Why do so many law firms indulge in risky behavior when it comes to managing their clients' records and information?
While the legal community wrestles with cybersecurity challenges such as malware, hackers and data breaches, it should not forget that sometimes the biggest risks come from inside the law firm, through records and information management. Failing to properly sort, file, store, share and retain confidential client information can pose large problems when it comes to risk management and information governance. These mistakes can jeopardize clients and their cases.
A Wild West Mentality
If there is no clear direction from a law firm's executive management for maintaining client files and information, attorneys and assistants will develop their own methods for managing files. If there is no single location where the firm as a whole is instructed to secure matter information, a variety of options will be relied upon, including shared network drives, workstation hard drives, document management systems, cloud-based applications and physical files.
Storing client matter information on a secured network drive is not necessarily a bad thing, as long as the client information is structured and stored under the appropriate matter number. Access to client matter information should be restricted to only individuals authorized to work on that matter.
Traditionally, there has been no governance of how shared network drives are used by attorneys and staff. Some individuals prefer saving information to a shared network drive because they have the ability to establish a folder structure according to their own preferences. Law firms need to be mindful of data protection laws, as well as any data protection requirements imposed by their clients. Restricting access on a shared network drive is easily accomplished if there is a policy and process to do so. Shared network drives are often not reviewed for client matter content when a matter is transferred to another firm or when the matter disposition changes.
With more attorneys working while out of the office (in court, at home or even on vacation), they often turn to applications such as Dropbox as a place to store documents, many of which include confidential client matter information. Without direction to the contrary, attorneys who work remotely may use software as a service (SaaS) applications not supported by their law firm.
As law firms realize the benefits of SaaS applications (cloud-based applications are convenient and allow for real-time collaboration with internal and external legal teams as well as clients), they should acknowledge the usage of Dropbox and other systems outside the control of the law firm's IT department and establish protocols on the usage of those applications to reduce the risk of confidential information being accessed by unauthorized parties. For example, Dropbox recommends users utilize two-factor authentication. An article in Bank Info Security published on June 9, 2016 indicated, “[l]ess than 1% of Dropbox users have two-factor authentication enabled.” See “Dropbox Confident Amidst Breaches.”
Law firms need to ensure that attorneys understand firm-approved methods for managing client matter content. If there is a document management system designated for storing client matter content and it is not being used by attorneys, firms need to know why. It is not uncommon for attorneys to skip out on training for applications used by their firm. An attorney's perception may be that systems not sanctioned by the firm are easier to access and use. Firms cannot protect sensitive client matter information if it exists in multiple silos outside of their control, so it is imperative that the firm's executive management communicate to attorneys the risks associated with managing client matter content in systems outside of internal controls.
Information technology resources should be responsible for vetting SaaS applications to understand the security mechanisms in place.
Use of Outsourced Providers
Law firms may have policies to inform internal support staff of confidentiality requirements; however, many law firms employ outside companies to perform document support functions such as copying, scanning, physical records and messenger services.
Outsourced employees may not receive the same training on internal policies and therefore may unknowingly be violating a firm's confidentiality policies and clients' data security and access requirements. A firm's risk officer or general counsel should develop processes with input from information technology to vet outside vendors' security infrastructures and employee confidentiality training. Outsourced personnel with access to client information must be trained on a firm's confidentiality policies.
Another area that may be overlooked is how law firms use off-site document storage providers. Often, physical documents (loose filing) are the type of files located in a warehouse operated by an outside vendor. Records departments will often send loose filing to the outside vendor with instructions to place documents into the carton containing the appropriate client matter file. Allowing an outside vendor to access clients' confidential information to place documents into files is an unnecessary risk. Client files may contain highly sensitive and confidential materials, such as estate planning documents for high-wealth clients, or they may be subject to International Traffic in Arms Regulations (ITAR) if the client is the military or the U.S. government. In addition, employees of outsourced vendors may or may not be authorized to work in the United States.
Physical Files Still Pose Risks
Many law firms continue to create a physical file that contains paper documents relevant to the matter representation. Security requirements for physical documents constitute an area that may be discounted when developing procedures to comply with confidentiality policies. Depending upon the type of legal representation, a physical file could hold documents that contain protected health information (PHI).
Many firms have implemented security requirements to restrict access to electronic PHI to only those individuals involved in the matter representation. However, those same firms may still be retaining hard copy documents containing PHI in physical files.
Reliance on Home Computers, Portable Storage and More
Although many law firms rely on network files and workstation hard drives, other forms of storage still proliferate in legal environments, including removable portable storage devices, home computers, mobile devices or even personal e-mail accounts. Each of these could open the law firm and its clients to security risks. Many firms are restricting access to USB ports to thwart attempts to download client confidential information onto unprotected external media.
Assuming USB ports are open, firms should provide portable storage devices that are encrypted. Firms also need to have policies regarding the use of home computers. Again, client confidentiality could easily be jeopardized if client matter information is saved to a home computer.
Takeaways
Establish an Official File Policy
Designate approved repositories for storing client matter information. If a physical file is created, someone should have custodial responsibility for managing that file. All instances of client matter content should be identified according to appropriate client matter number and name. All approved repositories should be monitored to ensure compliance with ethical walls, confidentiality screens, litigation holds and outside counsel guidelines.
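The article's two points about shared network drives, that every instance of client matter content should sit under its matter number with access limited to the matter team (see "A Wild West Mentality"), and that approved repositories should be monitored for ethical-wall compliance (this takeaway), can be turned into a routine check. The following is an added example, not code from the article or from InOutsource. It assumes a Windows matter share (hypothetically M:\Matters) with one folder per five-digit matter number, a permissions export produced by `icacls <share> /t`, and a firm-maintained map of matter number to authorized security groups; the export text, the principal names and the map are constructed samples.

```python
"""Audit a matter share's folder permissions against the firm's access list.

Added example, not code from the article or from InOutsource. It assumes
the firm stores client files on a Windows share under one folder per
matter number and exports permissions with `icacls <share> /t`. The
export and the authorized-access map below are constructed samples.
"""
import re

# Constructed icacls-style export (hypothetical share M:\Matters). icacls
# prints each path with its first access control entry (ACE) and indents
# the remaining ACEs. Paths are assumed to contain no spaces.
ICACLS_EXPORT = r"""
M:\Matters\10001-Acme_v_Bolt FIRM\matter-10001-team:(OI)(CI)(M)
                             BUILTIN\Administrators:(OI)(CI)(F)
M:\Matters\10002-Estate_Plan FIRM\matter-10002-team:(OI)(CI)(M)
                             FIRM\Domain Users:(OI)(CI)(RX)
                             BUILTIN\Administrators:(OI)(CI)(F)
M:\Matters\10003-Merger FIRM\matter-10003-team:(OI)(CI)(M)
                        FIRM\jdoe:(OI)(CI)(M)
                        BUILTIN\Administrators:(OI)(CI)(F)
M:\Matters\loose_scans FIRM\Domain Users:(OI)(CI)(M)
Successfully processed 4 files; Failed processing 0 files
"""

# Constructed map: matter number -> principals the matter team is built from.
# In practice this comes from the firm's conflicts/ethical-wall system.
AUTHORIZED = {
    "10001": {r"FIRM\matter-10001-team"},
    "10002": {r"FIRM\matter-10002-team"},
    "10003": {r"FIRM\matter-10003-team"},
}
# Service principals the firm's policy allows on every folder (assumption).
ALWAYS_ALLOWED = {r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM"}
# Firm-wide groups that defeat an ethical wall wherever they appear.
BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users", "Users"}

HEADER_RE = re.compile(r"^(\S+)\s+(.+)$")        # "<path> <first ACE>"
MATTER_RE = re.compile(r"^(\d{5})(?:$|[-_ ])")   # folder starts with matter no.


def parse_icacls(export):
    """Return {path: [(principal, rights), ...]} from icacls-style text."""
    acls = {}
    current = None
    for raw in export.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():            # continuation ACE for the current path
            ace = raw.strip()
        else:
            match = HEADER_RE.match(raw)
            if not match or ":(" not in match.group(2):
                continue                # summary line, not a path entry
            current, ace = match.group(1), match.group(2).strip()
        principal, rights = ace.rsplit(":", 1)
        acls.setdefault(current, []).append((principal, rights))
    return acls


def is_broad(principal):
    """True for firm-wide groups such as Everyone or DOMAIN\\Domain Users."""
    return principal.rsplit("\\", 1)[-1] in BROAD_GROUPS


def audit(export, authorized):
    """Return (folder, finding, detail) tuples for every policy deviation."""
    findings = []
    for path, aces in parse_icacls(export).items():
        folder = path.rstrip("\\").rsplit("\\", 1)[-1]
        match = MATTER_RE.match(folder)
        if not match:
            # Content outside a matter folder cannot be tied to a client matter.
            findings.append((folder, "not-filed-under-matter", ""))
            allowed = set(ALWAYS_ALLOWED)
        elif match.group(1) not in authorized:
            findings.append((folder, "no-access-list", match.group(1)))
            allowed = set(ALWAYS_ALLOWED)
        else:
            allowed = authorized[match.group(1)] | ALWAYS_ALLOWED
        for principal, rights in aces:
            if principal in allowed:
                continue
            kind = "broad-group" if is_broad(principal) else "unauthorized-principal"
            findings.append((folder, kind, f"{principal} {rights}"))
    return findings


if __name__ == "__main__":
    for folder, kind, detail in audit(ICACLS_EXPORT, AUTHORIZED):
        print(f"{folder:20} {kind:24} {detail}")
```

Run against the sample, the audit flags the estate-planning matter that a firm-wide group can read, the merger matter where an individual user sits outside the matter team, and the loose scans folder that is not filed under any matter number. Scheduling this against a fresh icacls export gives the records or risk function a repeatable way to verify ethical walls rather than relying on each attorney's folder habits.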
Develop a Culture of Compliance
Do not assume that attorneys and staff understand the risks associated with managing client matter information. Ongoing training is essential for all employees. Information governance needs to be part of the culture of the firm. Communicate with attorneys and staff to understand their proficiency and comfort with applications provided by the firm to manage client matter content.
Be Aware of Outside Counsel Guidelines (OCG)
OCGs frequently have provisions to limit access to their confidential information. If the terms of the OCG related to access and management of client matter data and documents surpass normal protocols, all staff with access to matter information must be informed of OCG requirements. Firms must establish protocols for complying with OCGs before work on a matter begins.
Nancy Beauchemin, CRM, president of InOutsource, founded the company in 2002 in direct response to law firms' need for in-depth records management and information governance consulting.