Transitioning from an open environment to a closed environment task force report

Executive Summary

This task force report was created to help law firms make an informed decision when considering how best to transition their firms to a higher level of information security to both protect firm data as well as client-supplied information.

This report will detail potential factors motivating firms to contemplate moving to a closed environment as well as key issues to contemplate before undertaking such a transition. The report will then propose potential solutions to consider including practice guidance and emerging technologies that can automate some or all of the security regime. Finally, this report explores best practices for changing organizational culture to ensure a seamless adoption across the firm, including how to communicate these changes and how to audit for compliance going forward. The primary scope of this report focuses on data within the firm’s document management system (DMS), though it will address collaboration sites, file shares and externally hosted applications as well.

Information security within the legal industry has been subject to intense scrutiny for several years, arguably, more than it has ever been in the past. The message has come through various channels consistently (client audits, the HIPAA Omnibus rule, The New York Times, and the FBI to name a few): law firms must continue to improve client data security. Typically, how a firm elects to do this largely depends upon three factors: demographics (including the firm’s client base and practice scope), direct instruction by clients through outside counsel guidelines (OCGs) and the responses of others in the industry.

Historically, law firms have fostered an environment of knowledge sharing and collaboration to efficiently service their clients. To support this objective, many firms by default have configured their document management systems and other data repositories as open (further defined below) with ethical walls or other security measures applied on specific matters or documents as required. Over the past few years, more stringent regulatory and client security requirements have prompted many of these same firms to re-evaluate this open structure. These firms are now considering restricting data access to only those individuals within a given practice area or those working specifically on a given matter. In fact, some firms have already taken steps to modify their default security to a more secure limited access or closed capability (also defined below).

This closed approach is not without its own unique set of challenges. For example, will modifying the existing openstructure create knowledge management inefficiencies for attorneys who often need to respond urgently to client requests? How will firms, especially those subject to fee arrangements based upon similar work being performed across a set of matters, ensure the necessary individuals have access to the documents they need? What training and policies should a firm consider implementing to proactively curtail workarounds which circumvent the new security structure? Lastly, and a critical IG challenge, what options do firms have available when determining who will be responsible for monitoring/modifying the required security throughout the matter lifecycle?

Defining Open and Closed Systems

For purposes of this report, the Task Force utilized the following definitions for open and closed systems:

• An open system refers to the absence of access controls by default. Generally, any user of the system can search for and access a document by default.
• A closed system refers to a system whereby a solution restricting access to information exists, and by default subgroups of documents are restricted and can only be searched and accessed by restricted groups of users. Which groups can view which documents may depend upon the practice group, the client, the type of document, the content of the document or other metadata.

As is usually the case with many IG initiatives, the process of transitioning from an open environment to a closed environment will impact almost every individual within the law firm, from the administrative departments who implement the changes to the secretaries and timekeepers who need access to the information on a daily basis. For firms that assign the responsibility of security administration to the latter group of individuals, the impact may even be greater. The content of this report may be relevant to many parties within the law firm, but at a minimum will be essential for those individuals and departments responsible for:

• Information governance
• Information technology applications and infrastructure
• Information security
• Privacy
• Knowledge management
• Records management
• Risk management/compliance/general counsel
• Practice management

Opportunities And Business Drivers

Recent industry and regulatory forces affecting law firm clients are now requiring law firms to take a hard look at their internal information governance policies in order to remain competitive and in compliance with client demands. Names like Sony®, Target®, The Home Depot®, JPMorgan Chase & Co.® and Neiman Marcus® have made headlines as examples of large, sophisticated retail and financial services organizations that fell victim to information security breaches. These examples of large data breaches have transformed the consumer perceptions of those organizations’ brands and reputations and increased the pressure on law firms to tighten their approach to security.

Along with data breaches, major industries have also faced significant regulatory changes. In December of 2014, Benjamin Lawsky, superintendent of New York’s Department of Financial Services, announced increased regulatory efforts to assess the information security protocols across the financial industry with special focus on the security of third-party vendors like law firms. The previous year, the HIPAA Omnibus Rule rocked the legal industry by requiring compliance from (and holding liable) any third-party business associate (including law firms) that provides services to a HIPAA-regulated entity which involves the transfer of protected health information (PHI).

Law firms are not immune from the general societal phobia and concern regarding the safety of digital information, especially as they house their clients’ most sensitive company data (e.g., trade secrets, intellectual property and information about impending mergers and acquisitions), and personal information (e.g., medical records and the content of personal wills). Given that one unfortunate incident can completely transform a brand identity, it’s not surprising that senior management’s core motivation to devote time, money and energy to information security is to protect the firm’s reputation. The mere statistical likelihood of a breach, reinforced by the industry’s increased attention to the importance of security, is prompting firms to revisit their information security practices and invest heavily in tools designed to either prevent security breaches or to detect them when they occur.

Many of today’s security professionals have conceded that a breach will inevitably occur, particularly since hackers (like physical viruses) mutate and learn more quickly than their prey can adopt new defense mechanisms. The majority of law firm risk management and security professionals have therefore shifted their view of what constitutes a strong defense by developing and implementing practices that mitigate the impact of a breach should one occur. Fortunately, one age-old technique that goes a long way in containing the impact of a breach is that of using access controls, be they role-based (where access to information is restricted based upon job function), mandatory (where users need specific credentials to access classified information) or minimum necessary (where access to information is restricted to those who explicitly require access to do their work). The open versus closed debate is effectively a deliberation on which access control model is appropriate for law firms now that the risks of a breach potentially exceed the benefits traditionally accorded to the efficiency and productivity inherent in an open system.

In practice, it is often client or regulatory requirements that ultimately drive law firms to consider shifting from an open system to a closed system. The past few years have seen an increase in the responsibilities of regulated entities to manage information security and operational risk in both their own environments, and those of third-party business partners. The regulatory changes impacting law firm clients are transitively impacting law firms via the vehicle of outside counsel guidelines, requests for proposals (RFPs), information security questionnaires or contracts like business associate agreements (BAAs). Through these methods, clients often mandate that their information be only accessible to those attorneys and staff working on the matter in question. Some clients require this protection on all highly sensitive information; others require minimum necessary protection on personal sensitive information like medical records, social security numbers or other identifiers.

Some firms have clients and practices that expose them to national security scrutiny as part of the International Traffic in Arms Regulations (ITAR). These regulations dictate that information and material pertaining to defense and military-related technologies (items listed on the U.S. Munitions List) may only be shared with US persons unless authorization from the Department of State is received, or special exemption is used. In law firms with open by default systems, meeting these regulations may pose particular challenges; however the consequences of non-compliance are potentially severe.

Despite the growing pressure placed on law firms, old habits die hard. While implementing a minimum necessary information access model may theoretically be the best information governance technique to contain the impact of a breach, it often meets resistance in practice. Attorneys remain confident that their ingrained duty to protect client confidentiality, as required by the Model Rules for Professional Responsibility, will suffice to meet today’s risk and that restricted access controls would hamper their ability to work competently. Most auditors would not agree,in part because many of the users of these systems are not attorneys. This conflict is one of many issues to consider when examining whether, and how, to close a system.

Considerations When Closing A System

Many factors must be taken into account when a firm considers changing the overall security of its environment. How well the change manager can identify the appropriate interest areas and decision makers within the firm and to what extent they need to be involved in strategy, planning and execution will ultimately determine how effective such a change will be. In firms that are larger and more geographically spread out and/or more practice-diverse,this task can become increasingly challenging for the change manager to address.

Law firms are often resistant to change, however certain drivers may make the change easier for the firm to implement. When the need for security is driven by clients’ OCGs, the firm might better overcome the institutional inertia against change, assuming the firm is agreeable to the guidelines listed within. It may also be easier for the firm to implement such a change for a particular practice, such as a practice group that requests only members of their team have access to their client matters. Or perhaps certain clients, like banks, for instance, require that access to their information is restricted to a pre-defined working group. When the driver is a regulatory requirement,compliance with the law typically trumps any resistance to secure the impacted data. For example, there are an increasing number of firms concerned with the exposure of personally identifiable information (PII) and PHI within their environment, including where that information is and who needs to be restricted from accessing it.

The scope of locking down an entire environment can be broad as well. It can include locking down access to certain information for internal users and external long-term contractors. It can encompass the entire firm or only specific departments and practice groups. It can be limited to internal systems or be extended to the flow of information outside firm walls. In the following section, the assumed scope is anyone with access to internal systems, but the section will touch on other possibilities as well.

Managing Institutional Knowledge And Legal Prededents In A Locked-Down Environment

Many firms have historically fostered an open environment allowing most users almost unlimited search access to firm-proprietary knowledge and precedent material. In many situations, the environment is structured to align with the firm’s knowledge management (KM) initiatives. As such, attempts to limit open access need to account for anumber of factors in order to maintain acceptable, productive access to precedent and general knowledge, including:

• The challenge of creating scrubbed (in a closed system) versus non-scrubbed (in an open system) knowledge and precedent material.
• Effective information data mining beyond legal precedents, such as creating budget models from similar matters, and the ability to leverage work on prior matters as business development opportunities for the firm.
• Transitioning to a concerted KM effort3 (including engineering correlations, how to structure information redaction as part of the precedent process, how to build in a precedent generator in work product development and how to identify appropriate KM work product, such as winning briefs, groundbreaking legal work, successful deal documents and documents associated with managing a matter under budget).

The Logistics Of Applying Security

Another key consideration for a firm moving to a closed environment is how to best create an efficient mechanism to either add or remove access to information associated with clients, matters and/or groups of clients and matters.It is useful to think about this process using three approaches: centralized, distributed and mixed.

Centralized approach: In the centralized approach (during matter intake), the firm restricts access to the matter to need-to-know parties only. If additional users ultimately need to be added to the matter, a designated team can be contacted to add them accordingly. To be successful, those charged with making access control decisions should understand why a particular workspace is restricted, and who has the authority to grant (or deny) access. They should have a documented change management process to follow and be equipped with an understanding of how to escalate certain situations (e.g., if there is an ethical wall involved, consult the GC’s office).

While this approach allows robust control over matter security, it can be very difficult for attorneys to add people on the fly. If the process isn’t efficient, people may not follow it. For example, if the need arises for someone (currently not approved) to review a given document, if not quickly addressed, the attorneys are likely to simply check out and send the document to the individual, thus completely circumventing security. Therefore, ease of use should be taken into consideration when deciding on a given approach.

Distributed or user-dependent security approach: In this approach, the firm relies upon the attorneys and the matter team to decide when and how to secure the document. This approach involves both the training of staff and the deployment of tools that will help staff secure the information accordingly — both in the DMS and when transmitting it to other locations. Such tools might include secure email, encryption software, etc. Should a firm elect this approach, it is critical to include an audit trail of actions performed by individuals within the firm.

Mixed approach: In this approach, the matter is secured from its inception, as in the centralized approach. Attorneys on the team are given the ability to grant appropriate access to both internal and external parties when needed. For the best results, software tools to enable encryption and persistent security should be deployed as well. This approach should also include an audit trail of the ad-hoc users added by the attorney. It should allow for compliance monitoring, and ideally, it should be used beyond the DMS.

For all of the above approaches, the firm must also determine which documents are in scope for being secured.For example, a firm may choose to secure only documents containing PHI or PII, or documents containing a client’s confidential information. This approach reduces the number of documents impacted, since the majority of documents in the DMS are typically not sensitive beyond the normal expectation of client service standards.The feasibility of this approach will depend on the firm’s client base, and the effectiveness of the technology and/or process employed to implement such a targeted lock down.