A Duty to Safeguard Client Content

We’ve all read the headlines. Security breaches continue to shock us for their magnitude and reach—from reports on hacking of Democratic National Convention (DNC) email servers during the 2016 presidential election to the reported theft of data belonging to more than 1 billion Yahoo account holders in December.

The impact of a breach can be significant, and not just for the clients—whose loss of personal information can make them vulnerable to financial loss—but also for the organizations that have failed to safeguard that information.

A Measured, Disciplined Approach

Digital security is complex and requires a multi-pronged approach. One part of this approach is provided by Enterprise Content Management (ECM), which many consider a “must have”—a foundational technology to safeguard sensitive digital content, while ensuring it remains readily accessible for day-to-day operations.

At the core of every ECM solution is a Document Management repository—providing a secure home and a structured approach for saving, managing, and governing digital content. Content in the repository is protected by system-wide security and varying levels of more granular security. The ability to securely access content anytime, anywhere by mobile devices is key, as is the ability to check out and securely share content externally in the cloud.

User Adoption is Essential

Solutions for securing content are only as good as those who use them—and many choose not to. Hyperion Research tells us that in the average ECM-enabled legal organization, for example, only 70 percent of users actually use the system. The rest store content however and wherever they like—on desktops, in file shares, in unsanctioned, poorly secured cloud file-sharing repositories.

Ethical Reasons to Safeguard Client Content

Everyone gravitates to what is easy; to the path of least resistance. In the end, however, the decision to safeguard client content can be considered an ethical or moral one. Lawyers, in particular—regardless of whether they are employed by law firms, in government, or in legal departments of organizations across varying industries—have a professional duty to safeguard client content or “property”.

The American Bar Association, for example, requires that lawyers safeguard client property in their possession by holding it separate from their own property to prevent co-mingling (ABA, section 1.15). It is generally accepted that files and documents belong to the client, not the firm. In addition, lawyers must maintain client property in a way that is not only secure, but also readily available and retrievable over time.

Complying with Regulatory Requirements

ECM solutions are purpose-built to meet these fiduciary requirements, as well as applicable regulatory requirements—and not just for legal, but for firms in many industries. If employees don’t effectively maintain client information, they may compromise ethical obligations to safeguard client property and also increase their firm’s exposure to compliance risk.

In the end, those firms will have a tough time demonstrating compliance with HIPAA. They’ll have difficulty securing documents in compliance with ISO 27001, Sarbanes-Oxley (SOX), and countless other regulations.

Client information is a valuable commodity and a growing target for theft. Hacking techniques are constantly evolving. Regulations are growing to protect that information. We all have an obligation to ensure the safe, secure management of client information, and with ECM solutions like eDOCS, securing content is not only possible, but easier than ever.

More information is available here.

Sharon Malloch

Sharon Malloch is the Product Marketing Manager for OpenText eDOCS and Specialty Technologies.


2 thoughts on “A Duty to Safeguard Client Content”

  1. This is an excellent article but it does not address the entire set of issues related to securing content. One area unmentioned is that of users who have the rights to access content and abuse that right. For instance, the whistleblower in the organization that wants to make content public, such as the Panama Papers. Or, the attorney who wants to leave a firm and take his or her documents with them. There are of course audit reports that can be run that show what the user has done after the fact. But it doesn’t much help to find out what someone has done on Monday after reading about it in the newspaper on Sunday, or after the user has quit and is long gone.

    That’s where Guardian for eDOCS comes in. This solution, from OpenText, audits end-users while they are in the system and also sends alerts whenever the individual is in the act of stealing the information. And, what truly sets this solution apart is its ability to log a user off the system if they continue to exceed established thresholds for their activity.

    As an example, imagine an Edward Snowden-like user sitting at his computer in Hawaii at 3am, downloading confidential materials, and all of a sudden his smartphone rings, and his boss is on the other end, asking him what he’s doing downloading documents and emails. The user had security clearance to work with those documents, but that didn’t mean he should be taking them off the system. He’s caught in the act.

    Or, the attorney sitting at her desk sending clients’ documents to her personal email before she quits, and all of a sudden she’s logged off the system and can’t continue. Alerted to her unusual activity, her supervisor or partner calls her and asks what she’s doing, and won’t advise the IT department to allow her back in unless she has a good reason for sending so many documents to herself.

    These are but two examples of how Guardian for eDOCS can help address the problem of insider hacks into your system. Guardian allows you to configure role-based rules for monitoring user (or group) access to your information, and take appropriate steps to help you respond in real time.

  2. Thanks Josh, appreciate your comments. Safeguarding content in the document repository is a critical first step to ensure it is protected by system-wide and more granular layers of security. Once there, however, additional security measures can be added to monitor user interaction with contents in the DM and protect against internal security breaches. As you mention, OpenText Guardian for eDOCS provides that additional layer of security for eDOCS DM – giving firms real-time insight into possible internal breaches so they can take action. This was the topic of a previous blog on security and provides more info on Guardian, available here.
