Survival in a Data Security Obsessed World

Knowledge management encourages transparency and information sharing. But data security concerns are driving more organizations to lock down their data so that it is “safe.” In the process, security measures can make it harder to share information. In this data security obsessed world, how can knowledge management survive?

[These are my notes from a private international meeting of large law firm knowledge management personnel. The sessions were off-the-record, so the comments below are without attribution.]

Even though some data should legitimately be locked down (e.g., personnel information), organizations often tend to go overboard and sweep up even innocuous information in the lockdown. Is personal privacy dead? The optimists say no, but it has changed. The pessimists say it’s not dead — yet — but it’s on life support. What are the biggest threats? Private hackers (theft-focused), hacktivists and state-sponsored incursions into privacy.

Key concerns impinging on KM content:

  • Data security concerns
    • inquisitive, disgruntled or departing firm personnel
    • insider trading issues
    • hackers
    • foreign and domestic government intelligence gathering
  • Data privacy concerns
    • data privacy protection regulations (e.g., EU)
    • protected personal health information
  • Legal access/discoverability concerns
    • reach of (primarily US) courts and agencies
  • Proprietary data concerns
    • client-related content deemed to be proprietary
    • copyrighted and permission-restricted content
  • Data management concerns
    • traditional DMS and records management concerns
    • data storage and archival costs

Law Firm Responses:

  • Data security audits
    • clients are trying to protect their data (primarily from competitors and from hackers)
    • growing numbers of clients in financial services (and, increasingly, other industries) are conducting audits
    • these audits contain detailed questions and require the law firms to “prove” that their security measures are appropriate and effective
    • Some firms are trying to use document automation tools to expedite how they respond to client audits
    • Some firms are losing clients when they fail to meet the requirements of the data security audits
  • Content hiving
    • This is intended to protect against threats from employees
    • Increased use of restrictive client/matter security
    • Document access restricted by default instead of open by default
    • Increased/extended use of firewalls and firewall maintenance tools
    • As a result, you can see only the data to which you already have access. This means you can know only what you know.
    • It means that firms have to hire people or buy tools that can locate and sanitize information so that it can be shared
  • Physical balkanization of data
    • Removing sensitive content from US-based servers (including enterprise search)
    • Restricting access by US-based users and administrators to non-US content
  • Information security education
    • Clients are insisting on information security education programs
    • This is a great opportunity for KM personnel to participate and explain knowledge sharing even in a data lockdown
  • Data privacy managers
    • More firms and clients are hiring data privacy managers

What’s the upside for KM?

  • The need to manage the matter team (in order to implement hiving). This requires a more thoughtful approach to creating and managing teams, their workflow and their data handling.
  • There has always been a lot of “personal hiving” (where lawyers squirrel documents and information away on hard drives and thumb drives or in email). In this new data security obsessed world, KM can step in to try to curtail the personal hiving.