Lawyers deal, on a daily basis, with paper-based information that is confidential and commercially (and sometimes politically) sensitive. While attorneys readily accept security restrictions when handling paper, they may not be as confidentiality-conscious in their electronic dealings. Mention the words “electronic security” to lawyers and techies and eyes begin to roll. Everyone knows that security is important, but the practicalities tend to be difficult and jargon-laden. But as browser-accessed databases become a global reality, lawyers must become more security savvy.

FREE ACCESS

Today, Internet-based information can be accessed freely, including from nonlegal environments such as Internet cafés. The move from databases stored on a stand-alone PC to databases accessed via the Internet has been characterized by an increase in the number of potential access points to our systems — especially as our legal teams have become larger. Additionally, external users (such as clients, counsel and experts) have arrived on the scene. More importantly, the legal teams have become global, and they want their databases to be accessible anywhere at any time. This has raised all sorts of security issues relating to access.

Lovells’ response has been to look for ways to prevent people from accessing inappropriate information. This might appear to be at odds with the technology department’s role within the firm — which has been to increase and improve access to our litigation support databases for teams working within our buildings. The reality is that we are dealing with different sides of the same coin.

The range of products that we use at my firm shows that there is no single correct way of implementing database security, and indeed different products emphasise different aspects of security. We have a series of organizational infrastructure security controls that are common to both of our database programs.
These include intruder protection, firewalls, direct connections (dial-up modems, frame relay links, and virtual private networks) and audit trails.

INFRASTRUCTURE

First, a bit of history. Lovells was created in 2000, with the merger of Lovell White Durrant and Boesebeck Droste. We are the fourth-largest law firm in Europe, and the eighth-biggest in the world. We operate in 26 cities, and have about 315 partners, 858 lawyers and 1,920 nonlawyer staff worldwide. We are a PC-based law firm and are near the end of a firmwide rollout of Microsoft Corp.’s Windows 2000 and Office XP. Our time recording is via Carpe Diem (from Best U.S. Holdings Inc.), and our document management system is DOCS Open Version 3.9, from Hummingbird Ltd.

TWO PRODUCTS

Back to security. Let’s look at two products in use at Lovells, which deal with the problem of security in different ways. First, we have been using a litigation support system called JFS Litigators Notebook (from Bowne & Co. Inc.) for some years at Lovells. A U.S.-derived product, its key attraction to us was that it allowed users access to our databases anywhere in the world. The system allows our many legal teams to collaborate in a shared forum and work on a combined work product.

For example, we received a request for access to a database of evidentiary documents from teams of lawyers working in our New York, Chicago and London offices. By detailing our security architecture to our clients, we assured them that we had addressed their security concerns and that we could proceed. We opted to have individual replicas of the database loaded on the hard disk of the lawyers’ computers and we established “computer to server” links between the various PCs and the London JFS server. A central copy of the database was stored on a JFS server in our London office.
We were able to advise the clients that as JFS was designed to be used both by users connected to a network and by users either temporarily or permanently unconnected to a network, it had several integrated security features. Unlike many litigation support systems, it is not overly reliant on network operating system security features such as password-protected network logins. JFS uses a unique password-protected ID file, and users must prove their identity each time they attempt to access a JFS database or server. It offers strong access control features. Only explicitly named users have access to JFS servers and databases.

We only use direct, private-line connections — for example, frame relay links or dial-up modem connections — for replication. Replication is the process that synchronizes copies of databases and ensures that everyone is looking at the most current data. For additional security, all data transmission is encrypted. This means that the data is scrambled and is unintelligible to would-be eavesdroppers.

We were conscious that each time we created a replica of a database we also increased the threat of data misuse. We were therefore careful to limit the number of replica databases that we created, and we protected those that we created by encrypting them with the authorized user’s I.D. file, thereby limiting access to the authorized user only.

FIREWALL

Several security concerns must be addressed to keep our internal JFS infrastructure secure. You may be familiar with the concept of a firewall. A firewall can consist of software, hardware or a combination of both and is a system that provides some form of access control between two networks, generally a company’s private network and the Internet. Every packet of data that leaves or enters a private network is examined and, based on a set of predefined rules, it determines whether or not that particular packet of data is allowed into or out of the network.
We have used the same principle in designing our JFS infrastructure. Our firewall JFS server is used to store databases used for replication by our external users. Only Lovells users are given access to our central JFS server, however, and this server is inside our private network.

Often, applying security to a system adds a layer of complexity, making the system difficult for users to operate. Our goal has been to work towards a security architecture that is as transparent as possible to the end user, yet is effective in its denial of all unauthorized access.

RINGTAIL

Recently, we have been looking at another litigation support system called Ringtail, from Australia-based Ringtail Solutions Inc., which has similar functionality to JFS, but is designed specifically to work over the Internet via an Internet browser. The architecture of the product is also different to JFS, based as it is on Microsoft databases and standards rather than JFS’ use of Lotus-based standards.

The Ringtail servers are located in a physically secure environment within a dedicated server room. Access to this room is limited to members of the Lovells group running the software, and to selected individuals within the Lovells technology department.

Every time a user logs into Ringtail, a Unique Session Identification (UID) is issued both to the Web server and to the user’s PC. This identifies the user. Without a UID you cannot access information on the system. After logout, the UID is discarded. This means users have to re-identify themselves each time they access the system.

SIX DEFAULT

There are six default categories of user logins, from “administrator” with the most privileges, to “read-only,” which allows users read-only access to document lists. Users cannot see a case unless they are a member of that case’s group of users, or look at a folder if the folder is categorized as private and they are not an owner or member of a group with access rights to it.
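
The login and blocking rules described above, sketched as an added Python example (not Ringtail's code and not part of the original article). The class, field, case, folder and user names are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Folder:
    case: str
    private: bool = False
    owner: str = ""
    groups: set = field(default_factory=set)   # groups granted access

class AccessModel:
    def __init__(self, case_members, groups, folders):
        self.case_members = case_members   # case -> set of users
        self.groups = groups               # group -> set of users
        self.folders = folders             # folder name -> Folder
        self.sessions = {}                 # session ID -> user

    def login(self, user):
        sid = secrets.token_urlsafe(32)    # unguessable, issued per login
        self.sessions[sid] = user
        return sid

    def logout(self, sid):
        self.sessions.pop(sid, None)       # discarded: the old ID is worthless

    def visible_cases(self, sid):
        user = self.sessions.get(sid)
        if user is None:
            return []                      # no valid session ID, no data
        # Cases the user is not a member of are never listed at all.
        return sorted(c for c, m in self.case_members.items() if user in m)

    def can_open_folder(self, sid, name):
        user, f = self.sessions.get(sid), self.folders.get(name)
        if user is None or f is None:
            return False                   # deny by default
        if user not in self.case_members.get(f.case, set()):
            return False                   # not in the case's group of users
        if not f.private:
            return True
        in_group = any(user in self.groups.get(g, set()) for g in f.groups)
        return user == f.owner or in_group

# Constructed sample data (all names are made up for illustration).
MODEL = AccessModel(
    case_members={"case-A": {"alice", "bob"}, "case-B": {"carol"}},
    groups={"experts": {"bob"}},
    folders={"pleadings": Folder("case-A"),
             "strategy": Folder("case-A", private=True, owner="alice"),
             "reports": Folder("case-A", private=True, owner="alice",
                               groups={"experts"})},
)
```
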
This form of blocking removes the temptation from users to try and access something to which they have no rights. Once access has been granted to the database, an auditing system takes over which details the user’s document history, case audit trail, log of most visited documents and log of database changes. This is similar to the audit trail of server activity found in JFS.

At the operating system level, Ringtail will run on either Windows 2000 or Windows NT, each with their own systems of login and encryption. Windows allows groups of users to be set up, with rights of access to information tightly controlled. This is similar to access control in Ringtail and JFS.

SYNERGY

An effective security policy does not rely just on the security afforded by a single product. An efficient security umbrella is the result of security produced by individual products, such as databases, combined with the security produced by products that are actually designed to protect the firm, such as a firewall. The consequence of a correctly implemented security policy is that it acquires a resilience and synergy of its own, because the degree of protection provided by such a policy is far greater than the sum of its parts.

Finally, we arrive at the age-old question, “How much security is enough?” One simple answer is, “Security is acceptable when lawyers and clients are satisfied that their data is safe.” Some clients are more easily satisfied than others, depending on the sensitivity of the information in question. Ultimately, the systems that we use and the security policies that we implement need to be robust and flexible enough to deal with all contingencies.

Bill Onwusah is litigation support department manager for Lovells, based in London. E-mail: [email protected]. Web: www.lovells.com.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.