“The stuff of nightmares,” is how Lee Pacchia at Bloomberg Law described it. Data stolen. The problem isn’t that we lawyers don’t realize it can happen. Of course it can. But so too can Timmy, the drug-addled offspring of your second cousin Ned, who you gave the summer job in your office, steal a file, even if he’s unfamiliar with the standard alphabet.
The solution is that we don’t believe it’s going to happen. We don’t believe that someone with the extraordinary technical prowess to hack us doesn’t have better things to hack. We refuse to believe it.
The reason we refuse to believe it is that we want to use the internet, as if there is really any option anymore, and there isn’t a damn thing we can do about it. So we block it from our minds, deny it as a real possibility and plow on.
It must have come as a shock to Neal Puckett, then, when he found out that Anonymous made the announcement.
Just a few minutes ago, Anonymous announced they had stolen 2.6 gigabytes of email belonging to the law firm Puckett Faraj. Neal Puckett represents Staff Sergeant Frank Wuterich, who was accused of leading the group of Marines who killed 24 unarmed Iraqi civilians in the town of Haditha in November, 2005—what later became known as the Haditha Massacre. Last month, Wuterich struck a plea deal where he’ll be demoted from Staff Sergeant to Private, but will serve no prison time.
A good deal for Sgt. Wuterich took a turn south for everyone involved. While the data has yet to hit the streets, chances are awfully good that it’s not going to make anyone look like a hero. Did Puckett fail to protect his client’s confidential communications? Well, sure. That they are now in the hands of some people he doesn’t know, but he knows aren’t covered by his malpractice carrier, clearly something went very wrong.
But can anyone blame Puckett? While the details are unknown, chances are that there was absolutely nothing he could have done to protect the data. If the FBI and Scotland Yard can’t keep their chats private, what exactly do you think you can do better?
Whether it’s a disgruntled employee at a cloud computing company, or within your own shop, or the Chinese or Anonymous, or the federal government, or someone as yet unknown, we add this to the list of things that can go very wrong with our new and wondrous digital world. There are precautions that we normally take, extreme and expensive precautions that, should anything to wrong, others will inform us we should take. But are there any precautions that will provide perfect security?
The flip side is that we never had perfect security with physical files either. The same unhappy folks in offices today were in offices before, capable of accessing files and destroying them, or perhaps handing them off to someone else like Pentagon Papers. Whether it’s Timmy the Addict or that nice gal who empties the wastebaskets, we didn’t stay awake at night thinking about whether we left a file on the desk or a drawer unlocked.
In Lee Pacchia’s interview of Michael Riley, who might consider investing in an iron, the trade-off is couched in terms of money, the cost of “bullet-proof” security versus the potential for liability. As yet, there isn’t a clear standard of liability, how much security is needed to provide reasonable care. Is it a decent password or do we need armed digital guards? And no matter what security a lawyer uses, you can bet your career that it will be second-guessed should there be a breach, as with Neal Pluckett, that spills your clients dirty laundry all over the internet.
Despite my exceptional knowledge of digital security protocols, which stops just short of passwords longer than 3 characters, I take comfort in acknowledging that it’s enough to keep a luddite out but ridiculously inadequate should Anonymous or the FBI decide that they want to know my highest score on Angry Birds. In other words, I’ve come to grips with the fact that there are some out there who can hack the crap out of me should that be there intention, and there isn’t a thing I can do about it.
Instead, I’ve developed a trick that defeats the problem. I don’t put anything to substance into an email. I don’t allow my clients to put anything of substance into an email. I realize this is heresy, since this is the way all communications are required to happen in this digital age, and that we live in a time when all information is spread from computer to computer, but I never quite trusted it.
For those of you who have been inside a courtroom, you may see codgers use something that’s flat and yellow, with bluish lines going east to west. This is called a “yellow pad,” and used to be an accepted tool of the trade. I now call it a yPad to make it sound more modern. I use it to write on. With a pen, which is (I’m told) a device that should never touch the shiny front of an iPad, not to be confused with a yPad. When I get up from the table in the courtroom, I take my yPad with me. Always, unless I’m using it to play an amusing trick on a young prosecutor, but that’s the subject of another post.
When I’m done using a page on my yPad, it is never thrown into a garbage can. It’s taken with me back to my office, where it is ceremoniously destroyed. It is not reduced to a computer file, to be held in perpetuity just in case someone, someday, demands to know whether I wrote something down. Things that must be remembered are reduced to another writing, in my personal hand using a script that would make a nun faint, and placed within a manilla folder, within a locked cabinet. Even if someone breaks in, they would have to be able to decipher my handwriting to know what was on the page. No one has ever broken that code.
This may not work for everyone.
While the means by which our privileged communications, work product, and client confidences can be obtained by others are multiplying, and from long distances and by people we don’t know and might never imagine would be interested, there likely isn’t a whole lot we can do about it. For every security guru who tells us it’s a problem, someone will ask the important question, so what’s the solution? They have tons of answers, but nothing that solves the problem. There is no “bullet-proof” answer.
It’s foolish to delude yourself into thinking it can’t happen. Of course it can. It’s similarly foolish to throw a ton of money into putting up brick walls that some nefarious computer culprit can go over, under or around if they’re so inclined, and expect that more people will have the ability to do so every day. It’s a whole lot easier, and more effective, to avoid creating content that reveals confidences or can be used to harm a client. It may not be entirely avoidable, but we can certainly keep it to the barest minimum. And really awful handwriting is something to which every lawyer should aspire. It has its virtue.