Remember when document management systems were implemented as a way to maintain versions of a document?  With the advent of PCs, WordPerfect, and a server to store documents on – version control was something that law firms could quickly lose control of.   Document management systems became the way to manage the authoring process – and a big upside was the ease of sharing documents.

Of course, along with the sharing of documents came the issue of over-sharing, or managing ethical walls between clients and attorneys.  This fostered the invention of ethical wall solutions which helped automate managing document sharing and access.

Today, document management systems are responsible for much more than ethical wall security.  Evolving legal requirements surrounding client confidentiality and data privacy concerns are among the risks forcing law firms to re-evaluate their technology infrastructure and policies for securing client matter information subject to an ethical wall.[1]…

This is why the document management system is the technology of choice for 98% of all law firms to protect and govern sensitive client information.

When scanned mail items are trafficked outside of the DMS, a firm cannot secure or govern information nor place it behind proper ethical walls to avoid conflicts. So how could we go wrong?

 Don’t Forget the Daily Mail

The notion of scanning paper and securing the scan within the DMS seems to have been forgotten regarding daily mail, but the concerns of conflicts and need for ethical walls reside here as well.  Legal mail items contain sensitive client information. At the onset of the pandemic, most law firms cobbled together a quick fix in scan-to-email, but this method involves a variety of security risks that put law firms – and their client’s sensitive information — at risk.

Scan-to-email solutions mean vital documents are left drifting through cyber-space, often left in email inboxes or perhaps an email folder – without the security of the DMS. The solution: a best practice Digital Mailroom operation.

A best practice digital mailroom operation is the answer because it delivers documents not as email attachments but directly into the firm’s DMS where sensitive client information can be properly secured and governed — completely negating the risks created through scan-to-email. A digital mailroom utilizes intelligent, asynchronous processes to enable clerical operators to work efficiently and securely.

Not only can a best practice Digital Mailroom be created, but they already have been. DocSolid’s Airmail2 Digital Mailroom completely transforms the law firm’s paper centric mail into a secure and efficient digital operation that enables the hybrid work environment.

With Airmail2, skilled mailroom staff (those that can accurately determine appropriate client-matter-folder) can profile scanned mail items directly to the DMS.  This is accomplished without the need to provide direct access to the DMS (which should be reserved only for qualified legal staff and attorneys).  The benefit of this approach is the shift of the profiling step from legal staff or attorneys to the mailroom team.  Airmail2 also supports profiling scanned mail items by recipient (easily determined by addressing information on the mail item)  – a method that is deployed to mailroom staff who are less skilled.

The scan-to-email solutions firms conjured as a response to the pandemic were only designed as a stop gap and never intended for long-term use. The hybrid legal workplace is here to say. Airmail2 Digital Mailroom enables productive, secure delivery of daily mail directly into the DMS. Learn more about the Airmail2 and how to transform your law firm’s mailroom and institute best practice principles for security and governance in our latest white paper here.

[1] https://inoutsource.com/ethical-walls-and-confidentiality-screens-not-just-for-conflicts/ )

The article originally appeared in Legaltech News: Here

Security is a funny thing.  For it to work, you have to do it all of the time.  Wearing a seatbelt half the time isn’t a good strategy.  Wearing the seatbelt every time is.

Sending scanned images of inbound, daily mail via email attachments is a ‘scan-to-email’ method that was never intended to be a secure, permanent operation. This was only a temporary solution conjured in response to the pandemic crisis. So why are law firms still doing it this way? The only answer is that nothing bad has happened- yet.

But something bad will happen because it’s not secure.  We don’t have our seatbelts on. Sending scanned images of paper mail as email attachments creates these risks:

• Lack of governance. When documents are sent as email attachments, the exchange occurs outside of the document management system (DMS), the technology intended to secure and govern them, multiplying risk exposure across the firm.
• Cybersecurity risk. Along with the rise of remote work, cybersecurity threats have increased by 3x. Email attachments expose the firm to these risks.
• Conflicts, PII and more. When an email message goes to the wrong recipient or an attachment contains personally identifiable information (PII), firms are exposed to conflicts or significant regulatory fines resulting from lack of compliance with GDPR, CCPA and other regulations.

Security and governance of their information is the number one issue keeping clients awake at night. Firms must take the right steps to secure client information from the moment it arrives. Firms that do not secure client information from the moment of arrival are at risk of an event no one wants. In short, we need to wear our seatbelts all the time.

Lack of Governance

At the most basic level, when a law firm mailroom delivers a confidential file via email attachment, the firm has no control over the document and cannot govern or secure it. Scanned mail delivered as a PDF email attachment often goes to more than one person, so the exposure is multiplied, then subject to the behavior of all receiving parties. Recipients can open attachments on their desktop, circumventing conflicts, or confidentiality, share the file with other attorneys, staff, or external entities outside the confines of the firm’s information governance policies.

And during this process, sending a document by email attachment means the file exists on the Exchange Server, not the DMS. It may then be stored in multiple locations on multiple devices including local computers, network folders, other recipients’ mobile or desktop inboxes, other mail servers and more.

 Cybersecurity Risk

Email is the #1 attack vector for cyber criminals. Users are attacked at the inbox, and the organization is attacked at the email server. Building a permanent daily mail scanning operation on top of this exposure zone is unwise, and unnecessary.

Another risk factor is wrong recipient error. Organizations with over 1,000 employees send approximately 800 misdirected emails every year. That is a rate of more than two emails per day, making it the most common type of error to cause a breach.

The System of Record is the DMS

Wrong recipient occurs most often as a result of an erroneous auto-fill in the send field – but wrong recipient is not the only risk caused by an unintended auto-fill in the send field.

The other negative consequence is unintended conflicts risk.  Email is not a technology that can check for conflicts nor build ethical walls to ensure that only the intended parties of a communication have access to that communication.

The technology for this is the document management system (DMS).

Client information arriving by postal mail needs to be scanned directly to the firm’s document management system (DMS) and be available to users only by a link to the DMS. Simply put, the DMS is the technology of choice for 98% of all law firms to protect and govern sensitive client information and why it is regarded the firm’s “system of record.”

For instance, a wrong recipient “may” occur when receiving an email with a link to the DMS, but the recipient wouldn’t be able to open the link if they were not assigned access.  That’s security.

Not only does DMS secure and govern client information but it is also the technology that helps firms comply with regulations such as The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) at scale. These regulations mandate, among other requirements, that firms be able to classify, track and, if requested, delete personal data held anywhere by the firm. This is effectively impossible with scan-to-email.

This is what it means to build a best practice solution and not an expedient solution.

 Ethical Obligations

Direct-to-DMS delivery of digital mail is not just a good idea, but potentially an ethical duty of a law firm. Several of the ABA Model Rules are particularly related to safeguarding client data, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), and supervision (Model Rules 5.1, 5.2, and 5.3).

What do these duties require? When using technology, they require that we employ reasonable measures to safeguard the confidentiality of client information, that we communicate with clients about our use of technology and get informed consent from clients where appropriate, and that we supervise subordinate attorneys, law firm personnel, and service providers to ensure compliance with these duties. In comparison to the capabilities of how a DMS protects client information, email is not a reasonable measure.

Conclusion

Security of client information isn’t a part time job.  We’ve got to wear the seatbelt at all times and, unfortunately, the way many digital mailrooms now operate expose the firm to a multitude of risks.  We don’t need to wait for the unfortunate event to happen – firms can act on this today and install the right technology that integrates digital mail with the DMS.