ALM Properties, Inc.
Page printed from: Corporate Counsel
Managing Mobile Risk
Law Technology News
Of the top themes presented at this summer's International Legal Technology Association conference, collaboration and content delivery stood out in the crowd. But what happens when data collaboration and delivery travel to the mobile devices we all carry? Most CIOs see the introduction of unnecessary risk, observed many experts.
While nearly every law firm urges clients to manage their data properly (as in having a formal information lifecycle management program in place), a large number of firms don't practice what they preach. A variety of new technologies have facilitated the breakneck growth of data volumes, and they are shared and stored in locations outside the physical (presumably secure) firm walls. But this model no longer works; firms are beginning to recognize that the risk is too high to ignore.
Controlling information is not a new concept for law firms and their personnel. But today's unmanaged mobility, in the form of BYOD (bring your own device) to work programs and equally unmanaged use of popular Web services such as Dropbox and Evernote, represents a seemingly unstoppable phenomenon. This creates a set of issues that must be addressed before an information governance firestorm hits.
In short, centralized document management, formal information management lifecycles, and proof of governance policy enforcement have all become non-negotiable elements in many firms' policy management and enforcement protocols. And they influence firms' choices of technology.
During the ILTA session, "Information Governance: The New Records Management," Rudy Moliere, director of information governance and records management at White & Case, and Terrence Coan, senior director of information management practice at HBR Consulting LLC, presented the core principles of information governance.
They described information governance as "an enterprisewide approach to the management and protection of client and business information assets." A properly defined program, they said, would enable employees to understand and adhere to their professional responsibility with respect to private or sensitive information they access. They then provided a set of information governance principles to guide organizations that need to create an ethics-based, privacy-driven information management program.
Moliere suggested that firms define and provide guidance and procedures for acceptable use and security of devices, both firm-based and BYOD. Said Coan: "It's important to develop and leverage your firm's existing technology policies. Consider offering firm-approved apps, such as email with Good Technology Inc., and document storage apps. These provide secure remote connectivity and improved control for your data."
Here are some recommendations for use of mobile devices gleaned from their presentation, as well as other sessions and conversations with speakers and vendors at the show. Today, faced with the consumerization of IT, it's important to step back and analyze how our information is managed.
Recognize that official records are now primarily electronic.
Mobile challenge: Information can be generated by, accessed from, shared by, and stored on pretty much any device with a network connection. Mobile devices are an extension of the corporate network and the same protections to client data still apply.
Confirm that all business systems and applications are up to the defined information governance standards (email, storage, billing, litigation, dockets, etc.). Identify administrative processes and establish business "owners." Provide guidance on functional requirements, system selection, and design implementation.
Mobile challenge: Each of these systems has (or will have) mobile access to back-office systems. Formally or informally, controlled or uncontrolled, access control is required.
Correctly classify information, and securely store it in a firm-approved record-keeping system. Firms are seeing an increase in client requests for ethical walls around their legal matter.
Mobile challenge: Mobility, the cloud, and integration with document management systems have challenged IT departments. They are tasked to deliver what users want: ease of use, and access to corporate and firm data from a mobile device while conforming with information governance, and providing security and protection of information.
Control unnecessary proliferation of information, establish formal legal hold policy and protocol, coordinate efforts with the general counsel office to ensure protection of relevant information and coordinate with both records management and IT for disposition.
Mobile challenge: Social networking runs rampant on mobile devices; consumer-oriented cloud-based services are available via uncontrolled app downloads.
Confirm the authenticity and integrity of information. Certify custodial legal hold compliance during the discovery phase of litigation, investigations, or audits.
Mobile challenge: Information can come from pretty much anywhere, and be shared by nearly anyone. It can be manipulated by almost all devices and apps. Users can create integrity issues (purposefully, unintentionally, or accidentally). Inappropriate access (malicious or accidental) can introduce integrity and authenticity issues.
Properly handle the disposition of information when it reaches the end of legal and operational usefulness. Establish retention disposition policy and supporting protocol.
Mobile challenge: Data may be stored on the device unbeknownst to the firm (internal, removable, and cache). The employee may refuse access to the device to clean it up. A lost device is a challenge, as it is outside the control of an anticipated cooperative party who would have helped with the disposal of expired information.
Educate all relevant citizens (lawyers, support staff, and clients) of their information duties. Train the lawyers to rely on support from local office administrators.
Mobile challenge: Just about everyone has become comfortable with (and dependent upon) smartphones and tablets, expecting immediate, unfettered access to information.
Training elements should include:
keeping the device updated;
Paul Wittekind, IT director at Porzio, Bromberg & Newman, sums it up: "Always counsel your firm's staff on how best to manage documents and other content." Even with a mobile device management product like AirWatch, which is designed to prevent the use of Apple Inc.'s iCloud, lawyers can still put documents and content on other unmanaged personal devices, such as a home system, he says. "Sometimes the content may be sitting in an encrypted iPad, which will force the firm to take a good hard look at their existing policies to make sure they cover the mobile world."
Clearly, mobile is here to stay and firms will encourage collaboration via these devices. It just makes plain business sense to do so. However, it is critical that firms take a formal stance on data lifecycle management, and the larger information governance. If defined and controlled well, data collaboration and content delivery on mobile devices will not introduce any more risk than the data residing on the firm's servers, desktops, and laptops.
Sean Martin is the principal of imsmartin consulting, based in Redondo Beach, Calif. Email: email@example.com.