Law firms today face huge amounts of risk, and the last thing you need is a mischief-maker inside the firm. Law firm technology has made information easy to store, access and utilize, increasing the risk a bad seed in your firm is fishing for confidential data. While firms acknowledge their document management, records and enterprise search systems are vulnerable, enough don’t think about protecting their timekeeping system.
Most software applications intentionally make internal information easily accessible, which is usually a good thing for clients and attorneys, creating efficiency and a sizeable knowledge base. But open access to information has its own set of risks. Highly publicized breaches have appeared in the media, including breaches to data privacy rules like HIPAA/HITECH and insider trading non-compliance. Not good.
So, what is the best way to wall off your timekeeping system? The simplest way is to make every timekeeper a silo, only able to see his or her own entries. That stops the snooping and fishing, but does not hide confidential client matter names from the user on client matter look-up lists. Evidence suggests that prospecting for confidential names is where most mischief begins, so you want to protect your client matter list. So, the simple silo strategy has holes.
When we designed Smart Time, we designed it with ethical walls in mind. But first, you must have an ethical wall system in place or an accounting system capable of building and managing walls. Ethical wall systems allow you to manage your walls in one central location. Once you set up a wall, these systems spawn security into other applications. I consider these systems a “must have” for firms sensitive to risk management.
We’ve concluded the best way to protect Smart Time is to build a custom client matter look up for each user and to only permit them to look at their own data. We construct the list by reading the inclusionary and exclusionary walls in the ethical wall system.
It works like this:
- An inclusionary wall allows access to the client or matter. Only those timekeepers who have been granted access are permitted to interact with client matter data. For time entry that means only timekeepers who have been added to the inclusionary wall are able to see client/matter names and numbers on their look-up lists, and only they are able to post time to the matter. Everybody else in the firm does not even know the client/matter exists.
- An exclusionary wall prevents specified timekeepers from gaining access to particular client/matters. Timekeepers added to exclusionary walls do not know the matter exists in the timekeeping system and if they attempt to post time by accident, the system stops them,
It sounds simple enough, but not all time entry systems can accommodate wall security. When you examine your risk management policies be sure to include timekeeping on the list of protected systems.