January 2016 | Volume 17, Number 1

Continued on page 3

Technology is rapidly changing the delivery of legal services. Two faculty members at Suffolk University Law School in Boston explain how their program is preparing students to succeed in this environment.

Law schools often claim that they educate students to “think like lawyers,” but lawyers for which century? The reality is that, at many law schools,

students are learning only the traditional “thinking” skills that have been taught for generations. To be sure, those analytical skills are still important, but students also need to learn how to think in new ways about the delivery of legal services. This short article summarizes some of our ongoing efforts to reimagine what it means to “think like a lawyer” in a modern legal marketplace and encourages others in academia and the legal services industry to join us in our work.

A New Legal Services EconomyThere is little question that the legal marketplace is rapidly evolving as a result of technology and increased globalization. Although there is disagreement about the extent to which these changes will disrupt the need for lawyers in the future, there is little doubt that today’s lawyers need a new range of skills and knowledge that they did not need a generation ago. For example, to remain competitive and competent today, lawyers need the ability to safeguard confidential information from cybersecurity threats, conduct Internet-based marketing and investigations, leverage cloud-based services to manage practices and engage clients, implement automated document assembly and expert systems, employ legal project management and process improvement, and understand the basics of data analytics and electronic discovery.1 We’ve come a long way from the days of typewriters as word processors, locked file cabinets as security, books as the primary sources of research, and anecdotes as data.

“Thinking Like a Lawyer” in the 21st Century

By Andrew Perlman, Dean and Professor of Law, Suffolk University Law School, Boston, MA, and Gabriel Teninbaum, Professor of Legal Writing, Suffolk University Law School, Boston, MA

Please direct any comments or questions to either of the editors in chief:

PracticeInnovations

In This Issue EDITORS IN CHIEF

2

EDITORIAL BOARD

Internet of Things: Understanding the Legal Framework

By Mark Radcliffe

If a “connected car” is in an accident while in autonomous mode, who is responsible: the developer of the navigation software, the car manufacturer that installed navigational software, the mapmaker whose map potentially was incorrect, or the user?

The End of Documents: Understanding the Ramifications of Structured Data

By Conrad J. Jacoby

Lawyers are used to thinking about their work product and factual sources as discrete pieces of evidence. Increasingly though, electronic data is being stored within databases and only assembled into the appearance of documents as users request that information.

Attorney Ethics and Obligations on Computer Usage and Learning (Or what do I need to know about nanotechnology?)

By Jeffrey Brandt, Principal

In today’s legal market, clients have high expectations and we owe it to them work as efficiently as possible. What do the changes in attitude and even the law itself mean for attorney regarding their obligations to learn more about and use technology appropriately?

“Thinking Like a Lawyer” in the 21st Century

By Andrew Perlman and Gabriel Teninbaum

Technology is rapidly changing the delivery of legal services. Two faculty members at Suffolk University Law School in Boston explain how their program is preparing students to succeed in this environment.

The Matter Centric Crystal Ball

By Lisa Kellar Gianakos and Rajiv Mukerji

The term “matter centricity” was coined about 10 years ago, referring to a legal technology trend to alter systems that were not already organized around clients and/or matters, and to introduce the paradigm of matter-based visual containers and folders to enhance the user experience.

William ScarbroughChief Operating OfficerBodman PLC6th Floor at Ford Field1901 St. Antoine StreetDetroit, MI 48226office: 313-393-7558fax: 313-393-7579email: wscarbrough@bodmanlaw.com

Lisa Kellar GianakosDirector of Knowledge ManagementPillsbury Winthrop Shaw Pittman LLP2300 N Street, NWWashington, DC 20037-1122202-663-9162lisa.gianakos@pillsburylaw.com

Sharon Meit Abrahams, Ed.D.National Director of Professional DevelopmentFoley & Lardner LLP Miami, FL

Toby BrownChief Practice OfficerAkin Gump Strauss Hauer & Feld LLPHouston, TX

Silvia CoulterPrincipalLawVision GroupBoston, MA

Elaine EganHead of Research & Information Services - AmericasShearman & Sterling LLP New York, NY

Lisa Kellar GianakosDirector of Knowledge Management Pillsbury Winthrop Shaw Pittman LLP Washington, DC

Jean O’GradyDirector of Research Services DLA Piper, US, LLP Washington, DC

Don PhilmleeLegal Technology ConsultantWashington, DC

Kathleen SkinnerDirector of Research ServicesMorrison & Foerster LLPSan Francisco, CA

William ScarbroughChief Operating OfficerBodman PLCDetroit, MI

Lisa Kellar GianakosDirector of Knowledge ManagementPillsbury Winthrop Shaw Pittman LLPWashington, DC

The Alarming Rise of Data Breaches

By Don Philmlee

Data breaches are becoming more frequent and common. Even if a data breach cannot be avoided, with thoughtful planning, preparation, and diligence it can be more easily survived.

3Practice Innovations | October 2015 | Volume 16, Number 4

“Thinking Like a Lawyer” in the 21st Century — Continued from page 1

A 21st Century Law School Curriculum Law schools have started responding to these changes in a number of ways. For example, at Suffolk University Law School, we have established an Institute on Law Practice Technology & Innovation, which is guided by a diverse group of expert outside advisors. With their input, we developed a proposal for our faculty’s consideration to create a new Legal Technology and Innovation concentration. In 2013, the proposal was unanimously approved, creating one of the first formal programs in the country to equip JD students with the skills and knowledge they need to compete more effectively in a rapidly evolving legal marketplace.

All students in the concentration take cutting edge classes and discover a new way of thinking about the delivery of legal services. Students learn how to employ legal document automation and build expert systems. They develop legal project management and process improvement skills (and earn a yellow belt). They are also taught how to develop business plans and identify market opportunities and gain an in-depth understanding of the current legal marketplace. The program also offers a range of technology and innovation-related elective courses, many of which are jointly offered at Suffolk University’s Sawyer Business School.

The learning extends beyond the classroom. Students in the concentration complete a required internship with a company or firm that uses technology or other innovative methods to deliver legal or law-related services. The goal of this requirement is to make sure that our students gain practical experiences that give them new insights into how legal services are delivered today. They also develop networks in an emerging part of the legal industry.

The concentration has begun paying professional dividends for our students. This past spring, we graduated our first class of legal technology and innovation concentrators. Although the first group was small, each one of them is now employed in the legal technology/innovation sector. Demand has been so strong for students who have these new skills that even graduates who did not complete the concentration, but who took a couple of courses within it, have found employment in the legal tech field.

The concentration has also proven to be valuable to the larger community. Students have developed tools to make underfunded public defenders more technologically advanced, worked with overseas legal tech startups, built expert systems to allow immigrants to know their rights, and automated court forms with

plain language instructions to guide people who would otherwise go without assistance.

These students also have helped our clinics learn how to deliver legal services more efficiently. For example, they worked closely with one of our clinics—the Accelerator-to-Practice Program—to help develop a new way of approaching clinical education. The Accelerator is a three-year course of study that includes an embedded fee-generating law practice within the law school, teaching students firsthand how to leverage new technology and innovative methods to deliver legal services to people of modest means more efficiently, effectively and profitably.

Finally, we are building relationships that provide exciting opportunities for our students. One new partnership is with legal process outsourcing leader, Integreon. Integreon is establishing a center inside of our law school, which will hire up to 30 students to work on various client engagements. The students will receive training in legal project management, and will then be paid to work on projects involving e-discovery, document review, contract review and management, due diligence, and compliance. In an ever evolving legal job market, this focus on the provision of relevant skill sets will give the participating graduates a competitive advantage at the point in their careers when they need it most.

Of course, our students are still learning the analytical skills that are lawyers’ traditional hallmark, but we’re also ensuring that our students can learn to think about the delivery of legal services in new ways. They are learning how to leverage technology and other innovations in order to remain competitive in a rapidly evolving marketplace. We believe that lawyers who can marry traditional legal analysis with new insights about legal services delivery will be the ones who are best prepared for professional success.

Broadening the MissionWe are not content to stop at curricular innovations. The Institute hosts various events for students, lawyers, and the public, such as the ABA’s first ever Legal Hackathon, a virtual program with MIT’s Media Lab, and the debut of Evolve Law Live, which brings together legal startup founders and venture capitalists.

We also seek to help those outside our walls become more adept at using basic law practice technology. A few years ago, Casey Flaherty, a former corporate counsel at a major auto company, pioneered an innovative legal technology audit to test the efficiency of his outside counsel. We have partnered with Casey to

4

“Thinking Like a Lawyer” in the 21st Century

enhance and automate the audit, and we have helped to create a free version of the audit for law students.

We also serve the legal profession as it searches for ways to use technology and innovation to bridge the justice gap. For example, one of us serves as the vice chair of the ABA Commission on the Future of Legal Services, and the other on the Web Technology Group of the Massachusetts Access to Justice Commission.

We’re still in Beta…and might never leave itWe are proud of the work we have accomplished so far, but it is just a start. There are so many exciting possible directions for our work, and we cannot possibly pursue them all. The market is constantly evolving, creating new opportunities all the time. That is why we are delighted that a growing number of law schools are involved in these kinds of efforts,2 and why we are eagerly watching and learning from their work.

There is plenty of room for anyone who might want to teach law students how to think about the delivery of

legal services today. You just need an entrepreneurial spirit, the courage to make mistakes (we have made a few), and a recognition that the next generation of lawyers is going to need to think differently from the last. We believe that, if we all work together, the legal profession, law schools, and the public will all benefit from fresh thinking about what lawyers do. We want “thinking like a lawyer” to take on a new meaning—understanding what it takes to deliver legal services successfully in the 21st century.

Sources1. Andrew Perlman. The 21st Century Lawyer’s Evolving Ethical Duty of Competence. ABA Professional Lawyers, Vol. 22, No. 4 (2014).

2. Richard Granat and Marc Lauritsen. Teaching the Technology of Practice: The 10 Top Schools. ABA Professional Lawyers, Vol. 40, No. 4 (2014).

Text tk

5Practice Innovations | January 2016 | Volume 17 | Number 1

Attorney Ethics and Obligations on Computer Usage and Learning (Or what do I need to know about nanotechnology?)

In today’s legal market, clients have high expectations and we owe it to them work as efficiently as possible. This is one reason for attorneys to become more tech savvy. Further, not doing so could be construed as malpractice! What do the changes in attitude and even the law itself mean for attorney regarding their obligations to learn more about and use technology appropriately?

There are lots of “then and now” comparisons and a whole subsection of Internet memes on the subject of comparisons. Let’s start with one of the legal world:

THEN • Big Law used to

be 500 lawyers

• Attorneys talk to the GC over lunch and a smoke

• No such thing as budgets, and bills simply read “for services rendered”

• Use manual typewriters

• Keyboarding was a “secretarial” skill

• Secretarial ratios are 2-to-1

• You protect the client file in a locked file cabinet

NOW • Big Law now has over 6,000 lawyers

• Procurement departments dictate to attorneys

• Complex budgets, unable to bill photocopying or legal research, alternative and fixed fees

• Use smartphones and tablets

• Keyboarding is an everyone skill

• Secretarial ratios are 4, 6 and even 8-to-1

• You protect the client file behind firewalls, with in-transit and at-rest encryption and two-tier secure authentication

If you Google “lawyers ethics technology,” in 0.59 seconds you get 19.8 million articles. The State Bar of California’s website has 66 entries on its page, Ethics Opinions Related to Technology.1 The world of technology has changed so much that the American Bar Association added Comment 8 to Rule 1.1.

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

To date, 17 states have approved or added similar language. Those states include: Arizona, Arkansas, Connecticut, Delaware, Idaho, Illinois, Kansas, Massachusetts, Minnesota, New Hampshire, New Mexico, New York, North Carolina, Ohio, Pennsylvania, West Virginia, and Wyoming. Despite the fact that the codes of professional conduct in Canada do not explicitly require the use of technology, even the Canadian Bar

By Jeffrey Brandt, Principal, Brandt Professional Services, Ashburn, VA

6

Attorney Ethics and Obligations on Computer Usage and Learning

Association issued a 27-page paper entitled, Legal Ethics in a Digital World2 with the intention of helping lawyers “navigate the intersection between the use of technology and your ethical and professional obligations.”

What Does It Mean?I think we can all agree that basic technological competence is intertwined with professional competence. So where do the attorneys’ ethical obligations begin and where do they end? The good news: I don’t think any of the Bars expect lawyers to turn into CIOs, Microsoft Exchange administrators or experts in nanotechnology. The bad news: I think it’s a little more involved than knowing the top legal apps for the iPhone or iPad. Sharon D. Nelson and John W. Simek had an article in Slaw on “Why Lawyers Resist Ethical Rules.”3 They said, “The change does not require a lawyer to become an IT professional—indeed, for most lawyers, dabbling in IT would be dangerous. They need outside or inside IT help in most cases—the small firms generally contract IT work to an outside IT service company. But all lawyers should be aware of the benefits and risks of technology to be a competent lawyer in the digital era.”

Where to Start?A good place to start might be with the Legal Tech Assessment.4 Developed by Casey Flaherty and picked up and enhanced by Andrew Perlman and the Suffolk Law School Institute on Law Practice Technology & Innovation. It is designed to assess how lawyers “use basic law practice technology, such as word processing and spreadsheets, to complete commonly encountered legal tasks.” Depending on how well you do you might want to spend a little more time with the firm’s trainers to bring yourself up to speed.

Some of the best-educated lawyers I know use an “opportunities-based approach” to their technology education. Have a new matter going into the firm extranet? Take the opportunity to sit down with the administrator and get an overview of how it works, what technologies it uses and what security precautions are in place. Is your client having issues with production of electronically stored information from backup tapes? Visit the IT department and find out how your own firm approaches these issues.

Why Change?There are reasons to become more tech savvy, not the least of which is NOT doing so could be construed as malpractice. In today’s legal market, clients have

high expectations and you owe it to them to do work as efficiently as possible. The cost and proliferation of more advanced technology are such that it is the common industry standard, and thus you need to be more aware of it. With secretarial ratios at an all-time high, the ability to be self-sufficient and get materials to a client late on a Friday evening without support staff has merit. In addition, you don’t want to be embarrassed by being unable to pass a technology skill assessment. And who knows, it may also give you something new to talk about with your teenager.

What Needs to Change?Change is hard enough without added pressures. You need to acknowledge the digital age and acknowledge commoditization. There are better ways of doing things and not everything you’re doing is lawyer work. Invest in the education, workflows, and technology that allow you work more efficiently and at the right level for your client. Unless you work as a solo practitioner, you probably have a firm culture that needs changed or tweaked. The culture must emphasize and reward technology competency, which may come down to adjusting the compensation formula for the partnership.

With a desire, you can engage in change. With the right knowledge, you know how to change. With new abilities, you can implement skills and new behaviors. And with the right reinforcement from your peers and firm, you can sustain that change.

Sources1. “Ethics Opinions Related to Technology.” The State Bar of California, 2015.

2. “Legal Ethics in a Digital World.” Canadian Bar Association, 2014–15,

3. Sharon D. Nelson and John W. Simek. “Why Do Lawyers Resist Ethical Rules Requiring Competence With Technology?” Slaw, March 27, 2015.

4. D. Casey Flaherty and Andrew Perlman. “Suffolk Law School Institute on Law Practice Technology & Innovation Legal Tech Assessment.” Suffolk Law School Institute, 2015.

Text tk

7Practice Innovations | January 2016 | Volume 17 | Number 1

When we think about our written work product, we tend to think in terms of documents—“I wrote this memo” or “I sent that email message.” Within the legal community, that perspective is taken one step further. The vast majority of discovery requests specifically demand discrete documents and tangible objects. Rule 34 of the Federal Rules of Civil Procedure, which governs such requests, is even

entitled, “Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes.” Even in the digital age, lawyers still think in terms of documents and boxes of documents.

Such analysis helps translate potentially unfamiliar e-discovery issues into more understandable traditional terms (e.g., 136 terabytes of Electronically Stored Information equals 1 Library of Congress, or approximately 17 million books). However, viewing digital information purely in terms of documents overlooks increasingly critical repositories of digital information—databases and other structured data

systems—that contain an increasing amount of the information organizations create and manage. Equally important, this blind spot also overlooks how lawyers themselves are increasingly creating and organizing their own work product.

Structured data systems aren’t new by any stretch of the imagination—payroll systems have used databases for decades. State, local, and federal governments have used databases to track taxpayer information—and taxes paid—for at least as long. However, the past 15 years or so have seen a sharp increase in the use of databases as replacements for storing information that used to be shared via discreet documents.

For example, at the dawn of the World Wide Web, websites were crafted out of individual pages, each built from HTML code, and each page was fixed or static in nature. That helped pages load quickly, especially in the age of dial-up Internet connections. This also meant it was possible to harvest a copy of a Web page or even an entire website if it became relevant in a legal dispute. On the other hand, static HTML pages meant that website updates were manual and required a programmer to update the code. As the Web became more popular, sites requiring frequent updates, such as e-commerce and job listing sites

The End of Documents: Understanding the Ramifications of Structured Data

Lawyers are used to thinking about their work product and factual sources as discrete pieces of evidence. Increasingly though, electronic data is being stored within databases and only assembled into the appearance of documents as users request that information. Email and Microsoft SharePoint are only two examples of how structured data is replacing discrete documents, and this fundamental information management change impacts investigators, litigators, and IT professionals in a variety of ways.

By Conrad J. Jacoby, Esq., Founder of efficientEDD, Washington, DC

8

The End of Documents: Understanding the Ramifications of Structured Data

relating to [topic X] ... ” While these requests almost always include email messages in their definition of “document,” they typically omit specific reference to structured data repositories; some even explicitly exclude structured data systems from the definition. That oversight can further extend to interviews or depositions of fact witnesses, because many lawyers don’t take the time to ask with specificity about intranets, extranets, databases, and other structured data repositories used by the witness and their organization to create, store, and otherwise manage documents.

Similarly, the producing litigant side also faces the separate issue of how to best impose legal holds on subject matter that now resides in a fluid database. Previously, document custodians could simply be told not to touch or edit existing files—and concerned counsel could conduct an overbroad collection of files to be searched and filtered later. However, it’s not really possible to “freeze” a corporate SharePoint site or shut down an email server without immediate and significant negative business consequences. That’s not to say that it’s impossible to impose legal holds on structured data, but it does require focusing on specific database records or fields, rather than the database as a whole. This can be more complicated than it sounds, as an organization may need to invent or tweak existing procedures and workflow, rather than flip a switch. Few databases have been designed to selectively freeze content while permitting other content to be updated.

Adapting Records Retention Policies to Include Structured Data RepositoriesRecords Management and Information Governance have become increasingly complicated topics in recent years, as more corporate and organizational “records” move from traditional hardcopy archives to virtual electronic repositories. Much of this migration actually took place years ago, as employees moved to using computers to generate nearly all new work product. However, even today, many organizations maintain hard copy archives of final or signed copies of documents that were created electronically, and it is this hard copy archive, not the electronic “originals,” that are managed via formal records retention policies.

Managing this information hasn’t become complicated because of an organization’s records schedules. These continue to undergo periodic review and revision in light of statutory and regulatory changes and are amended according to existing procedures. Rather, complications arise as the information in structured data repositories becomes, increasingly, a mixture of old and new information in the same larger storage container.

like Amazon.com and Monster, needed a completely different structure that would operate and update itself with little hands-on maintenance. These companies pioneered coding principles of dynamically populating HTML templates from backend databases, which rapidly became the standard way most websites are created and content served up today. However, unlike the days of static HTML, the pages themselves no longer contain any substantive information, with most if not all information pulled from an underlying database. Saving a Web page does not capture all of the potential content on a page, but only the subset of information that was served up in response to user input.

Databases have also become much more common in personal productivity technology. Email messages, which many people view as discrete documents, are much more like dynamically populated web pages than discrete files. Mail messages are stored in large email servers as database records, and incoming email messages are simply added to the mail server’s database as additional records. The email messages that end users display when double-clicking a message are built on the fly from this structured data, much the same way that Amazon.com Web pages are created from an underlying database. Similarly, as SharePoint makes greater inroads into corporate and government offices, information such as office policies, Human Resource Office forms, and many other items formerly stored as discrete documents may now only exist as database content that is assembled from fielded information when requested by a user. This makes it easy to update forms, but it may also make it more difficult to recreate exactly how a form looked at an earlier point in time.

The impact of these technology changes is significant, and lawyers need to be particularly aware that this technological evolution has several particular areas of concern for them: (1) changes in strategies for requesting and collecting litigation discovery documents; and (2) adapting existing document-centric records retention policies to adequately account for the increased use of structured data systems to store virtual documents.

Recognizing Litigation Discovery Request and Legal Hold Challenges in the Structured Data EraIt can be a challenge to move past a document-centric viewpoint and focus instead on relevant or responsive information, regardless of how it may be stored. Traditional discovery requests seek document-level work product that may be relevant in the dispute. To this day, it’s still common to see document requests start with the language, “Please produce all documents

9Practice Innovations | January 2016 | Volume 17 | Number 1

The End of Documents: Understanding the Ramifications of Structured Data

Large databases are updated constantly, thus lack the creation and last edited dates metadata that helps manage electronic documents. This information can often be found in individual database records, but new procedures are required to do so. What procedures will be needed and what transactional logs need to be kept in order to purge information from a structured data repository—once it no longer serves a business purpose—pursuant to a standing records retention schedule? The answer to that question will involve both technology and process.

Constructively Working with Structured Data RepositoriesIt’s relatively straightforward to identify some of the key issues surrounding the transition from granular documents to larger systems that are replacing traditional document-centric files, but it’s more complicated to identify universal next steps, because so many of them depend on the specific technology used and the precise content that is loaded into these systems. Fortunately, several guiding principles can provide some direction.

First, litigators and their clients should focus discovery requests and preservation efforts on “relevant information,” rather than “relevant documents.” This is easily said, but not always easily done. Most lawyers have already expanded their witness interviews to include the topic of how and where the witness created and stored potentially relevant written work production. However, it’s now increasingly important for them to follow up with IT staff within the witness’ organization to understand the extent to which this work product is

stored within a structured data system, and the tools that the organization can—and cannot—use to identify and isolate these materials. From the legal hold perspective, it’s also doubly important to check that potentially responsive information stored in a structured data repository can be tracked and removed from automated document deletion policies that could inadvertently purge content before all legal retention obligations have been satisfied.

Second, lawyers should work with their clients to confirm the identity of their official “records” copies of documents, versus convenience copies that exist outside of and are not controlled by formal records retention policies. If employees are being referred to an intranet to download forms and to find the latest version of documents, it is possible to argue—not necessarily successfully—that this virtual location has become the official repository for organizational documents, even if official records copies are still maintained elsewhere. In a worst case scenario, this could require records management to be applied to multiple information silos, rather than a single official repository with all other copies classified as convenience copies. Using a structured data system as the official repository for organizational records can be a cost-efficient move for organizations, as tools like SharePoint offer greatly increased search and metadata tagging functionality, offering content management while requiring less effort than managing these same materials elsewhere.

10

The term “matter centricity” was coined about 10 years ago, referring to a legal technology trend to alter systems that were not already organized around clients and/or matters, and to introduce the paradigm of matter-based visual containers and folders to enhance the user experience. But even with modern matter centric DMS’s available, Big Law often spends significant time on custom integration projects trying to bring siloed information together in an attempt to build the perfect matter-centric system, a potentially time consuming and costly endeavor. Will there ever be an end to the interminable integration projects in attempts to bring all data together into a single monolithic matter-centric system? Does Microsoft’s Matter Center offer the Holy Grail in matter centricity?

Even though law firms have always been focused on matters, the term “matter centricity” was coined 10 or so years ago. It primarily referred to a trend in legal technology to change systems that were not already organized around clients and/

or matters and specifically related to the document management system to introduce the paradigm of matter-based visual containers and folders to enhance the user experience. For solo, small and midsized firms, there have been “all in one” products or suites that might fit the matter centric bill for virtually all facets of legal practice. This might include billing, document management, accounting, client management, task management and even legal research. These often integrate with Microsoft Office, the predominant office

suite used in legal. Many also integrate with consumer tools like Box, Dropbox, Evernote, and offer mobile editions for i-devices and Androids. Unfortunately these products don’t always scale well to Big Law, as matter teams can be much larger, work more complex, geography (and currency and language) distributed, and information governance and security standards stricter, just to name a few examples. They may not offer flexible set-up options or provide paths for customization, and they may not integrate with other back-office systems like cost recovery.

For these reasons, larger firms often spend significant time trying to bring siloed information together in an attempt to build the perfect matter centric system. This approach provides the most flexibility but can be time consuming and costly. There are all kinds of integration products and vendors in the legal market, like IntApp, HandShake, and K2, depending on what kinds of things are trying to be accomplished.

The single biggest core technology, that was late to the matter centricity table, is the document management system. (This isn’t to say that DMS’s did not include client/matter numbers and details. They just didn’t center

The Matter Centric Crystal Ball

By Lisa Kellar Gianakos, Director of Knowledge Management, Pillsbury Winthrop Shaw Pittman LLP, Washington, DC, and Rajiv Mukerji, Director, Document Management Services, eSentio Technologies, Washington, DC

11Practice Innovations | January 2016 | Volume 17 | Number 1

The Matter Centric Crystal Ball

visually around this construct.) This was more or less addressed, during this last wave of matter centric improvements. Still, with modern matter centric DMS’s available, we still see lots of custom integration projects underway. Will there ever be an end to the interminable integration projects in attempts to bring all data together into a single monolithic matter centric system? Often times the intranet becomes the interface that brings these different systems together with client/matter numbers, the needed glue. Since SharePoint is the most common intranet platform used in legal, it seems if Microsoft could come up with a matter centric solution, it would be a big win for everyone. There have been a few attempts in the past to build SharePoint as a DMS solution—none has worked supremely well, due to intrinsic limitations of SharePoint for the DMS functions required by large law firms. A number of third party providers such as Epona and MacroView have attempted to fill the gap with an additional layer of integration and user interface to make the interface and functions “legal-friendly,” however, no AMLAW 200 firms have deployed these successfully yet in the U.S. Such add-ons insert a layer of complexity and licensing in the mix. More recently, Microsoft introduced an in-house solution for its Legal & Corporate affairs group called Matter Center. This was announced with a great deal of fanfare and to our knowledge has been piloted by a few large law firms. A panel session at the International Legal Technology Association (ILTA)’s annual conference covered some of the early Matter Center user interface and experience. In Microsoft’s words:

“Microsoft’s Legal and Corporate Affairs group developed Matter Center for Office 365, a SharePoint-based document management and collaboration solution. It takes advantage of all the deep enterprise content management capabilities that the SharePoint platform provides, and offers many additional benefits of being integrated into the Office 365 platform, including: integration with Outlook and Word, rich content search and discovery with Delve, analytics with Power BI, personal document storage and collaboration with OneDrive for Business, extensive compliance, management and security, and a growing list of capabilities as Office 365 continues to move forward.

Microsoft is rolling Matter Center out to all of its legal professionals globally and we are pleased to make it available to our customers and partners via GitHub by the end of calendar year 2015. Microsoft is committed to ongoing contributions to the solution and its roadmap, and by making it available through an open GitHub repository,

customers and partners can build or extend the solution to meet specific needs even faster.”

To summarize, it appears that Matter Center is being positioned as a document management and collaboration platform with deep integrations to other Microsoft solutions. But at this stage, the direction implies Microsoft will not directly support it as a product, but instead make it available as an open-source platform for Microsoft partners and solution providers to customize for the needs of their client. In this form, it could indeed be a very powerful “matter centric” platform allowing the aggregation of disparate data and functionality specific to the need of individual law firms and even specific groups within a single law firm. Time will tell if this proves to be a viable solution, as no large law firm has deployed it yet as their primary DMS or content management system. Much work is still required to add the expected functionality and integrations with the common legal productivity and governance systems.

Looking through our crystal ball, the matter centric model of the future may indeed follow the Matter Center model. It looks to be a customizable practice group- or practitioner-specific, contextual, and minimal user interface that is supported by robust backend content management, collaboration, and business intelligence systems. This replaces the “all or nothing” approach available today in the major legacy DMS user interfaces. Ultimately, the future matter centric system will be data-driven, intelligent, and contextual menus that appear and then disappear as users need to perform specific functions.

Until then, the main contenders for large law firm matter-centric DMS systems are still the market leader iManage, which is showing renewed energy and customer focus after its recent divestiture from HP, and NetDocuments, a strong challenger and rapid innovator that has recently made significant gains in the large law firm space. Although the other legacy provider, OpenText, has a strong presence in the large corporate and enterprise software market, it continues to lose market share in the law firm arena. All these products are primarily focused on the document and email management space and require a number of supporting integrated solutions to complete the full matter centric solution suite.

Source“Matter Center: Boosting Productivity for Legal Professionals.” Microsoft, 2015.

12

Internet of Things: Understanding the Legal Framework

Just as the Internet of Things (IoT) brings new business opportunities, it raises new legal issues. If a “connected car” is in an accident while in autonomous mode, who is responsible: the developer of the navigation software, the car manufacturer that installed navigational software, the mapmaker whose map potentially was incorrect, or the user?

The IoT presents one of the most sweeping changes to business in the past 20 years. Gartner predicts that 4.9 billion connected things will be in use by the end of this year, up 30 percent from 2014, and will reach 25 billion by 2020. The highly-regarded consulting firm McKinsey described this opportunity succinctly in its

recent report, The Internet of Things: Mapping the Value beyond the Hype: “Our central finding is that the hype may actually understate the full potential of the Internet of Things.” This conclusion mirrors Accenture’s in its report for the World Economic Forum, Driving Unconventional Growth through the Industrial Internet of Things. The report described the Industrial IoT as a fundamental change to business that brings “unprecedented opportunities, along with new risks, to business and society.” IoT will provide the opportunities for operational efficiencies, particularly in making more effective use of equipment, as well as new business models such as those based on “outcomes” for products and service or pay-per-use.

Just as IoT brings new business opportunities, it raises new legal issues. For example, if a “connected car” is in an accident while in autonomous mode, who is responsible: the developer of the navigation software,

the car manufacturer that installed navigational software, the mapmaker whose map potentially was incorrect, or the user? The answers to these issues are open. IoT will also greatly increase the amount and value of data, but the ownership and legal protection for data remains very uncertain.

Although some of the new legal issues raised by IoT will be unique to certain industries, such as privacy in healthcare, a number of legal issues will be important across all IoT industries. They include privacy, cybersecurity, data use, and software licensing.

Privacy. Many countries, including those in Europe, Asia-Pacific and Latin America, have privacy laws which require prior consent to the collection, use, and sharing of personal information. However, it is not always clear how such consent would be obtained in many IoT situations, from connected cars to wearable devices. In the United States, there is no comprehensive data privacy regime governing the collection and sharing of personal information. However, the Federal Trade Commission has published guidance on the application of privacy principles to IoT. Privacy issues may arise in unexpected ways: in October, 2015, a major equipment manufacturer described industrial equipment which will use a camera to identify the individual operator and configure the equipment for that operator. This type of personalization will raise privacy issues in an unexpected environment.

By Mark Radcliffe, Partner, DLA Piper, East Palo Alto, CA

13Practice Innovations | January 2016 | Volume 17 | Number 1

Internet of Things: Understanding the Legal Framework

Cybersecurity. Cybersecurity is one of the most important legal issues in the IoT. The hacking of a car, including turning on the windshield wipers and slowing the vehicle, organized by Wired magazine graphically demonstrated these risks. The consequences could be even more serious as IoT technology is implemented to control infrastructure systems such as the power grid. A successful hacking of the power grid could cause damages in the hundreds of millions of dollars. This problem is compounded by two factors: many of the companies entering the IoT market are not familiar with cybersecurity, and most IoT systems, by their nature, combine components from a wide variety of companies and the combined product may create additional vulnerabilities. Yet the legal obligations to provide cybersecurity are still unclear. In October 2015, Vint Cerf, the Google vice president and one of the founding fathers of the Internet, stated that IoT industry is losing the security battle during his keynote at the Systems Security Association International Conference. This problem is compounded by three factors:

1. Legacy system controls (referred to as supervisory control and data acquisition (SCADA) controls), such as those for train switches, power plants, and energy grids, were designed with only the most basic networking functions and almost no security.

2. Many of the companies entering the IoT market are not familiar with cybersecurity and have not built their IoT controls with cybersecurity as a goal.

3. Most IoT systems, by their nature, combine components from a wide variety of companies, and the combined product may create additional vulnerabilities. Yet the legal obligations to provide cybersecurity are still unclear. Among the suppliers developing IoT systems, these risks will probably be managed by contract.

Data Security. The use and analysis of data will be critical to capturing the value of IoT. However, the legal protection of “data” is uncertain. Generally “raw data” is not protectable by traditional legal theories of intellectual property such as copyright. Copyright in the United States will protect the “organized data” such as data in a database, but such protection is generally limited to the manner in which the data is organized (i.e., the “structure, sequence, and organization” of the data). If the raw data is organized in a different way, then copyright protection will not be violated.

In addition to copyright law, the European Union has its own separate (noncopyright) protection for databases,

but it is likely to be of limited use in this situation. The potential problems in the ownership and protection of data can be illustrated by data from a cardiac monitor where four parties may want to use (and own) the data: by the manufacturer of the implant, by the physician, by the health insurer, or by the patient.

Given this uncertainty about the meaning of “ownership” of data and its protection, companies will need to focus on trade secret and contract law to deal with these issues.

Software Licensing. Software licensing will be critical to IoT because most of the critical functions of IoT systems will be implemented through software. In the United States, Article II of the Uniform Commercial Code, a state law that is not actually “uniform” across all states, governs software licenses. Traditional software licenses address issues such as the scope of the license grant, the ability to sublicense, the liability for failure of performance and the liability for infringement of third party copyrights and patents. However, given the fact that the IoT is likely to be an aggregation of software from a variety of different vendors, the coordination of these license terms will become very important. The application of tort law to software continues to be very uncertain. Despite the suggestion in dicta to apply strict liability in tort to software in Wilhelm Winter, Cynthia Zheng v. G.P. Putnam’s Sons 938 F.2d 1033 (9th Cir. 1991), courts have not done so, and how to apply negligence, strict liability and other tort theories to software remains uncertain.

As McKinsey noted in its report, 40 percent of the value and, in some cases, 60 percent of the value of IoT products will be based on interoperability. Free and open-source software (FOSS) is the most natural solution to this potential problem. Several of the major FOSS foundations, such as the Eclipse Foundation and the Linux Foundation, are already sponsoring IoT software projects supported by multiple companies to deal with common problems in the IoT.

Given the breadth of opportunity and potential liability arising from IoT products, companies should use legal counsel for advice early in the design of IoT products. The legal rules governing IoT are unclear and evolving. For example, on October 28, 2015, the California Assembly Select Committee on Emerging Technologies held an informational hearing on challenges and opportunities in IoT. The product decisions about how to comply with current and future privacy and cybersecurity rules need to be a consideration from the initial product design and cannot be “bolted on” at the end of the design process. This

14

Internet of Things: Understanding the Legal Framework

approach of bringing in lawyers at the beginning of the process was unanimously endorsed by a recent keynote panel, which I ran at the IoT Solutions World Congress in Barcelona on Legal Issues in Internet of Things. The panel included Katherine Butler (General Counsel, GE Software), Giulio Corragio (DLA Piper), Lorena Marciano (Senior Counsel, Cisco), and Edwina Baddeley (Senior Counsel, Accenture). The video of the panel is available at http://www.iotsworldcongress.com/download-videos-26#.

IoT will cause fundamental changes across multiple industries. Companies need to ensure that the design of IoT solutions considers how to mitigate the legal uncertainty around these products by seeking legal advice from the beginning of the design process. Companies must be prepared to modify the products as the law and regulations become clear.

Text tk

15Practice Innovations | January 2016 | Volume 17 | Number 1

The Alarming Rise of Data Breaches

Data breaches are becoming more frequent and common. Even if a data breach cannot be avoided, with thoughtful planning, preparation, and diligence it can be more easily survived.

In the past year, we’ve seen an increasing number of high profile data breaches. Some involved the US government losing critical data. Corporations and firms, large and small, also experienced significant data breaches affecting their business and impacting their customers and clients. In a 2015 security survey by the CyberEdge Group, 71 percent of

the organizations that responded said they had been affected by a successful cyberattack.

It is difficult to gauge how many law firms are being affected by data breaches since a data breach is a private issue. However, law firms are not immune. According to a 2015 American Bar Association survey, there was a significant jump in reported security breaches for law firms, from 10 percent in 2014 to 23 percent in 2015 for firms with 100-499 attorneys.1 Additionally, Digital Guardian, a company that provides data security services, claims that at least 80 percent of the top 100 law firms have had some type of electronic data breach.

Law firms do recognize the security problems they face. In the 2015 ILTA/InsideLegal Technology Purchasing Survey for the first time in eight years, security management was named as the biggest challenge facing legal IT departments.2 Recognizing

the problem is a good first step, but there remain many significant hurdles for most law firms.

• An Unseen Problem—It’s hard to fix what you can’t see. Data breaches are not only on the increase but, apparently, it’s not always obvious when a firm has been attacked. According to a security survey done by Ernst and Young, 56 percent of surveyed organizations say it is unlikely or highly unlikely that they would be able to detect a sophisticated attack.

• Better Security Skills—As security problems become more prevalent, the biggest roadblock for an organization is the need for better internal security skills.3 As demand has increased, so has the need for security skills within an organization. A 2015 report from Verizon indicated that attackers are getting better at what they do at a faster rate than defenders are improving their trade.4

• Agility and Response—Security breaches can arise quickly and can rapidly grow more complex. Some firms may not be able to react or adapt quickly in order to provide an effective response.

• Lack of Security Budget—One of the biggest hurdles any organization has when dealing with security is the lack of budget. The Ernst and Young survey also indicates that 43 percent of respondents say their organization’s security budget will stay the same this year and a further 5 percent said their budget will actually decrease.5

By Don Philmlee, Legal Technology Consultant, Washington, DC

16

The Alarming Rise of Data Breaches

• Given the rise in data breaches worldwide, there is no doubt our problems are not going to get better.

• There was a reported data breach involving over 4 billion stolen user accounts.

• Governments are investing in state-sponsored computer attacks as a new form of warfare.

• “Ransom-ware” is a new wrinkle to the common data breach and adds an element of extortion where your data is not only stolen, but it is encrypted and then you must then pay a ransom to have it unencrypted.

The Situation is Not HopelessProtecting your firm is not hopeless, but you do need to plan and prepare what you will do to protect your systems. The following is by no means an exhaustive list of security ideas. Every firm will have specific priorities that will drive security requirements. This list is meant to help stimulate your own ideas and efforts to assess, detect, protect, and react to a security breach.

Assess and PlanCreating a customized security strategy starts with an understanding of your firm’s current security posture and planning what your firm needs to do.

• Assess Your Security Regularly—Get an independent, third party full security assessment done of your systems on a regular basis.

• Assess the Assessment—Be proactive and follow up on your last security assessment.

• Learn from Other People’s Mistakes—If possible study how other firms and companies have handled data breaches.

• Understand Threat Vectors—What security threats are unique to your firm?

• Manage Risk—Each security threat has its own associated risks. How will your firm mitigate them?

• Budget—Not enough budget money for security initiatives is often a common complaint.

• Make Effective Security Policies, Procedures, and Guidelines—Does your firm have security policies, procedures, and guidelines that are clear and actionable?

• Make Employees Aware—Low security awareness among employees continues to be one of the biggest barriers to establishing effective security.6

• Train your People—Make sure your internal security staff is trained and ready to respond.

DetectRecognizing security problems is a key element of any technology deployment today. This typically includes firewalls to protect the network, antivirus/spyware/malware scanners to protect the computers and data. Other ways to detect security problems include:

• Scan for Vulnerabilities—This scanner will actively scour your systems looking for vulnerabilities and identify items that are a threat.

• Detect Intrusions—This scanner detects suspicious network activity in real time and sends alerts.

• Scan File Integrity—This system proactively tracks any changes made to key files on a system.

• Monitor Event Logs—Computer systems can be set to log activity that happens to them. Log monitoring systems effectively data mine these logs for critical events and can provide alerts to the firm.

• Routinely Validate Your User Names—Compare a list of employees to a list of user login names in order to confirm all user names are valid.

• Scrutinize the Activity of High Risk Users—a “high risk” user is any user who has enhanced or administrative rights, or is a user whose activity may involve unique risks (e.g., external vendor with access to system).

Protect and ReactYou need make it hard for anyone to gain unauthorized access to your systems and information. Protection is the traditional core security strategy.

• Have Complex Passwords—The heart and soul of any security system is a good complex password that is routinely changed.

• Two Factor Authentication—This technology provides a more secure means for user identification because it requires the combination of two different components, usually something that the user knows (password) and something that the user possesses or something that is inseparable from the user (cell phone or key fob).

• Encrypt Your Data—Encrypting your information makes it unreadable and inaccessible when it is leaked. Information needs to be encrypted both when it is in transit and when it is stored (at rest).

• Make and Test Backups—Make sure your critical information is given an alternate and encrypted storage location and have verifiable tests done to make sure data can be restored.

17Practice Innovations | January 2016 | Volume 17 | Number 1

The Alarming Rise of Data Breaches

• Hide and Compartmentalize—Security through obscurity is still a good method to hide data. Keep important data in an alternative and little known location. Keep availability on a need to know basis.

• Egress Filtering—Typical firewall rules restrict incoming traffic, but egress filtering restricts data leaving the network. This can prevent leaks of internal data and stop infected hosts from contacting their command and control servers.

• Whitelisting—This is a technique that only allows specified email addresses to get through an email system or only allows specific applications to be run by users.

• Plan Your Incident Response—What happens when there is a data breach? Do you have a response plan in place? Has it been tested? Success depends on trained staff members who know how to deal with problems when they happen.

Where Is This All Going?Alarmingly, data breaches are becoming more frequent and common. Even if a data breach cannot be avoided, with thoughtful planning, preparation, and diligence it can be more easily survived.

Sources1. “American Bar Association—2015 Legal Technology Survey Report.” American Bar Association, 2015.

2. “2015 ILTA/InsideLegal Technology Purchasing Survey.” International Legal Technology Association, 2015.

3. “Get Ahead of Cybercrime: EY’s Global Information Security Survey 2014.” Ernst & Young, October 2014.

4. “Verizon 2015 Data Breach Investigations Report.” Verizon Enterprise, 2015.

5. “Get Ahead of Cybercrime: EY’s Global Information Security Survey 2014.” Ernst & Young, October 2014.

6. Ibid.