7/7/17

Knowledge Management in the Age of Need to Know Security

[Ed. Note: Please welcome back guest blogger, Keith Lipman, President at Prosperoware. Keith is a long-time friend of the Geeks, and well-known leader in the information management field of the legal industry. -GL]

Double-edged Sword: Protect & Deliver
2016 was a banner year for cyber incidents as records breaches increased by 556% with more than four billion records leaked. The regulatory and client response has been significant. The regulatory side brought the introduction of the New York State Department of Financial Services (NYS DFS) cybersecurity regulation, in addition to pending other regulations such as the General Data Protection Regulation (GDPR) which also mandate security requirements. From the clients, the Association of Corporate Counsel (ACC) released their Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information. The provisions of all these effectively create a standard of care for handling and protecting client data; that standard is fairly clear that firms must lock down access to only those who require it. This means that only those who clients authorize to have access to their matters can have it; this is commonly referred to as ‘need to know’ access.

Historically, firms have operated open access environments under the guise of knowledge sharing and collaboration. They must now fundamentally change an entrenched practice that has generally allowed everyone inside the firm access to clients’ sensitive documents. The challenge is that lawyers rely upon prior work product as the basis for new work product.

As firms scramble to comply with these new mandates, they’re concerned that locking down and limiting access to data repositories will impede knowledge sharing. They fear that cutting-off access to valuable work product will diminish operational efficiency, and that need to know access will destroy knowledge management. For those firms already thinking about the bigger picture and finding other ways to leverage their valuable data, need to know security may be an opportunity, not a hindrance.

Need to Know Access May Limit the Value of Prior Work
According to most indicators, electronic information is doubling every two years and will exceed 44 zettabytes by 2020.  The amount of data firms manage has been growing, exponentially. Disappointingly, firms seem to have struggled to properly collect, maintain, and harness the vast array of data they process, or even make use of that which they already manage.

To enable their professionals to benefit from the wealth of experience learned from prior matters, firms allow lawyers to search for prior work product. It makes little sense to reinvent the wheel for every new, yet similar matter when lawyers can rather improve service delivery in terms of time and quality by re-using others’ prior work.

Logic dictates that implementing need to know access will throw a wrench in the works by limiting the pool of prior work product any one lawyer can search or access; specifically, it would limit them to re-using only the work product for certain clients from other lawyers who provide services as a team.
Many law firms’ document repositories already exceed tens of millions of documents; contrary to what some might assume, this actually may improve efficiency. This is because the more limited dataset being searched could ensure a greater relevance of results, making it easier to locate specific items that lawyers need, especially when searches are being conducted on such a regular basis. Nevertheless, this alone is not the answer.

The Solution for Efficiently Locating Prior Work: Matter Profiles and Experiential Data
The problem that needs to be solved is how to enable lawyers to find work product they don’t know exists and for which the firm does not yet have any published template. Firms need to enable their lawyers to find others’ work product. Thankfully, there is a solution.

If firms properly tracked and organized the correct metadata around their engagements and used it to create matter profiles, this challenge would be solved – and the firm would be positioned to improve numerous other aspects of its operation. Matter profiles are also beneficial to business development, marketing, and knowledge management. Having robust matter profiles makes searching far more powerful.

Matter profile search can readily drive key knowledge sharing needs. Profiles deliver a more holistic method for readily identifying the most appropriate work product, even when the lawyer already has access to the documents. Matter profiles provide better context as to the purpose of each document.

Some examples of the data that should be tracked in such profiles include:

  • Matter type, sub-type
  • Area of law
  • Qualifiers or tags
  • Deal / Demand / settlement amount
  • Court / Location
  • Industry


Lawyers can track and easily find an appropriate matter and then request access to the data, without falling foul of maintaining need to know security. This ability to ‘pierce the veil’ allows a combination of need to know security while offering a method to enable awareness of the wealth of experience and prior work that exists within a firm.

These same matter profiles would also empower business development and resourcing decisions. Firms can make more intelligent decisions about where to invest and focus resources and marketing programs to improve pitch success rates. In this regard, that same metadata can drive:

  • Opportunity Management for firms to track and forecast pipelines
  • Proposal Generation to streamline and reduce costs and improve results
  • Matter, Client, Lawyer, Staff, Vendor, and Other Profiles for better search capability; and,
  • Comprehensive Firm Directory with integrated Experience Scoring to more quickly locate and identify appropriate personnel

Need to Know Security Doesn’t Apply to Public Data
The requirement to apply need to know security is not applicable to public data. As such, that data is easier to handle from a knowledge management standpoint. A significant portion of the data that law firms work with is or eventually becomes public. Examples of this type of data include pleadings filed in court (except for matters under seal, which are rare) and documents filed with most government agencies such as the SEC or UK Companies House. This data is still important to and plays and integral part of the broader firm knowledge management initiative. Although today it can be readily automated, prior to everything being made available in electronic format, lawyers manually created indexes to track this type of data; this included pleading indexes, closing indexes, bundles, and other various indexes.

Streamlining the creation of pleading and closing indexes is ‘low hanging fruit’ for process re-engineering. Ensuring the data is ordered in an optimal format is valuable to clients and lawyers for sharing and future re-use; almost all the valuable matter profile information is contained in these documents. Information such as closing dates or key court dates and transaction amounts are typically included in the closing index. A trained person can easily extract and capture such valuable metadata during preparation of an index.

Better Investments in Templates 

In today’s competitive market for legal services, firms must be able to demonstrate expertise, understand cost structure, price competitively, manage a pipeline of work, and recognize opportunitites for cross-selling. Core to all of these processes is leveraging the firm’s data, and it goes well beyond knowledge sharing.

In the age of need to know security, the argument asserting the inherent value of sharing prior work product without any limitations can no longer eclipse the security needs and demands of clients. Rather, firm leaders should take the opportunity to invest in the right technology to complement the new processes. This includes better data collection and management as well as automation of processes such as creation of forms for volume practices. This is an opportunity to improve data practices overall. Everything firms do today is related and can be tied-together with the same core data—and the mandates of need to know security just provide another opportunity for improvement.

Bookmark and Share

1 comments:

Brent Miller said...

Keith does a great job of making the argument for matter profiling. I'll put in a plug for tools like Prosperoware's Umbria to facilitate matter profiling and I'll be right there shoulder-to-shoulder with Keith and Toby and everyone else promoting matter profiling and associated standardization efforts like the SALI initiative. However, with respect to locking down work product based on "need to know" restrictions now being pushed by standards organizations and outside counsel guidelines, legal knowledge management leaders need to stand up and sound the "get real" alarm. The IG/IT side has done a fine job of awareness-raising about the increasing challenges of security and privacy, but solutions like "need to know" based access controls are, frankly, either pernicious or pointless. They're pernicious to the extent that they're actually enforced. They're pointless (actually, counterproductive) to the extent that lawyers and support staff figure out work arounds (which they usually do).

The very common search scenario used by Keith to illustrate the benefits of tracking matter metadata also illustrates the problem here. First, it assumes that the firm is comfortable with making all matter metadata generally searchable and exempt from the "need to know" access restrictions (a dangerous assumption from an IG perspective). Second, it assumes the search yields a single relevant result as opposed to numerous possible relevant results. It may be practical to request permission to access one matter's content, it's an altogether different challenge to request permission to 10 or 20 or 100 matters for every new search, but that's quite frequently going to be the case. Third, it assumes the critical information for a successful search resides at the matter metadata level and not also or primarily at the document level. In reality, the order of search importance is reversed - the document text and document level metadata are likely to be more important than the matter metadata. Fourth, it assumes that the "need to know" policy requirements are allowed to be "pierced" simply because the user has a valid reason to be conducting the search in the first place. I'm not aware of any good guidance from any of the authorities on when it is appropriate to grant access to someone who didn't work on a matter or otherwise have a prior valid "need to know" status just because they are working on a new matter with comparable work product requirements.

We still have a long way to go before this KM vs. "need to know" challenge is resolved.

 

© 2014, All Rights Reserved.