
Post on 24-Jul-2020


PEER TO PEER: THE QUARTERLY MAGAZINE OF ILTA | SPRING 2018

by Ben Weinberger

Will Need-to-Know Security Destroy KM?


Data Security is No Longer Optional

In the past three years, data breaches have become commonplace, and firms have had to up their games to protect client data. It all started to come to light with the Panama Papers (the breach of Mossack Fonseca) in May of 2016. That year saw record breaches increase by 556% over the previous year as more than four billion records were leaked. 2017 was even uglier, as the number of data breaches in the first 6 months alone exceeded the total for all of 2016. Equifax, the RNC, Uber, and Yahoo all were significant headline stories. Now, in 2018, the Facebook / Cambridge Analytica story shows there’s no slowdown. Moreover, news that Mossack Fonseca will close proves that it’s nigh on impossible to survive the reputational damage caused by such an incident.

Regulatory response has been growing. The SEC and FCC were already on the prowl and enforcing to the extent of their power. Then, in 2017, the New York State Department of Financial Services (NYS DFS) cybersecurity regulation came into effect with a phasing-in of numerous, stringent security requirements that apply to all financial entities conducting business or with presence in the State of New York; many of its provisions explicitly apply to those institutions’ law firms. Meanwhile, May of this year brings into effect the European Union’s long-anticipated General Data Protection Regulation (GDPR) with its mandatory security requirements and global reach.

Meanwhile, clients have been slowly pushing their own requirements onto their firms. Regular security audits have become a common occurrence and outside counsel guidelines regularly include specific provisions dictating where and how data can be stored, used, and protected. Simultaneously, the industry saw the emergence of the Corporate Legal Operations Consortium (CLOC) and its collaboration with the Association of Corporate Counsel (ACC) who last year released their Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information.

These regulations and provisions, in conjunction with client pressures and the various enforcement mechanisms being used, essentially have established a standard of care for handling and protecting client data. One of the key common denominators and requirements of those is the expectation that law firms will limit access to client data. The most sensible and defensible approach is to lock down access to client matter files to only those in the firm working on the matter – or who may reasonably require access to that data. This means that only those in the firm whom a client authorizes should have access to that client’s data; this is commonly referred to as ‘need to know’ access.

Major Shift in Thinking Needed?

Knowledge Management in a law firm environment exists to leverage and share the collective expertise and experience of a firm’s professionals to more efficiently deliver services to clients. Historically, this has been accomplished via open access environments where everyone had access to everything content related. Firms invested heavily in document management systems, SharePoint sites, enterprise search – and encouraged people to share. This concept, at its very heart, is the antithesis of security in a time when one compromised credential can bring down an entire organization. Firms must now fundamentally change this entrenched practice that has heretofore enabled everyone inside the firm to access every client’s sensitive documents – not an easy change when lawyers are accustomed to relying upon prior work product as the basis for new work product.

Many firms appear loath to comply with these new mandates, choosing to ignore them or make excuses for why they needn’t follow suit. Their concern? They worry that locking down and limiting access to content repositories will kill knowledge sharing. They express concern that taking away the ability to search for and access others’ prior work product will harm operational efficiency. They have always had access, and many have built knowledge management departments, systems, or processes dedicated to helping locate and share that content. To try to create new workflows or re-learn processes cannot possibly be the intended consequence.

BEN WEINBERGER

Ben Weinberger is Lawyer-in-Residence for Prosperoware, an enterprise software company providing solutions for law firms, corporate legal departments, and professional services firms, and speaks on such topics as Data Privacy and Security, Information Governance and Emerging Technologies, and Transformational Trends in Professional Services. Ben has previously served as Chief Strategy Officer for a global consultancy, in senior executive roles for a top UK law firm and two AmLaw 200 law firms.


Tighter Security Could Make Prior Work-product Worthless?

Firms have made a noble effort to move toward becoming paperless operations. After years of moving away from paper files and implementing systems that enable better content filing and electronic records management, firms have now found themselves in a quandary. Electronic information is booming and the amount of data firms manage continues to grow exponentially. Unfortunately, few have truly capitalized on the opportunity presented by this volume of data. They simply file away their content and perhaps expect that search will provide them the answers they need. To enable their professionals to benefit from the wealth of experience learned from prior matters, firms allow lawyers to search for prior work product. It makes little sense to reinvent the wheel for every new, yet similar matter when lawyers can instead improve service delivery in terms of time and quality by re-using others’ prior work.

In theory, implementing need to know access will immediately create a problem for them by virtue of limiting the pool of prior work product any individual lawyer can search or access. Imagine – it will instantly limit that lawyer to re-using only the work product from matters he previously worked on or from certain clients from other lawyers who provide services as a team. However, consider this: many firms today hold document repositories that exceed tens of millions of documents; contrary to what some might assume, limiting how many can be searched could rather improve efficiency. The more limited dataset being searched could lead to more relevant search results, making it easier to locate specific documents, especially when those searches are being conducted on such a regular basis. That being said, this alone is not the answer.

Targeted Searching via Better Profiles – Focus on Experience

Searching works because it enables people to find content that they may not have known exists simply by using keywords and concepts. Many lawyers search for content they know exists but cannot recall exactly where it is; if it’s their work, it’s not impacted by tighter security controls. However, when systems are locked down so that people no longer are able to search across all others’ work, they lose the ability to find and reuse that work. Does this mean the end of sharing? Not necessarily.

First off, this requirement to apply need to know security is not applicable to public data. That data is easier to handle from a knowledge management standpoint. A significant portion of the data that law firms work with is or eventually becomes public. Examples of this type of data include pleadings filed in court (except for matters under seal, which are rare) and documents filed with most government agencies such as the SEC or UK Companies House. This data is still important to, and plays an integral part in, the broader firm knowledge management initiative. Most firms already are automating the creation of indexes to track this type of data; this includes pleading indexes, closing indexes, bundles, and other various indexes.

Meanwhile, some firms have invested heavily in knowledge management teams and people – typically ‘practice support lawyers’ or other knowledge professionals. These people could process all key documents and make them available for sharing. They could anonymize documents and add them to brief banks; create curated systems of exemplar materials and templates. This already occurs at some well-structured (and well-staffed) firms. However, it is a labor-intensive process and comes at a cost – of both human capital and time. Isn’t this what technology is meant to address? Well, thankfully, yes.

Firms file content into their document management systems. Most today have adopted matter-centric filing and therefore hold basic metadata around each document in the system. However, that metadata as it exists today, while sufficient for ensuring appropriate content security, is likely insufficient to address this more current need. This is where the broader concept of matter profiling can prove invaluable for KM and sharing of content. If firms properly tracked and organized the correct metadata around their engagements and used it to create matter profiles, this challenge of searching and sharing others’ content in a locked-down world would be solved. This concept of matter profiles already should be familiar to business development and marketing teams who rely on experience and expertise information for purposes of winning new business. Having such robust matter profiles would certainly make content searching far more powerful and vastly improve knowledge management.

Rather than training on document management search systems, once firms have implemented the requisite need to know security they would be best served looking at how matter profile search would work in their environment. It can readily drive key knowledge sharing needs. While still maintaining the clients’ needs for limiting access, profiles can deliver a more holistic method for readily identifying the most appropriate work product, regardless of whether a lawyer already has access to the documents in question. Matter profiles provide better context as to the purpose of each document.

Examples of the data that would need to be tracked in such profiles include: matter type, sub-type; area of law; qualifiers or tags; deal / demand / settlement amount; court / location; and industry. Once this information is being collected and attributed, lawyers can track and easily find an appropriate matter and then request access to the data, without the conflict of need to know security. This enables need to know security while still offering a method to provide awareness of the wealth of experience and prior work that exists within a firm.
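As a sketch of the pattern described above (an added example, not part of the original article or any product it mentions): profile metadata is searchable firm-wide, documents stay locked to the matter team, and a lawyer who finds a relevant matter requests access. All class and function names and sample values are hypothetical, and the rule that an existing team member approves requests is an assumption.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class MatterProfile:  # fields follow the article's list; values below are constructed
    matter_id: str
    matter_type: str
    area_of_law: str
    industry: str
    court_location: str
    amount: int
    tags: frozenset = frozenset()

@dataclass
class Firm:
    profiles: dict = field(default_factory=dict)   # matter_id -> MatterProfile
    documents: dict = field(default_factory=dict)  # matter_id -> list of document names
    team: dict = field(default_factory=dict)       # matter_id -> users with need-to-know
    pending: set = field(default_factory=set)      # (user, matter_id) access requests

    def search_profiles(self, tag=None, **fields):
        """Firm-wide search over profile metadata only; returns matter ids, never documents."""
        return sorted(
            p.matter_id for p in self.profiles.values()
            if (tag is None or tag in p.tags)
            and all(getattr(p, k) == v for k, v in fields.items()))

    def list_documents(self, user, matter_id):
        """Document access stays locked to the matter team."""
        if user not in self.team.get(matter_id, set()):
            raise PermissionError(f"{user} has no need-to-know access to {matter_id}")
        return list(self.documents.get(matter_id, []))

    def request_access(self, user, matter_id):
        self.pending.add((user, matter_id))

    def approve(self, approver, user, matter_id):
        # Assumption: an existing team member approves; the article does not say who does.
        if approver not in self.team.get(matter_id, set()) or (user, matter_id) not in self.pending:
            raise PermissionError("approval refused")
        self.pending.discard((user, matter_id))
        self.team[matter_id].add(user)

def build_sample_firm():
    """Constructed sample data: two matters, one team member each."""
    firm = Firm()
    firm.profiles["M-100"] = MatterProfile("M-100", "acquisition", "corporate", "energy",
                                           "New York", 25_000_000, frozenset({"cross-border"}))
    firm.profiles["M-200"] = MatterProfile("M-200", "litigation", "employment", "retail",
                                           "London", 400_000)
    firm.documents = {"M-100": ["share-purchase-agreement.docx"], "M-200": ["defence.docx"]}
    firm.team = {"M-100": {"alice"}, "M-200": {"bob"}}
    return firm
```
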

Other Benefits

These same matter profiles could empower business development and resourcing decisions. Firms can make more intelligent decisions about where to invest and focus resources and marketing programs to improve pitch success rates. To this end, that same metadata can drive: Opportunity Management for firms to track and forecast pipelines; Proposal Generation to streamline and reduce costs and improve results; Matter, Client, Lawyer, Staff, Vendor, and Other Profiles for better search capability; and, Experience Scoring to more quickly locate and identify appropriate personnel.

As firms typically already create pleading and closing indexes, they have an opportunity already to capture and leverage better metadata. Almost all the valuable matter profile information is contained in these documents. Information such as closing dates or key court dates and transaction amounts are typically included in the closing index. A trained person can easily extract and capture such valuable metadata during preparation of that index.

In today’s competitive market for legal services, firms must be able to demonstrate expertise, understand cost structure, price competitively, manage a pipeline of work, and recognize opportunities for cross-selling. Core to all of these processes is leveraging the firm’s data, and it goes well beyond knowledge sharing, which already is at the heart of what lawyers have been doing for years.

As we enter this next stage of knowledge management and this mandate for need to know security, the argument asserting the inherent value of sharing prior work product without any limitations can no longer eclipse the security needs and demands of clients. Rather, firm leaders should take the opportunity to invest appropriately in technology to enable more current processes. This includes better data collection and management as well as automation. This is an opportunity to improve data practices overall. Everything firms do today is related and can be tied together with the same core data—and the mandates of need to know security just provide another opportunity for improvement.
