
Considerations when securing your document management system

By Gillian Glass posted 12-09-2015 14:22


ILTA's recent technology survey shows that firms are taking an increasingly granular approach to security.  Believing that it is no longer sufficient to simply secure the network perimeter, these firms are locking down access to documents at the matter level.  While this kind of effort is one step toward meeting the increased levels of security required by a firm’s clients, completing it can be a real challenge.  We designed the list below to be a starting point for firms considering this project. If you have additional items you think should be added, please post them in the comments.

Determine what is being secured:

Are you securing to practice groups, client groups, matters?

Are you securing every matter, most matters, only selected matters? Are you securing types of documents by their classification or content?

Do you have cross-border or regional issues to address?

What is the workflow for notice that a client or matter requires security?

Will you prohibit workarounds such as local save as or export, or monitor them?

What is the escalation process?


Decide which systems will be secured:

Determine all systems in your firm that may contain client data requiring security, and whether those systems are mapped to client/matter numbers:



Time Entry

Network file shares


Records system



Intranets/portals/online repositories

Knowledge management / enterprise search

Litigation support data

Paper folders


Can you use existing software? (Test its limits; you may end up securing a lot more than your ethical wall software can handle.)

Do you need to purchase new software? If so, draft software requirements.

Test system

Determine what kind of reporting you need and who reviews the reports

Determine workflow and what happens when security can be removed.


Decide who is being granted access or locked out and how that is maintained:

How will you get a comprehensive list of who’s in that group/client/matter team?

How will you update your list of who’s in that group/client/matter team?

If you are securing to practice groups, how are you defining those groups? Primary members only, secondary members, additional attorneys, administrative support?

Who is authorized to add new members to the team?

What is the workflow for users requesting access?

What is the workflow for removing access for users no longer assigned to the matter?


Do you want to default to granting access to certain administrative roles?

Document Processing

Copy / Printing / Faxing center

IT (all IT? just help desk?)


Floating secretaries

Conflicts/New Business



Litigation Support

Are you allowing workarounds (for overnight / weekend projects, for example)?

Do you need 24/7 support? Can support be outsourced overseas?

If you use outsourced support or administrative resources, are they allowed to provide workarounds for end users?

Will you be providing temporary access to the files? If so, is there a default duration of access?

How do you prevent workarounds if you don’t want them?

Who reviews exceptions, workarounds and audit trail?

What about access for external users: deal rooms, expert witnesses, contractors?


Documentation you need to draft / change management:

Workflow for escalation if there are conflicting requests/ethical walls/etc.

Procedures for adding new parties and reviewing additions, if required

Announcement to firm about matters being locked down

Notices to individual case teams about adding/removing users

Central list of secured matters on portal (may want to limit access to this but useful for tech support, at least)

Communications for addressing temporary access or exceptions

Procedures and notices when confidentiality is removed

Notices that display when a user tries to access files that are prohibited

Training for folks maintaining the system

Update firm confidentiality policies to include consequences for going around the system

Schedule periodic review of logs / audit trail

Schedule audits

Sample language attorneys can use to communicate security procedures to clients or to potential clients in pitches

Modifications to legal hold or matter transfer policies


KM / enterprise search considerations:

Identifying and explaining your set:

How do you let researchers know that they’re not seeing everything?

How does this change firm expectations and priorities for KM?

How do you counteract drift to public matters?


If you are sanitizing confidential documents:

How do you decide what to sanitize? How much sanitizing is enough?

Will you require additional staffing to sanitize documents? Do you need incentives to encourage timekeepers to assist in KM efforts?

Are there rules in your outside counsel guidelines that would prohibit reuse of work product even after sanitization?


Gillian Glass

Joe Davis

ILTA Information Management Content Coordinating Team