Need-to-Know Security and Ethical Walls
Hacking happens. Thousands of breaches happen every year, exposing millions of records. Client expectations have changed. Cybersecurity and privacy regulations are increasing. Firms can no longer operate ‘open access’ security inside the firm. They must lock down content and limit everyone’s access as appropriate. Without the right technology, it can prove painful.
Firms are nervous about changing to need-to-know security. Lawyers rely heavily on past work product when completing new work. Partners worry that the extra hurdle will delay their work and impact client service. Records, InfoGov, and KM professionals worry that end-users will circumvent document management and other systems to avoid the hassle, choosing instead to save and email documents outside the protection of the DMS.
Good technology creates efficient workflow. End-users should have the ability to help determine who can access a matter while Risk delegates decision-making authority as appropriate: limited to the Risk team, the client/matter partner, client/matter team, or simply self-determined (closer to an ‘open access and audited, once requested’ model).
The system needs ‘push’ access, where one person authorizes and delivers access to another, or ‘pull’, whereby a user seeking access can request it and an automated alert is sent to the appropriate authority to either grant or deny access. Automation makes this kind of solution work at scale.
Some matters require a specialist to review or complete individual sections or documents, without needing the rest of the matter. At the same time, clients today expect access to be limited to ‘as needed,’ and regulations mandate ‘least privilege’ access. This means folder- and document-level security is necessary to avoid running afoul of these expectations.
Firms have professionals who work across teams, fostering their expertise and contributing towards a flexible, cost-effective work environment. To accommodate them, firms need temporary or ‘timed’ access that revokes automatically, which ensures compliance without becoming cumbersome.
Firms need to track activity in their DMS, including history and audit tables. The reporting needs to be secured so that Risk Managers or General Counsel can verify policy compliance without alerting the individuals involved. Investigators need access to regular, automatic reporting through email and the ability to run ad hoc reports. The document contents should be viewable without leaving a telltale footprint in the DMS history tables.
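The workflow described above (delegated authority per matter, ‘push’ and ‘pull’ grants, timed access that lapses on its own, and an audit trail of every decision) as an added, self-contained model. This is illustrative code written for this page, not any vendor's DMS; the matter ids, user names, roles and delegation levels are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): the authority level delegated for each matter
# (risk team, matter partner, matter team, or self-determined) and each user's role.
MATTER_AUTHORITY = {"M-1001": "partner", "M-1002": "self", "M-1003": "team"}
ROLES = {"alice": "risk", "bob": "partner", "carol": "associate", "dan": "associate"}

@dataclass
class MatterACL:
    grants: dict = field(default_factory=dict)   # (matter, user) -> expiry datetime or None
    pending: list = field(default_factory=list)  # pull requests awaiting a decision
    audit: list = field(default_factory=list)    # append-only event log for Risk reporting

    def can_authorize(self, approver, matter, requester):
        level = MATTER_AUTHORITY[matter]  # Risk may always decide; others per delegation
        return (ROLES[approver] == "risk"
                or level == "partner" and ROLES[approver] == "partner"
                or level == "team" and (matter, approver) in self.grants
                or level == "self" and approver == requester)

    def push(self, approver, matter, user, days=None, now=None):
        """'Push' access: an authority delivers access, optionally time-limited."""
        now = now or datetime.now()
        if not self.can_authorize(approver, matter, user):
            self.audit.append((now, "DENIED_GRANT", approver, matter, user))
            return False
        expiry = now + timedelta(days=days) if days else None
        self.grants[(matter, user)] = expiry
        self.audit.append((now, "GRANT", approver, matter, user, expiry))
        return True

    def pull(self, user, matter, now=None):  # 'pull' access: request is queued for review
        self.pending.append((matter, user))
        self.audit.append((now or datetime.now(), "REQUEST", user, matter))

    def decide(self, approver, matter, user, approve, now=None):  # authority's decision
        self.pending.remove((matter, user))
        if not approve:
            self.audit.append((now or datetime.now(), "REJECT", approver, matter, user))
            return False
        return self.push(approver, matter, user, now=now)

    def check(self, user, matter, now=None):  # access decision; every outcome is audited
        now = now or datetime.now()
        expiry = self.grants.get((matter, user), False)  # False: no grant exists at all
        allowed = expiry is not False and (expiry is None or now < expiry)
        if expiry is not False and not allowed:
            del self.grants[(matter, user)]  # timed grant lapsed: revoked automatically
        self.audit.append((now, "ACCESS" if allowed else "DENY", user, matter))
        return allowed
```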
Though firms can never be too secure, it doesn’t make sense to secure public data or data that has become public. This could include pleadings, court rulings, public filings, agreements filed with the SEC, etc. Because this information is initially private, a fluid approach to confidentiality management, one that can relax controls once the content becomes public, will improve KM and end-user adoption.