The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/7599
www.iltanet.org 40 Peer to Peer policies, or they think the policies don't apply to their situations because they expect (or hope) to bring their clients with them. But it's important to remember that clients own their own files, and that unauthorized movement creates potential repercussions for clients, firms, departing attorneys and even the organizations they join. Therefore, it is vitally important for firms to keep close tabs on how departing attorneys and staff treat sensitive information to ensure that they honor professional and ethical obligations. Data Leakage risks created by technology A decade or two ago, before the pervasive use of technology to create, disseminate and manage work product and client information, inappropriate data movement was hard to miss. In that world, paper was the dominant medium, and large-scale, unauthorized removal of data was easier to catch. A massive checkout of hard-copy materials was much less likely to go unnoticed. Files had to be retrieved, copied and moved using dollies and handcarts, often with the help of records or other support staff. Today, large quantities of client and internal firm information can be copied quickly and moved covertly. Tools like e-mail, document management, search and KM applications provide firms with tremendous benefits in terms of productivity and knowledge-sharing. But these benefits also come at a cost; with easy access and limited oversight, individuals can fit the equivalent of a library on a thumb drive and walk out the door. That innocent-looking iPod may be transporting a great deal of intellectual property. combating Data Leakage risks Given the risks associated with inappropriate removal of client and firm information, firms should think carefully about the steps they're taking to protect themselves and start by assessing existing rules and procedures. A survey of stakeholders from key departments (IT, records, HR, risk), noting any inconsistencies or disconnects between policy and practice that they identify, is a good way to begin. This analysis provides the basis for internal education and training efforts. Individuals often inappropriately move information due to a mistake or misunderstanding, not malfeasance. By using policy management and notification mechanisms, firms can ensure lawyers and staff better understand the rules and expectations. Any education effort requires controls to ensure policies have been read and acknowledged. Similarly, organizations should train "unwitting accomplices," such as helpdesk staff and records stakeholders, to look for warning signs of unusual activity. Training them to follow a clear escalation process frees them from having to police lawyers without proper support. For example, a lawyer request to the helpdesk to collect and package their entire e-mail history might warrant external review. Technology can also play an important role. By using tools that flag abnormal activity in document management libraries, firms can receive notification when user behavior strays outside the ordinary. Unusually high document check-out volume is often a warning sign of an impending lateral departure. These alerts can be set based on general thresholds, or to watch a specific office when departures are suspected or pending. Abnormal activity alerts provide firms with opportunities for early response. With these early warnings, several firms have successfully intervened and prevented imminent lateral departures. This approach is relatively painless, as it is transparent to attorneys and end users and, therefore, doesn't raise any internal concerns. conclusion on managing risk tied to Lawyer movement Any time a lawyer joins or leaves the firm, the organization must take care to address risk management requirements tied to information access and movement. Today, the explosion of electronic information technology has increased the opportunity for error and oversight. However, software also provides firms with new resources. In recent years, many firms have adopted confidentiality tools to mitigate these risks. As firms embrace more thorough approaches to compliance, they've created stricter de facto industry standards. At the same time, court, client and insurance expectations have also risen. Now more than ever, it is critically important that IT and risk staff take sufficient measures to enhance their firms' response strategies. The only thing worse than facing a situation where a violation has occurred, is having to explain to the court or a client why the firm failed to implement known and widely used measures that could have prevented the breach. ILTA Pat archbold manages intapp's risk practice group and focuses on helping law firms address issues including client confidentiality, regulatory compliance and risk management. Prior to joining intapp, Pat served as Regional vice President of sales for open text corporation's legal business solutions division. he has more than 15 years of legal industry experience, including leadership positions with a legal consulting organization and West Publishing. he can be reached at pat.archbold@intapp.com.