Risk Update

Law Firm DMS and Information Risk — Document Security, Ethical Walls, Encryption, DLP and More

“Extending the Value of Document Management Systems in the Legal Profession, Part II” —

  • “Law firms typically have one DMS configured to serve a wide variety of clients. Even if you want them to be, many security issues can’t be ‘die on the hill’ types of concerns, since most legal providers are working to meet the audit and security considerations of many, not one.”
  • “Limiting access to the documents legal professionals need to do their job is the most basic of controls. Generally speaking, working groups should be granted access to the documents supporting the clients whom they support… a concept also known as ‘The Principle of Least Privilege.’”
  • “It probably won’t shock many to hear the not-so-bold statement that certain complexities tend to arise. For example, how should a DMS handle documents which relate not to a single matter, but to multiple clients or matters? How easy is it to associate a document with two matters, or with twenty, one-hundred or one thousand? Under-the-cover capabilities such as workspaces—and the ability to create and administer them (for example, reacting as matters move in and out of trial clusters or substitutions in settlement groups are made)—are vital to enforcing business rules of this nature.”
  • “Another security complexity surrounds legal reference materials or client-related topical groups of document sets relating to areas like a particular company product line (competitors, facilities, litigation areas, expert witnesses, etc.). Designing control groups for these sets can be challenging, administratively time-consuming functions.”
  • “Finally, the extension of access controls beyond the DMS, meaning maintaining controls prohibiting actions like opening or printing a document after the document is shared outside a DMS, is another emerging trend (not unlike the concept of honoring access controls for documents even when accessed within a DMS from an enterprise search emanating from outside the DMS).”
  • “Of course, law firms routinely construct ethical walls and other controls to protect against representation conflicts… Again, without drilling down too much, simply asking if controls such as ethical walls/conflicts are at least partially governed within a law firm’s DMS is a good inquiry to make.”
  • “Corporate counsel should both confirm their law firms have data loss protection and attempt to ensure the controls are appropriately tuned. I’m not going to lie, it’s not easy, the rules and algorithms are complex. But it’s better to broach the subject with those law firms acting as stewards of your corporate data than to blindly trust that your service providers are doing exactly as you might hope they are doing.”
  • “Today, leading DMS providers offer CMEK, which is essentially a decision point as to who controls the encryption keys for a document set (the customer, or the software provider). The main point here for corporate counsel is ‘who should hold the keys to one’s data’ in the event of circumstances such as a legal order or subpoena. Do law departments want their outside firms to control this? Or, alternatively, are they comfortable with a cloud provider maintaining these keys and potentially directly responding to a court order? Or, for a corporate law department perhaps the requirement might be to administer the keys themselves.”