COMPLEX TECH: If your firm doesn't understand technology, digital redaction disasters are inevitable

/

With electronic court filings becoming a thing of the present, not the future, adequate electronic redaction is now essential. For example, General Order 08-02, issued by the United States District Court, Central District of California, requires redaction to protect "sensitive and private information."  The Order provides, at Part IV.E:

The parties shall refrain from including, and/or shall redact where inclusion is necessary, the following personal data identifiers from all documents filed with the Clerk.

  1. Social Security Numbers: If an individual’s Social Security Number must be included in a document, only the last four digits of that number should be used.
  2. Taxpayer Identification Numbers: If a taxpayer identification number must be included in a document, only the last four digits of that number should be used.
  3. Names of Minor Children: If the involvement of a minor child must be mentioned, only the initials of that child should be used.
  4. Dates of Birth: If an individual’s date of birth must be included in a document, only the year should be used.
  5. Financial Account Numbers: If financial account numbers are relevant, identify the name or type of account and the financial institution where maintained, and only indicate the last four digits of the account number.
  6. Home Address: If a home address must be included, only the city and state should be used.
  7. Additional Information: For good cause, the assigned judge may require redaction of additional information.

Before the digital world was fully upon us, redactions were accomplished with a black marker.  Now, attorneys and support staff are preparing documents for filing electronically, and redactions are applied with electronic tools.  Unfortunately, some people believe that a redaction is sufficient if the private text is visibly obscured.  But with digital information, merely obscuring text may not (or will not) actually remove it from the electronic document.  The results of incomplete redaction can be devastating.

In a sex discrimination case against General Electric, Sanford, Wittels & Heisler (based in Washington, D.C.) electronically filed documents for the plaintiffs with large passages redacted.   (Douglas Malan, GE Suffers a Redaction Disaster (May 28, 2008) www.law.com.)   The redactions were insufficient:

But as of late last week, you could download several documents through PACER's federal court filing system, copy the black bars that cover the text on the screen and paste them into a Word document.

Voilà. Information about the inner-workings of GE's white, male-dominated management and their alleged discriminatory practices against women, which is supposed to be sealed by court order, appears with little technical savvy required.

(Ibid.)  The fallout is that a potential settlement may unravel because of the disclosure of information about General Electric that both sides agreed to keep secret.

A PACER account representative was unaware of the problem until she was guided through the process of downloading, copying and pasting the "redacted" information into new document, where, like magic, it appeared in an unredacted form.  It is important to note that PACER employees do not check filings for redaction adequacy.  That obligation rests on the lawyers.  As noted in Malan's law.om article, "Where once a black marker strike on a piece of paper was sufficient, redaction in the digital world requires special software and the know-how to delete the words behind the shield."  In the GE case, "Plaintiff's attorney Sanford couldn't say what process or software his law firm used to redact the information in the Schaefer case. 'Quite frankly, I'm not involved in the mechanics,' he said."  (Ibid.)  One would venture a guess that this unfortunate attorney knows now.

In a subsequent post I plan on reviewing Adobe Acrobat v.8, which provides secure redaction tools sufficient for all filings and at a price point that should be affordable to even the smallest firms.

Read More

COMPLEX TECH: Update on IronKey USB Security and Encryption Tool

/

Ironkey_logo_web225A couple of days ago, I posted information about the IronKey USB key, a great solution for data encryption.  At the end of my post, I also mentioned the fact that my request for law firm specific information had not received a response.  I first want to note that I have since learned that my inquiry (1) didn't go to the right person, and (2) wasn't sent through the expected channel.  As soon as IronKey's team learned about my request for information through my post on this blog, I received a courteous and prompt response to my inquiry (to the extent they could do so without violating client confidences, an issue they apparently take as seriously as do lawyers).

I can report that several "BigLaw" firms have already deployed the IronKey to their attorneys.  Without knowing the identities of the firms, it is still safe to say that large firms reside at the conservative end of the spectrum.  If the IronKey won over the IT departments of some big firms, it should be able to impress everyone.  The IronKey just strikes me as a solution that is almost customized for the needs of law firms.

I also need to mention the fact that IronKey offers an managed enterprise solution that is particularly useful for larger deployments of IronKey USB devices.  The managed enterprise service provides an Administrator IronKey that allows recovery of forgotten passwords.  When the Administrator IronKey and one of the deployed keys are both attached to a computer, the Administrator can access a secure site to "reset" the password on the otherwise useless IronKey.

I don't usually get too excited by new technology tools, because, from my perspective, there is always something more they can do.  It's easy to be an armchair critic.  But here, it's hard to see where IronKey missed the boat with this device.

I strongly suggest that you at least take a look at the Ironkey.  Considering everything under the hood, it is very reasonably priced, and IronKey offers some additional features that I didn't cover in my prior post.

Read More

COMPLEX TECH: The Ironkey USB key delivers unprecedented security for critical data

/

Ironkey_logo_web225Recently, The Complex Litigator discussed the topic of data encryption to protect confidential client data.  Now, as part of the ongoing COMPLEX TECH series, The Complex Litigator will cover various data encryption solutions.  In this post, I will profile what appears to be nothing more that a slightly-larger-than-normal USB key, the Ironkey.

"Ironkey" is appropriate for a number of reasons.  First, the IronKey is designed so that it cannot be physically tampered with or disassembled by a determined hacker.  The IronKey is encased in a rugged metal housing, not plastic. It is one of the strongest USB devices you can buy.  The interior of the IronKey is filled solid with an epoxy-based potting compound. This seals in all the components and prevents the IronKey from being crushed, even under extremely high pressure. The process of trying to remove encrypted data from the flash chips would be extremely difficult, time-consuming and almost certainly destroy the chips and connections inside. Such an attempt would cause permanent, noticeable damage.

The IronKey has tested, passed, and exceeded military waterproof standards (MIL-STD-810F).  The Ironkey can survive a swim in the pool or a trip through the washing machine.

Read More

COMPLEX TECH: Are you protecting your (and your client's) data with encryption?

/

Well?  If you aren't entirely clear on what is meant by "encryption," you need to be.  If you understand encryption and aren't using it, are you waiting for a data breach or loss before you actually implement any form of encryption security?  Depending upon your level of tech know-how, you should either be learning about encryption or using it.

Consider the recent Ninth Circuit decision in United States v. Arnold.  In that opinion, the Ninth Circuit held that border patrol agents can search your laptop or other digital device without limitation when you are entering the country.  The Electronic Frontier Foundation suggest encryption as one solution: "If you encrypt your hard drive with strong crypto, it will be prohibitively expensive for CBP to access your confidential information."  (Jennifer Granick, Protecting Yourself From Suspicionless Searches While Traveling (May 1, 2008) www.eff.org.)

But you don't travel outside the country with a laptop, so United States v. Arnold doesn't impress.  So consider this hypothetical that probably hits close to home for many attorneys.  You are at Big Firm's offices for endless days of deposition testimony in a massive toxic chemical spill case.  Big Firm graciously provides an open wireless network for you to access while in their offices.  You don't know anything about WiFi, other than your Windows laptop is set to look for open WiFi networks and connect automatically.  It seems to work every time you go to offices like Big Firm's, so you don't worry about it.  You surf the Internet during breaks, you log onto your office e-mail server, you check your bank account balance online, all with not a care in the world.  But did you know that all your wireless data is flying through the air in an unencrypted format that any junior high school hacker could capture and analyze.  You might luck out if some of the sites you visit use SSL encryption for password submission, but you are basically operating your computer out in the open.  Even Big Firm's IT staff could be reading and recording your transmissions...

Subsequent posts in the COMPLEX TECH series (i.e., those posts that follow after this very first post under the COMPLEX TECH moniker) will identify some specific encryption options.  But for now, a simplified explanation of what is meant by "encryption."  In grade school you likely discovered the substitution cypher.  A simple substitution cypher is created by writing down the alphabet and then writing a second copy of the alphabet under the first shifted over by an arbitrary number.  For example, if you shift two letters right, your second alphabet's "A" appears under the "C" of the first.  Your second alphabet's "B" appears under the "D" of the first, and so on.  When you get to the end of the first alphabet, you wrap back around to the beginning.  The second alphabet is used to encode a message.  First, you write out your message.  Next, you find each letter of your message in your first alphabet and record those letters.  The result is that the original message is replaced with a set of letters that have been shifted using your "key."  The problem with substitution cyphers is that they are incredibly easy to crack, even without computers.

In WWII, the Germans created the Enigma machine, which created encoded messages that were very hard to break.  Essentially, the machine used a substitution cypher that changed every time a key was typed on the keyboard.   In other words, every letter was encoded with a different substitution cypher.  But even that complex encoding system was cracked without the use of the computing power available today.

Encryption techniques used today take data and either divide it into blocks, scrambling and obscuring each block individually, or convert a block of text into a large number and perform mathematical operations on that number with other huge numbers.  The important piece of information that you should take from this discussion is that secure encryption methods, like PGP, are believed at present to be secure from all decryption techniques, or so secure that only governments with the highest level of technical know-how could every crack the encryption technique (it is generally believed that if PGP is breakable, perhaps only the NSA is capable of doing so).

Stay tuned for more encryption discussions in the COMPLEX TECH series.

Read More

Complex matter litigators have an ally in Judge Reiser

/

Ventura County Superior Court Judge Glen M. Reiser may be the best friend that you haven't met yet.  In its (corrected and reprinted) Judicial Spotlight column, the Daily Journal provides some insight into why complex matter litigators should be lining up to support Judge Reiser's efforts.  (Iafolla, Passion for Change, Daily Journal (April 16, 2008) p. 3 (by subscription only).)

Judge Reiser is "involved in the development of the software" that is the California Case Management System ("CCMS").  CCMS, version 3, is operative in several counties, including San Diego and Ventura.  Sacramento is also part of the test project.  CCMS, version 4, should be under development at this time, based upon at least one news report about CCMS, version 4, from December 2007.  The California Case Management System, when operative, will allow online document access and e-filing in California's Court system of roughly 450 courthouses.  (Carreon, Online Civil Filings Will Replace Court Paper, Sacramento Bee (October 12, 2007).)

The present goal is to connect every Superior Court in California by 2012.  When completed, it is believed that CCMS will constitute the world's largest single online court system.  For the complex matter litigator this is the holy grail.  It is easier than ever to create high quality, text searchable pdfs.  The ability to file electronically, obtain electronic copies of filings, and search the entire court system for information about cases should provide a definite boost in efficiency.

That is, of course, if the Court system stays out of its own way.  Consider the recent change in the United States District Court for the Central District of California.  E-filing is now mandatory in all civil matters.  Great news, right?  Not if you've tried to navigate through its painful set of menu choices to find the "right" category for your document.  Oh, and those courtesy copies you used to have delivered to the Judge's drop box (per Orders of each Judge)?  You still have to do that, but now you have to attach your proof of e-filing to the back of the paper copy.  And you thought e-filing would save on all those messenger fees.  The CCMS project should learn from these types of implementation failures and make navigating the judicial system easier for everyone in California.  Support the efforts of Judges like Judge Reiser, but if you run into him, ask him to make sure that CCMS is an efficiency booster, not an extra step.

Read More