Q: Give us a little background about yourself starting from when you entered law school.
A: I went to law school at Vermont Law School and received a general practice education at Vermont. I interned at the attorney general's office and the city counselor's office, where I was involved in a wide variety of criminal work and some AmTrak research back in the early 1990's. After law school I worked for The Foreside Company, an import company, importing products from China, Indonesia, and India. And, at that point, I started getting interested in technology because myself and two techies at The Foreside Company started to collaborate on a development of what was called a calculator to evaluate the cost of something moving from India to the United States. I started to appreciate the value of technology in making processes more efficient and understandable.
Q: Where is the company located?
A: The corporate office is located in Westbrook. I was at the corporate office for about a year and received a good grounding in international affairs and international trade. I then went to work with my father for three years and did a general practice, located in Portland and Buxton. Most of our clients came from the rural areas.
I spent more and more time evaluating software programs. Again it's a theme to see how technology can create more efficient methods of operation. And I enjoyed that process as well as some of the business development.
Q: Did you introduce computer technology to the practice?
A: I did.
Q: What specifically did you introduce to the practice?
A: We took a look at Time Matters and Amicus Attorney, two programs that do a lot to eliminate the input of data more than once. You enter information into a computer program and then it can automatically generate documents, remind you of appointments, and schedule your depositions. The program may know statutory deadlines and schedule services to be within so many days of deadline. So, you have an automatic reminder system. From a malpractice perspective it's a good check on human frailties.
Q: After you worked with your father, where did you go?
A: I went to the law firm of Bernstein Shur Sawyer and Nelson, a large firm in Maine. I went there because I wanted to get the feel for a large firm. I had the ability to focus in on certain areas of the law that is hard to do in a small firm because in a small firm you are focusing on managing the systems, marketing, meetings, and management compensation, spreading your time very thin. I went to Bernstein and very much liked the attorneys I worked with. I was involved in commercial real estate and estate planning. I had a fairly broad exposure to large transactions there.
But I continued to watch the progress of, not just computer technology, but the internet and how that was going to play a role in the future. I was invited to serve on a panel midway through that first year at Bernstein for the Maine State Bar Association on the future of law. And that was the pin that really kicked off my interest because I started doing a lot of investigation into where the law would be going.
In my research I discovered that law firms were developing compliant software, software that took institutional knowledge in the lawyer's head and put it into a checklist that was captured on a piece of software. Law firms in Australia were creating software compliant with a particular law or regulation and installing it into a company's hard drive or systems so the company had that information. The company didn't have to keep calling the attorney. They now had something that would prompt them automatically what to watch out for, more or less. It was called proactive lawyering.
Q: Do you mean that a company would contract out from a law firm for this software?
A: They would have the law firm come in and act as a software developer/lawyer developing compliant software or systems software which tracked certain regulations. If it were telecommunications, for instance, it would be software that made sure that everyone in that company complied with the different telecommunications regulations that were out there. You can understand, that this was as opposed to having a lawyer spending an hour or two hours every month or two explaining what the complexities were. Now you had the software that could guide you through "have you done this, have you done that." It took this whole concept, which intrigued me, of helping the client before there is a problem. And there's a real push toward proactive lawyering for the vast group of people who may not be able to afford a lawyer consistently through the life cycle of a business.
Q: You left Bernstein Shur recently. Why was that?
A: I left Bernstein at the end of December 2000. I've discovered that I really want to have some control over my future and my ability to make decisions about how my business may be run, much as the way my father has practiced as a sole practitioner all his life. So, I think I certainly have the entrepreneurial bug that's not letting go. I left Bernstein because I saw some opportunities to forge ahead on my own with a few other partners and because several laws are going to have a profound impact on the way business is done in the future.
Q: What are those laws?
A: The e-sign law (Electronic Signatures in Global and National Commerce Act), dealing with electronic signatures, is one; and the other one is called UETA (Uniform Electronic Transactions Act). Those two and a few other ones now essentially say a contract is valid, even if it is signed electronically, and that it can't be prohibited from being valid solely because it has been electronically signed and stored. So not only can you now have transactions that are electronically signed but you don't even need to print out a transaction, so long as it is in an electronic format and it can be accurately reproduced electronically.
There are four main elements with which the legal industry and the technology industry are going to evaluate this e-commerce. The first element is authentication. Who signed? Are they who they say they are? Second, data integrity. Has the document changed since it was first signed? How can you best save a document without it being manipulated? And there are ways to evaluate whether information has been changed online. Third, confidentiality. Can you trust that the document has been disseminated only to those who should receive it? Fourth, interoperability. Are the standards consistent? If we don't have common methods of transferring data, for signing documents, and for storage, then our ability to use that electronic ecosystem is diminished. The use of different methods doesn't encourage people to gravitate into that world.
And, so now we have something pushing the economy. It's taking paper-based transactions into an electronic world, which can create all sorts of efficiency for processes where you can do things by the simple click of the button on the computer. And, all of a sudden, you have shaved off a week, two weeks, three weeks, in getting information/documents out.
You have these laws driving business transactions onto the internet. The problem now is that you have a lot of information out there in the internet that usually is private information. It hasn't been information that you can easily access. We're going to have two pressures: pressure to take advantage of the tools of technology and pressure to protect and make private all that information.
Q: Are you referring to privacy as it relates to information about an individual?
A: Yes. To make it as simple as possible, when you go to your doctor you want to make sure that any information you give your doctor is kept private; however, doctors are going to start sending information over the internet, because that is the way economy is pushing. How do we keep that information private?
And there are a couple different laws concerned about privacy. One is called HIPAA (Health Insurance Portability and Accountability Act), which is concerned with how we make appropriate information available to our doctors, how the doctors take information from us, the patient, how the information is put in to their computers, and then how that information is transferred to insurance people or other service providers electronically while still securely preserving that data. So, now we have a law that has just been passed, and no standards have been set. The U.S. Department of Health and Human Services has now instituted rules that give the healthcare providers two years to put into place privacy protections regarding personally identifiable information sent over the internet. Anyone who is a healthcare provider has to ensure the privacy of any information that relates to past, present, and future physical or mental health care of an individual.
Q: Are two years enough time to implement the privacy protection?
A: You hope so. The technology exists. It's there. It's just a question of whether people are aware of the two-year window. The larger providers know, but the smaller provider doesn't know this. Our personal information is out there floating around the electronic world. And, how many of us understand what that means?
Q: Someone could steal your identity?
A: Exactly. That's very scary. I see the opportunities, such as reduction of paper; but, you can also see the dangers. And, clearly, there could be disasters.
How do we keep that information private? We do that through the use of written policies saying that only this person or that person has access to a certain type of information; but, we also start to introduce technological tools. A healthcare provider will have to ensure that the computer data is stored and protected by firewalls, most likely what they call hardware firewalls, as opposed to software firewalls. And that information, when sent electronically to someone else, say, a large insurance company, will have to be encrypted.
Q: When I hear the word encryption, I think code.
A: Exactly. What one needs to do is to figure out some way to transfer data over the internet that people can trust and know that the information is secure, is protected. No one can access it and find out what it is, because we all know that if people can access it, they can put it over the internet. And, who wants to have their personal information put on the internet. And, so we have the healthcare field that is really driving this, because over the next two years you're going to have mandated criminal penalties and civil monetary penalties imposed on people who inadvertently or purposefully release personally-identifiable information on the internet.
So, now we have e-sign and we have electronic laws that allow us to transfer data on the internet. We now have privacy laws coming in and saying, but if you do that, you've got to have everything protected. This means that we have a huge demand for people who understand the laws, on one hand, and the technology, on the other hand. Who can understand the laws? Who can understand the technology enough so that we can make sure that the laws and the technology somehow work together? We marry those two disciplines.
Q: Don't you think there will always be a way for hackers to break in, if they really want to? So, privacy is what, 98% risk-free?
A: Anyone can break into a building, and they may have very little time to get information before the alarm starts going off. Nothing is risk-free.
Q: So what is the remedy for somebody whose privacy is exposed or violated?
A: Most likely, criminal penalties will be introduced for the disclosure of privacy information. They're starting to do this in Malaysia. If you hack into someone's machine, or if you inadvertently or purposefully release information that's not supposed to be released, then you're going to face criminal penalties and monetary penalties. There's nothing you can do once the information has been released. Hackers are out there.
Q: How do you find hackers?
A: There are all these backend audit logs where you go into computers and you start to follow the IP (internet protocol) addresses. So, there's a way to do it. But people can camouflage their presence. It's not a foul-proof method. What the laws are saying is that you've got to introduce commercially reasonable methods of protecting people's information.
And the challenge of the next two to five to ten years is what's commercially reasonable because every six months or every year the standard is going to change a little bit. The standard will rise because what was appropriate technology twenty years ago is going to change. So, you've got a bit of a moving target
Q: What do you see as your role in all this?
A: I see myself and Jon Stanley, an attorney from Cape Elizabeth, Maine, as well as some other security people, in a role explained by an analogy I'm using these days. You've got the turbulent waters in the middle of a river. There are danger points. You've got the techies on the one side; they understand what the technology is. You've got the lawyers on the other side of the bank, and they understand the laws. Very few techies understand the law and very few lawyers understand the technology. And, so where I see us positioning ourselves, again, with a lot of education and continual monitoring of the laws and technology, is in a place where we are able to serve as the translator. They're very different languages. Somebody has to be able to translate those two languages back and forth, so you can somehow get over those rapids, over those danger spots. What's going to be happening over the next five years, the security people, able to understand technology, will create the standards for protecting information. And, so we say that this is the standard. And what happens after that? The lawyers are going to come along and they're going to have to validate that standard and say that standard is appropriate to use in protecting information.
Q: That becomes the commercially reasonable standard?
A: Yes. And it keeps rising as it needs to because our computers become stronger and people become more sophisticated. It's a very interesting paradox, because you're interjecting technology into a process that never has had it. For example, where you used to have a storage of documents in a safe with signatures signed, you now are going to have contracts that are digitally signed with some type of technology and with some type of verification of who that person is. There is something called public key infrastructure. Each person has his or her own private key, which is a way to identify oneself to other users on the internet, essentially one's own little private password used to sign documents. The people out in the world of the internet will have a certain tool or key to verify that someone signed the document. People somehow need to verify who sent the document and ensure that it wasn't changed en route.
So, if a lawyer is presented with a digital document, signed and stored someplace, how will the lawyer be able to take a look at that document and figure out who signed it, whether it's stored correctly, whether the terms are authenticated, whether the document changed in any way, and whether the document complies with the various standards that have been promulgated in the last couple of years? It's going to be a task beyond the ability of a lawyer to answer because it is not his or her discipline. So, lawyers are going to have to add something to their repertoire in the future, the ability to understand a certain amount of technology so that they can evaluate a digital document.
What we're hoping to do is pull together people with techie experience and the legal experience so that they can work together in harmony, because without that harmonization there is no way we can do this alone.
Q: You talked about the documents being stored somewhere?
A: There is a company called ENC in Boston, one of the largest, if not the largest, digital storage company in the world. When you have a lot of information on your hard drive, companies like ENC will store the data on its service, basically electronic cabinets. The company has a lot of redundant backups. If one server goes down, there is something to support it. So we have a continual source of backup to keep things going so that you don't lose any data. Companies like ENC have taken the role of the large storage houses.
Q: Do you put an order through to them to send out certain documents to someone?
A: Right. Ultimately what you need to do is to take a document that has been signed on the internet and you need to take that document off the internet so that it is more protected, because anything available on the internet is receptive to being manipulated. You take it off the internet and put it on a server off line, and those servers are the new storage places of the world.
Q: How is this technology going to change the everyday law practice, such as the interaction of the courts with the attorneys? What's your vision?
A: My vision is already taking place in different parts of the country, and it will take place here. The vision is e-filing. What it means is that any document that you need to send to the court, you won't need to print out if it is already in your hard drive. A brief, a deposition, or just a letter you can send electronically, like you would send an email with an attachment. You'll send that to the court, and the court will receive the electronic document.
Q: What about signatures on those?
A: With respect to the lawyers, what they have done in other parts of the country is give each lawyer a password. It may be related to your bar number. That's your signature. And so you send it to the court. By and large that's O.Mk. These are public documents, and lawyers have a chance to evaluate the documents. They have close control over what's happening.
Q: What states?
A: Colorado, California, Utah, New York, Florida, Georgia. There are a good fifteen or twenty states and probably more.
Q: What about the federal court system?
A: The federal court system is going very much in this direction.
There are some challenges. What do you do about signatures? How do you submit documents that were signed on paper? And, those are going to have to be submitted the normal way. What my hope is, is these systems will allow computers to talk to each other, so when a computer sees an electronic document coming in, the computer will know where the document is what they call "tagged" appropriately. The document will automatically be routed to the appropriate party and information will be saved from that document and go into the system.
One other interesting facet of e-filing is something called practical obscurity. Many of the legal documents are public. People come to the courthouse and ask to see those documents. Now with the internet and all this e-filing, these documents will be available to anyone who wants to see them with just the click of a button. So, there is some concern by the federal courts, and I'm sure the state courts and lawyers, as to the efficiency part of this whole thing. You may need a password to get into the system; and there are different vendors selling different solutions, which is not the best scenario.
There's a discussion going on now that maybe some of this information shouldn't be all public. Let's cross out social security numbers. There's a lot of information out there we don't want to make public. There are a lot of dynamics going on in this area. My concern is that the best thing we can do in terms of all these different areas, but particularly the e-filing part, is develop standards that are consistent across the country. And there are standards being developed.
Q: Is there a committee developing consistent standards?
A: There are committees, XML committees and e-filing committees; and they're looking at different ways to make sure that we're all interoperable, which means that we can all communicate with each other. And digital signatures will change and become biometric (e.g., a thumbprint or a scan of your retina). So, when we start drafting laws we need to make the laws flexible enough to encompass changes in technologies but make the laws specific enough to provide some measure of dependability. It's a challenge because we've got to figure out what's a common method of signing documents in this world now but allow some flexibility for what it's going to be five years from now, because it certainly with be different.
Q: What you are talking about now is state of the art technology. When is it going to be the way things are?
A: I don't know when that will be. The techies don't know what it's going to be like, because we can't envision that.
Q: So, we're learning as we go?
A: We're very much learning as we go. There is very little case law on this. The challenge for us is as the standards change, as the technical people see those standards change, the lawyers will react to those standards. There is going to be case law regarding the new rules and new regulations that develop nationwide and worldwide; and all these standards are going to be tested by the courts. It's a whole new discipline. There is a vacuum in this area for people who are willing to understand the technology and take the time to learn it, both lawyers and technologists.
Q: If someone in law school wants to get involved with this, what do you recommend the person do?
A: The more a person knows about technology, the better. A lawyer these days just can't know about copyright, trademark, and patent law. He or she has got to understand the mechanisms for transferring data. How do you transfer information from one computer to another? What are the different methods to ensure privacy? There is a lot out there and I have no idea how it's going to be resolved; but, the lawyer of the future needs to have a real good grasp of systems, much more than I certainly did when I went to law school.
Q: How else will a lawyer be affected by this new technology?
A: We haven't even talked about discovery. Discovery is a HUGE issue these days, digital discovery, because in the olden days we had all this paper that was around. In the future, as information is stored in one's computer, it can be organized and searchable. One can put out a search that says, for instance, such and such a party or issue on the Smith case. One can ask to do discovery and a search of emails. When those systems were set up, were they set up in contemplation for discovery? Probably not, because email systems were set up by technicians. There may be a role for attorneys to help security people set up their systems to either provide for discovery or protect information that someone would want protected.
That whole area of discovery is a new area that the judges will have to understand. And you, as a practitioner, don't want to ask a technical question during the deposition or during the discovery period that may preclude you from getting certain information. A lawyer may not feel very comfortable asking how data was stored and how it was transferred and where it was saved without having some security person with him or her to coach through the process.
Q: You need an expert?
A: Security people will be the expert witnesses of the future.
Q: How do you prioritize and decide where you want to go?
A: For me personally, it is enormous. The one thing I think my colleagues and I have going for us is that this is an area that has to have specialization. You have to say, "I'm going to study the technology behind digital storage and digital signatures." I'm not going to know it the way the security guys know it, but I need to know what they're talking about when they say encryption, when they say algorithms, when they say firewalls. I need to understand that. The other side of this area is that there are certain laws out there that need to be studied for anyone who is evaluating online commerce. E-sign, UETA, HIPAA, GLB (Gramm Leach Bliley Act), which has some of the same privacy protections as healthcare within the financial industry. There is some consistency with all these laws at this point because there are only a certain number of methods of signing documents and only a certain number of methods for encryption that are well-recognized.
Q: What else should a lawyer be aware of?
A: We don't realize that anything that is sent from our computer can be read by the ISP (internet service provider). That information can be seen. And anyone who has any capabilities at all can read your email, if it's not encrypted, if it's not protected. We've got privacy rules with respect to healthcare and financial services. Law firms? Sometime in the future, I think so. If you start to see the discovery and you see the emails between the lawyer and the client and maybe somebody they are negotiating with, you can go back and see the revisions, the comments that were made. It's fairly hard to delete things from your computer. What you can now do more than you could ever do before is to see what was behind those documents, the thought processes behind them. Those things stay in your computer. As opposed to throwing out all those paper documents, you have a huge audit trail in that computer that can be tracked.
Q: Any advice to attorneys who email clients?
A: They're going to want to be very careful. They're going to want to introduce some method of encryption when they send things. And that is not considerably difficult. There are programs out there. PGP (Pretty Good Privacy). There is a program you can download from the internet.
What does it mean to encrypt a message? You have the statement, for example, "This message is from Joel." You hit the crypt key and you get gobbledygook; but, when you hit the encrypt key, the message comes back in front of you. When you send something over the internet, it could go to someone else. I think the clients have a right to expect that the communication is going to be private. And I think that the legal industry is certainly lagging in recognizing that this is an important and serious issue. I would advise people if they have the systems people in house to investigate encrypting their emails and making sure that they have the appropriate firewalls.
Q: Are the insurance companies going to become involved?
A: Yes. The insurance companies are going to be a major player in this. Malpractice insurance for lawyers? The insurance companies are going to ask what kind of firewalls and what encryption technology you have.
Q: Do you have a favorite book on the topic of electronic technology?
A: The Future of Law, by Richard Susskind. He is a real leader in envisioning the future of law and is in London. Secrets and Lies, by Bruce Schneier, is dumbed down for nonsecurity people and is still a challenge. Schneier is a leader in e-commerce economy.
Q: People, like you, are going to have to teach the rest of us.
A: It's such a sea change. There's no common method. And, the judges will have to know.