Managing Mobile Risk for Lawyers
Law Technology News
Of the top themes presented at this summer's International Legal Technology Association conference, collaboration and content delivery stood out in the crowd. But what happens when data collaboration and delivery travels to the mobile devices we all carry? Most CIOs see the introduction of unnecessary risk, observed many experts.
While nearly every law firm urges clients to manage their data properly (as in having a formal information lifecycle management program in place), a large number of firms don't practice what they preach. A variety of new technologies have facilitated the breakneck growth of data volumes, and that data is shared and stored in locations outside the physical (presumably secure) firm walls. But this model no longer works; firms are beginning to recognize that the risk is too high to ignore.
Controlling information is not a new concept for law firms and their personnel. But today's unmanaged mobility, in the form of bring-your-own-device (BYOD) programs, and the equally unmanaged use of popular Web services such as Dropbox and Evernote represent a seemingly unstoppable phenomenon. This creates a set of issues that must be addressed before an information governance firestorm hits.
In short, centralized document management, formal information management lifecycles, and proof of governance policy enforcement have all become non-negotiable elements in many firms' policy management and enforcement protocols. And they influence firms' choices of technology.
During the ILTA session, "Information Governance: The New Records Management," Rudy Moliere, director of information governance and records management at White & Case, and Terrence Coan, senior director of information management practice at HBR Consulting LLC, presented the core principles of information governance.
They described information governance as "an enterprisewide approach to the management and protection of client and business information assets." A properly defined program, they said, would enable employees to understand and adhere to their professional responsibility with respect to private or sensitive information they access. They then provided a set of information governance principles to guide organizations that need to create an ethics-based, privacy-driven information management program.
Moliere suggested that firms define and provide guidance and procedures for acceptable use and security of devices, both firm-based and BYOD. Said Coan: "It's important to develop and leverage your firm's existing technology policies. Consider offering firm-approved apps, such as email with Good Technology Inc., and document storage apps. These provide secure remote connectivity and improved control for your data."
Here are some recommendations for use of mobile devices gleaned from their presentation, as well as other sessions and conversations with speakers and vendors at the show. Today, faced with the consumerization of IT, it's important to step back and analyze how our information is managed.
Recognize that official records are now primarily electronic.
- Mobile challenge: Information can be generated by, accessed from, shared by, and stored on pretty much any device with a network connection. Mobile devices are an extension of the corporate network and the same protections to client data still apply.
- Mobile tip: Define your mobile information management processes and policies to match your firm's needs as they relate to electronic data and then take a proactive approach to selecting the appropriate technologies and controls.
- Vendor tip: "The trend toward paperless document access enables attorneys to take advantage of the benefits of mobile computing," says Cheryl Tang, senior product marketing manager at Good Technology. "The use of mobile devices also introduces unique challenges related to protecting sensitive client data, particularly on personally owned devices," she says. "Rather than completely blocking access to electronic files, firms should look for technology that will control and protect firm data while allowing attorneys to access the data that they need on any device."
Confirm that all business systems and applications are up to the defined information governance standards (email, storage, billing, litigation, dockets, etc.). Identify administrative processes and establish business "owners." Provide guidance on functional requirements, system selection, and design implementation.
- Mobile challenge: Each of these systems has (or will have) mobile access to back-office systems. Whether that access is formal or informal, controlled or uncontrolled, access control is required.
- Mobile tip: Define the access control rules for mobile devices and mobile information. Collaboration is becoming a big thing (as noted above), so collaboration rules and controls are critical.
- Vendor tip: We recommend the use of technologies such as encryption, strong two-factor authentication, and endpoint control to enforce the identification of the user and the mobile device, said Matthew Dieckman, Dell SonicWall Inc. product line manager for secure remote access. This helps administrators ensure that only those users coming in from an approved device (company-issued or not) can access the systems and sensitive resources.
Correctly classify information, and securely store it in a firm-approved record-keeping system. Firms are seeing an increase in client requests for ethical walls around their legal matters.
- Mobile challenge: Mobility, the cloud, and integration with document management systems have challenged IT departments. They are tasked with delivering what users want (ease of use, and access to corporate and firm data from a mobile device) while conforming to information governance and providing security and protection of information.
- Mobile tip: Mobile apps must support technologies that can encrypt and control the data on the device and in transit. These capabilities should be offered in native apps. Firms must control the proper use of the device as well, "containerizing" the apps and data to keep personal use separate from business use.
- Vendor tip: "It is important to allow the user to download documents to the tablet for offline access when Wi-Fi is not available or difficult to get," says Leonard Johnson, vice president of marketing at NetDocuments. "A cloud-based document management system, with extensions to common document management services, offers anytime, anywhere access, giving the users the ability to have their documents on hand when they need them," added Johnson. "Giving lawyers the ability to select the documents they need as they visit a client or are in court is vital, but the locally stored documents must be encrypted and there must be a way for the firm to remove them when applicable."
Control unnecessary proliferation of information, establish a formal legal hold policy and protocol, coordinate efforts with the general counsel's office to ensure protection of relevant information, and coordinate with both records management and IT for disposition.
- Mobile challenge: Social networking runs rampant on mobile devices; consumer-oriented cloud-based services are available via uncontrolled app downloads.
- Mobile tip: Define which apps personnel may download and use, and define how they may interact with the confidential information.
- Vendor tip: "Because data can be so easily shared with other mobile apps and cloud-based storage, Good Technology recommends securing data and applications," says Tang. "This approach enables firms to embrace BYOD, while protecting confidential client data and respecting personal device usage." Good Technology partners with mobile app developers who have developed products such as Branchfire's iAnnotate, Picsel SmartOffice, and a suite from Advanced Productivity Software Inc., she said. Look to create an "ecosystem of secure, trusted mobile collaboration applications that enable attorney productivity while ensuring client data remains within the purview of IT," Tang suggests.
Confirm the authenticity and integrity of information. Certify custodial legal hold compliance during the discovery phase of litigation, investigations, or audits.
- Mobile challenge: Information can come from pretty much anywhere, and be shared by nearly anyone. It can be manipulated by almost all devices and apps. Users can create integrity issues (purposefully, unintentionally, or accidentally). Inappropriate access (malicious or accidental) can introduce integrity and authenticity issues.
- Mobile tip: As data is being created, shared, and stored, it should be digitally signed. That protects the data as it travels the mobile space, and signatures can be verified independently of the data owners' own claims.
- Vendor tip: "Mobile devices represent another nail in the coffin of perimeter security," says Turks and Caicos Islands-based Mike Gault, CEO of Guardtime. The company offers Keyless Signatures, binary tags that help organizations protect their electronic data. The product combines hash functions based on server-side signatures with hash-linking based on time stamps, delivered using a distributed and hierarchical infrastructure, according to the website. "Simple self-made claims and the antiquated use of MD5 hashes will no longer suffice, as these methods of proof rely on trust not science. At some point, firms will be required to actually take the steps to prove that they have properly secured and protected their clients' data," he says.
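To make the integrity point above concrete, here is an added example (not code from the article, from Guardtime, or from any product it mentions) of hash-linking document events to their time stamps so that a verifier can recompute the whole chain from the documents themselves, contrasted with the "self-made" MD5 claim the page criticizes. It assumes the chain head is recorded somewhere outside the data owner's control; the document events are constructed sample data.

```python
import hashlib

GENESIS = "0" * 64  # previous-head value for the first entry

# Constructed sample: document events a firm might record as files move through mobile workflows.
SAMPLE_EVENTS = [
    ("2012-09-10T14:03:00Z", b"Engagement letter v1"),
    ("2012-09-10T15:21:00Z", b"Engagement letter v2 (client edits)"),
    ("2012-09-11T09:00:00Z", b"Discovery index"),
]

def doc_hash(data: bytes) -> str:
    """SHA-256 digest of the document bytes (MD5 is deliberately not used)."""
    return hashlib.sha256(data).hexdigest()

def link(prev_head: str, ts: str, dhash: str) -> str:
    """Hash-link one entry to its predecessor. The entry commits to the prior head, the
    time stamp and the document digest, so none of them can change without changing
    every head that follows."""
    return hashlib.sha256(f"{prev_head}|{ts}|{dhash}".encode()).hexdigest()

def build_chain(events):
    """Return (entries, head). The head is the single value the firm records outside
    the data owner's control (assumed here, e.g. lodged with a third party) as the anchor."""
    entries, prev = [], GENESIS
    for ts, data in events:
        dh = doc_hash(data)
        head = link(prev, ts, dh)
        entries.append({"ts": ts, "doc_hash": dh, "prev": prev, "head": head})
        prev = head
    return entries, prev

def verify_chain(entries, anchor, documents):
    """Recompute every link from the documents themselves, independent of any claim the
    owner makes. Returns None if consistent with the anchor, otherwise the index of the
    first bad entry (len(entries) means self-consistent but not the anchored chain)."""
    prev = GENESIS
    for i, (entry, data) in enumerate(zip(entries, documents)):
        head = link(prev, entry["ts"], doc_hash(data))
        if entry["prev"] != prev or entry["head"] != head:
            return i
        prev = head
    return None if prev == anchor else len(entries)

def self_made_claim_holds(data: bytes, claimed_md5: str) -> bool:
    """The 'self-made claim' the page criticizes: a digest stored next to the file.
    Whoever alters the file can store a fresh digest, so a passing check proves nothing."""
    return hashlib.md5(data).hexdigest() == claimed_md5
```

Altering any document or time stamp, or rebuilding the chain after an edit, is detected because the recomputed head no longer matches the externally held anchor, whereas the MD5 check still passes for whoever last wrote both the file and its digest.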
Properly handle the disposition of information when it reaches the end of legal and operational usefulness. Establish retention disposition policy and supporting protocol.
- Mobile challenge: Data may be stored on the device unbeknownst to the firm (internal, removable, and cache). The employee may refuse access to the device to clean it up. Lost devices are a challenge, as they are outside the control of the cooperative party who would otherwise have helped with the disposal of expired information.
- Mobile tip: Apps must support technologies that can encrypt and control the data on the device and during transit. Consider using applications that offer IT control of the mobile devices and data.
- Vendor tip: NetDocuments integrates with Good Technology, and offers a dedicated document management app as well as its own repository administrative controls, says NetDocuments' Johnson. The technologies can prevent data leakage and can control emailing out, copying and pasting, and unencrypted downloading. Both selective and full-device remote wipes are available.
Educate all relevant citizens (lawyers, support staff, and clients) about their information duties. Train the lawyers to rely on support from local office administrators.
- Mobile challenge: Just about everyone has become comfortable with (and dependent upon) smartphones and tablets, expecting immediate, unfettered access to information.
- Mobile tip: Firms must set user expectations about mobile device policies, especially for BYOD and BYOA (bring your own apps).
- Vendor tip: The first question that human resources must be asked is "Can BYOD be used for work?" says Lance Spitzner, training director at SANS Securing the Human Program. "If so, what requirements does an organization have before any organizational data can be stored on it? Once the device is updated and meets organizational requirements, what organizational data can be stored on it and how? Additionally, individuals should also be taught the best practices in using the device."
Training elements should include:
- keeping the device updated;
- only installing required apps from trusted locations;
- protecting the device with a strong password;
- awareness of social engineering attacks against mobile devices, usually over messaging or voice; and
- immediately reporting a lost or stolen device to the IT security team.
Paul Wittekind, IT director at Porzio, Bromberg & Newman, sums it up: "Always counsel your firm's staff on how best to manage documents and other content." Even with a mobile device management product like AirWatch, which is designed to prevent the use of Apple Inc.'s iCloud, lawyers can still put documents and content on other unmanaged personal devices, such as a home system, he says. "Sometimes the content may be sitting in an encrypted iPad, which will force the firm to take a good hard look at their existing policies to make sure they cover the mobile world."
Clearly, mobile is here to stay, and firms will encourage collaboration via these devices. It just makes plain business sense to do so. However, it is critical that firms take a formal stance on data lifecycle management and on the larger matter of information governance. If defined and controlled well, data collaboration and content delivery on mobile devices will not introduce any more risk than the data residing on the firm's servers, desktops, and laptops.
Sean Martin is the principal of imsmartin consulting, based in Redondo Beach, CA. Email: firstname.lastname@example.org.
This article originally appeared in Law Technology News.