“I'M JUST NOT AN IT EXPERT” is a thought that most lawyers have had—and probably some readers have said this very week.
Law firm management addresses many challenges and encompasses what seems to be an ever-expanding group of issues. Sometimes the expertise of individual lawyers fits nicely with some of those issues. An employment lawyer would be valuable to assist with human resources issues, and a seasoned litigator with leadership skills can lead the litigation practice group. But many challenges today involve the use and application of technology. Information technology (IT) permeates every aspect of a law firm today, as it does most businesses. Typically there will be few, if any, lawyers in a firm who believe that they have the expertise and inclination to take the lead in IT governance.
GETTING INVOLVED WITH FIRM IT
Deep technical expertise is not required to participate in law firm IT governance. In fact, the strategic decisions about the firm’s IT direction will likely be very problematic if left only to the in-house IT experts, even though their expertise is valuable and required.
IT governance can broadly be defined as the processes and policies that ensure the effective and efficient use of IT in enabling an organization to achieve its goals.
IT governance is a critical issue for law firms, just as it is for all of corporate America. This is unlikely to change. As we are all aware, in today’s law offices there is little, if any, productive activity when a computer workstation does not function or when the network goes down.
But for the firm to operate and plan effectively, we must recognize the law firm’s IT needs are often represented by two factions with serious differences of opinion: the IT department staff and all of the end users. Their different viewpoints and opinions can cause disagreements just as deep-seated as the feud between the Hatfields and the McCoys, or debates between Republicans and Democrats.
I recall once quite loudly telling an IT professional, “The problem with you is that you think you have succeeded if the day ends without the network crashing, no matter how difficult you have made it for the rest of your co-workers to get their work done.” That was obviously an overstatement made out of frustration. But I sometimes cringe when I am introduced as an IT expert because I am a card-carrying member of the End User Party.
In my view, the key to successful IT governance is to include representatives of both viewpoints as well as some honest brokers more committed to solutions than winning an argument. Law office administrators are extremely valuable in that role.
The participants without an IT background will require a greater amount of time for education and participation, which means that the lawyers will need some allowance for the impact on their billable time if the firm wants their attention. IT governance entails a written plan and principles, followed up by periodic review.
Smaller law firms and solo practitioners do not have the luxury of a diverse team to assemble. They generally rely on independent contractors for outside IT support and the attention of time-challenged lawyers. Yet many solos are sophisticated users of technology and utilize it more ably than do their counterparts in large firms. But other solos have an antipathy to technology which, combined with the fact that purchases quite literally come out of their pockets, often leads them to just say no when the answer should be yes.
Let’s look at a few basic IT governance agenda items.
THE IT AGENDA
Attorneys are ethically obligated to safeguard their clients’ confidences. In a more simple time, that largely encompassed paperwork. Now that information is client data on hard drives. Because law office computers and other devices are connected to the Internet, there can be no such thing as zero risk. Some new evil online tool may be released tomorrow to defeat today’s perfect security plan. Every additional opening to the network increases that risk, including remote access needed by traveling lawyers, Wi-Fi availability, employees logging in to their personal email accounts or anyone visiting an unfamiliar website.
This is where the lawyer skill set at negotiating and problem solving proves so valuable. Results will be poor with a complete lockdown of systems, including a disservice to a client when a lawyer “on the road” cannot access something important or an employee cannot check in with his or her child when needed. But overruling the IT department just because there has been no prior problem also has huge risks, whether a serious data breach or the IT professionals making plans for new employment. The problem-solving lawyer will list everyone’s concerns and craft policies that meet them.
Because people are a major security risk, it’s surprising that most law firms spend relatively little time on training employees to understand basic security, such as why strong passwords are needed and how to recognize a suspicious email attachment or a spear phishing attempt.
The challenge for law firms addressing digital security is to make smart decisions but not overly rigid ones. Clients want their information protected, but they do not want policies that cause lawyers to expend extra billable time for only a theoretical benefit. A lawyer who is unable to remotely access a client file is unacceptable in today’s business world.
Bring-your-own-device issues Another issue to consider today is BYOD. With smartphones and tablets serving as critical business tools today, there is undoubtedly a benefit for employees to use the devices that they are most comfortable using. There are feature differences as well. The firm marketing director may well want a smartphone with a larger screen and more powerful photography-related tools. A study by IBM showed the benefits of BYOD included increased productivity, employee satisfaction and cost savings for companies.
But BYOD is obviously a challenge for the IT department, both from a security standpoint and the efficiencies of standardization. It is not easy for an IT department to support several types of smartphones and tablets. Many employees regularly carry music on their phones, which no one wants synchronized to the firm network.
I noted with interest Law Practice Division Chair Michael Downey applauding and encouraging more “protectionist policies that may limit law firm constituents’ ability to select technology” in the March/April issue of Law Practice. I’m not convinced it will be that easy. There’s a lot to disagree about on this particular issue, and some people are quite emotional about their preferred mobile devices. But some policies have to be written in stone. For one thing, no one should have a mobile device connected to the firm email system or calendar that is not passcode-protected.
Staff training for network and client security should be a given. But it is also critical for law firm operations that all staff and lawyers use their technology tools efficiently. Kia Motors corporate counsel Casey Flaherty created quite a stir recently when he announced that he administered what he considered to be a basic technology skills audit to the law firms Kia used as outside counsel, and all firms had failed. Sample tasks included formatting a motion in Word, preparing motion exhibits in PDF and creating an arbitration exhibit index in Excel. It’s not a small thing when a firm’s client is being billed five or more hours for a task that the client representative believes should take one hour.
Many corporations have noted this audit, and it will be a major IT governance issue to determine what in-house training is needed and how to require that busy people take the training.
Today’s law firms run on technology-based tools. Good IT governance processes are required to have proper strategic decision-making and to balance competing interests. In the large law firm, that means selecting a diverse team. For the smaller firm, that means a combination of an outside contractor and someone in the firm developing expertise.
But the investment cannot be just in dollars. An ongoing investment in time is also needed. This includes time for information gathering and decision-making, in addition to time for training staff on security threats as well as the training to better use their technology-based tools.
One thing that large law firms have in common with smaller ones is the apparent shortage of time. So we must bear in mind that our IT needs are critical and must be a priority.