It’s a Jungle Out There

Paralegals manage e-mail in a dark, new world of spam, malware, confidentiality
and information overload.

By Dennis Kennedy

September/October 2004 Table of Contents

In Joseph Conrad’s seminal novel, “Heart of Darkness,” Marlow entered the belly of the beast in the African jungle, facing the evil of humanity in this unknown territory. Unprepared for what he was to face, Marlow’s trip through darkness ends in shock and dismay at humans’ capacity for malevolence. Learning by his example, for all those about to face the dangers of the technology jungle, preparation is key.

In many law firms, paralegals often are the venturers of today’s e-mail jungle. They often communicate directly with clients, courts, witnesses and opposing counsel. Paralegals increasingly are delegated everyday matters of e-mail communication that can have far-reaching results.

For every e-mail action, there is a practical question that must be answered. For example:

• “E-mail a copy of this document to the other side.” In what format? Should metadata be cleaned? What rights to edit the document should be enabled? Who gets copies? To whom can the recipient further forward the documents?

• “This message is privileged and confidential.” Does that mean you should handle it in a different way? If so, how? Does putting the same disclaimer on every e-mail message help us or hurt us? What about encryption or password protection?

• “Why can’t I find all the documents in the file in one place?” How do you create a central document repository without having access to everyone’s e-mail accounts? Should there be record retention policies? If so, should the lawyer give you guidance?

• “How did I send the client a virus?” “Why am I getting so much spam?” “Why can you find e-mail messages and I can’t?” The list goes on and the answers get even more difficult each day.

In the meantime, the number of messages you get each day continues to grow. It gets harder to find important e-mail among the spam, forwarded jokes, intra-office e-mail and the many messages carbon copied to you simply by being part of a case. The wave of e-mail reaches higher and becomes more urgent. You want to run away from your Inbox, but now the firm is giving you a BlackBerry handheld so you can receive your e-mail anywhere, any time.

Welcome to today’s world of e-mail. Some have called heavy e-mail users the “leading edge of the coming information tsunami.” If you, on the other hand, think it’s not so bad now, hold onto your hat for what will be coming soon.

How Real is the E-mail Problem?

Internet usability expert Jakob Nielsen has said, “Whether people get 10,100 or 1,000 e-mails a day, they all say the number they get is overwhelming.”

Spam has become a major problem for law firms and businesses. In recent months, as much as 70 percent of all Internet e-mail might have been unsolicited commercial e-mail or spam.

Of the spam that is received, an estimated 50 percent of these messages contain viruses, spyware or other malware (software designed to disrupt computer systems). The Federal Trade Commission recently backed away from creating a “Do Not Spam” list because such a list might benefit spammers more than e-mail users.

Experts also are beginning to believe e-mail is being asked to do more than its original intended purpose. Remember the days when getting an e-mail meant you were getting a short, informal, usually helpful message?

As computer users increasingly ask e-mail and e-mail programs to operate as document managers, record retention policy tools, collaborative discussion and drafting tools, message thread managers, security, confidentiality and encryption tools and even more, the humble e-mail tool begins to break down.

Seven Basic Goals of E-mail Management

There are at least seven goals of e-mail management:

1. Control the overall volume of messages

2. Make the most important messages the most accessible

3. Turn actionable messages into to-do items

4. Make messages findable

5. Minimize security and other dangers

6. Enhance your communications with others

7. Protect your client’s interests and avoid malpractice.

How many of these goals are you currently achieving? How many can you realistically expect to achieve and what are the consequences if you don’t? Your answers to these questions will vary depending on your particular situation because the use of technology and each person’s individual organizational structure is very personal in nature.

While keeping your e-mail management goals in mind, you should consider the following 10 Rules of E-mail Management.

Ten Rules of E-mail Management

1. Protect Your Inbox.

If you forced me to boil down all of e-mail management into three words, the phrase “protect your Inbox” would be it. What do I mean? Your Inbox, ideally, should contain only recently actionable e-mails. In fact, most of the time your Inbox should be empty, nearly empty or in the process of becoming empty.

The key concept is: An Inbox should be an Inbox, not a message repository, not a to-do list substitute, not a research folder and not a junk drawer. I once heard a lawyer admit to having more than 29,000 messages in his Inbox.

The Inbox is something you want to protect. You want to limit the amount of unnecessary messages coming into it. You want to move categorizable messages out of it and into appropriate folders, either manually or automatically. You can protect your Inbox before e-mail is sent to you, as you receive e-mail, as you store e-mail and believe it or not, when you send e-mail yourself.

When you limit the amount of unnecessary messages you receive, you deal with spam, security and volume issues. You can do so before e-mail is sent to you by using “non-work” e-mail addresses, not publicizing your work address and avoiding unneeded mailing lists or carbon copy lists.

You can combat unwanted e-mail as you receive it by using spam filters, rules that move certain messages directly to folders and “safe practices” in handling suspect e-mail, and when storing it, using a variety of folders and having a firm finger on the “delete” key. You also can protect yourself when you send e-mail by not responding to every message, not opening spam and resisting the urge to forward or “cc” extra people.

When you set up folders and subfolders, you allow yourself to move messages out of the undifferentiated mass of your Inbox and into appropriately named and organized folders. Rules and filters are tools I discuss in more detail later. If you use them wisely, your Inbox will contain only uncategorized messages, allowing you to focus on them and deal with or dispose of them quickly.

Finally, the term “protect your Inbox” becomes especially meaningful when you consider that e-mail is the most likely entry point for viruses, spyware and other malware. Poor protection of your Inbox all but guarantees security problems.

2. Never Reply to Spam Messages.

Spammers make a lot of money, and none of the ways they make money is beneficial to you.

First, they make money by selling lists of active e-mail addresses to other spammers. By replying to a spam message (even to request you be taken off the list), you have confirmed you have an active e-mail address and you will receive even more spam.

Second, they might make money by using identity and other information you voluntarily supply for nefarious purposes. This process is now known as “phishing,” but you can think of it in terms of identity theft or looting your bank accounts and credit cards.

Third, a spammer might be able to make money by allowing a virus maker to attempt to spread a virus through spam.

Fourth, spammers might actually sell products or find people willing to send deposits or other funds to Nigeria as downpayment. This happens in a surprising number of cases.

All these reasons have two things in common: They don’t help you, and replying to an unsolicited e-mail greatly increases your chances that something bad will happen to you. Don’t take the risk.

3. Never Click on Anything in a Spam Message.

Clicking on any link in a spam (or any other message, for that matter) might take you to a place on the Internet other than where you expect, launch a file or script you don’t notice, or install viruses, spyware and other bad stuff.

Clicking on links can take you to fake Web sites that appear to be legitimate Web sites, to Web sites that pull information off your computer or install tracking or other software, or do other things limited only by the imaginations of the bad people and the current security holes in your operating system. At the very least, clicking on a link will show someone you have an active e-mail address, priming the pump for you to receive even more spam.

4. Never Open a Suspected Spam Message.

Do you see a trend here? You want spammers to believe your e-mail address is not active. You also want to reduce the opportunity for an e-mail to load a virus or gather information from you. In certain unpatched versions or older versions of Microsoft Outlook and Outlook Express, for example, the simple act of opening an e-mail actually can open the attachments to that e-mail. In fact, in some cases, even viewing an e-mail in the “preview pane” can have the same effect. New attacks are being devised every day.

Usually, you easily can identify spam from its subject line. Simply delete it and go on. I go even further. If I have any doubt an e-mail is legitimate or if there is a blank subject line, I delete the message without reading it. In addition, a message with a subject line suggesting it was sent to you because a message from you contained a virus can safely be disregarded and deleted. If you actually send a virus to someone you deal with, he or she will call you.

5. Only Open Anticipated E-mail Attachments in Expected Formats.

The common advice on e-mail attachments is never open an attachment from someone you don’t know. While that is good advice as far as it goes, it gives you the false impression you safely can open attachments from people you do know.

Many common viruses work by gathering names from the address book of an infected computer and sending copies of the virus to those addresses. Today’s most malicious viruses appear to be sent by someone who has your information in his or her “contacts” folder or address book. Your biggest danger is more likely to come from an attachment from someone you know than from someone you don’t know.

Sometimes a message that doesn’t make sense will alert you to a danger, but that isn’t always the case. Open an attachment from someone you know only when you are expecting to receive an e-mail with an attachment. The other piece to the puzzle is to realize techniques are available to create file names that hide the true nature of the underlying files. For example, we now know files that end in the extension “.exe” or “.pif” are bad, but many people don’t know the “.exe” or “.pif” can be disguised so the file appears to be a common “.doc” or Portable Document Format file. Therefore, if you are expecting a PDF file from someone you know and you get an e-mail with an attachment that isn’t a PDF file, call to verify what has been sent.

6. Use Windows Updates, Antivirus Programs, Firewalls and Spyware Detectors.

E-mail is the biggest source of an entry point for viruses, spyware and other malware. Running antivirus software is essential, but it’s not enough.

Most computer attacks today exploit known security holes in Microsoft Windows. Although the time lag from discovery of the hole to the release of a virus that exploits the hole has dropped to less than two weeks, every major, highly publicized virus in the past few years has successfully targeted Windows security holes for which patches already were available. You can and should set up Windows to automatically search for, download and install critical updates. Hackers actually have taken advantage of Windows holes to disable antivirus programs.

A personal software or hardware firewall protects your computer from outsiders trying to break in and prevents information from being sent out of your computer without your knowledge. A hardware firewall takes the form of a router or switch, but requires careful attention to the setup instructions. Windows XP has a free software firewall built into it, but it’s turned off by default. Software firewalls, such as ZoneAlarm by Zone Labs (www.zonelabs.com), are highly rated and available in free versions. If you are not convinced, try one and see how quickly attempts are made to break into your computer and how much information is going out to the Internet from your computer.

Finally, many bad e-mails carry a combined payload of viruses and spyware. Removing the virus doesn’t remove the danger. Spyware is software that collects and sends out information about you, your passwords, your use of your computer, and other information. Trojan horses are programs that allow an outsider easy access to your computer. Keystroke trackers record all your keystrokes and send them to third parties. Spyware is a growing problem. The good news is two of the recommended spyware programs, Ad-aware by Lavasoft (www.lavasoftusa.com) and Spybot Search & Destroy (www.safer-networking.org/en/index.html), are free.

7. Use Folders, Filters and Rules Aggressively.

A great Inbox protection technique is to use folders, filters and rules to bypass the Inbox completely. If you don’t know how to create folders, a quick visit to the Help menu in your e-mail program will bring you up to speed in a few seconds. Create some folders that reflect your other types of folder classification schemes. You might have a “Client” folder, with subfolders for individual clients. You might have “Firm,” “Department,” “Newletters,” “Court” or other descriptive matter folders. Some people prefer to create “action” or “priority” folders, such as “Reply,” “File,” “Urgent,” and the like. There is no “perfect” approach, although reading David Allen’s excellent book, “Getting Things Done” (Pengum Putnam, 2001), might suggest a very effective approach to use as a model.

If all you do with your folders is “drag and drop” e-mail from your Inbox to the appropriate folder, you will accomplish a great deal. After a few hundred drags and drops, you might find yourself longing for an easier way. This is where filters and rules come into play.

Filters and rules (they are the same things, but different programs use different terms) are relatively simple computer scripts that automatically perform specified e-mail tasks. As a practical matter, you create them painlessly by using “wizards” in your e-mail program that walk you through the process. If you would like any e-mail from a certain individual or with a certain word in the subject line to be grabbed when it arrives and moved to a specific folder without ever appearing in your Inbox, just check a few selections, give the rule a name and apply it. The next e-mail you receive will skip the Inbox and appear in the correct folder. In Outlook, the number of new messages in each folder are indicated in parentheses and the folder name becomes bolded when there are unread messages.

If you use recent versions of Outlook, look for a menu option called “Organize.” It’s a stripped-down wizard that creates some of the most common rules, including “move to a folder.” If you have a highlighted message in your Inbox, you can use the Organize tool and it will grab the information it needs to set up your rule (e.g., sender’s e-mail address) and streamline the rule creation process. Even better, it asks you if you also want to apply your new rule to the messages already in your mailbox. If you say “Yes,” the rule moves all the old messages that fit the rule out of your Inbox and into the folder. You don’t have to find each message and drag and drop it into the folder. This tool can cut an overstuffed Inbox down to size very quickly.

8. Use a Heavy-Duty E-mail Program and Make Better Use of Advanced Features.

People use a variety of e-mail programs. Some are free. Some are simple. All will get the basic job done. However, in the law firm environment, remaining at the “getting the basic job done” level is a classic example of being “penny wise and pound foolish.”

I recommend moving to the high-end e-mail packages and the newest versions. These include Microsoft Outlook/Exchange, Novell’s Group Wise, Eudora Pro, Netscape Mail, Mozilla Thunderbird, and, in certain cases, IBM’s Lotus Notes.

Why? Control, management, flexibility, power and built-in safety features. You want to become a high-level e-mail user. You can’t do that without the adequate tools. The professional programs allow you to create rules and filters that will sort and move your mail to folders on arrival, view mail in ways that work for you and create mailing groups. They also flag and set reminders on e-mails, convert them to to-do and calendar items, customize your spam filter rules and block dangerous attachments or hidden programs.

E-mail is a better and safer experience with the high-end tools. One caution: Be careful with older versions of these programs. They might not be supported, have known security holes or lack updated features.

9. Become an Artist With Your Subject Lines.

Make good use of the subject matter (or “re”) line of your e-mail messages. Give a good, concise summary of the content of your message to help people assess the priority of your message and locate your message when they need it later.

Compare an e-mail with the subject line of “Depo” with one that says: “List of Proposed Questions for John Smith April 15, 2004 Deposition (NEED COMMENTS BY FRIDAY).”

You might also find adding the phrase “No Response Needed” will help you by reducing the number of “OK” replies you receive.

Today’s spam filters also place a premium on well-chosen, well-crafted subject lines. Lack of a subject, capitalization or use of certain words can trigger many spam filters and keep your message from successfully making it to your intended recipient. In fact, this spam filtering problem has grown to the point where many people call to make sure important e-mails have been received.

Another benefit of great subject headings is you easily can track and collect all the messages on a certain topic. Never send e-mails with blank subject lines.

10. Use Your Delete Key With Gusto.

Unless there is a specific policy in place at your firm, there is no reason to keep every single e-mail you receive, legitimate and spam, forever. Delete what you don’t want and you will feel better. The first step in dealing with my Inbox each day is to go through and delete everything I can before I open the first message I want to read. It’s therapeutic and it lets you see what you have.

Other Key Issues to Consider

The Internet is now a different, more dangerous place than it used to be. If you don’t pay serious attention to the changes that have happened and continue to occur, it will be a miracle if you avoid serious problems as a result of your or your firm’s e-mail practices. Unfortunately, as frontline e-mailers, paralegals increasingly are being placed in shaky situations. However, there are several steps legal assistants can take to make sure they don’t inadvertently place their firm in danger.

Training. Firms historically have assumed everyone knows how to use e-mail. Serious e-mail training is relatively uncommon. It’s quite reasonable to ask for advanced training on your firm’s e-mail program.

Confidentiality disclaimers. Because of client confidentiality agreements, law firms must practice extremely safe computing and safe e-mailing, especially since so much of law firm work and client communication takes place via e-mail.

Many firms think confidentiality disclaimers at the bottom of e-mails cover client confidentiality agreements. Think again. These disclaimers automatically are placed at the bottom of every e-mail, even the ones you send to say at what restaurant you will meet someone for lunch. If your firm is faced with a question of confidentiality and privilege in court, a judge might notice you attach the same confidentiality label and disclaimer to the bottom of every e-mail and disregard their validity as a result.

A better option is to conspicuously label only selected messages with the words “CONFIDENTIAL/
ATTORNEY-CLIENT PRIVILEGE” at the top of the message and either encrypt or password-protect attachments to those messages.

Pornographic spam. Finding a mountain of image-laden, hardcore pornographic spam in your Inbox is embarrassing, distressing and demoralizing. It’s also likely to be a symptom of a bigger cultural problem your firm must address before it leads to major repercussions.

I guarantee the presence of pornographic spam in your Inbox means people in your office have either been using office computers to visit pornographic Web sites or indiscriminately opening pornographic spam and clicking on links. The common result is spammers send what is known as “domain-spam” (a salvo of spam) to every address at your firm.

Opening these messages and visiting these sites are ultra-high risk practices. It increases the volume of spam you receive and the likelihood your firm will suffer from viruses, spyware and other security risks, in addition to the possibility of public embarrassment (or worse if child porn is involved). You must insist management deal with this issue immediately and forcefully by instructing everyone at the firm of its dangers and consequences, emphasizing the applicable requirements in the firm’s acceptable Internet usage policy and following up with individuals as appropriate.

Again, I can’t emphasize enough that in today’s e-mail world, if you have frontline client contact, it’s likely this internal behavior will have external consequences for you rather than the individuals at fault.

Facing the Darkness

There probably are many more e-mail issues today than you ever imagined. The good news is you can significantly improve your handling and management of e-mail, use inexpensive tools to address many of the major problems, and drastically reduce spam problems and related security dangers by using the ideas and suggestions in this article. That statement comes with a money-back guarantee.

However, the bad news is, despite what you do individually, practices at your firm can put you in very difficult, embarrassing and career-threatening situations through no fault of your own.

If you work at a firm that tolerates risky e-mail practices, takes a cavalier attitude toward serious e-mail issues, ignores your concerns and fails to implement procedures and guidelines, your wisest move is to polish up your résumé and leave before the inevitable disaster occurs. Otherwise, roll up your sleeves and get to work on reclaiming e-mail from the spammers and other bad actors. You must be careful out there.

Beat Inbox Overload

• Become as well-informed as possible about current issues, trends and developments. You might have noticed I didn’t define the term “metadata” in this article. It was a little test. If you are not aware of what it is and what the problems are, you need to start your homework lessons immediately (see “Creative Computing” on Page 34 of this issue).

• Accept the burden of educating your employers and colleagues by constantly raising important e-mail issues and formally requesting policies and procedures. There are worse things than being known as the “security gadfly.” It should be obvious by now that your clients share in the risk of unsafe e-mail practices. There is no question law firms will respond quickly to “suggestions” made by clients. If you can enlist the aid of one or more of your client contacts, your concerns will receive a better hearing.

• Refuse to fly solo on the big issues. Request specific instructions and sign off on important e-mail issues such as metadata, encryption, passwords and the like. The best approach is to make the effort to keep everyone informed — circulate articles, give people information about available tools and share different options.

• Be a role model, especially for your children. Most people have good intentions to stay safe on the Internet, but they don’t know how to do it. Let people see your better ways of doing things. Show them the problems and the solutions. Most important, don’t pass risky e-mail behavior genes down to your children. We are all in this Internet thing together. Do what you can to help clean up the mess we are creating for our kids.

• Commit to three doable, concrete actions you can and will do today. Create some folders. Learn how to create a rule or two. Start deleting spam without reading it. Get a copy of Dan Appleman’s “Always Use Protection: A Teen’s Guide to Safe Computing” (Apress Publishing, 2004) and share it with the attorneys you work with. Make sure your computers are current on upgrades, virus definitions and other security tools. Learn the symptoms of virus or spyware infection, especially for the most common problems. If you are ambitious, try to clear your Inbox completely just to see what it feels like. Make a list of the four or five biggest e-mail concerns you have and ask how your firm is addressing them. Talk to your colleagues in other firms to find ideas that might be working or to share your concerns.

Rethink Your E-mail Practices

Many people and organizations continue to use e-mail in ways that are based on assumptions that no longer have any basis in reality, if they ever did.

Replace your current assumptions about e-mail with the following seven assumptions that more accurately reflect what is happening today.

1. There is no requirement to open, read or reply to every e-mail message you receive. In fact, you no longer need to see every message.

2. You no longer are obligated to reply instantly to every e-mail message and there is no longer an expectation that you will do so. Savvy e-mail users understand your e-mail management issues. They will expect that you reply in a timely fashion to high priority or time-sensitive e-mails. If they want an immediate response, they will call or use instant messaging. Many people explicitly discuss expectations about responses at the initiation of the relationship.

3. Spam is a security issue best addressed by managing behaviors. Combine an aggressive spam-filtering program with risky behaviors and you risk viruses, security problems and blockage of good e-mails.

4. Used properly, your Inbox will be empty or nearly empty most of the time.

5. E-mail and e-mail programs are increasingly used for purposes for which they were not originally designed and are proving to be inadequate to meet the demands now being placed on them. On the current path, things are likely to get worse.

6. The perfect solution is not even in the realm of possibility. Good, solid solutions that can be implemented quickly are far superior to extended efforts to find the “best” solutions.

7. Unless you become an aggressive agent for change, e-mail practices in your firm are unlikely to improve.

Dennis Kennedy ([email protected]) is a computer lawyer and legal technology consultant based in St. Louis, Missouri. His blog at www.denniskennedy.com/blog covers legal technology and technology law topics and is one of the earliest and most popular lawyer blogs.