Information Governance - includes Industry Participants

 View Only

Life Cycle of a Matter – Matter Management Issues Grab-Bag

By Jon Washburn posted 09-06-2017 15:57


This piece – the final entry in this series – is a grab-bag of tips for dealing a variety of matter management issues raised by ILTA members. Reach in and pick one out (or two, or three) and hopefully you’ll find useful ideas that will help you address some issues that are common across our firms.

During the life of the matter: how are you making sure all of the matter information is managed, that the right people have access to it, and users can find what they need?

Avoid “private” storage of data wherever possible (local hard drives, private mapped drives, USB drives, email, any other location only accessible by the user/owner.) Limiting these locations on your network will help drive users toward the Document Management System (DMS.) If your custodians don’t have access to it, they can’t manage it. Ensure everyone is aware of the risks of storing information outside of your managed systems, especially for matters subject to litigation hold.

Avoid “open file shares” – any network location that allows for public modification (write, delete) of files. These quickly become data dumps, and if you still use these you’ll likely find a bunch of broken SIDs as the “owners” of files put there by people who have long ago departed and have had their Active Directory accounts deleted. Not to mention ever trying to sift through data if you get a destruction request (or order from the court.)

Ensure you make the most out of your search tools through comprehensive training, as common of a taxonomy as you can enforce (consistent file and folder naming), and Artificial Intelligence (AI) search engines as they become available for your document stores. A DMS with AI-based search features must be on your radar: AI is the minimum baseline of the future.

How are you managing security as the matter progresses?

Enforce “need to know” access using Role-Based Access Controls (RBAC) as much as possible. Leaving matters “public” – which has been one of the fundamental griping points between attorneys and clients as long as I’ve been in legal – is becoming indefensible. The argument has always been that access needs to be open to ‘avoid creating higher costs for the client’ by having to start from scratch on each matter. Managing your knowledge however is not the client’s problem, and their security concerns, and increased oversight from regulations like HIPAA and 23 NYCRR 500, is making this a problem your firm needs to solve. Look to other solutions, like document creation software that uses a system account to scour secured workspaces for the best clauses and language, then anonymizes it into new templates. That’s what lawyers are really after anyway, and if you can give them great templates they won’t need to look at their peers’ matters.

If you’re using a tool like IntApp’s Wall Builder to enforce need-to-know access, you can create a “tickler script” to notify you when a Legal Secretary/Practice Assistant assignment changes, which will help ensure your PAs have appropriate access to the ‘private’ workspaces of the lawyers they’re currently managing.

For matters with a long lifespan, do you need to set up periodic reminders to reassess security?

Yes. On your schedule or the client’s. Particularly for health care clients subject to HIPAA (§164.308(a)(3)(ii)(B)) and “need to know” (23 NYCRR 500.07) financial client matters, where this is mandated by regulation.

What is your system for resolving orphaned matters?

When an attorney leaves your firm, they’ve left behind a significant amount of closed matters that will not get reassigned to other lawyers, but will someday need to be disposed of. Ensure you have a plan to deal with these matters, either by simply following your Records Retention and Destruction Policy, or by reassigning the pre-disposition review to the appropriate Client Lead or Practice Group Leader for a final “gut check” that they’re ok to destroy. To make this process most efficient, I recommend consolidating an annual list of “orphaned” matters that are eligible for destruction into a single spreadsheet, and having the CL/PGL just check off what shouldn’t be destroyed. In most cases they should confirm that policy just needs to be followed. Don’t let these matters fall off your radar because the attorney is gone!

How do you escalate/resolve questions/complaints?

Ensure you have documented and well-communicated policies, especially Records Retention and Destruction and Data Classification Policies that are signed off on by Firm Counsel. Ensure the buck stops there for the exception process, as ultimately any deviation from policy/procedure is a business risk decision.

Your Records and Information Security teams must be empowered to enforce your policies, only escalating exception requests in extreme circumstances (ones that might necessitate a change in policy, like a type of representation or regulatory compliance that hasn’t been accounted for in the policy.) Do not make exceptions the rule.

How do you manage data that isn’t properly filed?

Matter management is ultimately a risk mitigation exercise - minimizing the risk of a loss of data confidentiality, integrity or availability. Make sure you have a default disposition for data that isn’t classified (public, client confidential, firm confidential, personal) and categorized (client or administrative matter number n.)

There are 4 things each information owner must do so that custodianship of any data can be maintained by the Records Department (per ISO 27002:2013 Section 8.1.2):

- Inventory the information they’ve obtained according to its value to the firm
- Properly classify/categorize it so it can be adequately protected
- Determine who needs access to it while it’s being retained
- Know when it no longer has value, and confirm disposal procedures are appropriate

Our default for ‘unclassified’ data is “personal confidential” – which means the data owner has not shown it has value to the firm, and while the firm is of course liable for what happens to that data, the data owner is still responsible for custodianship of that data until they communicate otherwise.

Specific to litigation holds and unfiled data: ensure your hold process documents that you have asked all parties involved about any data that may be stored outside the firm’s managed systems, and that you document a response from each timekeeper.  Don’t let your timekeepers avoid responding, and don’t accept “no response” as an affirmation that they don’t have any data outside of your managed systems. Inventory is critical to e-Discovery; see the Federal Rules of Civil Procedure Rule 26 for more information.