There is hardly a law firm around that doesn’t use a piece of Microsoft technology. Be it for collaboration, productivity or communication. But the security capabilities of the Microsoft toolbox is growing which makes it easier for law firms to keep data safe. We spoke to Rodney Mhungu from Microsoft, who works in Amsterdam, but doesn’t speak Dutch professionally so we interviewed him in English. He is a Technical Specialist for Information Protection and Compliance, and we asked for his vision on security and productivity for law firms. Rodney got his law degree in South Africa, and then got a scholarship to Tilburg for a Law & Technology degree. After working for Philips and Deloitte, always on the balance between legal and technology, he moved to Microsoft.
Rodney, looking at the digital capabilities of most law firms, how do you think they can improve?
“What I noticed is that in Dutch law firms and corporate legal departments there is a lot of focus on being and staying compliant with current regulations. Much more than in other countries. The compliance game, however, is changing. In the past legal professionals received an irregular flow of questions and requests, but in the digital age and economy, risk is always around the corner. Organizations are “on” 24x7, which means you need to stay safe 24x7. Also new technologies enable new business models, so the ongoing challenge is how you quickly learn these new possibilities to improve your services. How do you change your internal culture from wait and reply, to a proactive and continuously ready to answer way of working?”
How does technology help make a lawyer’s life better?
“Every type of data carries its own type of risk. That is why one of our solutions is focused on data classification. We look at what type of data you have, what it’s about, how it’s stored and how it’s currently being used. It gives you a sense of just how much sensitive data you actually have and what kind of risks can be associated with it. By classifying all the data, it creates an overview with insights on how the information needs to be stored and secured from a legal perspective. After classifying the data our tools can help improve both security and privacy. We do this by i.e. recognizing files that contain BSN-numbers or medical data and then adding watermarks with “confidential” to those files, or applying sensitivity labels to limit distribution or changes.”
How do all these technologies give legal professionals more assurance about, for instance integrity or safety?
“One of the things our software does is keep an audit trail, or at least if the administrator enables it. What that does, is it keeps track of changes and actions that were applied to a file. That gives you as a lawyer the certainty that you’re using the right version of a file and that it wasn’t altered or tampered with. It helps prove the legal value of the file you use, which helps you to do your job.”
When it comes to collaboration, productivity often used to go before safety. How does Microsoft look at this?
“There is this delicate balance between productivity and security/privacy. It’s a very important topic to us; how do you keep users and data safe without compromising productivity? The automatic classification that I mentioned earlier is a good example of that balance. We noticed that there is a lot of “noise” in data stores, meaning a lot of the stored data is relevant to the company but not sensitive in a legal sense. So that makes it hard to manually define what needs to be classified and protected and in which way. That is where our automation comes in. We can help set up rules and classification labels, for instance a classification “very strict” which prevents the classified file from being moved to another location or even limits access to specific devices or geographic locations. Like the name implies this is very strict. So our software allows for a manual override, if requested by the firm. Now the user is reminded that he or she’s about to do something that could be risky, but it allows him or her to make a judgement call about it. The audit trail then records that choice so a user can be held accountable for his or her choices.
What I think is a great thing to help keep the balance between safety and productivity, is our Activity Explorer. This is a dashboard that gives a bird’s-eye view of how the data in your firm is being accessed and what Data Loss Protection Policies were triggered. This complements our tooling to detect other security risks like failed log on attempts. So if this shows that for instance a lot of users are manually overriding your policy, you can investigate whether you need to enhance this, or talk to your users.”
How do you challenge your IT provider to keep your data safe?
“You need to realize that as a firm, you are responsible for everything that happens to your data. When outsourcing IT to a cloud provider or MSP (Managed Service Provider), that doesn’t mean that you can just forget about all this stuff. It’s still your data. It has become a collaborative effort to keep your data safe, and not just that of your IT partner. So even if you’re not an IT professional, your opinion on the topic matters because cloud computing allows your tools to be more flexible and relevant to your day job. It impacts your productivity and profitability, so you’ve got a responsibility to learn about it and have a vision on your desired outcome.”