, today clients,
lawyers, and law office staff routinely work with electronic
documents and data. Protecting the security and confidentiality
of that information, however, is as important today
as ever: both the Rules of Professional Conduct and
the Personal Information Protection and Electronic Documents
Act (PIPEDA) apply equally to paper-based files and
to electronic documents, such as computer files or
e-mail messages.
A failure to take appropriate steps to protect the
electronic data in your office could have disastrous
consequences. This could include an embarrassing release
of sensitive information, a malpractice claim, a complaint
to the Law Society, or the theft of your personal identity.
At the very least, the theft, loss, or destruction of
client or practice-related data will be disruptive to
you and your practice. In the extreme case, it could
cause your practice to fail.
To minimize the risk of any disclosure or loss of confidential
client or practice data, you should understand where
the risks are, and implement office management practices
and appropriate technology to ensure all of your data
remains confidential and secure.
This booklet provides a comprehensive review of various
steps you should take to ensure that the electronic
information in your office remains confidential and
secure. Although some of the suggested steps may not
be relevant to every lawyer, all practitioners will
find helpful information in this booklet. Even if you
do not have the expertise to implement the suggested
measures yourself, you’ll be in a better position
to direct the work that technology consultants or others
must do for you.
If you do nothing else – the lucky 13 things
you must do
An unprotected computer can be infected or hacked within
seconds of connecting to the Internet, so protecting
your electronic data is a must. The question is: How
much time, effort and money are you willing to invest
in that task? Ultimately, you need to find a balance
between the allowable risk and an acceptable cost and
effort. From a best practices point of view, there are
13 steps that you should systematically take to protect
the electronic data in your firm against the most common
threats. Most can be completed quickly, and at little
or no cost. More detail on each of these steps is provided
in the remainder of this booklet. In part two of this
series, we’ve listed steps 5 through 8.
Steps #1- #4 appeared in the
previous issue of LPT.
Step #5 Install a firewall on your Internet
connection: When you are connected to the Internet,
the Internet is connected to you. Information can flow
freely both ways across your Internet connection. You
need a firewall to act as a gatekeeper to prevent unauthorized
access to your computers and network.
Step #6 Be aware of and avoid the dangers of
e-mail: E-mail is an essential communications
tool in most law offices, but it is also one of the
most dangerous tools. E-mail is one of the most common
ways that viruses will enter your office, causing breaches
of confidentiality and other serious problems. You and
your staff must appreciate the dangers of e-mail, and
know how to use it safely.
Step #7 Beware the dangers of metadata: Are
you unwittingly sending confidential information to
clients or opposing counsel? If you have e-mailed a
Microsoft Word or Corel WordPerfect document to either,
the answer to this question is likely yes, and you need
to learn more about metadata.
Step #8 Lock down and protect your data, wherever
it is: Electronic client data is everywhere,
both inside your office (on servers and desktop computers),
and outside your office (in e-mails, on laptops, cell
phones, and PDAs). People can access data across networks
and even across the Internet. You need to understand
who has access to your data, and how to limit or prevent
access to it.
Don’t be tempted to skip or skimp on one or more
of the suggested steps. Remember, your data is only
as safe as the weakest link in your security plan. When
you leave on vacation, you lock every door and window
in your house. Leaving just one door or window open
gives a thief easy and instant access. To make sure
the security and privacy of your electronic information
is properly protected, it is critical that you fully
and properly implement all of the above steps. Working
your way through this booklet will help you complete
all the work necessary to protect the security and privacy
of your data.
Lastly, look inside your firm for potentially the most
dangerous people, your own employees, and be especially
careful of departing employees.
Step #5 - Install a firewall on your Internet connection
Regardless of whether you use a high-speed Internet
connection, or dial-up modem, your systems must be protected
by a firewall – a type of gatekeeper that ensures
all incoming and outgoing communications are legitimate.
For computers to transmit data back and forth over
the Internet, lines of communication must be established.
These work through ports which are opened on each computer.
The problem is that all the computers on the Internet
can see one another, and these open ports can allow
unauthorized people to access a computer. A firewall
watches these ports and will warn you about or prevent
unauthorized communications.
Firewalls come in two varieties: software and hardware.
Software firewalls are easier to set up, usually protect
a single computer, and are adequate for personal use.
ZoneAlarm Pro (www.zonealarm.com)
is a highly rated software firewall that is easy to
install and use, and costs $70 per year. The more basic
ZoneAlarm is free for personal use, and suitable for
a home computer.
Hardware firewalls are usually used to protect an entire
network of computers. D-Link, Linksys, Netgear and others
make relatively inexpensive hardware firewalls that
are suitable for a small office network; Cisco and others
make firewalls for larger networks.
Windows XP’s built-in firewall called the Internet
Connection Firewall protects you only from incoming
threats; it does not monitor or stop outgoing communications.
XP users should consider a more robust hardware or software
firewall. Note that you should disable the XP firewall if
you use another firewall.
Probe your ports to test security vulnerabilities
ShieldsUP! (www.grc.com)
is a free online program that scans your computer and
its Internet connection looking for disclosure of personal
information, open ports and other vulnerabilities. Within
minutes, you’ll know if your Internet connection
has any security vulnerabilities.
Step #6 - Be aware of and avoid the dangers of e-mail
E-mail has become a vital tool in every law practice.
Yet its widespread use exposes your firm to significant
risks, including embarrassment, Law Society complaints,
or malpractice claims due to the unintentional disclosure
of confidential information, as well as data loss or
destruction due to viruses or the downloading of other
malware programs.
Firms should educate their staff on the dangers of
e-mail, and have a clear, written policy on the proper
use of e-mail.
Password protected access
All e-mail programs can be configured to require a
password at login. To prevent people from reading other
people’s e-mail, or from sending a message in
someone else’s name, make sure all e-mail account
logins require a password.
Take care before hitting send
It’s easy to inadvertently send an e-mail to
the wrong person, potentially disclosing confidential
or privileged information. The following steps can help
you avoid making this mistake:
- Make sure each client’s e-mail address book
listing includes the client’s full name. Using
generic addresses such as Fred007@aol.com alone can
create confusion.
- Make it an office policy to double-check that e-mail
is addressed to the correct individual before it is
sent.
- Educate your staff about the necessity of protecting
confidential information, so they can recognize circumstances
where information should be protected and not disclosed.
Privacy statements
Many firms include a privacy statement in their e-mail
messages, often in the signature text at the end of
a message. From a practical point of view, anyone who
mistakenly gets the message will have read it before
they read the privacy statement. For this reason, some
question their real value, but most feel that having
such statements is worthwhile. There is also some suggestion
that you should only put privacy statements on messages
that contain sensitive information, as putting them on
every message could lessen their credibility.
E-mail encryption
Theoretically, e-mails are easy to intercept, and as
they are usually sent in an unencrypted format, they
could be read by anyone who intercepts them. Practically
speaking, intercepting an e-mail message is very difficult
in most circumstances. The use of encryption software
is not mandatory for all e-mail communications. However,
the risk of interceptions and the options to encrypt
messages should be discussed with any client you intend
to e-mail. When information is extraordinarily sensitive,
a lawyer should use, and advise the client to use, encryption
software to help maintain confidentiality.
Unfortunately there are no universal standards for
encryption of e-mail messages. Some e-mail programs
can encrypt messages; as well, there are many different
third party e-mail encryption programs. Verisign (www.verisign.com)
and PGP Personal 8.0 (www.pgp.com)
are among the more widely used. Others include FileAssurity
(www.articsoft.com),
SecExMail Personal (www.bytefusion.com),
and CenturionMail 2.0 which integrates with Outlook
(www.centurionsoft.com).
Web-based ZipLip (www.ziplip.com)
and Hushmail (www.hushmail.com)
offer on-the-fly message and file encryption. Both allow
replies to be encrypted.
Don’t be fooled by phishing
Did you know that e-mails appearing to come from companies
you trust might actually be from criminals trying to
steal your money or identity? So-called ‘phishing’
e-mails have quickly become one of the most devastating
scams on the Internet.
Phishing scams use spoofed (faked or hoax) e-mails
and Web sites to trick you into providing your personal
and financial information. By using the trusted brands
and logos of online retailers, banks, or credit card
companies, phishing scammers trick surprising numbers
of people. The phishing e-mail directs users to visit
a Web site where they are asked to update personal information,
such as passwords, and credit card, social insurance
and bank account numbers.
Legitimate companies will not ask you to update your
personal information via an e-mail message. Don’t
get tricked by phishing scams.
Spam filters
On a daily basis you undoubtedly receive unsolicited
commercial e-mail, commonly known as spam. To combat
spam, many firms use spam filters, which detect unsolicited
and unwanted e-mail, and prevent those messages from
getting into a user’s inbox. Like other types
of filtering programs, spam filters use various criteria
to identify spam messages. Simple filters will watch
for particular words in the subject line or sender’s
name, while more sophisticated filters attempt to identify
spam through suspicious word patterns or word frequency.
Anti-spam products also use blacklists, which intercept
messages from recognized spammers; and whitelists, which
let through messages only if they come from your personal
list of recognized e-mail addresses.
Given that a significant proportion of spam messages
also contain viruses or other malware, spam filters
can also help protect your systems, and may prevent
phishing scams from getting through.
While spam filters can significantly reduce the amount
of spam you receive, they are not perfect. They will
sometimes let spam through, and will sometimes block
legitimate messages (these are called false positives).
If you are using anti-spam software, you should scan
blocked messages to ensure an important message wasn’t
missed. You also need to consider whether messages you
send to others were intercepted by anti-spam software.
Anti-spam software can be installed on e-mail servers
and/or on desktop computers. Some e-mail programs include
anti-spam features. Popular third-party anti-spam products
include Norton’s antivirus software which includes
anti-spam functionality (www.norton.com),
SpamNet from Cloudmark (www.cloudmark.com),
and Postini (www.postini.com).
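To make the filter criteria above concrete, here is an added example in Python (not part of the booklet, and not any vendor's product): a small filter that applies the subject and sender keyword rules, a blacklist and whitelist, the "update your password" wording described in the phishing section, and a word-frequency check to a constructed sample mailbox, keeping the reasons for each blocked message so the blocked list can be reviewed for false positives. All addresses and messages are made up.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample mailbox: made-up senders, subjects and bodies for the demo.
SAMPLE_MESSAGES = [
    {"from": "fred.jones@example.com",
     "subject": "Re: closing documents",
     "body": "Fred here. Please find the revised agreement attached for your review."},
    {"from": "promo@cheap-deals.example",
     "subject": "FREE!!! Buy now, limited offer",
     "body": "Buy now buy now buy now. Cheap cheap cheap. Buy now!"},
    {"from": "security@bank-alerts.example",
     "subject": "Important account notice",
     "body": "Your account has been suspended. Visit our site to update your "
             "password and credit card number."},
    {"from": "deals@known-spammer.example",
     "subject": "Hello",
     "body": "Just a quick note about an opportunity."},
    {"from": "newclient@example.org",
     "subject": "Free consultation?",
     "body": "I was referred to you by a friend and would like to book a meeting."},
]

# Simple filter: particular words in the subject line or the sender's address.
SUBJECT_KEYWORDS = ("free", "buy now", "limited offer")
SENDER_KEYWORDS = ("promo", "deals")
# Blacklist of recognised spammers; whitelist of addresses you personally trust.
BLACKLIST = {"deals@known-spammer.example"}
WHITELIST = {"fred.jones@example.com"}
# Phishing wording: a request to "update" passwords, card or account numbers.
PHISHING_RE = re.compile(
    r"update your (password|account|credit card|bank account|social insurance)",
    re.IGNORECASE)
# More sophisticated filter: one word making up too much of the body.
REPETITION_THRESHOLD = 0.25


@dataclass
class Verdict:
    blocked: bool
    reasons: list = field(default_factory=list)


def repetition_ratio(text):
    """Share of the body taken up by its most frequent word (0.0 for empty text)."""
    words = re.findall(r"[a-z']+", text.lower())
    if not words:
        return 0.0
    return Counter(words).most_common(1)[0][1] / len(words)


def classify(msg, strict_whitelist=False):
    """Apply the whitelist, blacklist, keyword, phishing and frequency rules in turn."""
    sender = msg["from"].lower()
    subject = msg["subject"].lower()
    if sender in WHITELIST:
        return Verdict(False, ["sender on whitelist"])
    reasons = []
    if strict_whitelist:
        # Pure whitelisting: only listed senders get through at all.
        reasons.append("sender not on whitelist")
    if sender in BLACKLIST:
        reasons.append("sender on blacklist")
    reasons += [f"subject keyword {kw!r}" for kw in SUBJECT_KEYWORDS if kw in subject]
    reasons += [f"sender keyword {kw!r}" for kw in SENDER_KEYWORDS if kw in sender]
    match = PHISHING_RE.search(msg["body"])
    if match:
        reasons.append(f"phishing wording {match.group(0)!r}")
    ratio = repetition_ratio(msg["body"])
    if ratio > REPETITION_THRESHOLD:
        reasons.append(f"word repetition {ratio:.2f}")
    return Verdict(bool(reasons), reasons)


def filter_mailbox(messages, strict_whitelist=False):
    """Split messages into (inbox, blocked); the blocked list carries the reasons
    so someone can review it for false positives, as the booklet recommends."""
    inbox, blocked = [], []
    for msg in messages:
        verdict = classify(msg, strict_whitelist)
        (blocked if verdict.blocked else inbox).append((msg, verdict))
    return inbox, blocked


if __name__ == "__main__":
    inbox, blocked = filter_mailbox(SAMPLE_MESSAGES)
    for msg, verdict in blocked:
        print(f"BLOCKED {msg['from']:<32} {', '.join(verdict.reasons)}")
    for msg, _ in inbox:
        print(f"INBOX   {msg['from']}")
```

The last sample message, a genuine enquiry with "Free" in its subject, is blocked by the keyword rule: that is the false positive the booklet says you must review the blocked list for.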
E-mail savvy staff can help stop infections
Teaching your staff to avoid dangerous activities can
also help reduce your exposure to potential infections.
Employees should be taught to take great care in opening
e-mail attachments, and not to open attachments that
they are not expecting. Even if the message appears to be from
someone they know, they should not open an unexpected
attachment, because it is easy to fake or spoof the sender’s name. They
should also be taught to take extreme care in downloading
and running programs on their computers. Implementing
a “no downloads rule” is the best protection.
Step #7 - Beware the dangers of metadata
Are you unwittingly sending confidential information
to clients or opposing counsel? If you have e-mailed
a Microsoft Word or Corel WordPerfect document to either,
the answer to this question is likely yes. When you
create and edit your Word or WordPerfect documents,
information about you and the edits you make is automatically
created and hidden within the document file. This information
is called metadata. Metadata can be simply described
as “data about data.” Think of it as a hidden
level of extra information that is automatically created
and embedded in a computer file.
On its Web site, Microsoft indicates that the following
metadata may be stored in documents created in all versions
of Word, Excel and PowerPoint:
- your name and initials (or those of the person who
created the file);
- your firm or organization name;
- the name of your computer;
- the name of the local hard drive or network server
where you saved the document;
- the name and type of the printer you printed the
document on;
- other file properties and summary information (see
below);
- non-visible portions of embedded OLE objects;
- the names of previous document authors;
- document revisions, including deleted text that
is no longer visible on the screen;
- document versions;
- information about any template used to create the
file;
- hidden text, and
- comments.
Similar (although less) metadata exists within WordPerfect
files, and metadata security issues affect the
documents created in most other software programs.
While some metadata can easily be viewed within the
program that has created a file, in most circumstances
hidden metadata can only be seen with special software.
However, hidden metadata can become visible accidentally
– for example, when WordPerfect opens and improperly
converts a Word file, or when a corrupted file is opened.
In these instances, both of which are quite possible
in a law office, the normally visible text and hidden
metadata can appear on a computer screen.
The problem with metadata, especially for lawyers,
arises when people electronically share files as an
attachment via e-mail, on a floppy disk or CD-ROM, over
a network, or through an extranet. Electronic document
files include both the information you see on the screen,
and all the metadata you don’t see. This metadata
can often be sensitive or confidential information,
and can be potentially damaging or embarrassing if seen
by the wrong eyes.
Metadata in Word
How can you view metadata in one of your Word documents?
(WordPerfect users should jump ahead to “Metadata
in WordPerfect,” on page 25.) Find and open a
letter or agreement that you recently e-mailed to a
client or opposing counsel. Click on File, then Properties.
This opens the Properties dialog box, which contains
a variety of summary type information about the file.
On the General tab you can see on which hard drive
the document was stored, and the time and date it was
created, last modified and viewed. On the Summary tab
you can see the name of the author, your firm name,
as well as the name of the template that was used to
create the document.
The Statistics tab contains information about the size
and structure of the document, including the Total editing
time in minutes. This statistic is really the total
amount of time the file was open on a computer, regardless
of whether someone was editing it or not. What if a
client saw this information, and the time indicated
was significantly less than the amount of time you docketed
for working on this document? This discrepancy could
be completely justifiable, but you could find yourself
explaining it to an upset client.
Metadata in WordPerfect
In WordPerfect you can see the same basic file summary type
of metadata you see in Microsoft Office documents by
selecting File, then Properties.
WordPerfect also has a feature called Undo/Redo History.
It can allow you to view hundreds of past changes in
terms of what text was cut, copied and even deleted
from the document. Open a WordPerfect document. Click
on Edit, then Undo/Redo. This opens the Undo/Redo History
dialog box which lists past changes to that document,
assuming Undo/Redo is turned on. Click on the Options
button, and then uncheck Save Undo/Redo items with document
to turn it off. Look at some of your WordPerfect files
to see if you can view summary metadata or the Undo/Redo
History.
The danger of using existing documents as precedents
In many instances lawyers will adapt a document they
created for a previous client. This makes perfect sense
from an efficiency point of view. However, the text
deleted from the original document can remain within
the revised document. What would happen if your client
sees confidential information about the client for whom
the document was originally created, or if opposing
counsel saw changes that were made in an agreement at
the drafting or client review stage?
How do you remove metadata?
Being aware of metadata is just the start. You should
also reduce or eliminate the metadata in your documents.
Sending a fax or paper copy by regular mail would solve
the problem, but will likely not be an option in many
circumstances. If you want your client to review and
edit a document, sending it electronically is the only
practical option. In many cases, clients, opposing counsel
and even the courts expect to receive documents electronically.
There are a number of options to reduce or eliminate
metadata from your documents.
Word, PowerPoint and Excel users should turn off the
Fast Saves feature. To do this click on Tools, then
Options, then the Save tab, and uncheck Allow fast saves.
In older versions of Microsoft Office products it will
be turned on by default. This feature lets a computer
more quickly save a file by not removing deleted text.
If you use features such as tracked changes, document
versions or comments, make sure you delete the information
that is being kept within the document with these features.
Office XP includes some new features to help reduce
the accidental disclosure of metadata. Even more features
are included in Word 2003 and the other Office 2003
applications. They now include a Security tab in the
Options dialog box (select Tools, then Options to view
this tab). You can specify that some metadata not be
saved in a document in this dialog box. The Information
Rights Management feature in Office 2003 can also be
used to reduce paper trail types of metadata being stored
within documents.
Converting files to PDF format with Adobe Acrobat or
other PDF creators will usually strip out most metadata.
For this reason, many firms have adopted a practice
of sending only locked PDF documents to clients or opposing
counsel, especially if the recipient doesn’t need
to edit the document.
While converting a file to PDF format will help strip
out metadata from the original document, remember that
PDF files can also contain their own metadata. Select
File, then Document Properties to view the summary metadata
information within a PDF file. In this same dialog box
you can add further restrictions on how the document
can be accessed, used, copied and printed in the Security
Options settings.
If you want the recipient to edit the document, send
it in its native format, but without metadata. Several
programs can help identify and clean metadata from your
documents. Microsoft’s Remove Hidden Data Add-In
permanently removes hidden and collaboration data, such
as change tracking and comments, from Word, Excel, and
PowerPoint files in Office XP and Office 2003 only.
For Word, Excel and PowerPoint documents, one of the
most widely used metadata scrubbers is the Metadata
Assistant, sold by Payne Consulting Group (www.payneconsulting.com)
for US$79. Other metadata removal programs for the Microsoft
suite of products include: Out-of-Sight (www.softwise.net);
ezClean (www.kkl.com);
Workshare Protect (www.workshare.net);
and iScrub (www.esqinc.com),
which integrates with Microsoft Outlook and will prompt
a user to clean an outgoing attachment.
Unfortunately there is no software program that easily
and automatically removes metadata from WordPerfect
documents.
For more information on metadata, see the following
resources:
- Word, Excel and PowerPoint users should visit the
Microsoft support page at http://support.microsoft.com/.
For more detailed information on removing metadata
from Word 97, 2000 or 2002, see respectively, Knowledge
Base articles 223790, 237361 or 290945.
- WordPerfect users should visit the Corel knowledge
base at http://support.corel.com/
and search for “minimizing metadata.”
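As an added example that is not from the booklet or from any vendor named in it, the Python script below carries the viewing and cleaning steps above through on the newer .docx format (Word 2007 and later), which the booklet predates: it reads the author, company, template and Total editing time the booklet warns about, together with any tracked deletions, and writes a scrubbed copy that keeps only the visible text. It assumes a small sample document constructed in memory, with made-up names and values.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside a .docx package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ap": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Properties the booklet lists, mapped to where a .docx stores them.
CORE_FIELDS = {"author": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
               "revision": "cp:revision", "created": "dcterms:created",
               "modified": "dcterms:modified"}
APP_FIELDS = {"template": "ap:Template", "total_editing_minutes": "ap:TotalTime",
              "company": "ap:Company"}

# Constructed sample parts for a minimal .docx (made-up names, not a real file).
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>Jane Lawyer</dc:creator>
  <cp:lastModifiedBy>Jane Lawyer</cp:lastModifiedBy>
  <cp:revision>17</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2004-01-05T09:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2004-01-06T15:30:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)
APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ap}">
  <Template>Firm Share Purchase Agreement.dotx</Template>
  <TotalTime>35</TotalTime>
  <Company>Smith &amp; Jones LLP</Company>
</Properties>""".format(**NS)
# The body keeps a tracked deletion: text left over from an earlier client's version.
DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{w}"><w:body><w:p>
  <w:r><w:t>Purchase price: $1,000,000.</w:t></w:r>
  <w:del w:id="1" w:author="Jane Lawyer"><w:r>
    <w:delText>Client ABC Ltd. previously agreed to $900,000.</w:delText>
  </w:r></w:del>
</w:p></w:body></w:document>""".format(**NS)


def build_sample_docx():
    """Zip the constructed parts into an in-memory .docx package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def read_metadata(docx_bytes):
    """Return the hidden properties, tracked deletions and visible text of a .docx."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
        body = ET.fromstring(z.read("word/document.xml"))
    for root, fields in ((core, CORE_FIELDS), (app, APP_FIELDS)):
        for key, path in fields.items():
            el = root.find(path, NS)
            if el is not None and el.text:
                found[key] = el.text
    # Deleted text survives inside w:del elements until the change is accepted.
    found["deleted_text"] = [t.text for t in body.iterfind(".//w:delText", NS)]
    found["visible_text"] = " ".join(t.text for t in body.iterfind(".//w:t", NS))
    return found


def _drop_elements(xml_bytes, paths):
    """Remove every element matched by the given paths and re-serialise the part."""
    root = ET.fromstring(xml_bytes)
    parents = {child: parent for parent in root.iter() for child in parent}
    for path in paths:
        for el in root.findall(path, NS):
            parents[el].remove(el)
    return ET.tostring(root, xml_declaration=True, encoding="UTF-8")


def scrub_metadata(docx_bytes):
    """Copy the package with identifying properties and tracked deletions removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = _drop_elements(data, CORE_FIELDS.values())
            elif item.filename == "docProps/app.xml":
                data = _drop_elements(data, APP_FIELDS.values())
            elif item.filename == "word/document.xml":
                data = _drop_elements(data, [".//w:del"])
            dst.writestr(item.filename, data)
    return out.getvalue()
```

Comments (word/comments.xml) and tracked insertions are left alone here; a scrubber you rely on in practice must handle those parts as well, and re-checking the output with read_metadata is the equivalent of the File, then Properties check the booklet describes.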
Step #8 - Lock down and protect your data, wherever it is
Gone are the days when you had to worry about only
one copy of each document, which you could easily secure
by keeping it locked up in a file cabinet. Today, client
data exists in electronic form in many different places
inside and outside your office. You need to know where
that data exists, who can access it, and what steps
should be taken to secure and protect it.
Access to servers, routers and phone switches
Protecting your server and other key telecommunications
equipment such as routers and phone switches starts
with physical security. Intruders who have physical
access to a server can get direct access to files and
data on the server’s hard drives, enabling them
to extract usernames and passwords of every user on
the system, destroy data, or give themselves a backdoor
for accessing the server remotely. Even curious employees
who want to change settings can unintentionally cause
serious problems. Lock up your servers and other key
telecommunications equipment to protect them from unauthorized
access.
Access to individual computers
To protect information on them and on the network,
every computer in a law office should be configured
to require a password at startup. Without this password,
it is more difficult to access the data on the hard
drive. Although all versions of Windows accommodate
this requirement, Windows 98 users should note that
a login password will not protect data on a computer,
as simply pressing the Esc key will bypass the login
and give you full access to the hard drive.
Put a password on your screensaver
Activating a password-protected screensaver is a simple
and very effective way to prevent an unauthorized user
from rifling through the files of a computer that has
been inadvertently left logged on. All versions of Windows
include password-protected screensavers.
To activate this feature, click on Start and select
Settings to open the Control Panel. Click on the Display
icon, and select the Screensaver tab. Check the Password
protected checkbox, enter a password, and set a Wait
time that is appropriate for you. This is the amount
of time the computer will wait after keyboard activity
ceases before starting the screensaver. Once started,
you require the password to exit the screensaver.
Access across a network
Anyone who has worked on a computer network will recognize
that they have the ability to access computer files
on another computer in the office, usually a central
server. How does this work? The hard drive on a server
contains various computer files and folders. To be seen
and accessed across a network, folders and files on
the server must be configured to be shared. To control
access to files or folders (and all the files in them),
the level of sharing and access can be limited, by either
individual users or groups of users. Files and folders
that are not shared can’t be seen or accessed
across a network. For example, you might give litigation
staff read-only access to the folder with firm precedents
so they can access them, but can’t change them.
You might limit access to folders with payroll information
to your bookkeeper and managing partner. Client work
product would go in a folder to which all staff had
access.
The configuration of servers and networks will vary
from office to office. Take time to understand what
information is stored on your servers, and who has access
to that information. Configure your network shares and
access rights so that access to sensitive information
is limited or prevented. Remember that privacy legislation
requires that you limit access to some types of personal
information on a need-to-know basis.
Your desktop or laptop computer can act like a server
in some cases, and content on your hard drive could
be accessed by someone across a network, or from the
Internet. To prevent this from happening you need to
make sure that File and Printer Sharing is turned off
on your computer.
Encryption of sensitive files
Many software products, including Word and WordPerfect,
contain a feature that will let you password protect
documents. Although this feature may prevent casual
users from accessing password-protected documents, this
type of password protection is easily circumvented.
For files that contain extremely sensitive information,
you may consider encryption. Encryption tools act as
ciphers, converting information into secret code that
can only be accessed with a password.
Windows 2000, NT, and XP have built-in functionality
for encrypting files, but only on NTFS formatted hard
drives. This offers some protection, although some software
tools can decode NTFS-encrypted hard drives. Other file
encryption products that are more effective than NTFS
are listed in the next section.
Data on laptops and other portable devices
Laptops and personal digital assistants (PDAs) contain
large amounts of confidential client and personal information;
they are also easily lost or stolen. As a first line
of defense you can enable the built-in password protection
on these devices. Although this should protect the data
on them from the average thief, someone with specialized
knowledge can bypass these built-in password-protection
features.
For an extra level of security for laptops, consider
using: PGP Personal 8.0 (www.pgp.com),
PointSec for PC (www.pointsec.com);
SafeGuard Easy (www.safeguardeasy.com);
or SecureDoc (www.winmagic.com).
To encrypt the data on PDAs, the most widely used products
include: PDADefense (www.pdadefense.com);
PDASecure (www.trustdigital.com);
PointSec for Palm (www.pointsec.com);
SafeGuard PDA (www.safeguardeasy.com);
or TealLock Corporate (www.tealpoint.com).
Never leave your laptop unattended in a public place.
To be less of a target for theft, use a briefcase or
bag that does not look like a standard laptop bag. Inexpensive
cable locks from Targus (www.targus.com) and others
may deter the casual thief, but are no obstacle for
a determined thief with cable cutters.
E-mail encryption
E-mail messages carry confidential information outside
your office and can, at least in theory, be intercepted.
Encryption can prevent intercepted e-mail messages from
being read, and is reviewed in more detail on page 20.
Deleted doesn’t mean deleted
It’s a misconception that deleted files are gone
for good. In fact, deleted files are easy to recover
using widely available forensic recovery tools. Even
reformatting or repartitioning a hard drive will not
completely destroy all the data on it.
This is an issue if you are sending your computer equipment
outside the office for repair, or donating your computers
to charity or a local school where a classroom of technology
savvy students will be itching to recover your data.
To address this issue, you can use specialized software
that will “scrub” all data from a hard drive
so that it is not recoverable. WipeDrive (www.accessdata.com)
is a widely used scrubber. Eraser 5.7 (www.heidi.ie),
is a free download and is also a good scrubber. Physically
destroying a hard drive with a hammer is the free and
low-tech option.
Because the same forensic technology can also restore
deleted files on floppy disks, you should always use
new floppies when sending data outside your firm.
Remote access
Although a bonus for lawyers who want to work and access
data when not in the office, remote access creates opportunities
for breaches of confidentiality.
Virtual private networks or VPNs can make remote access
more secure. A VPN is a network connection constructed
by connecting computers together over the Internet and
encrypting their communications so that intercepted
data is incomprehensible. VPNs are secure and
fast, but are expensive and hard to configure. Windows
Terminal Server, which is free with Windows, will allow
remote connections, is easy to set up, but is slower
and less secure than a VPN.
Accessing your e-mail or network from a public computer
If you rely on Internet cafés, library terminals,
or other public computers, be aware that you are likely
leaving behind passwords, your surfing history, data
in temporary files, cookies and other personal information
at each machine you use. Products such as P.I. Protector
Mobility Suite 2.0 (www.imaginelan.com)
protect against this. The program, which you install
on a USB flashdrive or other portable device, creates
a portable identity on that device, including your e-mail
data. The Protector program then accesses the Internet
through the flashdrive or other device, and stores all
sensitive information on it. As a result, you can use
public computers without leaving a trace.
Be aware of data theft with thumbdrives
Tiny, high-capacity USB drives or thumbdrives have
become the new floppies. A combination of three things
makes them a security concern: (1) they are very easy
to use, (2) they are compact, lightweight and ultra-portable,
and (3) they can store huge amounts of information.
They are, in other words, the perfect tool for a disgruntled
or soon-to-be ex-employee who plans to easily and quickly
steal firm data.
How do you protect yourself? Make sure you have appropriate
security and access rights to the confidential client
and firm information on your firm’s computers
and servers. Auditing file access may help you spot
someone who is accessing information they should not.
Consider disabling USB ports on all firm computers.
Lastly, take extra care with employees who may be leaving
the firm (see page 48).
Off site storage
Storing electronic data with a third party raises a
number of obligations to safeguard client property and
confidentiality. These concerns also apply to data that
is being backed up over the Web, or to matter documents
that are being stored on a Web site for collaboration
purposes.
Contracts with any third party who is in possession
of confidential client information should deal with
the various relevant security issues, including having
specific provisions that require that all information is
properly stored and secured to prevent inappropriate
access. This can and should include password-controlled
access and encryption of the information. In addition,
antivirus software should be used. The third party should
also indicate how the facility is prepared for a disaster,
that adequate backup systems are in place, and what
their contingency plans are if emergencies or disasters
make the vendor’s primary facility unavailable.
These measures ensure that your clients’ information
is protected, and that you will have access to it when
needed.
List serves and chat rooms
Through list serves, chat rooms and other virtual electronic
communities, the Internet has created new ways to meet
and mingle with others, including potential clients.
List serves, sometimes called e-mail lists, let you
interact with dozens, hundreds or even thousands of
other people. List serves are really nothing more than
a group of people with the same address. You reach everyone
on a list by sending an e-mail message to a specific
e-mail address. List serve software operates by receiving
this message, and then automatically sending it to everyone
on the list. All replies are automatically sent to the
entire list. In effect, this allows a large group conversation
via e-mail.
Chat rooms are also called “online forums.”
Chat rooms are simply a page on a Web site or online
service where people can “chat” with each
other by typing messages on their computer. These messages
are displayed almost instantly on the screens of others
who are in that same “chat room.” When you’re
in a chat room you can view all of the conversations
taking place at once on your screen.
Saying something in a message posted to a list serve
or in a chat room conversation is the same as blurting
something in an elevator or at a meeting. All obligations
of confidentiality still apply. Be aware of this and
don’t disclose confidential information on a list
serve or in a chat room.
Summary
LAWPRO encourages you to proactively protect the security
and privacy of the electronic information in your offices
– not only to comply with the Rules of Professional
Conduct and privacy legislation, but also to safeguard
the viability and integrity of your practice.
A failure to protect the electronic data in your office
could have disastrous consequences. This could include
an embarrassing release of sensitive information, a
malpractice claim, a complaint to the Law Society, or
the theft of your personal or firm identity. At the
very least, the theft, loss, or destruction of client-
or practice-related data will be disruptive to both
you and your practice. In the extreme case, it could
cause your practice to fail.
Take time to understand where the risks are. Implement
office management practices and appropriate technology
to ensure all your data remains confidential and secure.
Carefully review and implement the suggestions and
steps outlined in this booklet. Seek outside, knowledgeable
help if necessary. It is relatively easy and inexpensive
to protect yourself from the common threats. Acting
now to protect yourself from the most common threats
could help you avoid having to spend time and money
dealing with security compromises.
In next month's article we will cover the final five
steps that you must take to protect the security and
privacy of your data, including:
Step #9 Harden your wireless connections
Step #10 Learn how to safely surf the Web
Step #11 Change key default settings
Step #12 Implement a technology use policy
Step #13 A backup can save your practice
Appendix 1 lists other resources that can help you
secure the electronic data in your office.
Appendix 1
Other resources
Web sites
PC Magazine Security Watch page – www.pcmag.com/security
Various articles on security issues, and reviews of
security related technology products.
Urban Legends Site Computer page – www.snopes.com/computer
An easy to use listing of current virus threats and
hoaxes.
Symantec Home Page – www.symantec.com
Current information on the latest threats, list of known
viruses, and information on how to repair and clean
infected computers.
Consumer Web Watch – www.consumerwebwatch.org
A good page from the Consumer Reports people for current
news and information about Web-related security issues.
eBay Security and Resolution Centre – http://pages.ebay.ca/securitycentre/
Helpful information on avoiding online auction fraud
and identity theft.
Senseient Publications Page – www.senseient.com
See the Publications Page for detailed articles on a variety
of law firm related security and forensics issues.
Test your password strength – www.securitystats.com/tools/password.php
Test the strength of your passwords, and get suggestions
on how to make them stronger.
Tips For Troubleshooting Computer Problems – www.lawpro.ca/lawpro/Computer_troubleshooting.pdf
practicePRO article on steps to take to troubleshoot
computer problems.
LSUC Practice Management Guidelines – www.lsuc.on.ca/services/pmg_tech.jsp
Guidelines to assist lawyers in conducting various aspects
of legal work, including management of files and client
information.
ABA’s Law Practice Management Webzine – www.lawpracticetoday.org
General articles on legal technology and other LPM issues.
Office of Privacy Commissioner of Canada – www.privcom.gc.ca
Information on complying with PIPEDA.
Magazines
Smart Computing Magazine – www.smartcomputing.com
Great magazine for basic information on all types of
technology.
Law Office Computing Magazine – www.lawofficecomputing.com
Great magazine for legal technology articles and product
reviews.
Books
Computer Security for the Home and Small Office
by Thomas C. Greene.
Covers many of the topics covered in this booklet in
more detail. 405 p. Apress, 2004.
Information Security: A Legal, Business, and Technical
Handbook by Kimberly Kiefer, Stephen Wu, Ben Wilson
and Randy Sabett; 82 p. American Bar Association, 2003;
www.ababooks.org. This book reviews security threats,
includes information on security best practices and
how to respond to security incidents. It also has standards,
guidelines and best practices precedents.
This booklet was prepared for the Lawyers’
Professional Indemnity Company (LAWPRO®) by Daniel
E. Pinnington, Director, practicePRO, LAWPRO (dan.pinnington@lawpro.ca).