Certainly, Data Loss Prevention (“DLP”) has been part of the legal IT professional's mantra for years. In fact, you most likely have some form of DLP in place at your firm to identify, monitor and protect data at rest, such as ethical walls in the document management or records management systems, disabled USB ports, or locked-down access to public e-mail providers like Yahoo. However, according to a recent survey of the top 25 Am Law 200 firms, what's really keeping general counsel or risk partners up at night is the risk exposure associated with data in use and data in motion (conceptually speaking). Why? Because law firm business is extremely document-intensive and active work can be conducted anywhere: on a laptop, in a coffee shop, at home or on a hand-held device. (Quantitative telephone survey of risk professionals at the top 25 Am Law 200 firms, conducted by The Frayman Group in February 2009.)
The current economic climate, along with portable devices and the mobility of today's workforce, has truly created the perfect storm, exacerbating DLP issues and expanding the definition of DLP and related needs beyond the piecemeal technology offerings currently available. Preventative steps like ethical walls can easily be applied to stored data, but data in use is the true risk to address.
Snapshot of the Issues
Changes in the technologies available to access and exchange data, the way that people interact with data, and the use cases for that data make managing DLP risks all the more challenging. See the risk permutations chart below.
[Chart: risk permutations]
Take e-mail as an example. E-mail is the number one software application used by attorneys. They spend the majority of their time interacting with their clients, colleagues and staff as they work on a particular matter. Today's protections (typically ethical walls applications) are designed to manage integration and block access to systems at the database level, but are not designed to manage e-mail interaction and communications as they occur, where the majority of the leaks happen. For example:
Attorney John Smith is behind the wall for XYZ Corporation for a particular matter. He legitimately checks out a pleading from the firm's document management system and saves it to his desktop. He then e-mails this pleading to a group of colleagues for review, including Jane Doe, who does do work for XYZ Corporation. However, Jane Doe happens to be excluded from this particular matter. The ethical walls in the document management system cannot protect against this unintentional breach because it occurred via e-mail, where there was no way to check the recipients against the access control list.
Or, consider the implications of the following:
The law firm of Alpha Omega LLP has just announced layoffs. Associate Mary Brown checks out a slew of documents from clients that she's worked with. Once checked out, Mary saves these documents to a thumb drive. While the firm may have systems in place to alert to unusual volumes of activity, potentially a gigabyte or more of confidential information could very easily walk out the door uncontrolled.
Speed to new business is also opening the door to risk when information is hastily moved along. To expedite the process, firms may cut corners during intake and security measures that should be set up (e.g., walls as mandated by a waiver) might be skipped or implemented inconsistently. One potential risk is that a lawyer conflicted out of working on a matter may be exposed to, or able to access, confidential data related to that matter.
Risk Exposure
Your firm has a fiduciary duty to its clients. Clients have a reasonable expectation that you are protecting and securing their information with respect to confidentiality, appropriate communication and ethical handling. Imagine the fallout if a disgruntled former firm employee posted confidential client information on a public blog. Leaks of internal firm information can be just as damaging. For example, if firm management is planning on laying off associates, junior partners and staff in record numbers and word inadvertently gets out internally (or externally, for that matter), it can be harmful to business on many levels. Employees, for one, may be angry, making their ability to access and remove data a very real threat to the firm.
Your firm's risk professionals, while worried about these types of exposures, may not be as prescient about the technology part of the picture. Perhaps they have a false sense of security that ethical walls cover data in motion. IT can help firm risk professionals take a broader view that, while risk management methodologies for stored data are important, what's also needed are methodologies for data that's in use.
Re-Defining DLP
Updating the definition to address today's risks, DLP is a computer security term referring to systems that identify, monitor, and protect data in use, data in motion and data at rest through deep content inspection and with a centralized management framework. The systems are designed to detect and prevent the unauthorized use and transmission of confidential information. Thus, an ethical walls implementation is not sufficient to ensure compliance with the ethics rules and regulations. A more comprehensive data loss prevention strategy is needed to ensure that effective lock-down and permissions are in place across all systems and applications. This way, a lawyer who is walled from a matter cannot receive an e-mail attachment from a colleague who is able to access the information. He or she would be stopped from copying onto a USB drive a document that belongs to a matter marked as particularly sensitive, and also would not be able to use a handheld device (such as a BlackBerry) in circumvention of the firm's policies.
So, how can you go about identifying the right technologies to provide your firm with a proactive, 360-degree approach to addressing all facets of DLP?
In short, you need to apply the same rules to the same users consistently, and then proactively monitor to prevent breaches. That means that the user access applied against a document in the document management system should be the same for files sent or received via e-mail, downloaded to the desktop, shared in a collaborative workspace, etc.
What's needed is a one-stop way to manage all common data storage and data flow paths out of the box, with a rich range of configuration, alert and automatic response abilities, and one that will grow and expand proactively with your firm's systems and needs. It is essential that any vendor solution be intimately conversant not only with all the relevant technologies, but also with the risk impacting law firms on the business end.
Today's business environment exposes firms to unprecedented levels of risk and mandates that outdated definitions of security (e.g., point issues/solutions) must be updated to effectively manage that exposure.