The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/984836
32 PEER TO PEER: THE QUARTERLY MAGAZINE OF ILTA | SPRING 2018 Information Rights Management: The Missing Piece of the Puzzle? FEATURES IRM and Safety Fighting the bale at the endpoints as they continue to proliferate is a losing bale. Hackers have proven that it is simply a maer of when you get hacked, not if. Take the increasing proliferation of smart connected devices, add to it the multitude of consumer cloud services to which they connect and it is like the wild wild west. Too many devices and too many egress points means something is bound to slip out. With IRM in place, protection, rights and restrictions travel with the data. As someone recently said to me, it is the difference between liberating data and keeping it safe versus locking up data in a safe. Let's look at the infamous Panama Papers through the lens of IRM. Would IRM have prevented that disaster? Almost assuredly not. Theoretically the hackers would still have walked away with 11.5 million documents. But the promise of IRM is that each of those documents would have been an unreadable brick to the hackers. So technically prevented it? No. Prevented the PR disaster? Absolutely yes. We would probably not have heard anything about the hack if Mossack Fonseca used IRM. Types of IRM Two major types of IRM have developed: application level and system level. Let's take Adobe as an example of application level IRM. If you have ever done more then simply create or view a PDF file, you know that you can control what is done to the document - printing, modifications, content copying or extraction and more - but not who accesses it. Adobe's LiveCycle Rights Management ES adds the ability to control the individuals accessing it. On the plus side you have some fine, granular control with cross platform support. Depending on your scenario it could work well. But the cons start to add up. There is limited file type support; it cannot be easily extended to other vendors for collaboration purposes. Not everyone wants to build on another vendors' tool set, so you can end up with multiple IRM solutions. If one of those tools happens to be your DMS, you lose critical functionality like indexing, searching and versioning. Sharing documents outside your organization requires the added complexity of federated user accounts, a high level of coordination overhead and cumbersome setup and management. At the system level you overcome many of the application level issues. They are a bit more efficient and all file formats are supported. As they are independent of the applications, no special integration is required but a client agent of some sort is usually involved. System level IRM can be easier to setup and manage than those at application level. IRM Problems The current crop of tools has issues. They can beak co- authoring abilities, create problems for other security products like anti-virus and potentially create new pathways for phishing in the prompts to gain access to the restricted information. Depending on your approach, you may have different products, different solutions, federated accounts and more. You may not be able to convince collaborators outside your firm to install the client agents. IRM can also be seen as a knowledge management obstacle, as you are restricting what lawyers can access. Conclusion The idea and promise of IRM are great. Many of us use the rights management of PDF files today, proving IRM's use for a limited functional deployment. But there are still unresolved technical and inter- operational issues with this system. For law firms IRM needs to be baked into the DMS, or barring that into the operating system (OS). While some IRM products are great, not all of them out there are fully baked yet. Ultimately there are too many compromises, too many holes or too many products required for a law firm to find a simple end-to-end solution. Today IRM is limited to just a portion of the puzzle. Personally I'm puing my lobbying efforts into the DMS vendors. If they adopt an IRM standard, obtaining the holy grail will become feasible. P2P You may not be able to convince collaborators outside your firm to install the client agents. IRM can also be seen as a knowledge management obstacle, as you are restricting what lawyers can access.