As law firms increasingly look to transition from an open access document management system to a need-to-know or pessimistic security model, Am Law 200 law firm Thompson Hine has selected Confidentiality Manager from Prosperoware, we can reveal. Here Prosperoware outlines the drivers, the process, and how the new system will be integrated going forward.
Headquartered in Cleveland, Thompson Hine LLP is an Am Law 200 firm with approximately 400 lawyers in seven offices. The firm was ranked number 1 by The Financial Times in the category “Most innovative North American law firms: New working models” and is among the top five firms recognized in the BTI Brand Elite for “making changes to improve the client experience.”
Alan Lufkin has been with Thompson Hine for six years and currently serves as the associate director of Business Intake. His group consists of over 30 people throughout the firm’s seven offices. Lufkin’s responsibilities include aspects of the risk management function as it pertains to the firm’s records; specifically, he is responsible for implementing clients’ security requirements and limiting access to clients’ content in electronic repositories, including the firm’s document management system.
In September 2017, the firm migrated from the OpenText eDocs document management system to NetDocuments. The decision to move to NetDocuments triggered an ancillary need to select a new tool to manage matter- and document-level security for implementing ethical walls and enabling need-to-know access.
Business Drivers: A New Era of ‘Security First’ Information Governance
According to the Association of Corporate Counsel’s Chief Legal Officers 2018 Survey, data breaches and information privacy were among the top three concerns of chief legal officers (CLOs) heading into 2018. Data breaches and protection of corporate data (70 percent) and information privacy (68 percent) ranked second and third in importance for two-thirds of CLOs, with seven in 10 rating them extremely or very important for the coming year. These concerns are driving mandates to their outside counsel firms to change from open access to need-to-know security models – and, more and more, these mandates are coming in the form of contractual obligations known as outside counsel guidelines (OCGs).
The need for systems to better control and limit access to content, therefore, is growing. Firms now receive OCGs on a routine basis, and no longer just from large, institutional clients. Rather, the practice is blossoming to include even smaller corporate clients. Thompson Hine, as an example, has hundreds of OCGs with which the firm must comply. Clients are particularly interested in establishing security and compliance protocols for all repositories where their data may reside, as well as establishing audit processes. As a result, firms are finding it challenging to respond to the myriad security audits where clients ask very detailed questions about security and compliance efforts.
“From an information governance perspective, the historical model of dozens of supported repositories of data managed independently and secured on an ad hoc basis does not work,” states Lufkin. “It doesn’t work for client security audits and it doesn’t work in the era of OCGs. Thompson Hine, therefore, made the decision to move to a model where we think of security first and then apply that security across repositories. We wanted a central method for controlling access, a single tool that could do that and provide an audit trail that satisfies us as well as our clients; it’s important and we knew our approach would be a differentiator for our firm. We were pleased to find that Prosperoware’s Confidentiality Manager (CM) platform could meet our needs.”
Ed Carroll, director of Information Services at the time, went through the process of due diligence to investigate competing products on the market. He led the decision to select Prosperoware CM to complement the firm’s NetDocuments environment.
Today, the firm is managing approximately six million active documents and implementing scores of confidentiality screens a year using CM. When asked about the impact to the firm of using the Prosperoware software, Lufkin comments, “Our attorneys didn’t notice the implementation – and we take that as a good thing. Security just needs to work, period. The lawyer’s access control list includes an entry that is secured by a group policy that otherwise limits who has access. That is the extent of the attorneys’ current visibility.”
Meanwhile, clients are showing an ever-greater concern for who has access to their data – whether it’s being walled-off for ethical considerations or because they have tighter requirements around who can be allowed access to their files.
Lufkin adds, “Prosperoware enables us to more readily demonstrate compliance with those obligations as it allows us to generate audit reports for clients. We’re able to show who has access to – and who actually has accessed – any of that client’s content. Being able to respond substantively and efficiently in terms of demonstrating confidentiality is now a vital component of our client relationships.”
Moving forward, the firm will integrate CM with a new records management system, FileTrail, to continue its “security first” strategy. The Prosperoware software also will be used firm-wide for acknowledgement email that attorneys will need to affirm when new screens are implemented.
“We are responding to RFPs and security audits all the time, and in each of these, clients and prospects are asking questions regarding how we are meeting or will meet their security expectations. We consider Prosperoware Confidentiality Manager a core component of our firm’s capabilities to service clients’ needs, both now and as we adopt new systems that clients expect us to secure. It’s inherent in our security first strategy, and it’s part of our differentiation that Prosperoware is helping our firm future-proof.”