ILTA's recent technology survey shows that firms are taking an increasingly granular approach to security. Believing that it is no longer sufficient to simply secure the network perimeter, these firms are locking down access to documents at the matter level. While this kind of effort is one step toward meeting the increased levels of security required by a firm’s clients, completing it can be a real challenge. We designed the list below to be a starting point for firms considering this project. If you have additional items you think should be added, please post them in the comments.
Determine what is
Are you securing to practice groups, client groups, matters?
Are you securing every matter, most matters, only selected matters?
Are you securing types of documents by their classification or
Do you have cross-border or regional issues to address?
What is the workflow for notice that a client or matter
Will you prohibit workarounds such as local save as or export, or monitor them?
What is the escalation process?
Decide which systems will be secured:
Determine all systems in your firm that may contain client data requiring security, and whether those systems are mapped to client/matter
Network file shares
Knowledge management / enterprise
Litigation support data
Can you use existing software? (Test its limits; you may end up securing a lot more than your ethical wall software can handle.)
Do you need to purchase new software? If so, draft software
Determine what kind of reporting you need and who reviews
Determine workflow and what happens when security can be removed.
Decide who is being granted access or locked out and how that is maintained:
How will you get a comprehensive list of who’s in that
How will you update your list of who’s in that
If you are securing to practice groups, how are you defining those groups? Primary members only, secondary members, additional attorneys,
Who is authorized to add new members to the team?
What is the workflow for users requesting access?
What is the workflow for removing access for users no longer assigned to the matter?
Do you want to default to granting access to certain
Copy / Printing / Faxing center
IT (all IT? just help desk?)
Are you allowing workarounds (for overnight / weekend projects, for example)?
Do you need 24/7 support? Can support be outsourced
If you use outsourced support or administrative resources, are they allowed to provide workarounds for end users?
Will you be providing temporary access to the files? If so, is there a default duration of access?
How do you prevent workarounds if you don’t want them?
Who reviews exceptions, workarounds and audit trail?
What about access for external users: deal rooms, expert
need to draft / change management:
Workflow for escalation if there are conflicting
Procedures for adding new parties and reviewing additions,
Announcement to firm about matters being locked down
Notices to individual case teams about adding/removing users
Central list of secured matters on portal (may want to limit access to this but useful for tech support, at least)
Communications for addressing temporary access or exceptions
Procedures and notices when confidentiality is removed
Notices that display when a user tries to access files that
Training for folks maintaining the system
Update firm confidentiality policies to include consequences for going around the system
Schedule periodic review of logs / audit trail
Sample language attorneys can use to communicate security procedures to clients or to potential clients in pitches
Modifications to legal hold or matter transfer policies
KM / enterprise
Identifying and explaining your set:
How do you let researchers know that they’re not seeing everything?
How does this change firm expectations and priorities for KM?
How do you counteract drift to
If you are sanitizing confidential documents
How do you decide what to sanitize?
How much sanitizing is enough?
Will you require additional staffing to sanitize documents? Do you need incentives to encourage timekeepers to assist in KM efforts?
Are there rules in your outside counsel guidelines that would prohibit reuse of work product even after
ILTA Information Management Content Coordinating Team