Bird & Bird says ‘yes’ to pessimistic security
Last year many UK CIOs told us that ‘need to know’ document access would never take off in law firms, but we can reveal that Bird & Bird has just got sign off to become one of the early adopters of the restrictive security model as the trend towards locking down data gains pace.
The UK top 20 law firm led by IT director Karen Jacks has just achieved management approval to restrict document access to client teams, with Jacks commenting: “We’re seeing increasing expectation around data only being available to those that are working on the matter.”
Bird & Bird is working with Intapp, taking its Intapp Walls product a step further. Jacks said: “The Intapp product only does that to a matter level and we want to do it to a client level so it’s a bit of a fudge until we have that in their product.” She adds: “Going to a matter level where every time you open a matter you have to delegate a team we thought was a massive overhead for people.”
According to Intapp, once the team is built it can be used to secure a client or multiple matters, but that is a two-step process. The Palo Alto-headquartered company previously considered allowing teams to be created for a specific client but there hasn’t been a demand. Bird & Bird has asked Intapp to put that functionality on its roadmap and Intapp told us: “We’re now addressing this and this feature will be available in the near future.”
We revealed in September 2016 that Dentons, led by global chief information officer Marcel Henri, was moving to a need to know security model – also commonly referred to as pessimistic security – with many UK CIOs extremely sceptical of the move at the time. Henri told Legal IT Insider at the time: “In light of the many recent security breaches that have made the headlines, I simply don’t think firms will have a choice.”
However, one IT director at a UK top 20 law firm cited knowledge management as just one reason that the model was unlikely to take off commenting: “We could just extract the knowledge but the real knowledge isn’t just about the precedent, it’s ‘how did we do the deal’ in its entirety.”
At Bird & Bird, Jacks flagged the growing pressure to move to a need to know security model “months ago” but says: “I warned people that you need to be very aware of the implications. We’re running a business and it’s not a good position to be in if people feel they have to do loads of admin.”
The move was signed off by a handful of senior management including general counsel and head of risk Roger Butterworth. Jacks said: “We talked it through sensibly and agreed we do need to move forward but we want to take a cautious and steady approach, not a big bang with lots of difficulty.”
Bird & Bird has been working closely with Intapp, including running workshops with the risk and IT team. The new process will start by focussing on matters that are already highly restricted by their nature and expand out from there, starting with new clients, then existing matters, then historical ones.
While the move inevitably hasn’t gone down well with everybody, Jacks said: “The majority of our lawyers understand that you shouldn’t be rummaging around in the DMS.” The firm, which already anonymises its KM material and has a SharePoint-based KM system laid over its DMS, will use the project as an opportunity to refocus people on sorting out their knowhow. Jacks said: “Using the DM to find stuff out is great and there are whole areas that will be unaffected – non-client data will be open to everyone to use. But if someone is in the habit of using the DM to look for other data, we’d rather you don’t.”
The other issue IT directors worry about under a need to know security model is ‘that 3am moment’: what happens if during a big deal someone is prevented from accessing the documents they need, when they need them. Jacks said: “As part of the Intapp product you have gatekeepers – like a ‘break glass’. You say ‘I need access to this’ and you can be granted 24-hour access and the partner or whoever activates it gets notification.”
It would be no surprise if other international or US law firms emerge as adopting a need to know security model in the near future. The US global regulatory position this year moved on from 2016 and regulation came into force in March from the New York Department of Financial Services which includes a provision that financial institutions “shall limit user access privileges to information systems that provide access to nonpublic information.” That regulation applies to any financial institution with a presence in New York and any vendor managing data for those institutions, which includes lawyers.
Guidelines for law firm cybersecurity measures from the Association of Corporate Counsel, which were also published in March 2017, specify that law firms must limit access to data. The ACC guidelines say: “Outside counsel must have logical access controls designed to manage access to company confidential information and system functionality on a least privilege and need-to-know basis, including through the use of defined authority levels and job functions, unique IDs and passwords, two-factor or stronger authentication for its employee remote access systems (and elsewhere where appropriate)”.
Impending European legislation under GDPR – which will affect a post-Brexit UK and the US – is also expected to put firms under pressure to lock down their data. This has been compounded by public data breaches and embarrassing insider trading claims, such as the Securities and Exchange Commission’s prosecution of Foley & Lardner partner Walter ‘Chet’ Little, who allegedly used his unrestricted accessed to the firm’s document management system to make $1m in illicit profits alongside fellow defendant and neighbour Andrew Berke.
Jacks said: “When I went to the iManage showcase a few weeks ago they were showing Security Policy Manager. When we looked at it in the early days they did a show of hands as to how many people were being pushed into a pessimistic security model and it was very few but recently there was a much bigger show of hands.”
iManage has been one of the big drivers of adopting a need to know security model and last year Dan Carmel told us: “We need to remind the industry that we are facing a different kind of threat that is particularly challenging and we need to find a way to balance between client requirements, firm risk management and knowledge management.
“If the lawyers are thinking only in terms of knowledge sharing and not recognising the risks, it falls to all of us to raise awareness.”
Jacks adds: “We’ve all enjoyed open data sharing but the landscape has changed and we need to acknowledge that.”