Law firms have been too lax about enforcing their own policies through process management, audit, and enforcement, especially around DMS & cybersecurity
This article was written by Joshua Fireman, the founder and president of Fireman & Company.
Law firms have an inglorious history of internal non-compliance with security and information governance policies, such as those governing their document management system (DMS). Now, however, in a world in which the COVID-19 pandemic has scattered lawyers and staff to remote locations, the risks to firms and their clients are exponentially greater.
Remote work requires a focus on previously ignored foundational work processes, especially in areas of law firms’ information security policies and lawyer usage of their document management systems. Law firms need to immediately stop turning a blind eye to non-compliance and adopt the changes needed to protect themselves and their clients.
Today, most firms are emerging from the first phase of their transition into virtual organizations, having managed to connect lawyers and staff in remote locations through basic system access. Phase two is where the real work starts: Mastering the ability to manage clients, collaborate on matters, and generate work product efficiently. And, to be blunt, most law firms are not remotely prepared for that challenge.
Policy compliance in law firms has always occupied a flexible spectrum. On one end are rules with reasonable (but rarely universal) compliance: time entry, conflict checking, billing. On the other end we find the policies that many lawyers and staff treat as optional: security, information governance, communications. Many firms will feign surprise at this, but don’t delude yourselves — law firms have been notoriously lax about enforcing many of their own policies with explicit process management, audit, and enforcement.
The Issue of Information Security
Consider information security as one example. Studies have shown human error is the main cause of 95% of information security breaches, and most of these errors are skill-based or decision-based. Even in the controlled environment of a physical law office, we are continually provided examples of egregious security actions taken by lawyers and staff, mostly justified by the firm’s own members as being necessary to perform the normal course of work. For example, lawyers will email documents to personal accounts and download confidential content to personal computers, either for home use or when travelling. As another example, lawyers and staff will download documents to hard drives for a variety of uses (organizing trial binders, uploading to regulatory sites, etc.) and never delete or merge these documents with the original versions in the firm’s document management system (DMS).
Again, to be blunt, I doubt there is a law firm in the Am Law 200 that does not have lawyers and staff storing confidential information in personal email accounts, personally owned computers, or other high-risk locations such as their work hard drives.
Additionally, the basic concept of a matter file has been treated by firms as a suggestion rather than a clearly defined work process. Anyone old enough to remember the age of paper matter files also remembers the processes we were all taught: Working files had a defined structure for correspondence and documents; working files had to be stored eventually within physical master files. Any member of a matter team always knew who was working on what elements of a file and where that material could be found.
Not so today. As a legal industry consultancy, we meet with thousands of attorneys and staff annually to understand their work processes, and there is little consensus as to the purpose of a DMS. Some lawyers store early drafts on hard drives, only saving later versions in the DMS. Some only save final versions; others take the opposite approach, only using the DMS for work in progress. Many use the Outlook email system as a parallel DMS. Network file shares occupy another role in this world of creative autonomy, where lawyers and staff organize client content in whatever way pleases them and their individual needs at the moment. The end result, from firm to firm, is an embarrassing mess of balkanized content across secure and insecure systems. Indeed, the most common complaint we hear from lawyers about locating matter file content is, “I can only find my stuff, because I can’t read my colleagues’ minds.”
The Value of Training
At the core of these behaviors is an almost industry-wide lack of enforcement of security and information governance policies through clear process definition, mandatory training, change management, and behavior monitoring, including sanctions for non-compliance.
Training, particularly for attorneys, has always been understood to be optional. Training staff within law firms have thankless jobs — they know that their initiatives will be willfully ignored by an unacceptably high number of lawyers. And law firm management has, implicitly or explicitly, chosen to turn a blind eye to this gap. This is one of the reasons why we see such minimal attention to change management initiatives in law firms. Change requires significant investment and effort, and it doesn’t happen because an email from the managing partner sprinkles magical compliance dust over the firm.
There must be a point where standards — including how a matter file is to be created, managed, and accessed — are adopted and enforced. It is impossible to achieve 100% consensus on these issues, but standards and related policies and processes must be laid down and enforced because they are good for the firm and its clients. In other words, no partner gets a free pass because of the size of his or her book of business.
This brings us to our current situation in the COVID-19 maelstrom, where law firms are looking at a long-term situation of continuing at least partial remote work. Collaboration, communication, client and matter management, and work product production are essential — all of these areas require policy, process, and enforcement. Firms now need to take on the even harder task of change management, with remote resources helping remote workers to change their daily work habits and ensure that security, compliance, and the most basic work processes move forward in a clearly defined way.
This work will not be easy, but any law firm that believes it can function effectively in the future without addressing the foundations of its work processes is rolling the dice — with the future of the firm and its members at risk.