Old Computer Security Lessons from New Electronic Discovery Stories

Bob Ambrogi does a nice job of summarizing the recent story about issues arising out of Microsoft Outlook, security patches, LexisNexis’s Applied Discovery tools, and the ability to see or not see certain data in certain instances. It’s an important story from a number of angles.
First of all, the response letter of Scott Nagel of Applied Discovery is required reading to provide a context for the story and deserves to be as publicized as the original article. There is a big difference between email that is erased and email that is unseen, but still exists and is easily recoverable. The devil is always in the details.
It’s important to get the full story and all the facts out. Too often, I hear stories about flaws in software programs and it turns out that the real issue is “operator error.” In other cases, there may be problems in the software. In other cases, problems arise because of odd configurations, outdated programs and computers infected with viruses and malware.
I have no basis to form any opinion on this story involving Appllied Discovery and will wait until the investigation concludes before making any judgments. My point in this post lies in a completely different direction than the substance of the Applied Discovery issue.
I do, however, want to make one very important point. As both Nagel and Craig Ball point out, Microsoft released patches for what seems to have caused the glitch or problem perhaps as long ago as in 2004.
With zero day exploits becoming more common, it is just plain crazy for law firms (or anyone else) to be running versions of Windows and Offices that are not current on security patches. As a quick example, read this article I found today called “Hackers hunting for unpatched Microsoft computers.”
In the last week alone, there have been a good number of critical security patches for both Windows and the Mac OS.
If you or your firm is not installing critical security updates, you are not only inviting and begging for attacks, you have also highly increased the odds that your computer has been compromised with malware. Having some apparently readily-resolvable e-discovery problems may be the least of your concerns.
The cavalier approach to security updates referred to in these stories causes me much more concern than the e-discovery angle of the story.
I wrote the concluding chapter to a book on information security from the ABA called “Information Security for Lawyers and Law Firms.” I closed the chapter and the book with this quote from computer expert Fred Langa:

Just as drivers who share the road must also share responsibility for safety, we all now share the same global network, and thus must regard computer security as a necessary social responsibility. To me, anyone unwilling to take simple security precautions is a major, active part of the problem.

I’m not sure how much longer we can tolerate having share the Internet with law firms who are years behind in installing security patches. I’m also finding it difficult to muster much sympathy for them when they run into problems that appear to stem from these lax practices.
Rather than over-focusing on the Applied Discovery story, you might better spend your time with a trip here, after a stop here.
[Originally posted on DennisKennedy.Blog (http://www.denniskennedy.com/blog/)]
Learn more about electronic discovery at Dennis Kennedy’s Electronic Discovery Resources page.
Technorati tags: