Anxiety at the Executive Committee

“We have over a petabyte of documents stored outside our DMS,” reports Rebecca, the CIO of an Am Law 100 firm at the Executive Committee's first review of cybersecurity readiness following several widely reported breaches at other firms. “These documents are more vulnerable to virus attacks and many are not even being backed up.”

“What's a petabyte?” asks Ralph, the chair of the litigation group.

“It's 1,000 terabytes,” replies the CIO. “That's a quadrillion bytes – a staggeringly large amount of data.”

“Please explain more about why it's a problem to have documents stored outside the document management system,” asks Keith Mayfield, the chair of the firm.

The problems of allowing documents outside the DMS

“As I mentioned, documents stored on share drives and local drives are not protected by the heightened security of our DMS, so if a virus or malware breached our system those would be more vulnerable. While we back up the share drive servers, local drives on individual computers are not backed up.”

“There are several other problems as well,” the CIO continues.

• “There's no central way to identify and access these documents or associate them with clients or matters. That means we can't put together a complete client file, for example if we needed to defend ourselves in a malpractice claim or furnish the file to the client under ethical rules.
• “Similarly, other users can't find or access the documents either. Team members can't readily find them for work on the matter. And that work product becomes unavailable to future teams for knowledge-sharing purposes.
• “With the inability to group related iterations of the same document, version tracking becomes lost or distorted.
• “Finally, even the original author may be unable to access the documents remotely.”

Why is this happening?

“Can you tell us why this is happening? Can't you force users to store documents in the DMS?” asks Virginia, the chair of the corporate group.

“We can't force storage of all documents into the DMS without dramatically hampering the functioning of our computers for users. We'd have a mass rebellion,” replies the CIO.

“This problem has been building for a long time, and we are far from alone, based on reports from my counterparts at other firms,” continues the CIO. “It's caused by user decision. But we don't have good insight into why they make those decisions.”

What should we do next?

“What do you recommend, then?” asks Keith, the chair of the firm.

“I suggest we hire an outside firm to interview lawyers about their reasons for storing documents outside the DMS,” the CIO responds. “Then we'll need to make changes to address those reasons and make the DMS be seen as a viable, or even a better, alternative than storing on a local drive or share drive. We can also use some technology tools to track the main users of local drive and share drive storage, and follow up with them directly.”

“I hope we can get this resolved before the cybersecurity audit we have to undergo next year for BFG Financial,” says Ralph, the litigation chair. “They're 20% of our revenues and are under pressure themselves from the financial regulators to tighten up cybersecurity with their law firms.”

“Let's get the survey done quickly and then make a plan,” concludes the firm chair.

Formulating a plan

The Executive Committee convenes to hear the results of the lawyer survey on DMS usage overseen by the CIO.

“We were surprised but also somewhat relieved by the survey results and our further analysis,” begins Rebecca, the CIO. “The surprise was in some of the reasons lawyers don't use the DMS. The relief was that the majority of the non-DMS documents are not work product but corporate due diligence and litigation discovery documents. These are valuable during a matter but not especially important after completion.”

Reasons lawyers don't use the DMS

“The reasons lawyers don't use the DMS boils down to these,” continues the CIO.

• “Completing the document profile is too cumbersome. Besides client and matter number, we have 5 additional mandatory fields to gather important information about the document.
• “The lawyers want privacy. They don't want unpolished drafts to be found by others using search, even their own team members.
• “The matter workspace folder structure is too cumbersome. We have 6 standard folders for each matter, which cannot be changed.
• “The lawyers simply don't understand the problems from storing outside the DMS, such as the security risks and the loss of work product sharing.
• “The remote access process (checking in and checking out) is too cumbersome.
• “There's no easy way in the DMS to load at one time an entire collection of due diligence or e-discovery files that have been received from outside the firm. And there's no way for the lawyers to preserve the folder structure of that collection. They have to call an IT specialist and then wait for a day.

“I think we can address each of these issues in some fashion,” concludes the CIO. “But we'll also need to accompany the fixes with a publicity campaign backed by firm leadership about the importance of using the DMS.”

The Executive Committee weighs in on two of the problems

“I've experienced some of those problems myself,” says Eduardo, the head of the real estate group. “Usually I'm in a hurry and I ask my assistant to fill out the document profile. I can easily see an associate, especially after hours, deciding it's just easier to store the thing on the share drive.”

“We can fix that by making the data fields optional,” replies the CIO. “We'll probably stop receiving most of that data, but getting the documents into the DMS is most important, and we can work with the practice groups to establish an after-the-fact process to gather the information. I'm not sure how accurate it is anyway,” she concedes.

“The privacy concern is surprising,” observes Virginia, the corporate group chair. “But if I think about it I do remember when I was an associate not wanting my raw work product to be seen by others.”

“We already have private workspaces, which lawyers can use for that purpose,” suggests the CIO. “We need to do a better job of making them aware of this option and allow them to establish folders so they can file by client and matter for easy retrieval.”

“Do you have suggestions to address the other reasons?” asks Keith, the firm's chair.

Solutions for the other problems

“Regarding rigidity of the workspace folders,” the CIO responds, “we can alter our settings to allow users to delete and add folders. I think we may want to spend a little more time with our users to see whether they'd prefer no folders at all, or perhaps a shorter set of automatic but editable folders, such as a Final Documents folder.”

“Regarding remote access and checking out documents,” the CIO continues, “we can make that process smoother by buying an add-on software product for our DMS.”

“Regarding the lawyers' not understanding the importance of using the DMS, we can cover that in our publicity campaign, and impress upon them the firm policy that work product must be stored in the DMS,” the CIO advises.

“As for due diligence and e-discovery documents, we can designate a specific share drive for that purpose. We can enforce policies about what gets saved there, who can access it, the backup process and what happens to those documents at the conclusion of the matter,” the CIO suggests.

Digging out of the existing hole

“What do we do about the one petabyte already outside the DMS?” asks Ralph, the litigation chair.

“We'll need to take a multi-pronged approach,” responds the CIO. “First, we'll announce the new policies and ask users to move documents to the DMS or the new due diligence/e-discovery share drive. Second, we'll use special software to scan all the share drives and local drives and make a list of users and the amount of storage used by files they've created or accessed. We'll go down the list in order of size, contact users individually and assist them in moving their files. This will take some time and we may need to hire some temporary staff to help. Eventually we'll change the files to read-only and then archive them, so that users wishing to access them will need to reach out to us.”

Timing

“How long will all this take, and can we be ready by the time of the BFG cybersecurity audit in 6 months?” asks the litigation chair.

“If we start right away and get a strong commitment from management,” replies the CIO, “we can finish it all in 6 months except the existing petabyte. We'll have a good start on the existing petabyte but I estimate it could take a year or more to complete. For purposes of the audit, though, I think that will be sufficient because we will have mostly addressed the problem and have a credible plan for completing our fix.”

The Executive Committee seems generally satisfied with the approach proposed by the CIO. The chair of the firm makes a point of confirming that money and management support will be provided.

Conclusion

The Executive Committee learned to their surprise that a huge number of documents was being stored by lawyers outside the document management system. This created heightened security risks for the firm in the event of a network virus, liability risks in the event of malpractice claims or requests for complete client files, and loss of efficiency and quality through inability to share prior work product.

There were multiple reasons identified through lawyer interviews, and the solution involved a corresponding multi-pronged approach. The effort would extend for 6 months and involve a significant internal publicity and education campaign, as well as changes to the configuration of the DMS itself and a manpower commitment for analysis and follow-up. The pending security audit required by an important financial services client placed additional pressure on firm leadership to address the problem promptly.

[Photo credits: © Can Stock Photo Inc. / olechowski & Fotosearch / Lushpix]