LegalSEC® - Cybersecurity


Are you appropriately restricting access to sensitive data on your DMS and other systems?

By Brian Donato posted 10-11-2013 12:38


If you are reading this blog, you likely understand the importance of granting users only the access rights they need to perform their jobs. However, most firms grant every user full access to nearly the entire collection of documents on their DMS. As you also likely know, your firm must comply with privacy regulations, outside counsel guidelines, and client audits that demand this not be the case.

Some firms have started looking at changing their default security so that documents are secured to the author alone by default, and any other party must be explicitly granted access. This approach is not only very cumbersome for attorneys who have a legitimate need to access documents, but also defeats one of the original purposes of the DMS: allowing people to find and reuse historical documents. Ideally, the DMS would remain open, except for those sensitive documents that require more stringent security. The problem may be the same or worse on other systems, such as your firm's litigation support system, matter management system, or SharePoint platform. To protect sensitive data correctly, your firm must first know which data needs to be protected.

The concept of appropriately tagging data certainly isn't new, but it can be a huge challenge in many law firms. Some of the hurdles include controlling the sources of data intake, correctly identifying potentially sensitive data, tagging the data in multiple systems in a usable way, and appropriately protecting tagged data.

Here are some ideas to move your firm down the path of tagging and appropriately protecting sensitive data.

  • Create a process to ensure that the person responsible for Information Security (or, even better, Information Governance) at your firm reviews all outside counsel guidelines for special security requirements. They may also find requirements around data retention, transport, and mobile device access. They can then educate the legal teams about what the client expects and how to accomplish it using methods such as password-protecting matters, securing documents, folders, or entire workspaces in the DMS, or restricting SharePoint sites.

  • Identify during new business intake those matters likely to involve sensitive data by asking specific questions about the type of data likely to be involved, such as Protected Health Information, Personally Identifiable Information, trade secrets, or similar. Ask whether the matter itself should be treated as sensitive, as with certain M&A transactions.

  • Work with practice groups where over-collection of data is a common problem to create checklists that guide the client on what type of data to provide for a given matter type.

  • On the DMS, consider applying security by default to certain client and matter types that have both a predictable legal team and commonly involve sensitive documents. There are tools available to help automate this process if the matter is coded correctly during new business intake.

  • On the DMS, set up standard, secured folders for sensitive information, and educate your attorneys that any sensitive information should be moved to those folders.

  • Don’t forget your Litigation Support team. Make sure they are informed when a client or matter has special information governance requirements. They often receive data dumps from clients and have no visibility into the vast amount of data the client has just handed them. For cases that contain sensitive data, they may need to tag the entire case as sensitive.

What ideas have worked well at your firm?  What challenges have you encountered?
