ILTA's recent technology survey shows that firms are taking an increasingly granular approach to security. Believing that it is no longer sufficient to simply secure the network perimeter, these firms are locking down access to documents at the matter level. While this kind of effort is one step toward meeting the increased levels of security required by a firm’s clients, completing it can be a real challenge. We designed the list below to be a starting point for firms considering this project. If you have additional items you think should be added, please post them in the comments.
Determine what is being secured:
Are you securing to practice groups, client groups, or matters?
Are you securing every matter, most matters, or only selected matters? Are you securing types of documents by their classification or content?
Do you have cross-border or regional issues to address?
What is the workflow for notice that a client or matter requires security?
Will you prohibit workarounds such as local "save as" or export, or only monitor them?
What is the escalation process?
Decide which systems will be secured:
Determine all systems in your firm that may contain client data requiring security, and whether those systems are mapped to client/matter numbers:
  DMS
  Finance
  Time entry
  Network file shares
  Email
  Records system
  CRM
  SharePoint
  Intranets/portals/online repositories
  Knowledge management / enterprise search
  Litigation support data
  Paper folders
  Calendar/docketing
Can you use existing software? Test its limits; you may end up securing a lot more than your ethical wall software can handle.
Do you need to purchase new software? If so, draft software requirements.
Test the system.
Determine what kind of reporting you need and who reviews the reports.
Determine the workflow for removing security from a matter, and what happens to access when it is removed.
Decide who is being granted access or locked out, and how that is maintained:
How will you get a comprehensive list of who is on that group/client/matter team?
How will you keep that list of group/client/matter team members up to date?
If you are securing to practice groups, how are you defining those groups? Primary members only, secondary members, additional attorneys, administrative support?
Who is authorized to add new members to the team?
What is the workflow for users requesting access?
What is the workflow for removing access from users no longer assigned to the matter?
Do you want to default to granting access to certain administrative roles?
  Document processing
  Copy / printing / faxing center
  IT (all of IT, or just the help desk?)
  Records
  Floating secretaries
  Conflicts / new business
  Library / researchers
  Finance / accounting
  Litigation support
Are you allowing workarounds (for overnight or weekend projects, for example)?
Do you need 24/7 support? Can support be outsourced overseas?
If you use outsourced support or administrative resources, are they allowed to provide workarounds for end users?
Will you be providing temporary access to the files? If so, is there a default duration of access?
How do you prevent workarounds if you don't want them?
Who reviews exceptions, workarounds and the audit trail?
What about access for external users: deal rooms, expert witnesses, contractors?
Documentation you need to draft / change management:
Workflow for escalation if there are conflicting requests, ethical walls, etc.
Procedures for adding new parties and reviewing additions, if required
Announcement to the firm about matters being locked down
Notices to individual case teams about adding/removing users
Central list of secured matters on the portal (you may want to limit access to this, but it is useful for tech support, at least)
Communications for addressing temporary access or exceptions
Procedures and notices for when confidentiality is removed
Notices that display when a user tries to access files that are prohibited
Training for the staff maintaining the system
Update firm confidentiality policies to include consequences for circumventing the system
Schedule periodic review of logs / audit trail
Schedule audits
Sample language attorneys can use to communicate security procedures to clients, or to potential clients in pitches
Modifications to legal hold or matter transfer policies
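The access questions above (team membership, default administrative roles, temporary access with a default duration, deny otherwise) and the periodic audit-trail review in the documentation list, as a working model. This is an added example, not code from the ILTA post or from any ethical wall product: the matter numbers, user names, the two default administrative roles and the seven-day default for temporary grants are assumed, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed firm policy: temporary grants expire after 7 days unless a duration is given,
# and these administrative roles see every secured matter by default.
DEFAULT_TEMP_DURATION = timedelta(days=7)
DEFAULT_ACCESS_ROLES = {"records", "helpdesk"}


@dataclass
class TempGrant:
    user: str
    expires: datetime
    approved_by: str


@dataclass
class SecuredMatter:
    matter_id: str
    team: set = field(default_factory=set)            # current case team
    temp_grants: list = field(default_factory=list)   # approved temporary access


@dataclass
class AuditEvent:
    when: datetime
    user: str
    matter_id: str
    outcome: str      # "allow", "deny" or "grant"
    reason: str


class MatterAccessPolicy:
    """Deny-by-default access check for secured matters, with an audit trail."""

    def __init__(self, matters, user_roles):
        self.matters = {m.matter_id: m for m in matters}
        self.user_roles = user_roles          # user -> set of administrative roles
        self.audit = []

    def grant_temporary(self, matter_id, user, approved_by, now, duration=None):
        """Record a time-limited grant; the approver is kept for the exception review."""
        expires = now + (duration or DEFAULT_TEMP_DURATION)
        self.matters[matter_id].temp_grants.append(TempGrant(user, expires, approved_by))
        self.audit.append(AuditEvent(now, user, matter_id, "grant",
                                     f"until {expires.isoformat()} approved by {approved_by}"))
        return expires

    def _decide(self, user, matter_id, now):
        matter = self.matters.get(matter_id)
        if matter is None:
            return True, "matter is not secured"
        if user in matter.team:
            return True, "case team member"
        if self.user_roles.get(user, set()) & DEFAULT_ACCESS_ROLES:
            return True, "default administrative role"
        if any(g.user == user and g.expires > now for g in matter.temp_grants):
            return True, "active temporary grant"
        return False, "not on case team and no active grant"

    def check(self, user, matter_id, now):
        """Decision for one document open; every decision is written to the audit trail."""
        allowed, reason = self._decide(user, matter_id, now)
        self.audit.append(AuditEvent(now, user, matter_id, "allow" if allowed else "deny", reason))
        return allowed, reason

    def search(self, user, hits, now):
        """Trim search hits with the same decision, and report how many were withheld
        so a researcher knows the result set is not the whole collection."""
        visible = [h for h in hits if self._decide(user, h["matter_id"], now)[0]]
        return visible, len(hits) - len(visible)

    def review_items(self, since):
        """Denials and temporary grants since a date, for the periodic audit-trail review."""
        return [e for e in self.audit if e.when >= since and e.outcome != "allow"]


def run_scenario():
    """Constructed sample: one secured matter, a team member, a records clerk,
    an outsider, and a contractor whose temporary grant later expires."""
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    policy = MatterAccessPolicy(
        matters=[SecuredMatter("10001-0002", team={"asmith"})],
        user_roles={"rclerk": {"records"}},
    )
    policy.grant_temporary("10001-0002", "contractor1", approved_by="asmith", now=now)
    hits = [{"doc": "A", "matter_id": "10001-0002"}, {"doc": "B", "matter_id": "10001-0003"}]
    return {
        "team": policy.check("asmith", "10001-0002", now)[0],
        "records_default": policy.check("rclerk", "10001-0002", now)[0],
        "temp_active": policy.check("contractor1", "10001-0002", now)[0],
        "temp_expired": policy.check("contractor1", "10001-0002", now + timedelta(days=8))[0],
        "outsider": policy.check("jdoe", "10001-0002", now)[0],
        "unsecured": policy.check("jdoe", "10001-0003", now)[0],
        "search_withheld": policy.search("jdoe", hits, now)[1],
        "review_count": len(policy.review_items(now)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The order of checks is the point: explicit team membership, then the administrative roles the firm has chosen to default, then an unexpired temporary grant, and deny otherwise; nothing else opens a secured matter, which is the property an ethical wall has to hold. Enterprise search runs the same decision, so a secured document cannot leak through a hit list, and the withheld count is the notice to researchers that they are not seeing everything. The grant and deny events are what the scheduled review pulls; allows are kept for forensics but not surfaced.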
KM / enterprise search considerations:
Identifying and explaining your searchable set:
How do you let researchers know that they are not seeing everything?
How does this change firm expectations and priorities for KM?
How do you counteract drift toward relying only on public matters?
If you are sanitizing confidential documents:
How do you decide what to sanitize?
How much sanitizing is enough?
Will you require additional staffing to sanitize documents? Do you need incentives to encourage timekeepers to assist in KM efforts?
Are there rules in your outside counsel guidelines that would prohibit reuse of work product even after sanitization?
-----------------------------------------------------------------------
Gillian Glass
Joe Davis
ILTA Information Management Content Coordinating Team
#Security