
Would you know if your firm had a data leak?  Ten or fifteen years ago, before the pervasive use of technology to create, communicate and manage client information, a leak would have been hard to miss.  In that world, large-scale, unauthorized removal of data was easier to spot.  That's because paper was the dominant medium.  With paper, a massive checkout and relocation of materials was much less likely to go unnoticed.  Physical files had to be retrieved, copied and moved, often with the help of records or other support staff.  Lateral attorney movement was also far less widespread, so there were fewer instances where individuals might be tempted to run off with internal files.

Today, circumstances are very different, and the risks of data leakage are much higher.  Large quantities of client and internal firm information can be copied quickly and removed covertly.  This is due, in part, to industry trends such as increased attorney mobility and the growing use of contract attorneys, which lead to more opportunities for misconduct or mistake.  But the biggest reason for worry is the wholesale shift from paper to electronic data management.

Tools like e-mail, document management and records management applications provide firms with tremendous benefits in terms of productivity and knowledge sharing.  Yet these benefits also carry a cost; with easy access and limited oversight, individuals can fit the equivalent of a library on a thumb drive (or even an innocent-looking iPod) and walk out the door.  The reality is that unless you're watching for potential leaks, you might not catch them when they happen.

Information loss can occur for many reasons, not just those tied to overt actions.  It could be as simple as an attorney or staff member keeping backup copies of client files on a home computer for convenient access.  Laterally departing partners may remove files because they believe a client will be moving with them to a new firm.  But, considering records retention and other potential pitfalls, even innocent mismanagement or movement of information can create serious risks and repercussions for clients and firms alike.

The good news is that while technology created these new challenges, it can also provide new levels of management visibility and control to address them.  Firms can tip the balance in favor of compliance by instituting practices that provide warnings of potential leaks and even identify opportunities for early intervention to prevent lateral attorney departures.

Understanding the Risks
It's vitally important that law firms keep close tabs on how attorneys and staff treat client information.  By default, most firms make their data storage and management applications open and internally accessible to attorneys and support staff.  The downside of open access is that when individuals move firm and client information inappropriately, they create multiple risks for the firm.

At an organizational level, firms must comply with several professional duties, including confidentiality and records management obligations.  Competitive and even malpractice dangers are possible when client information is transported by a lateral mover prior to official consent, or when attorneys relocate work product from nonmigrating clients or the firm's knowledge management library.  Firms that accept this information (even unknowingly, such as when new attorneys upload legacy files into a document management library) open themselves up to potential liability.

For example, if the movement of information circumvents the firm's records management and retention processes, documents that should be destroyed might not be.  Increasingly, clients are mandating confidentiality and other information management standards for their legal service providers.  Unintended movement can put a firm in violation of outside counsel guidelines that prescribe records retention and destruction practices.  It also creates the very real risk that a client may become involved in litigation should discoverable information, or records that were thought destroyed, resurface.  Similarly, firms investing heavily in knowledge management and the creation of "best and blessed" work product and precedent repositories might not know that material is making its way to their competitors.

The Costs of Lateral Movement and Leakage
Unusually high document checkout volume by individual attorneys is often a warning sign of an impending lateral departure.  In many instances, firms have existing policies that explicitly forbid attorneys from unilaterally taking information with them when they leave, but sometimes attorneys aren't aware of them or they think these policies don't apply to their situations because they expect (or hope) to take their clients with them.  It's important to remember that clients own their own files, and that unauthorized movement creates potential repercussions for clients, firms, departing attorneys and even the organizations they join.

There are exceptions to every rule, but usually when a partner chooses to leave, it's not good for the firm.  Attorney departures create not only data leakage risks but also significant expense for a law firm.  According to a PricewaterhouseCoopers study, attorney turnover costs the average law firm $35 million annually in direct costs and lost opportunities.  And, considering that lateral defectors are often higher performing partners, the stakes can be even greater.  Departures can also have nonfinancial impacts beyond the loss of clients, including hits to internal morale and potentially damaging public relations fallout that impacts the firm's reputation and perceived stability.

Preventing Data Leakage
Given the costs and risks associated with data leakage, firms should think carefully about the steps they currently take to protect themselves and how they might make improvements.  There are some relatively straightforward prevention options organizations can put into practice:

  • Assess current practices - A good place to start is by examining current rules and practices.  Are policies on information management and movement understood and acknowledged by all attorneys and staff?  Do current practices align with stated policies?  If you conducted a pop quiz across your organization, would everyone pass?  An examination doesn't have to be a complex affair; it could be as simple as asking stakeholders from key departments (IT, records, HR, risk) what they've observed and noting any inconsistencies or issues they identify.
  • Educate attorneys and staff - In many instances data leakage happens due to simple mistakes or misunderstandings.  To prevent these, firms can use existing policy management mechanisms to make sure attorneys and staff understand the rules and aren't moving information in ways they shouldn't be.  
  • Train "unwitting accomplices" - It sounds nefarious, but it is possible for staff to unknowingly abet a data heist.  Firms can put an important check in place by working with IT, help desk, records and other stakeholders who might inadvertently aid unauthorized data movement.  Key to this tactic is training people to understand what type of unusual activity should raise eyebrows and providing them with a clear escalation process so they're not in a position of having to act as judge and jury on their own.  For example, an attorney request to the helpdesk to collect and package that attorney's entire e-mail history might be something that warrants external review.
  • Develop monitoring and alert tools - Technology can play an important role in helping firms fight fire with fire.  A good place to start is with the document management system.  By using monitoring tools that watch key activities like checkout, e-mail, copy and export, firm management can receive e-mail notifications when a user's activities exceed defined thresholds.  With abnormal activity alerts, firms have the opportunity for early response.  This approach is relatively painless as it is transparent to attorneys and end users, and therefore doesn't raise any internal concerns.  It's also a quick way for firms to protect themselves and achieve immediate benefit without having to expend significant resources. (See "Monitoring and Prevention in Action" sidebar.)
  • Implement data protection tools - For firms looking for more stringent controls, data lockdown applications add the ability to restrict data movement.  For example, there are tools that will limit an attorney's ability to copy files onto a USB thumb drive or to send e-mail attachments outside the firm.  While it may be tempting from an IT perspective to impose strict controls, firms should take care to avoid dramatically changing the ways in which attorneys are accustomed to working.  For example, blocking access to document or knowledge management libraries may cause more harm through productivity and efficiency loss than the risk firms seek to prevent.  As with many new technologies, a measured, phased approach to implementation is most productive.

Information policies and practices must play a central role at firms seeking to build a risk-aware culture.  By preventing data leakage, IT can contribute significantly to that effort.  There's still greater uncertainty today than there was in the paper world, but by combining transparent monitoring with education and training, firms can reduce risk, provide management with earlier visibility into potential problems and achieve greater peace of mind.

SIDEBAR
Monitoring and Prevention in Action

We've seen several organizations implement DMS monitoring as a quick and cost-effective way to identify potential data leaks and watch for lateral departures.  For example, an IT director at one firm set up a custom monitoring rule that produced and e-mailed a daily report summarizing activity across the firm's document management infrastructure.  Her goal was to "take a temperature reading" of what was going on within the firm by watching this aggregate data flow.  With a raw set of aggregate information, she used her "Spidey sense" to identify irregularities outside the bounds of the normal pulse of activity that might point to larger problems.

Right off the bat, she found a user who wasn't aware of some features in the firm's DMS software that could improve productivity.  Some quick intervention by a trainer led to a happy (and surprised) customer.  More important, she noticed that an attorney was checking out just about everything in sight (or, in this case, WorkSite).  She escalated the report to firm management, who approached the attorney and confirmed that he was joining another firm.  With that early warning, management was not only able to prevent a data leak, it was also able to address the underlying issues driving the attorney's perceived need to separate, and they prevented the move.  This was a major win for IT as it helped the firm retain an important partner and his book of business.
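
The threshold alerting described in the "Develop monitoring and alert tools" item and the daily report in this sidebar can be sketched as follows.  This is an added example, not code from the article or from any DMS product; the CSV column names, user names and threshold values are assumptions, and the audit log is constructed sample data.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Activities the article says to watch; the action labels are assumed, not a real DMS schema.
WATCHED = {"checkout", "email", "copy", "export"}

def build_sample_log():
    """Constructed audit export: three users over five days, one spike on the last day."""
    rows = ["date,user,action,doc_id"]
    for day in range(1, 6):
        date = f"2024-03-0{day}"
        for user, n in (("asmith", 4), ("bjones", 6), ("cdoe", 5)):
            if user == "cdoe" and day == 5:
                n = 60  # constructed bulk checkout/export burst
            for i in range(n):
                action = "checkout" if i % 2 else "export"
                rows.append(f"{date},{user},{action},D{day}{i:03d}")
        rows.append(f"{date},asmith,view,D{day}999")  # not a watched action
    return "\n".join(rows)

def daily_counts(log_text):
    """Return user -> date -> number of watched actions."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] in WATCHED:
            counts[row["user"]][row["date"]] += 1
    return counts

def find_alerts(log_text, hard_limit=50, ratio=3.0, min_history=3):
    """Flag user-days over a fixed limit or far above that user's own median."""
    alerts = []
    for user, by_day in daily_counts(log_text).items():
        days = sorted(by_day)  # ISO dates sort chronologically
        for idx, day in enumerate(days):
            history = [by_day[d] for d in days[:idx]]  # earlier active days only
            n, reasons = by_day[day], []
            if n > hard_limit:
                reasons.append("hard_limit")
            if len(history) >= min_history and n > ratio * median(history):
                reasons.append("baseline")
            if reasons:
                alerts.append((day, user, n, reasons))
    return sorted(alerts)

if __name__ == "__main__":
    for day, user, n, reasons in find_alerts(build_sample_log()):
        print(f"{day} {user}: {n} watched actions ({', '.join(reasons)})")
```

The per-user baseline catches a spike that is large for one person but would sit below a firm-wide fixed limit; each alert is a prompt for the escalation process described above, not a finding on its own.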

About our author

Thad Jampol is IntApp's chief technology officer, responsible for overseeing the company's overall product and technology strategy.  He is the architect of IntApp's risk management, application integration and time capture solutions.  Thad is an expert in legal software applications and IT environments and has worked with many large law firms in the United States and the United Kingdom to address business process optimization, confidentiality management and regulatory compliance challenges. He can be reached at thad.jampol@intapp.com.
