Spam Control Without Loss of Control

The legal profession, arguably more than others, faces very specific risks when it comes to spam.  For the firm, bottom line dollars are lost in hours of unproductive time, tracking down lost e-mail messages and deleting unwanted e-mail.  But even more important than productivity issues, even in a business where billable hours are the bread and butter, are the liabilities inherent in spam and the ramifications of how to handle or not handle e-mail traffic.

Spam is, by definition, unwanted e-mail solicitation, and it is ubiquitous.  As employees begin looking to their organizations to protect them from offensive material, firms need policies in place, and mechanisms to support those policies, that safeguard staff from provocative and offensive material.  Allowing your employees to see or to send this kind of material opens the firm up to potential suits.  This type of risk is avoidable if handled proactively with a well-thought-out and communicated e-mail policy.

Spam is more than a cost or productivity issue — it has legal ramifications that mean it cannot simply be ignored — and it can come to you anytime from anywhere.

Consider This
Spambots crawl around websites “stealing” e-mail addresses.  If you expose a client’s e-mail address, and that client subsequently suffers consequent loss, are you liable for that loss?  And apart from any financial loss, what about the cost to your reputation?
The use of spam zombies delivered by trojans has proliferated.  If such malware were successfully installed on your system, you could be sending out spam to strangers and customers and clients without knowing it.  And you are immediately liable under tort.

The most obvious risk is that you can be held liable for any offensive material that could be viewed on your systems, and it is no longer uncommon for staff to sue their employers.  A law firm being sued by its own staff — who could include some of its own lawyers — could be very damaging.

But there is potentially an even greater problem.  Tort is rearing its head.  The general consensus is that this is a time bomb waiting to explode:  you could find yourself liable for any action or inaction that causes loss to a third party.

It is clear that spam is a problem that is ignored at your own peril and that law firms have more to lose than money.  You might be inclined to believe that the installation of anti-spam systems to protect yourself or the delegation of the responsibility to a third-party managed spam service provider (MSP) will be sufficient to mitigate your liability.  But for the law firm it’s just not that simple, and it is vital that the correct anti-spam methodology is chosen.

The Problem with Blacklists
Most anti-spam systems rely on a list of banned domains used by known spammers.  Mail from these sources is blocked and discarded.  If you use some form of managed spam service, this list, known as a blacklist, is maintained by a third party, and e-mail from listed sources is simply discarded.  The problem here is that you probably don’t know who is on that list, how they got there or how they get off.  In fact, the blacklist may not even be maintained by your spam filtering company, but may be some other list simply “used” by them.  And you should question your trust of a third party over whom you have no control.

This is not an academic problem.  In June 2003, BT Openworld (now BT Yahoo), one of the UK’s largest ISPs, was placed on the widely used Distributed Server Boycott List (DSBL).  During the blacklist period, anyone using BT Openworld as an ISP was unable to have e-mail successfully delivered to any company via a managed filtering system incorporating the DSBL.

Liability and Blacklists
Now apply this situation to your organization.  What would happen if a case were to be lost or thrown out of court based on instructions sent to you that you (via your spam filtering company) discarded without reading?  Who would be liable for any consequent loss?

Some filtering companies are seeking to make liability very clear.  In a statement to the Federal Trade Commission (May 2003), John W. Thompson, Chairman and CEO of Symantec, stated: “We believe that any legislation to reduce spam should include some relief from liability for filter providers.”  In other words, some filter providers are trying to enshrine in legislation that any liability for their actions should fall on you rather than them.

At the same Federal Trade Commission hearing, Alan Murphy of Spamhaus declined to say which ISPs were using its blacklist and, citing current litigation, would not reveal what procedure is used to add addresses to it. 

In other words, you are allowed to know nothing about some of these blacklists; but it’s your liability if anything goes wrong.

Protecting the Integrity of Evidence and Attorney-Client Confidentiality
In most cases, an MSP will alter your e-mail exchange (MX) records, diverting incoming e-mail to their servers where they are examined for spam content or sources and forwarded to you, quarantined for further inspection, or discarded.  The moment those records are changed, you have lost control — and while this may be fine for some organizations, it is not acceptable for a law firm dealing with paper trails on which the success of entire cases may rest.
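
A check a firm could run over its own zone data to see whether inbound mail is routed to hosts outside its control, as the paragraph above describes. This is an added example, not part of the original article; the zone contents and the names firm.example, notfirm.example and filter-msp.example are constructed, and the parser assumes simple one-line MX records.

```python
# Added example: constructed zone data; all domain names are hypothetical.
ZONE_BEFORE = """\
$ORIGIN firm.example.
@      3600 IN MX 10 mail              ; relative name, expands to the origin
@      3600 IN MX 20 backup.firm.example.
"""
ZONE_AFTER = """\
$ORIGIN firm.example.
@      3600 IN MX 10 mx1.filter-msp.example.
@      3600 IN MX 20 mail.notfirm.example.
@      3600 IN MX 30 Mail.Firm.Example.
"""

def parse_mx(zone_text):
    """Return sorted [(preference, absolute lowercase host)] for each MX line."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]               # drop zone-file comments
        fields = line.split()
        if len(fields) > 1 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        upper = [f.upper() for f in fields]
        # The type field is never first (an owner may itself be named "mx").
        i = next((k for k in range(1, len(fields) - 2)
                  if upper[k] == "MX" and fields[k + 1].isdigit()), None)
        if i is None:
            continue
        host = fields[i + 2]
        if host == "@":
            host = origin
        elif not host.endswith("."):
            host = f"{host}.{origin}"             # relative name
        records.append((int(fields[i + 1]), host.rstrip(".").lower()))
    return sorted(records)

def is_controlled(host, owned_domains):
    # Match on a label boundary: "notfirm.example" must not pass as "firm.example".
    return any(host == d or host.endswith("." + d) for d in owned_domains)

def external_mx(zone_text, owned_domains):
    """MX targets that sit outside every domain the firm itself operates."""
    owned = {d.rstrip(".").lower() for d in owned_domains}
    return [(p, h) for p, h in parse_mx(zone_text) if not is_controlled(h, owned)]
```

Any non-empty result from `external_mx` means mail for the domain passes through, and may be stored on, a host the firm does not operate.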

Additionally, it is highly likely that outsourcing spam filtering will violate attorney-client confidentiality agreements.

And how can you guarantee the integrity of documents stored outside your firewall, particularly if that storage space is randomly selected by a hacker for his playground of the day?  It becomes far easier for an adversary to query the validity of any electronic evidence your firm may be relying on.  Law firms are caught in a modern-day “Morton’s Fork” wherein their tactics to outwit the spammers may cause them harm.  They cannot ignore the problem posed by spam; and yet the action they take could cause even greater problems.

It’s All About Control
The problem is really one of control — who has control over the definition of spam?  If you use a managed service provider, then you lose that control.  You lose control over the domains that are blocked and the keywords that are used to determine spam.  One person’s spam is another person’s valuable evidence with information on how to handle spam, hackers and pornography (all terms that often lead to immediate blocking by some filtering systems).  If the end user is the person who defines spam, then you neither lose valuable e-mail nor control over your own systems.

The answer is not that you have to do it yourself if you want it done right — rather, you have to find a vendor who offers all the advantages and none of the disadvantages of the blacklist and/or MSP dependent approach:

  • Total support without any loss of control
  • Quarantine of suspect e-mail inside rather than outside of your firewall
  • No alterations to your MX records
  • Empowering the user to be responsible for what he or she actually does receive

The risks your firm or company faces are too great for you to ignore the problem.

This article has been published previously and has been edited from the original copyrighted material provided by Commtouch Software Ltd. with their knowledge and approval.

About our author . . .

Kevin Townsend is a journalist with more than 20 years’ experience in the security arena.  He operates the infosecurity portal www.ITsecurity.com.  Kevin wrote this article for Commtouch Software Ltd., a provider of enterprise anti-spam solutions at www.commtouch.com.