Practicing Law Securely — Information Rights Management: What, When, How
Information Rights Management (IRM) is a capability that provides end-to-end control of a document — without impeding collaboration and productivity.
15 June 2015
Previous posts have urged the use of a secure repository to protect the confidentiality of documents that lawyers share and exchange with clients, co-counsel, experts and other consultants and, where appropriate, third parties and adversaries, and their counsel, experts and other consultants.
A secure repository alone protects documents from risks associated with their transmission and delivery as email attachments. It does not, however, fully protect against deliberate or accidental transmission or delivery of documents to unauthorized third parties — whether they be good actors or bad. For that protection, we can add the capability of “information rights management” (or IRM, for short) to our toolbox.
This blog post will begin to answer these three questions:
- What is IRM?
- When should we use IRM?
- How do we put IRM to work?
I. What is IRM?
IRM is a capability that provides end-to-end control of permission to access a document for the entirety of its content lifecycle, wherever the document travels — without ever impeding collaboration and productivity. Note that in the implementations described below, IRM can provide these protections to Microsoft Office and to PDF documents. IRM can:
- Control and limit rights to save or export (Save As) a document.
- Control and limit rights to view, modify or print a document.
- Control and limit rights to copy and paste from a document.
- Preserve limits on rights and permissions for a document when it is copied, whether or not the document is renamed during the copying.
- Disable the Windows Print Screen function to limit the ability to capture the content of a document as an image.
- Preserve the controls and limits on rights to a document attached to an email message, whether the attachment is included in a reply or forward of the original message.
- Set an expiration date for a document so its contents will be unavailable after a prescribed time.
- Allow permissions for one or more previously authorized users to be turned off. This will stop access to the document for those users, even if they are authorized for other documents.
- Maintain an audit trail of access to a document, and of any changes made to the rights and privileges associated with it.
These controls follow a document inside and outside a business, law practice, or other organization — no matter where the document is shared. Documents with IRM protection are encrypted in a manner that connects them to an information rights management server. That connection must be made before any of the controlled activities occur. A recipient can’t change the rights associated with the document without being granted the power to do so by a document owner, and must be connected to the server to make the change. Each document protected by IRM contains an encryption lock. That lock must be opened by a key provided by the rights management server. The server contains all of the rules that control the use of the document. Unless a recipient is given authority, he or she cannot change the rules on the IRM server. The rights management server also maintains the audit information of the activities performed on the document.
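The key-release flow described above, as an added example that is not part of the original post and not any vendor's implementation: a simplified Python model of a rights management server that holds the rules, releases a document's key only when they allow the requested action, and audits every decision. The class and method names, e-mail addresses and file names are hypothetical, and the model assumes the document body is already encrypted under the per-document key.

```python
import secrets
from datetime import datetime, timezone

class RightsServer:
    """Simplified model: rules, keys and the audit trail live on the server."""
    def __init__(self):
        self.policies, self.audit = {}, []

    def protect(self, doc_id, owner, rights, expires):
        self.policies[doc_id] = {"owner": owner, "expires": expires,
                                 "rights": {u: set(r) for u, r in rights.items()},
                                 "key": secrets.token_bytes(32)}  # opens the "lock"

    def _log(self, doc_id, user, action, outcome):
        self.audit.append((doc_id, user, action, outcome))
        return outcome == "granted"

    def request(self, doc_id, user, action, now):
        """Release the content key only if the rules allow this action right now."""
        p = self.policies[doc_id]
        outcome = "granted"
        if now >= p["expires"]:
            outcome = "denied:expired"
        elif action not in p["rights"].get(user, set()):
            outcome = "denied:no-right"
        return p["key"] if self._log(doc_id, user, action, outcome) else None

    def revoke(self, doc_id, actor, user):
        """Only the document owner may change the rules; every attempt is audited."""
        p = self.policies[doc_id]
        if actor != p["owner"]:
            return self._log(doc_id, actor, "revoke:" + user, "denied:not-owner")
        p["rights"].pop(user, None)
        return self._log(doc_id, actor, "revoke:" + user, "granted")

def demo():
    # Constructed sample data: two documents shared with the same expert witness.
    srv, owner, expert = RightsServer(), "counsel@example.com", "expert@example.com"
    t0, end = datetime(2015, 6, 15, tzinfo=timezone.utc), datetime(2015, 12, 31, tzinfo=timezone.utc)
    for doc in ("brief.docx", "exhibit.pdf"):
        srv.protect(doc, owner, {expert: ["view"]}, end)
    srv.request("brief.docx", expert, "view", t0)    # granted
    srv.request("brief.docx", expert, "print", t0)   # no print right
    srv.revoke("brief.docx", expert, expert)         # recipient cannot change the rules
    srv.revoke("brief.docx", owner, expert)          # owner turns off access
    srv.request("brief.docx", expert, "view", t0)    # revoked for this document
    srv.request("exhibit.pdf", expert, "view", t0)   # other document unaffected
    srv.request("exhibit.pdf", expert, "view", end)  # expiration reached
    return [entry[3] for entry in srv.audit]
```
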
Thinking back a few years — perhaps to the world before email — red confidential envelopes come to mind. In much earlier times, red wax sealed a confidential envelope’s contents. Either way, “red” became the symbol for extra warning that the contents of the envelope required care to avoid accidental or purposeful disclosure. IRM can be understood as an electronic version of the red envelope. Unlike the contents of a red envelope, IRM stays attached to a document even after “breaking the seal.”
II. When should we use IRM?
To use IRM, the creator of a document must connect it to the IRM server. Then, a recipient must be granted access to the document under his or her authorized identity to view the document.
These rights management capabilities have started to be built into enterprise collaboration platforms, but a plug-in free model is indeed necessary to ensure use and adoption. When selecting and planning technology, lawyers must consider IRM for sharing highly sensitive information where the risks are higher.
Here are four critical situations to consider:
- Situation I — The Expert Witness: Exchange of documents with expert witnesses provides a focused example. Expert witnesses are often called upon to review sensitive business information. Their need for the information is limited in time. An expert may be dismissed from their engagement for several reasons. And in some cases, when an expert completes the work, the expert may need further access to the information provided. In some situations, an expert may need to affirm that he or she has destroyed all copies of the information received. In one example, failure to properly shred information required by government contract resulted in a $1.1 million liability for Iron Mountain and Shred-It. It is easy to imagine delivery of materials to an expert witness in a red confidential envelope. Content delivered electronically to an expert witness deserves similar “red envelope” protection from IRM. The extra protection makes sense — destruction of access to documents can be assured.
- Situation II — Complex Litigation: A key characteristic of complex litigation is the number of parties, counsel, experts and consultants who may participate in some stage of the work. During the development and prosecution of a case, lawyers must obtain from their clients documents that can contain highly sensitive information. Concerns may include:
  - Protecting information, the release of which would compromise confidential communications between attorney and client.
  - Controlling information protected by law, including personal identity information, and personal health information.
  - Controlling highly valuable business information, including trade secrets, the disclosure of which could destroy the value of the information to a business, or even the business itself.

  To conduct the litigation, such information must be able to be shared and accessed by trusted parties. Can their systems and staff be trusted with the information? What if someone leaves the case? Using IRM can allow a much greater assurance that documents will only be accessed by those persons authorized and trusted to view them, that redistribution or leakage will not expose their contents to unauthorized persons, that the usage of the documents can be tracked or audited, and that access can be revoked when necessary. IRM’s value may be best applied in the communications between attorney, client and third parties of documents not yet produced in discovery. Once produced, protections can be directed by the courts.
- Situation III — Export control: Export control limitations, especially International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR), may prohibit documents containing controlled technical information from being transmitted to, or accessed by, persons in proscribed countries or persons who may be citizens of proscribed countries. IRM can assist in compliance with export control by tracking the recipients of a document, and by giving the owner the power to terminate access to the content of the document if the owner determines that it has traveled into a proscribed country, or is accessible to a proscribed person. In one instance in 2002, General Motors agreed to a $10,000,000 fine and $10,000,000 in remedial expenditures for permitting access to ITAR controlled information to nationals with citizenship in proscribed countries.
- Situation IV — Patent Practice: Patent lawyers must frequently access and share very sensitive and valuable client information, including information that may contain trade secrets. Protections of IRM can provide patent lawyers and their clients with additional safeguards that such information deserves. An example of the loss of proprietary information was the reported hacking of information about Israel’s Iron Dome antimissile system.
III. How do we put IRM to work?
The next blog post will explore how information rights management can be optimally deployed. An initial question will be whether the rights management server resides within the internal networks of the organization that seeks to use IRM. Can or should IRM be supported by a trusted third party’s system or should it be native to the technology you've deployed?
Capabilities for IRM can be found in Microsoft’s Office 365 offerings. Intralinks VIA’s secure document sharing capabilities support IRM without requiring a user to maintain their own rights management systems or use a plug-in.
Why is this relevant? Stay tuned for my next post where I’ll answer some of these questions.
Robert L. Blacksberg Esq.
Bob’s experience spans more than two decades of technology leadership for lawyers, following a law practice that included partnerships at two Philadelphia law firms. Bob is principal of Blacksberg Associates, LLC and leads engagements with law firms in strategic technology planning and implementation, creates and delivers CLE training programs, and works with leading technology vendors to explain, promote and train leading-edge technology products for lawyers. An author and speaker, Bob has appeared at the International Legal Technology Association (ILTA) conference and on ILTA Roadshows.