Practicing Law Securely — Working with Information Rights Management
Information Rights Management (IRM) provides end-to-end control of a document. When beginning to work with IRM, here are the key questions you might have.
1 September 2015
The story of information rights management (IRM) continues where my last post ended.
As we lawyers begin to work with IRM, we face many questions. This blog seeks to ask and address several of them.
I. The rights management server: Should it be inside or outsourced?
Should the rights management server reside within the internal networks of the organization that seeks to use IRM? Can or should IRM be supported by a trusted third party’s system?
Law practices can make the choice to support IRM services with servers and software under their own control. However, that can add a new burden to their IT staff. It also exposes the practice to a technical responsibility to persons outside the firm. Any failure of the operation of the internal IRM server not only affects the practice’s internal users, but anyone else who has received an IRM protected document managed by the IRM server. The practice may also be called upon for technical support for IRM use by both inside and external users.
Even for law practices that have not made a commitment to cloud computing generally, the use of trusted third party systems for important and confidential information is common. Document collections for due diligence and deal management (data rooms) and discovery in litigation are often maintained with third parties. Previous posts in this series have argued for secure shared repositories for safe document sharing. When those same repositories offer IRM, they increase their capability for safe document sharing. IRM is offered by the Intralinks VIA® service and Microsoft® Office 365 and SharePoint through Azure Rights Management.
Reliance on a trusted third party for IRM removes the burdens mentioned above. The third party bears the responsibility for keeping the IRM services operating, and provides a neutral source of technical and customer support for all users. As specialists in their systems, they need not master new systems and skills to support IRM.
II. Does IRM need plug-in or other special software?
Intralinks VIA’s secure collaboration supports IRM without requiring a user to maintain their own rights management systems or use a plug-in. Why is this relevant?
The discussion about IRM servers explains why it can be helpful and desirable that neither a lawyer who creates a document that requires IRM, nor a client, opposing counsel, expert or other person who receives it, should need to maintain their own IRM system to share documents securely. Specifically, the lawyer who creates the document needs the ability to change or remove the permission to access the documents under some circumstances. The IRM system either must be under their practice’s control, or be managed by a trusted third party to be able to assure that recipients can’t circumvent the rights controls.
The installation of plug-in software at least is an annoyance to a person who may work with IRM protecting documents, and a deterrent to its use. At worst, plug-ins may interfere with the operation of critical software such as Microsoft Office in situations that don’t involve work with the IRM protected document. Organizations often lock down their software by Group Policies or other means to only accept approved plug-ins. That will not be acceptable and may cause users to avoid using IRM.
III. Does IRM work on mobile devices?
Recipients expect to be able to read their email, including attachments on smartphones and tablets. Depending on the complexity of the document, the ability to edit documents on tablets, especially, has become a requirement for mobile lawyers. For instance, Intralinks VIA supports IRM protected documents when accessed on iPad® and Android® tablets, and apps from Intralinks support this mobile access. There are other apps that state that they support rights management on mobile devices, such as the RMS Viewer app for documents controlled by Windows Rights Management.
IV. Should IRM apply to every document? What about drafts?
When IRM is considered, should all documents created or gathered for the engagement be subjected to IRM, or a selection? Should the decision be made for each individual document, or can IRM be applied based on criteria for groups of documents?
IRM adds extra effort to the access and editing of documents. If applied indiscriminately, recipients of IRM protected documents may complain. A difficult scenario is easy enough to imagine. A zealous lawyer applies IRM to a draft document, a resistant client receives it, gets frustrated, and complains to the rainmaker partner. That partner, valuing immediate client satisfaction over protection against risks thought to be remote, insists on removal of IRM.
On draft documents: it is easier to choose IRM protection for completed documents than drafts. Recipients have no further need to edit those documents, so locked-down IRM (removing permissions to copy, paste, possibly print) makes the most sense. If applied to drafts, the settings must be more selective. Also, during drafting, frequently a recipient of a document may want a colleague to review and edit a draft. Those changes in rights and their management can become a burden to the author and add friction to the management of the transaction.
These choices must be considered when applying IRM. When using Intralinks VIA, IRM can be applied to an individual document, or to all documents stored in a specific folder. The criteria used to select a folder then becomes those used to apply IRM. Signaling the use of IRM by including a phrase such as “IRM Protected” in the folder name could also help.
V. What IRM permissions should be granted? When should time limits be used?
Intralinks VIA supports two levels of permissions. If the rights granted to an IRM protected workspace or folder are set to “View”, then the users will have permission to view the documents, but not to edit, copy, print, save or export the documents. Otherwise, those permissions to the document will be granted, but the recipient will not have full control, and cannot grant those rights to others, or remove the IRM protection.
Intralinks VIA supports time limits. If permission should be granted for a predictable length of time, setting the time limit when applying IRM protection assures that access will be limited. It makes sense to do this when first applying IRM, since no further follow-up action would be required later to remove access.
We can tie IRM permissions back to the situations described in the last blog post, “Information Rights Management: What, When, How.” In the case of an Expert Witness, limitations to view only and applying an expiration date are straightforward. The witness only needs to read, print and copy content, not to share with others. The assignment to the witness should have a time limit — sometimes to prepare their report, others for the duration of the proceeding. In complex litigation, imposition of an expiration date tied to the proceeding also makes sense. Documents provided as reference and research may be limited to view access, while documents subject to editing would need to have full rights (though not ownership control).
Documents subject to export controls are likely to be limited to view rights. Depending on the circumstances, an expiration date may also be helpful. In patent practice, the additional protections that view rights offers can be important. In the course of a patent dispute, the court may direct that documents be shared, and that direction may be limited to an expiration related to the course of the proceeding. Access to sensitive and proprietary information can be limited to those persons directed by the court.
VI. How can I help those with whom I share IRM restricted documents?
The key step is to establish a common understanding of the purpose of IRM, and clear warning that documents are protected. The recipient should know the system used to apply IRM, and the steps they need to follow to access and use the documents. Using Intralinks VIA, recipients should be advised that they will need to create an Intralinks VIA account and confirm their User ID and password to access or edit IRM protected documents.
VII. What do I need to do to remove IRM from documents?
If you are the creator of an IRM protected document, or are granted full control, you can remove the protection from a document after you receive it. Otherwise, in Intralinks VIA, the creator must remove IRM protection from the workspace or folder, or move the document to an unprotected workspace or folder.
VIII. It’s too hard. What can I do to make it easier?
How much does the extra effort associated with working with a document subject to IRM discourage its use?
It remains the case that among users of technology, lawyers find extra steps required for their documents a chore. That perception must be weighed against the obligation for protection, and especially the ability to block access to documents inadvertently sent to an inappropriate party, or which later become inappropriate, such as with a change of representation.
Robert L. Blacksberg Esq.
Bob’s experience spans more than two decades of technology leadership for lawyers, following a law practice that included partnerships at two Philadelphia law firms. Bob is principal of Blacksberg Associates, LLC and leads engagements with law firms in strategic technology planning and implementation, creates and delivers CLE training programs, and works with leading technology vendors to explain, promote and train leading-edge technology products for lawyers. An author and speaker, Bob has appeared at the International Legal Technology Association (ILTA) conference and on ILTA Roadshows.