As new computer-based threats like ransomware attacks, phishing scams, and hacking plague law firms on a daily basis, it’s easy to forget about security risks caused by paper documents. In recent years, firms have aspired to a paperless or paper-light law office, but mostly motivated by efficiency, not security objectives. The fact is that paper is downright dangerous to data security and compliance initiatives for the firm, so it’s time to eliminate paper from the law firm’s workflow.
Paper documents can be stolen, lost, photographed, grabbed from a shared company printer, or sent to the wrong place to be read and circulated by unintended audiences. Since paper documents are physical objects, they are not necessarily tracked or contained like electronic files are—there is no audit trail for them. Paper documents potentially expose a law firm and its clients to risks that have real consequences.
As digital transformation and information governance programs have infiltrated law firms, it’s unfortunate that paper documents and records are often excluded or only partially included in the scope of these initiatives. Provisions to stop creation of more paper documents going forward are often avoided or not even considered, meaning paper will continue to multiply unchecked. Even proactive law firms that have scanned and OCR’d their entire records rooms, and which scan all incoming mail upon arrival, still have to contend with lawyers and legal staff printing out more paper documents every day.
Paper is risk, made fresh daily. So where does the paper problem end? The only way to eliminate the security risk of paper is to enact a comprehensive digital transformation plan which includes scanning and OCR’ing both legacy (existing) and incoming paper, preventing people from printing more paper documents, and destroying unessential paper as quickly as possible.
Here are eight ways to eliminate your firm’s paper problem and ensure greater data security:
1. All Roads Lead to the DMS
Most firms now have a document management system (DMS) and are profiling and saving documents into it. All electronic documents should be saved to the DMS, whether they originated in electronic or paper format, and all paper documents should be OCR’d upon scanning to render them text-searchable. This includes documents stored on thumb drives, generated on lawyers’ home computers. It also includes documents uploaded to portals and team sites like Microsoft Teams and Slack unless they have already been saved to the DMS. The DMS should be configured to prevent people from closing or averting the DMS upon Save. All incoming emails and their attachments should be profiled and saved to the DMS and not scattered across desktops, hard drives and elsewhere.
2. Scan and OCR All Incoming Paper, Including Snail Mail
Paper documents that enter the firm from external sources must be scanned and OCR’d upon arrival, then saved to the DMS so they are searchable. The most common daily entry point for paper documents into the firm is via the mailroom where envelopes and packages are initially received. Envelopes or boxes must be opened, paper documents and packing slips scanned and the contents should be emailed to their recipients. The paper original should then be destroyed per the firm’s destruction policy. If the firm has no centralized mailroom, this process will be completed by those receiving and distributing incoming mail.
3. Storing Paper is the Exception, Not the Rule
Very few documents require “wet” or actual hard copy pen-and-ink signatures anymore. When original paper documents must be kept, the firm’s policy should dictate proper action to be taken. Copies of documents resulting from deal closings, etc. should be scanned in the day of the final transaction, scanned and OCR’d and then shredded or sent to a secure dedicated storage location. The storage location should regularly be purged of documents that no longer need to be archived in paper form.
4. Compliance Regulations Apply to Paper, Too
Treatment of paper documents as well as electronic ones must be compliant with regulations such as GDPR, CCPA (effective Jan. 1, 2020) and others depending on jurisdiction. A quality OCR process is so important when scanning to determine whether the document has sensitive content that must be protected in keeping with these laws. By ignoring paper documents in compliance planning and execution, firms are leaving themselves and their clients open to significant risks of government sanctions and financial penalties.
5. Print No More (or Much Less)
Day-to-day printing of documents must either be stopped altogether or severely limited to minimal amounts. Printouts should be securely filed or shredded rather than left on desks or in unlocked file cabinets. Lawyers should also advise their clients that printing out confidential client information and leaving it in printer trays shared by colleagues could lead to loss of attorney/client privilege on those documents.
6. Red-Flag Emails Containing Sensitive Data
Before leaving the firm’s servers, email messages and attachments should be monitored to prevent data loss. Technology can assist in searching email and attachment content and red-flagging emails that appear to contain confidential or sensitive data. Search algorithms and analytics tools can locate number groupings such as credit card or social security numbers, and can find trigger words like “confidential”, “sensitive” and “privileged” based on the firm’s practice areas. Software can either halt sending of “quarantined” messages or can send the message and provide an after-action notice that the document possibly contained sensitive information.
7. Don’t Forget about the Fax
Surprisingly, some areas of law still use faxing, whether by requirement of clients, government agencies, or their own workflow habits. Electronic faxing is preferable to paper and most DMS products can be configured to save faxes upon sending or receiving. Beware of keeping paper fax documents, including cover sheets and confirmation pages. Faxed documents, cover sheets and confirmations should be stored only when absolutely necessary and otherwise destroyed by shredding.
8. Destroy Unneeded Paper ASAP
Most law firms keep substantially more paper records than they are required to, and these records are forgotten about. Whether they are on-site in a records room or file drawers in lawyers’ offices or off-site in a huge facility, they still pose a security risk. Create a paper destruction plan to shred or securely dispose of paper files that the firm is not required to retain. Ideally, this schedule can include monthly if not weekly or daily destruction activities to destroy paper. Staying on top of this will prevent accumulation of paper that becomes dangerous, risky, and expensive to store.
Data security and digital transformation measures must include the government of paper as well as electronic documents. By scanning and OCR’ing legacy records and incoming mail, reducing paper storage in the records room, restricting or eliminating printing, and ensuring that the DMS is capturing and indexing all documents and email, the firm is better protected from risk and stays on the right side of compliance regulations. Establishing clear firm-wide policies that convey these rules is a good first step. No information governance plan is complete without incorporating plans to manage past, present, and future paper documents.
To learn more about the ways AccuRoute is helping firms across the globe to solve legal document processing and communications challenges, reach out today to talk with our experts.
Karen Cummings is EVP and General Manager of the Upland Document Workflow and PITM suite of products. Shawn Freligh is Director of Research & Development for Upland AccuRoute.
Reprinted with permission from the November 14, 2019 edition of the Legaltech News © 2019 ALM Media Properties, LLC. All rights reserved.