Peer to Peer Magazine

Winter 2017

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/938151


BEST PRACTICES

Managing Matter Mobility: Reducing the Burden of Departing Client Files

impending departure. Not only do firms have an interest in protecting these records, but they have an ethical duty to protect client information from unauthorized removal. A departing attorney might email information on a client's settlement thresholds to the attorney's unsecured personal account; that information would then be compromised. The results could be disastrous for client, departing attorney and firm.

Even when client information is unintentionally purloined, the proliferation of mobile devices and BYOD (bring your own device) policies can increase risks that client information will wind up in the wrong place. These policies permit attorneys, employees and others to use their personally owned smartphones, laptops and other devices to access company information or applications. Even when no BYOD policies are in place, the practice may still be widespread, as employees simply take it upon themselves to transfer documents to their personal devices and accounts. The benefits are increased productivity and mobility, with obvious drawbacks when it comes to controlling company information.

To protect against this, our case study firm uses an industry-standard data loss prevention platform that allows the firm to monitor what data is exiting its systems. With a data loss prevention agent running on every laptop, desktop and virtual machine, the firm can set "sensitive data" policies around clients and matters, profiling those files and building similarity and keyword thresholds. This allows the firm to "watch our perimeter like a hawk," the forensics manager explains. "If anything goes out coming even close to matching the criteria, it's going to be blocked and we're going to be notified immediately."

Additionally, the firm's forensics and response team coordinates closely with its human resources department.
When a departure is expected, the team can snap into action, making sure that important information is not taken out of the firm without authorization. A high percentage of data leakage issues occurs around employees who have shown intent to depart the firm and chosen not to follow established protocol for getting their data out. The risks are even greater when the attorney's departure is sudden or not amicable.

Repeatable, Defensible, and Not That Hard to Start

For those looking to improve their own matter mobility process, it is necessary to recognize that this is not an area where you can shoot from the hip and tidy up later. Applying repeatability and defensibility to your process is key. Those implementing a matter mobility system need to study, analyze and establish the process and workflow before executing it. While matter mobility is serious, the transition to a simple, streamlined, automated matter mobility system need not be difficult. Once our case study firm decided to improve its systems, it was able to institute a 90-percent-automated process in under 45 days.

Law firm intellectual property is not the only data that needs to be carefully considered when a matter leaves a firm. A pre-release review must also focus on other types of potentially protected data, such as data that is subject to litigation holds or destruction orders. Federal and state laws can also create heightened responsibilities around certain types of information.

One of the most sensitive classes of information is "protected health information" or PHI. Under the Health Insurance Portability and Accountability Act (HIPAA), "covered entities" and their business associates dealing with PHI must meet a host of requirements, including administrative, technical and physical safeguards for protecting the confidentiality of PHI. PHI is a subset of "personally identifiable information," or PII.
PII encompasses information that can be used to identify an individual, such as name, birth dates, place of birth, Social Security numbers and the like. The federal Privacy Act places restrictions on the collection, maintenance, use and dissemination of PII by federal agencies and their contractors. State laws may also implicate PII in private hands. Every state but Alabama and South Dakota, for example, has a data breach notification statute that may be triggered when PII is compromised.

Firms operating internationally must also take international laws and regulations into account. When it comes to data privacy, one of the strongest such regulations is the European Union's General Data Protection Regulation (GDPR). Set to come into effect in May 2018, the GDPR limits the removal of personal data outside of the EU. "Personal data" is defined broadly, to include any information relating to an identified or identifiable natural person. Cross-border transfer of such data is generally prohibited unless the data exporter has appropriate safeguards in place and the recipient jurisdiction has adequate privacy protections. Violations can cost 20 million euros or 4 percent of global gross revenues, whichever is greater.
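
The per-matter "sensitive data" policy described in the article (profiled files plus similarity and keyword thresholds) can be sketched as follows. This is an added example, not code from the article or from the firm's data loss prevention platform; the `MatterPolicy` class, the thresholds, the matter number and all sample text are constructed assumptions.

```python
import re

def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def shingles(text, k=3):
    """Set of overlapping k-word sequences used to fingerprint a document."""
    w = tokens(text)
    return {" ".join(w[i:i + k]) for i in range(len(w) - k + 1)}

class MatterPolicy:
    """Hypothetical policy for one matter: profiled files plus two thresholds."""
    def __init__(self, matter, profiled_docs, keywords,
                 sim_threshold=0.5, kw_threshold=2):
        self.matter = matter
        self.profiles = [shingles(d) for d in profiled_docs]
        self.keywords = [" ".join(tokens(k)) for k in keywords]
        self.sim_threshold = sim_threshold
        self.kw_threshold = kw_threshold

    def similarity(self, text):
        out = shingles(text)
        # Overlap coefficient: an excerpt pasted into a longer message still
        # scores high, because the smaller set is the denominator.
        return max((len(out & p) / min(len(out), len(p))
                    for p in self.profiles if out and p), default=0.0)

    def evaluate(self, text):
        sim = self.similarity(text)
        flat = " " + " ".join(tokens(text)) + " "
        hits = [k for k in self.keywords if " " + k + " " in flat]
        reasons = []
        if sim >= self.sim_threshold:
            reasons.append("similarity")
        if len(hits) >= self.kw_threshold:
            reasons.append("keywords")
        return {"matter": self.matter, "similarity": round(sim, 2),
                "keyword_hits": hits, "reasons": reasons,
                "action": "block" if reasons else "allow"}

# Constructed sample data: one profiled matter file and three outbound messages.
PROFILED = ("Confidential settlement memo for matter 1001. Client will accept no less "
            "than 2.5 million; the settlement threshold was approved by the general "
            "counsel on a privileged call.")
POLICY = MatterPolicy("1001", [PROFILED],
                      ["settlement threshold", "privileged", "general counsel"])
LEAK = ("Forwarding to my personal account: client will accept no less than 2.5 "
        "million; the settlement threshold was approved by the general counsel.")
KEYWORD_ONLY = ("Heads up: the settlement threshold discussion with general counsel "
                "moved to Friday.")
BENIGN = "Lunch on Thursday? The new place near the courthouse has good reviews."

if __name__ == "__main__":
    for msg in (LEAK, KEYWORD_ONLY, BENIGN):
        print(POLICY.evaluate(msg))
```

The keyword-only message is blocked even though it copies almost nothing from the profiled file, which is the "even close to matching" behavior the forensics manager describes; lowering either threshold trades more blocked mail for fewer misses.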
