Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Paper's Hidden Security Risk

By John Gilbert
June 02, 2014

It is almost impossible to open a newspaper today without reading about cybersecurity breaches. Target Corp., Neimann Marcus and many other companies have been targeted, and many experts think it is only a matter of time until law firms are targeted (if it's not too late already). All this “cyber risk” may have you pining for the days before computers, when almost all information was stored on paper.

In fact, based on the amount of paper law firms still keep ' both onsite and off ' it seems that lawyers literally want to go back in time. Part of the rationale is safety and security. Not only are lawyers often more comfortable in a paper environment, but there is a sense there is less to worry about, with no risk of cyber attacks. In fact, this is a false sense of security.

At the same time, law firms are facing higher expectations than ever on information security; in addition to legal and regulatory requirements including the HITECH (Health Information Technology for Economic and Clinical Health) Act, clients are expecting more protection of their information ' and often auditing their firms overall security. Paper files can be stolen during office break-ins, lost unrecoverable during disasters, and easily left in airports or taxis. Worse, files that end up in the wrong hands are easy to read, with no password or other protections.

Paper Losses

Stories of people accidentally leaving paper documents places are extremely common. It is very easy to leave a paper file in the seatback of a plane, in a commuter train station or in a taxi. Since paper files are not password protected, once left these papers are immediately exposed to whoever picks them up.

Furthermore, many organizations are not vigilant enough about how they destroy such records. For example, in 2011 some sensitive documents related its Chemical Ordnance, Biological, Radiological Awareness (COBRA) taskforce were found outside the team's Manhattan stationhouse in a garbage can. And for more than a decade until 2011, Dallas County, TX, used parolees and probationers for sorting and shredding sensitive records, including Social Security cards and medical records.

Inappropriate Access

While most of the stories in the news focus on electronic hacking from overseas, many firms do not pay enough attention to their physical plant; it's just not as hard to gain access as one would think. Access cards, ID checks and locks are, of course, generally effective, but not 100%. It is not at all uncommon to slip on these procedures and allow access to areas that should be secured. There is also the real risk of allowing guests, visitors, workers, etc., to find documents left on counters, near copy machines and on desktops. And by their nature, paper documents are easy to snatch and remove without detection.

One additional risk that manifests in paper documents ' but not electronic ones ' is tampering. Anyone who gains access can remove or add pages, or combine files in a way that could be misleading.

Natural (and Unnatural) Catastrophes

The list of catastrophes that have faced law firms over the past few years is staggering. The attacks on 9/11, Katrina, Sandy, earthquakes, countless fires and more. While offsite storage providers provide “highly protected” facilities, even these are not 100% foolproof. But a much greater risk is office paper. We've all seen images of paper literally filling up the streets in some of these instances. While the security risk here is akin to a needle in a haystack, the fact that these records could be lost forever is a giant consideration.

As an example, one smaller firm on the East Coast had been storing their documents in the basement (not uncommon for small firms) when Sandy hit. The basement was flooded forcing the firm to make a decision: destroy the documents or pay the high cost of drying the records out. Unable to quickly decide, the firm chose to instead freeze the documents until further evaluation could be done. The documents remain in a commercial freezer, resting snugly between steaks and lobster.

Misfiling and Misplacing

Paper documents must be manually labeled and stored. While many firms include search and track capabilities, those simply describe where the file should be ' not necessarily where it actually is. The manual processes around paper create an increased likelihood of misplacing files, not to mention a delay in accessing them.

Achieving Better Security

One way to avoid the risk from paper is to scan whatever you can and store electronically. (Follow best practices in electronic data security in order to make sure electronic documents are safe.) While it may be impossible to scan the troves of paper that remain, either onsite or off, a great way to start is to scan every possible new piece of paper that comes into the firm, and destroy the original pages with good document destruction protocols. We call this a “less paper” strategy.

The key to such a policy is making it easier for all staff to scan every day. This can be done by simplifying the experience for all users and developing workflows and technologies that build on the way firms' professionals are working already. For example, leverage technology to make scanning simple and use the same interface on all devices so it's easy for staff to scan.

Furthermore, use technology to automatically route electronic documents to where they will ultimately reside ' ideally a document management system. This allows the electronic documents to immediately become part of the firms' document retention and disaster recovery programs.

Once a decision is made to destroy the paper version, it must be properly managed. Understand who is responsible for handling, transporting and destroying paper is critical to avoiding the nightmares associated with lost documents. And don't underestimate the value of the QA process from the time the document is scanned until the paper version is destroyed.

For the Paper That Remains

While law firms have been talking about the “paperless office” for many years, paper is here to stay. Not only do most firms not have the will to review and scan boxes and boxes of paper that they have accumulated over decades, but some documents must be maintained in original format for regulatory or other purposes.

For these remaining paper documents, firms must do a better job securing documents during the entire span of their lifecycle. Consider the following strategies that will assist in the difficult process of document safety and compliance.

Limit Access. The area where critical paper documents are stored must be secure. Access should be limited only to appropriate personnel, and access should be monitored at all times. Installing fingerprint or facial recognition technologies, PIN-pads and/or swipe card-readers likely make sense as well.

Invest in Paper-Saving Technology. Investing in fire prevention systems and non-water fire suppressant alternatives will minimize risk. Making sure that offices are above the water plane can make a big difference in mitigating the damage from smaller floods.

Off-Site Storage. Off-site storage companies are in the business of protecting paper documents and are typically very good about it. However, they charge fees each time boxes are retrieved, so this is typically only a good option for archived paper. Additionally, there is some risk during the transportation process. While archiving with an outside provider is likely safer than keeping the documents on site, for the most part it is an inferior solution to scanning the documents and storing electronically.

Conclusion

While cyber risk seems to be getting all the press, it is important to remember that keeping paper has many of the same risks ' and even more. Especially due to the lack of password protection and encryption on paper documents, it probably makes sense to scan as many as possible and store electronically. And it is absolutely crucial to set up good protocols for documents that remain on paper.


John Gilbert is Senior Vice President at nQueue, a provider of cost recovery and document scanning and routing solutions worldwide. He can be reached at [email protected].

It is almost impossible to open a newspaper today without reading about cybersecurity breaches. Target Corp., Neimann Marcus and many other companies have been targeted, and many experts think it is only a matter of time until law firms are targeted (if it's not too late already). All this “cyber risk” may have you pining for the days before computers, when almost all information was stored on paper.

In fact, based on the amount of paper law firms still keep ' both onsite and off ' it seems that lawyers literally want to go back in time. Part of the rationale is safety and security. Not only are lawyers often more comfortable in a paper environment, but there is a sense there is less to worry about, with no risk of cyber attacks. In fact, this is a false sense of security.

At the same time, law firms are facing higher expectations than ever on information security; in addition to legal and regulatory requirements including the HITECH (Health Information Technology for Economic and Clinical Health) Act, clients are expecting more protection of their information ' and often auditing their firms overall security. Paper files can be stolen during office break-ins, lost unrecoverable during disasters, and easily left in airports or taxis. Worse, files that end up in the wrong hands are easy to read, with no password or other protections.

Paper Losses

Stories of people accidentally leaving paper documents places are extremely common. It is very easy to leave a paper file in the seatback of a plane, in a commuter train station or in a taxi. Since paper files are not password protected, once left these papers are immediately exposed to whoever picks them up.

Furthermore, many organizations are not vigilant enough about how they destroy such records. For example, in 2011 some sensitive documents related its Chemical Ordnance, Biological, Radiological Awareness (COBRA) taskforce were found outside the team's Manhattan stationhouse in a garbage can. And for more than a decade until 2011, Dallas County, TX, used parolees and probationers for sorting and shredding sensitive records, including Social Security cards and medical records.

Inappropriate Access

While most of the stories in the news focus on electronic hacking from overseas, many firms do not pay enough attention to their physical plant; it's just not as hard to gain access as one would think. Access cards, ID checks and locks are, of course, generally effective, but not 100%. It is not at all uncommon to slip on these procedures and allow access to areas that should be secured. There is also the real risk of allowing guests, visitors, workers, etc., to find documents left on counters, near copy machines and on desktops. And by their nature, paper documents are easy to snatch and remove without detection.

One additional risk that manifests in paper documents ' but not electronic ones ' is tampering. Anyone who gains access can remove or add pages, or combine files in a way that could be misleading.

Natural (and Unnatural) Catastrophes

The list of catastrophes that have faced law firms over the past few years is staggering. The attacks on 9/11, Katrina, Sandy, earthquakes, countless fires and more. While offsite storage providers provide “highly protected” facilities, even these are not 100% foolproof. But a much greater risk is office paper. We've all seen images of paper literally filling up the streets in some of these instances. While the security risk here is akin to a needle in a haystack, the fact that these records could be lost forever is a giant consideration.

As an example, one smaller firm on the East Coast had been storing their documents in the basement (not uncommon for small firms) when Sandy hit. The basement was flooded forcing the firm to make a decision: destroy the documents or pay the high cost of drying the records out. Unable to quickly decide, the firm chose to instead freeze the documents until further evaluation could be done. The documents remain in a commercial freezer, resting snugly between steaks and lobster.

Misfiling and Misplacing

Paper documents must be manually labeled and stored. While many firms include search and track capabilities, those simply describe where the file should be ' not necessarily where it actually is. The manual processes around paper create an increased likelihood of misplacing files, not to mention a delay in accessing them.

Achieving Better Security

One way to avoid the risk from paper is to scan whatever you can and store electronically. (Follow best practices in electronic data security in order to make sure electronic documents are safe.) While it may be impossible to scan the troves of paper that remain, either onsite or off, a great way to start is to scan every possible new piece of paper that comes into the firm, and destroy the original pages with good document destruction protocols. We call this a “less paper” strategy.

The key to such a policy is making it easier for all staff to scan every day. This can be done by simplifying the experience for all users and developing workflows and technologies that build on the way firms' professionals are working already. For example, leverage technology to make scanning simple and use the same interface on all devices so it's easy for staff to scan.

Furthermore, use technology to automatically route electronic documents to where they will ultimately reside ' ideally a document management system. This allows the electronic documents to immediately become part of the firms' document retention and disaster recovery programs.

Once a decision is made to destroy the paper version, it must be properly managed. Understand who is responsible for handling, transporting and destroying paper is critical to avoiding the nightmares associated with lost documents. And don't underestimate the value of the QA process from the time the document is scanned until the paper version is destroyed.

For the Paper That Remains

While law firms have been talking about the “paperless office” for many years, paper is here to stay. Not only do most firms not have the will to review and scan boxes and boxes of paper that they have accumulated over decades, but some documents must be maintained in original format for regulatory or other purposes.

For these remaining paper documents, firms must do a better job securing documents during the entire span of their lifecycle. Consider the following strategies that will assist in the difficult process of document safety and compliance.

Limit Access. The area where critical paper documents are stored must be secure. Access should be limited only to appropriate personnel, and access should be monitored at all times. Installing fingerprint or facial recognition technologies, PIN-pads and/or swipe card-readers likely make sense as well.

Invest in Paper-Saving Technology. Investing in fire prevention systems and non-water fire suppressant alternatives will minimize risk. Making sure that offices are above the water plane can make a big difference in mitigating the damage from smaller floods.

Off-Site Storage. Off-site storage companies are in the business of protecting paper documents and are typically very good about it. However, they charge fees each time boxes are retrieved, so this is typically only a good option for archived paper. Additionally, there is some risk during the transportation process. While archiving with an outside provider is likely safer than keeping the documents on site, for the most part it is an inferior solution to scanning the documents and storing electronically.

Conclusion

While cyber risk seems to be getting all the press, it is important to remember that keeping paper has many of the same risks ' and even more. Especially due to the lack of password protection and encryption on paper documents, it probably makes sense to scan as many as possible and store electronically. And it is absolutely crucial to set up good protocols for documents that remain on paper.


John Gilbert is Senior Vice President at nQueue, a provider of cost recovery and document scanning and routing solutions worldwide. He can be reached at [email protected].

Read These Next
Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.

Fresh Filings Image

Notable recent court filings in entertainment law.

Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.