Electronic storage and document management brings huge benefits for law firms, but it also carries significant risks.

Not so long ago, managing legal documents meant managing paper, at a time when ‘the cloud’ was simply a visible mass of condensed watery vapour floating in the atmosphere high above ground. But advances in technology have revolutionised document management systems. ‘While there may be a few firms which maintain dual copies and various items in print, most people managing legal contracts, documentation, advice letters and so on are storing it electronically,’ notes Alex Smith, senior product development lead at LexisNexis, which provides business software and solutions for the legal industry.

Law firms need only to get two things right to succeed, says William Robins, director of operations at Keystone Law – client service and internal efficiency. A good document management system, Robins says, is crucial to achieving the latter. ‘Keep the business simple and make the firm’s processes as efficient as possible,’ he adds. ‘With simple processes, the business of practising law will itself be simple, leaving lawyers free to concentrate on client service.’

Making the move

‘Twenty years ago, before IT advances really took a grip on law firms, managing documents meant managing paper,’ says Duncan Eadie, IT director at south-west firm Foot Anstey. ‘That meant, compared with expectations today, slow transfers, duplication and a pace of delivery that would not be acceptable to us or our clients today.’

To know what type of document management system firms should implement, ‘you really need to understand yourself as a firm’, Robins advises. ‘We are a large firm, we cover many service areas and types of clients. We operate a BOYD [bring your own device] policy and our lawyers average 22 years’ PQE. As such, we need to have a flexible, user-friendly but entirely secure solution. The solution we implemented is built on an industry standard software, but we have overlaid on that our own piece of custom-built “middleware”. The whole system is then integrated into our intranet.’

Robins says a relatively high percentage of Keystone Law’s turnover is invested in IT compared with other firms. Indeed, cost will be a key issue for firms looking to invest in a suitable document management system. ‘Dependent on your market – for example the sole practitioner on the high street who probably doesn’t have enough money to buy an advanced document management system, up to a large law firm which has a massive document management system and budgets – there are diverse approaches,’ Smith says.

Purchasing an industry standard document management tool can be relatively cheap compared with investing in a bespoke solution. But, Robins warns: ‘If the “off-the-shelf” system is not fit for purpose, then any saving will be shortlived. Indeed, the cost of subsequently changing will be all the higher.’

Keystone Law has its own intranet which forms the backbone of the firm, called Keyed-In. The firm differentiates between three main classes of documents:

1. Templates/knowhow: read only, freely available.

2. Client documents: editable and filed by client and matter, access is permissions-based, with only lawyers working on the matter having access to the matter file.

3. Internal documents: editable, access is permissions-based, but within the management teams only.

In addition, administrators and the compliance team have access to all documents.

‘In our model, the document management system needs to be a tool that makes our lawyers’ lives easy while reducing risk,’ says Robins. ‘Our lawyers should be the master of the document management system, not a slave to it.’


As technology has evolved, managing documents remotely has become easier and popular. ‘Any member of a team can access all their team’s documents instantly,’ Eadie says. ‘It doesn’t matter whether their colleague is across the other side of the desk or 200 miles away.’

BYOD is fast becoming a common trend with the rising popularity of smartphones and tablet devices. ‘In essence, a lawyer is no longer [tied] to the office but able to have the tools to manage that work-life balance now desired, or indeed support a client who may be in a different timezone,’ Eadie notes.

Counterintuitively perhaps, the use of cloud computing has helped to improve general data security. ‘The biggest data risk comes from lost or stolen laptops and USB drives,’ the Solicitors Regulation Authority says in its report, Silver Linings: cloud computing, law firms and risk (November 2013). ‘Cloud systems remove the need for USB drives and mean that data need not be kept on individual laptops.’

USB drives can also be affected by Trojan Horse programs and viruses, the regulator adds. ‘Similarly, removing the need to transmit working files by email removes an insecure means of data transmission.’ Another advantage, the SRA adds, is that with data stored remotely on the cloud and with computers properly configured to require log-ins and passwords before connecting to the provider, information will not be leaked in the event of a burglary at the firm’s offices.

Forecast: more cloud

Cloud computing comes in three forms: public, private and hybrid.


  • Data is stored in a network of computers, with server use pooled among a number of clients.
  • Providers often subcontract server capacity for reasons of flexibility, so may not be able to tell where any particular client’s data is held.  
  • This is the most flexible and cheapest form of provision.


  • Data is stored using resources dedicated to the client.
  • This may mean using the client’s own servers with a cloud technology for access, or may mean dedicated server space at the cloud provider’s data centres.
  • This provides greater security and control for the client, but at significantly greater cost.


  • These combine aspects of both public and private clouds, often involving private cloud storage which is supplemented by public cloud use on an as-needed basis.

In all cases, the user will have a service level agreement with the provider defining the terms on which data is to be processed.

(source: SRA)

Regulatory duties

While the ability to manage documents has become easier, issues such as security and regulatory compliance have become harder. ‘Everyone’s trying to answer questions around how to share files, how to involve multiple parties on the life cycle of a legal document – cost versus ease of use, versus people wanting easy access to documents on multiple devices, especially phones or iPads that aren’t firm equipment,’ Smith says.

‘Documents look nice on an iPad, even an iPhone, and people’s expectations now are that they can look at documents on the move, when they’ve got that spare minute on the train to look and review something. That’s going to change the way people want to move around information. But law firms have to push the security side, they have to keep an eye on making sure users are compliant with client confidentiality, regulation, geographical issues and so on.’

Some of those obligations relate to:

  • Outcome 4.1 of the SRA Code of Conduct (client confidentiality);
  • Outcome 7.3 of the SRA Code of Conduct (identify, monitor and manage risks to ensure compliance);
  • Outcome 7.10 of the SRA Code of Conduct (SRA access to inspect data); and
  • Principle 8 of the Data Protection Act 1998 (personal data may not be transferred out of the European Economic Area unless the territory to which it is sent ensures an adequate level of protection).

‘Whatever comes along that is new and that somebody suddenly wants to integrate with – you are opening up more and more things that need to be compliant with legal and regulatory obligations, with IT policies,’ says Smith.

For in-house lawyers, ensuring they meet these obligations is even harder, as ‘they are sat within the IT of an organisation which isn’t framed around the same obligations as a law firm’, Smith observes. ‘The business people are looking for answers, doing things quickly, [seeking] a quick yes or no to certain things, contracts are being passed around between you as a business and whoever you’re selling to.’

He adds: ‘Many in-house lawyers come from private practice. They expect certain tools like document management systems and locally hosted stuff, and suddenly they go to an international corporation where they are a small part of the IT infrastructure and the IT is based more around the sales team or X, Y and Z. They are trying to remain compliant with their obligations and understand what they are, while at the same time deal with the business folk who don’t get why they have to meet those regulations.’

Encryption is imperative

Recent disclosures in the US and the implementation of the nation’s PATRIOT Act highlight further the need to ensure data is secure and firms are complying with regulations and obligations. The US is given separate mention by the SRA in its Silver Linings report for two reasons:

1. The high concentration of technology companies, including cloud providers, which are based in the country.

2. Weak US protections for personal data, coupled with strong data seizure powers and intrusive surveillance.

‘Recent news coverage of US National Security Agency activities conducted under the terms of the PATRIOT Act, including acquiring data from providers such as Google under the PRISM program, has brought this issue to public attention,’ the SRA says.

‘The exact details of the NSA programs remain unclear at the time of writing, but it does appear that the US government has the ability to examine “metadata” – information such as the recipients and subject lines of emails – at will, and can more selectively obtain the content of information directly from providers. The harvesting of metadata reveals networks of individuals. This may represent a confidentiality issue, for instance when firms are acting in confidential merger negotiations.’

‘Information held by governmental agencies can leak, as shown by the PRISM publicity,’ the SRA adds.

Firms are warned to consider the risks of storing data in countries with weak data privacy protections. The SRA says if firms intend to use US providers, ‘they must at a minimum ensure that the provider can meet the terms of Safe Harbour’. The regulator adds: ‘Given the possibility of data seizure from the provider, the recommendation to encrypt sensitive information at the user’s end is of particular importance in this case.’

(For more information, visit the SRA website).

What next?

Robins believes the future of document management needs to include a degree of social and collaborative working. ‘Why should a document management system just hold documents? What about the life of a document? What about working on it, sharing it, discussing it? Why are they not part of the solution?’ he asks.

‘There are cutting-edge tools that offer this functionality and we have looked at them, but they do not meet the needs of today’s law firms. In the next two years though, we will see new entrants which crack this challenge and which offer usability, security and familiarity on the one hand, and collaborative working for the life of the document on the other.’

Whatever happens next, Smith believes there needs to be an ongoing dialogue ‘between organisations and their IT, the Law Society, IP and IT experts and forums, and people who supply services’.

Monidipa Fouzder is a Gazette sub-editor