Closing the Information Security & Governance Gaps in the New Operational Model

By Kyle Reese, IGP, MBA and Nathan Curtis, IGP
This article was originally published in Law Journal Newsletters Accounting and Financial Planning for Law Firms June 1, 2021.

In 2020, law firms did what they had to do to continue serving their clients.  Information governance may have been sacrificed in the face of an urgent, global crisis.  As understandable as that is, it’s time now to step back and assess best practices for the new operational model that is here to stay.

Firms Cannot Govern Paper Scattered in Non-Firm Locations
Law firm operations have always been paper-centric, and this now presents logistical and information security challenges. Setting up and managing a system where attorneys and support staff working remotely can request and receive paper documents from the firm’s records department is complicated and poses significant risk to data privacy. On top of this, having paper documents scattered in various non-firm locations in an unsecured, remote environment is the stuff of an information security administrator’s nightmare.

Given the challenges and risks the traditional paper-based document retrieval process presents, firms should look to alternative options, such as scan-on-demand solutions, to mitigate the governance gap created with the physical movement of paper-based documents.

Scan-on-demand, as the name implies, allows firms access to their documents in digital form in as little as a few hours via a secure, encrypted portal. A scan-on-demand solution eliminates the risk of paper-based documents being lost during the delivery or return process, reduces wait times for documents, eliminates unproductive time spent on searching multiple boxes for a specific set of documents and, in many cases, reduces overall cost of retrieval.  

Firms should look to leverage their current off-site records storage provider’s scan-on-demand offering to mitigate the risk of physical records movement in a remote environment.  This topic is rarely negotiated into storage agreements, so securing favorable rates may take some effort, but it most certainly should form a negotiation point in all future agreements.

Other scan-on-demand considerations include determining workflow, as the ability to order digital files will be limited to those with access rights to traditional records retrieval from off-site storage.  Assuming access will continue to be limited to records personnel, how PDFs are to be shared with requestors requires guidelines, such as profiling them within the firm’s document management system, where they can be effectively governed, rather than sending them by email, where an errant message could put sensitive information into the wrong hands.  It’s also important to verify where the storage provider houses this data, for how long, whether deleted files can be recovered, and your firm’s ability to customize retention so that it coincides with policy.

Digitize, Digitize, Digitize
Transitioning to an electronic-first mindset as it relates to the declaration of records is the cornerstone of an effective information governance policy.  Now, back-file and day-forward scanning strategies can help while also supporting work-from-home users.

Back-file scanning (or back-file conversion) is the process of digitizing legacy client and firm documents and transferring them to the firm’s document management system for digital storage and improved access.

The benefits of a back-file conversion, particularly in the new operational model, are innumerable. A back-file conversion allows authorized users instant access to documents from anywhere, including mobile devices. The information security and governance benefits of a back-file conversion are also a key reason for firms to consider this option.

While the cost of back-file conversions can be very high, the long-term benefits of eliminating physical document storage can quickly offset the upfront cost.  Outside of the obvious physical storage, consider savings associated with retrieval, transportation, and ever-increasing permanent withdrawal fees, in addition to improvements in soft costs achieved through increased productivity.  Given the steep initial investment, one strategy of some firms is to limit back-file scanning to material housed on-site, treated as project work to be completed as time permits.

Day-forward scanning targets current, active files and any documents arriving into the firm from a set point forward. Approaching scanning from a day-forward perspective is much less daunting than a full back-file conversion and allows firms to quickly realize the value and benefits that digitized records offer without weeks, if not months, of internal planning and review.  

Day-forward scanning can be accomplished by leveraging on-site copy centers in larger firms, many of which are now underutilized, which may be the case in the “new normal” given a larger contingent of attorneys opting to work remotely, at least for part of the week. Storage providers also offer day-forward scanning options, whereby paper records are not formally ingested into their physical storage system and are instead imaged as project work.  It is a larger up-front expense that reaps rewards in terms of information accessibility, ease of governance in a firm’s document management system (or provider’s cloud portal), and long-term storage and permanent withdrawal savings. In the new operational model, day-forward scanning has become an integral tool to support the work-from-home users and its benefits extend to firms even when end users return to the office.

Remote Knowledge Workers and BYOD Security
Most work-from-home users were issued firm-owned laptops, which allowed firms to monitor and control access as they do in the traditional office environment.  Non-firm-owned components and ancillary devices, such as printers, smartphones, tablets, and even WiFi connections, are being utilized more prominently by work-from-home users. These bring-your-own-device (BYOD) components pose an information security risk to firms in the absence of well-written, effective policies that are fully understood by all users and effectively managed by the firm’s information security team.  

BYOD arrangements offer the firm great benefits, most notably productivity and cost savings, and should not necessarily be ruled out as part of the strategy to support work-from-home end users. Allowing access to firm networks and files from smartphones or tablets creates great flexibility for the end user, leading to increases in productivity. Additionally, allowing end users to utilize their own devices, which most already have for use in their personal life, is quite simply cheaper.

While these benefits are attractive, they do not come without risk. Allowing BYOD requires firms to have a specific, manageable policy in place that addresses key security issues. These key issues include:

Define what BYOD means to your firm and outline what devices are acceptable

Define, and enforce, specific security policies that address passwords, authorized users, and authorized uses

Be transparent with language that may require the end user to agree to the wiping of all data, including personal data, from a lost or compromised device

Determine what application limitations should be in place, such as not allowing file-sharing applications that are not firm-sanctioned

Having a well-written, effective BYOD policy as part of the firm’s overall information security policy is key to keeping firm and client information secure while recognizing the benefits that these tools bring. BYOD can be a critical component of a successful remote workforce, and effective policy is essential to closing the governance gap this tool creates in the new operational model.

Yes, You Can Govern Teams, Zoom and SMS
The explosion in adoption of messaging and meeting applications such as Microsoft Teams, Zoom and Slack requires attention. Teams, for instance, defaults to retain messages indefinitely and lacks the ability to support advanced retention settings, such as governance applied to sensitive information based on keywords typical in identifying PII and PHI. While retention can be manually applied to Teams, the risk inherent with sensitive information residing in this platform should drive new, appropriate use policies.

Zoom warrants mention given its availability in many flavors – free, Pro, Business and Enterprise.  Only paid subscriptions allow for administrative capabilities, such as the ability to record meetings and set retention.  As such, firms should update IG policies and push out adopted retention settings throughout their user population.

Smartphone text messages used for work-related communications are another area of concern, as they have historically presented a governance blind spot.  Several applications now exist in the market that allow for automated capture and application of retention to text messages, even in a BYOD environment, and warrant firm consideration as part of an overall data governance strategy.

A Fully Digitized Future
Pandemic or no pandemic, law firms have lagged behind their corporate counterparts in regard to digital transformation for too long.  Firms that successfully face the business mandate to fully digitize and become a law firm of the future will reap the rewards of streamlined client service, while moving long-discussed plans for addressing information security and data governance to the front burner along the way. Addressing these information security and governance gaps will allow firms to confidently manage, lead, and support their attorneys and support staff in the new operational model and put themselves in a much more agile position as we move optimistically toward a stronger future.


Nathan Curtis, a Lean Six Sigma Yellow Belt, brings over 20 years of experience working with law firms in the U.S. and overseas in developing industry-first solutions across Information Governance, Litigation Support, Digital Imaging, and traditional Office Services. As a consultant for Mattern, Nathan is focused on emerging technologies and their application in the legal environment, driving results through Mattern’s customized RFP process, and overseeing service, technology and policy implementations.

Kyle Reese, MBA, a Lean Six Sigma Green Belt, brings over 14 years of experience working with law firms in the United States, Europe, and Asia utilizing and developing leading solutions supporting all aspects of back and middle office and administrative services. Kyle is focused on driving efficiencies in these areas through the Mattern Method and assisting law firms with navigating through the outsourcing process.
