Essential Law Firm Technology Policies and Plans

by Sharon D. Nelson, Esq. and John W. Simek

Technology users run amok. They are rogues, far more apt to do what they please than to do what their employers dictate. Sometimes law firms try to control their employees with technology. Our favorite example is using technology to ban visits to social media sites. Employees, after complaining bitterly about their bosses, will simply use their smartphones and go wherever they want on the Web.


Policies that have a dose of common sense can often accomplish more than technology.


Law firms also need plans—what if your firm is sued and you find yourself under a litigation hold? Do you know what needs doing and who will do it? What if a major earthquake or flood hits and you are suddenly without an office? In a modern day nightmare, what happens if you find out that someone has hacked into your law firm servers? What’s the plan, Stan?

We could write an article on each of the policies we’ve listed below, but space demanded a condensed version to get you thinking about whether you should be developing policies you don’t have or reviewing those you do have to see if they need updating. Remember, there are a lot more policies and plans that law firms should have – these are specifically related to technology.


And for heaven’s sake, TRAIN, TRAIN, TRAIN at least once a year. No one remembers the fine points of plans and policies without annual memory refreshers and the technology updates will necessitate minor changes at a minimum.


Electronic Communications and Internet Use Policy


Don’t blame the employees if you haven’t been clear about what they can and can’t do. Most employers allow incidental use of e-mail and Web surfing for personal purposes and that seems fair enough to us. But if an employee is engaged in personal Web cruising or electronic communications for the bulk of their day, they are outside the policy. You may want to forbid streaming at work (audio and video), which hogs bandwidth and can really slow down your network. Forbid downloading executable files without checking with IT—who knows what malware may ride in on those files? Typically, users are forbidden to visit sexual sites, “hate” sites, or sites involving illegal activity, such as gambling sites. When visiting interactive sites, they are generally encouraged to think twice before using the firm name in any manner. Privacy and confidentiality are always addressed.

A toothless policy won’t work. If you are going to make rules, you need to be able to monitor conduct, at least periodically, and to punish infractions. This is true for all policies, so be prepared to police your policies once they are implemented.1


Social Media Policy


You might think this would fall under the policy above, but most businesses have a separate social media policy—in part, because social media has been a world in which the Indians run the reservation while the chiefs are helplessly wringing their hands.


Forbidding the use of social media doesn’t work. It not only irks the employees but they ignore the prohibition. If you have technology enforcing the prohibition, they will use their smartphones or other personal communication device.

By way of contrast, large businesses are generally embracing social media—at one general counsels meeting in New York, we heard the general counsels of Sprint and Coca-Cola happily laud their employees as “social media ninjas.” They go out and spread the gospel on behalf of the companies. Of course, in law firms, we have to be mindful of our ethical rules—but within those rules, one can do a lot of good for the firm.


So … follow the KISS principle and keep the policy simple. No obscenities, no discriminatory postings, no angry postings, proof before you post, don’t give legal advice, remember that social media lives forever, speak politely to everyone you interact with, and report “problems” to a supervisor.2


Document Retention Policy


If only law firms would learn to take out the digital trash. Instead, they tend to move all their data when they do a technology upgrade because storage is so cheap. What is NOT cheap is searching through all sorts of useless data either when looking for client documents or searching the data in response to a discovery request in a lawsuit. You really don’t need the twenty-five e-mails it took to schedule one meeting. But lawyers tend to keep it all.

The first rule of creating a document retention policy (DRP) is simple: If you are governed by federal/state law or regulations, follow them! If federal and state requirements conflict, obviously follow the more stringent requirements. The second rule is equally simple: If you are governed by internal by-laws, other mandatory procedures, or industry standards, abide by them. Now comes the dicey part. Rule #3: If you are on your own after following rules 1 and 2, assume all the documents in your possession, paper and electronic, will be the subject of a lawsuit somewhere down the line.

What is best kept and what is best thrown away? Drafting these policies is no walk in the park. It requires more intensive thought than might appear at first blush. Will it help or hurt you to keep successive drafts of documents? The deeper you delve into policy formation, the more niggling issues tend to pop up. Don’t expect to formulate a sound DRP overnight.3

THE VERMONT BAR JOURNAL • SUMMER 2012


Secure Password Policy

Only the largest law firms tend to have a secure password policy and this is a shame. This is an easy one to compose now that the Georgia Institute of Technology has proven that any eight-character password can be cracked in about two hours. It also proved that it takes approximately seventeen years to crack a strong twelve-character password. So the key rules here are simply:

1. Employees must have alphanumeric passwords of twelve or more characters.

2. They must change their password at least every thirty days and cannot repeat them.

3. Suggest the use of passphrases (IclimbedEverestin2000!) and prohibit storing passwords on computers or on sticky notes—though storing them on an encrypted flash drive is permissible.

4. Don’t reuse the password elsewhere.

5. Have both a log-in and screen saver password.

Most of the above steps can be enforced through technology. A typical Windows Group Policy can make sure that the passwords are a certain length, change frequently, are not repeated at a certain interval and are properly applied.
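An added example, not part of the original article: a Python check that compares the password settings in a `secedit /export` policy file with rules 1 and 2 above. The sample export text is constructed, and the readings of "cannot repeat them" and of a non-positive maximum age are assumptions marked in the comments.

```python
import configparser

# Thresholds from the article's rules 1 and 2.
MIN_LENGTH = 12
MAX_AGE_DAYS = 30

# Constructed sample of the text written by `secedit /export /cfg policy.inf`
# (real exports are UTF-16 files; decode them before calling the audit).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 0
"""

def audit_password_policy(inf_text):
    """Return findings where the exported policy is weaker than the rules."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the key names as exported
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return ["no [System Access] section: password policy not exported"]
    access = parser["System Access"]
    findings = []

    length = access.getint("MinimumPasswordLength", fallback=0)
    if length < MIN_LENGTH:
        findings.append(f"MinimumPasswordLength={length}; rule 1 needs {MIN_LENGTH}+")

    if access.getint("PasswordComplexity", fallback=0) != 1:
        findings.append("PasswordComplexity is off; rule 1 needs mixed characters")

    # Assumption: a value below 1 is treated as "passwords never expire".
    max_age = access.getint("MaximumPasswordAge", fallback=-1)
    if max_age < 1 or max_age > MAX_AGE_DAYS:
        findings.append(f"MaximumPasswordAge={max_age}; rule 2 needs 1-{MAX_AGE_DAYS} days")

    # Assumption: "cannot repeat them" is read as any remembered history at all.
    if access.getint("PasswordHistorySize", fallback=0) < 1:
        findings.append("PasswordHistorySize=0; rule 2 forbids repeating passwords")
    return findings

if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_EXPORT):
        print("FAIL:", finding)
```

Rules 3 through 5 (passphrases, no sticky notes, no reuse elsewhere, screen saver password) are not covered by these settings and still need training or separate controls.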


www.vtbar.org

