Bring your own device – or not

by Joanna Goodman

I was privileged to attend this year’s ILTA INSIGHT at the Grange St Paul’s Hotel in London, where event chair Janet Day, Director of Technology & Infrastructure Services at Berwin Leighton Paisner, and the advisory planning committee organised an interesting selection of sessions on topical themes. This review focuses on some of the current technology-related challenges facing law firms: the volume of regulation; the increasingly popular ‘bring your own device’ (BYOD) policy; and the risks and benefits of cloud computing.

The rising volume of regulation
In a deeply academic keynote address, Philip Wood, Special Global Counsel at Allen & Overy, impressed us with a potted history of global economics, focusing on the relationship between financial risk and the development of the legal and regulatory system. One highlight was that the sheer volume of regulation has made it impossible for lawyers to learn even a small proportion of the enormous number of laws and regulations they may need to refer to. For example, the recent Dodd-Frank Act, which regulates stock exchanges, runs to 100,000 pages! Although Wood did not focus directly on technology, the issues he raised highlighted the crucial role of technology in enabling lawyers to deal with the exponentially growing volume of legal regulation and information, and to identify and access what they need to provide their clients with timely and appropriate advice.

Mind what you monitor
Aaron Turner, President of Chaos Enterprises, an information security consulting company that provides strategic guidance on managing the risks associated with emerging technologies, brought us sharply back to the present day and lawyers’ use of technology. He explained how a BYOD policy can bring risk to all organisations, and not least to law firms and lawyers. However, hearing how vulnerable smart devices are to tracking and interception did not deter many of us from tweeting our comments.

Like Wood, Turner started with some history – the history of employer-provided communication devices – from Roman mounted messengers and Incan runners to today’s smart mobile devices. Turner emphasised the need for all organisations to devise an acceptable use policy for mobile devices and update it regularly. Users need to know where they stand in terms of privacy, especially given the trend for people to use personal devices for professional purposes.

People’s expectations of privacy may differ, but organisations need to consider the various rules around consent. Some jurisdictions operate a dual consent regime – ie both parties need to consent to a conversation or message exchange to be monitored – while others are less rigorous. Most firms that allow employees to link their personal devices to corporate systems and other resources require them to agree to the organisation tracking and monitoring communications, but this agreement does not cover third-party communications.

An important point was that people travelling on business with mobile devices are not protected by the fact that their device is linked to their employers’ systems. Turner reminded us that all data on smart phones – including location data – can be accessed by their manufacturers who have compromised standard encryption keys to allow and by governments and officials.

Turner illustrated this with a case study involving a lawyer and her firm facing the consequences of her using her smart phone for business and personal purposes while travelling on company business. The problem arose when she responded to a text from a personal friend asking for advice on a taxation problem while waiting in the passport queue at a foreign airport. She forwarded him a client email containing the information he needed. However, monitoring by local officials flagged up her text exchange with her friend about the IRS and the confidential client information in the subsequent email. The IRS was alerted; the client withdrew from the transaction the lawyer was handling, which was then subject to further investigation; and the lawyer’s own job was put at risk. The fact that the firm was also monitoring and storing employee communication exacerbated the difficulties, as the parties with whom she was communicating had not consented to their communications being monitored and stored by the firm.

Turner’s message was that individuals should be aware that information they receive and send is not secure, particularly in certain foreign jurisdictions, which surprisingly included France. Firms need to be careful about monitoring employees’ communications, even if they have obtained their consent. He advised firms to have an action plan in place in the event of official investigation and policies to prevent the improper capture of non-consenting individuals’ communications and to meet requirements to inform clients about any breaches. Employees of law firms in particular need to be aware of the risk of responding to emails when travelling in other jurisdictions. (CC comments: this session seemed to deeply disturb the American delegates – I'm guessing France will not be their holiday destination of choice this year. C'est la vie en roaming.)

Turner advised firms to mitigate risk by eschewing the BYOD policy and purchasing mobile devices for their staff. He argued that this is not always more costly as firms can negotiate advantageous prices and carrier contracts and can avoid supporting multiple devices. He also recommended distributing risk awareness information to everyone in the organisation.

A brief question and answer session raised an interesting issue – if vendor software is compromised and data can be accessed by the vendor and by other parties, would extra encryption help? Although this clearly was not a planted question, it gave Turner the opportunity to let us know that he is currently working with a contractor to design a platform to protect mobile communication – a single-use virtualised server that would protect individuals and organisations. This would mean communication was not automatically saved by the enterprise, so third-party communication would not be monitored or stored, and it would also be more secure against interception by external parties.

The programme then split into two streams:
The Business of Law 2020
•    Legal Project Management: Not An Oxymoron
•    Money: The Only Green That Matters? (sponsored by: Legal Sector Alliance)
•    Follow the Money: Future of Financial Applications in Law Firms

Law Technology 2020
•    Social Media: Not Just For Teenagers Anymore
•    Life in the Clouds: The Future of Cloud Computing
•    How to Say Yes to iPads (sponsored by: LITIG)

iPad – size matters!
The iPad panel led by Mabel Evans of Field Fisher Waterhouse continued the BYOD theme. It was sponsored by LITIG, the Legal IT Innovators Group, whose survey on iPad usage revealed that only a small minority of its members used iPads, suggesting that it was somewhat early in the day for the participating firms to provide comprehensive guidance.

Derek Southall, partner & head of strategic development at Wragge & Co – a lawyer who uses an iPad – provided a genuine user perspective. He found the iPad especially useful for reading documents (transferred via Dropbox), browsing and collaborating with colleagues and clients (via Citrix). Useful apps include time clocks, stock prices and writing applications.

Jan Durant from Lewis Silkin summarised her perspective on the iPad with the phrase “Size matters!” and wondered how firms had got away with using BlackBerry for so long. She highlighted a key challenge for IT departments: firms that allow employees to use their own devices need to decide which devices to support and establish the level of support they offer users, bearing in mind that the consumerisation of technology is producing a plethora of new devices.

Other topics included data protection and security, firm-provided technology versus BYOD, and the increasingly blurred boundaries between professional and personal use of technology – echoing the theme of Turner’s session from a very different perspective – as well as the growing trend of using different devices for different purposes. The consensus was that the BYOD policy is here to stay as part of firms’ more flexible working practices – particularly as these encourage people to do more work outside office hours.

Passing clouds
The panel moderated by Gareth Ash from Allen & Overy featured an excellent range of panellists with very different perspectives on cloud computing, which has long been a hot topic in legal IT. At Clifford Chance, Paul Greenwood had introduced cloud services for IT ‘hygiene’, replacing point solutions with managed services that enable the IT function to focus on value-added work. Doug Cadell from Foley & Lardner spoke about the financial and operational benefits of moving the firm’s document management system from iManage to NetDocuments. David Bennett, from mid-size UK firm Thompson Snell & Passmore, outlined the rationale for moving the firm’s entire IT infrastructure to the cloud: the new cloud-based practice management system was a catalyst for streamlining systems and processes and transforming the firm’s culture.

Simon Kosminsky of SJ Berwin wondered why he had been invited to sit on the panel as his approach was not focused on cloud computing but on identifying and delivering his firm’s specific requirements. Sometimes, but not always, the cloud was the best solution. Kosminsky highlighted some of the challenges: paying cloud providers for excess capacity and services and the importance of knowing where key data is held. Bennett and Eric Hunter, Director of Knowledge Management at Californian firm Bradford & Barthel, whose firm was an early adopter of Google Apps, outlined the benefits of cloud computing to mid-size firms whose operations are generally in one jurisdiction, in terms of scalability, business agility and making the best use of limited IT resources.

The conclusion of this and other panels was that leveraging innovative emerging technology meant taking a long, hard look at the firm’s profile and requirements and finding out where cloud services represented the best way of delivering on these while addressing ongoing challenges, particularly the data protection and security issues highlighted so effectively by Turner’s earlier session.