
Guest article: The wrong people are deciding what's confidential

by Keith Lipman

In most law firms today, it’s the risk management team or general counsel who decides what level of confidentiality is called for on a particular matter. That’s simply the wrong way to go about it because they are looking at a matter from the 30,000-foot level. Centralized administration of confidentiality is doomed to failure in the era of the electronic file, and the failure can be costly.

Matthew Kluger is only the latest case in point. Accused of providing confidential information for what authorities say was a $37 million insider trading scheme, Kluger faces at least 15 years in prison if convicted. Kluger is alleged to have used his positions at several prominent law firms beginning in the mid-1990s to pass inside information on upcoming mergers and acquisitions to a middleman, who made stock trades based on the information. He then passed on the profits to Kluger and his buddies.

The law firms he stole the information from face an uphill battle to restore their reputations. The assumption of confidentiality is built into any discussion between a client and a lawyer. In reality, a law firm may have only 10 matters out of 5,000 that are walled off from the general firm for confidentiality purposes. This wasn’t nearly as great a problem when we were dealing with physical files. You had to get the key from someone, and you left a trail. But now that electronic files are ubiquitous and highly searchable, we’re letting the fox mind the chicken coop.

Complicating the situation is that matters often don’t require confidentiality walls when they are opened but, as they evolve, they do. What started out as a request for advisement morphs into a confidential M&A, but the matter coding never changes.

The problem is also partly cultural. In Asia, nearly everything is confidential until it’s made public. In the UK and the U.S., nearly everything is public until it is made confidential. That’s going to change over the next decade as western countries progressively move to the Asian model to prevent the kinds of abuses Kluger represents. How law firms administer confidentiality will have to change, too. Can you imagine how large a risk team you’d have to have to manage just 500 confidential matters, not to mention 5,000 matters?

The solution isn’t that difficult: decentralize confidentiality processes by putting the responsible lawyer (or someone on the matter team) in charge of who has access to the matter. Seems logical, doesn’t it? From a software perspective, it’s fairly straightforward to distribute security rights. The technology to do it exists: it’s built into Matter Hub, for example. As described in this whitepaper – see link – where we’ve written more deeply on the subject, Matter Hub introduces the concept of a matter owner for every matter and decentralizes and distributes process control and security control.

It’s a fact: the technology to prevent data breaches in a virtual practice exists. But the will to change how we do things, including applying confidentiality standards, seems to be glacial.

7 replies on “Guest article: The wrong people are deciding what's confidential”

Sorry but it just doesn't make sense to give power of access control to Fee Earners. It is not best practice to place such a facility into the hands of those who are earning the fees. How about subsequent monitoring of access – who does that? Also what about teams and staff changes? The cases cited in the above article suffered from a lack of centralised security control. Isn't Kluger a lawyer? All law firms should take note – a strong information barriers product administered by the Risk Team is the only way to enforce privacy. The author of the article seems to be putting a confused message out here and is perhaps behind the times. The new wave of Information Barriers products are the best answer. Law firms are now voting with their feet.

Totally agree with Anonymous – the proposed decentralised approach is precisely the opposite of what firms need to do (and are doing in most cases).

The only way to ensure that the firm complies with its risk management guidelines is to centralize the process. If you give the attorney “ethical wall control” it is going to get out of hand. We are well past the days where attorneys can self-police conflicts and wall management.
I couldn't quite tell from the story. Does the author also intend to let the attorney clear the matter for conflicts? Another crazy idea.

I agree that a true information barrier (ethical wall) should be managed centrally. In large law firms, very few matters require a true inclusive barrier (e.g. less than 20 at one time), and exclusionary walls are always centralized.
What I am talking about is the need for the rest of the matters. How do you keep what would have represented portions of the traditional physical file confidential (e.g. correspondence, client documents, etc.)? Many lawyers still do not file their email into the electronic matter file or store any client documents in it for this reason.
The idea that there is a central function that will handle access to every matter is not scalable and not sensible. The responsible lawyer (e.g. matter manager) has the knowledge of who should have access, so why not give them the tools?

Relying on technology to enforce from the centre, seriously? In the old ways of the paper file it was the support staff for the lawyer who made sure everything was locked away from prying eyes, not the risk team. It's fee earning teams who should take the same responsibility in electronic times!
So long as the tech is simple and talks in real world terms, FEs are quite capable of ensuring their matters are secure.

OK – so it's your corporation requesting privacy in an M&A transaction, would you rather trust the lawyer to manage it or a central compliance team who have the organisational and systems overview perspective? And if you are the Managing Partner, or the SRA-enforced 'Officer for Legal Compliance' would you be prepared to devolve control to fee earners?… I don't think so….

I agree with the first comment, which says that a strong information barriers product administered by the Risk Team is the only way to enforce privacy. That is so very true and it is the only way to keep security in place.
