Managing Confidential Information Disclosures

August 1, 2008

A question came up recently on an ACC (Association of Corporate Counsel) listserv about best practices in managing information received under a confidentiality obligation.

“We are trying to develop a ‘best practices’ process for NDAs, i.e., how to keep track of info that is received and to whom it is disclosed; how to preserve it/destroy it when the NDA ends, etc. Anything you have prepared in this regard would be appreciated. Thanks”

Several people on the listserv responded that they’d be interested in this information, but no one responded that they had developed such a process, so I thought people might benefit from this. Here’s my response, supplemented with additional information about the solution provided by my company, Pontus Global, Inc., that I didn’t feel I should provide on the listserv:

It’s interesting that no one responded to your posting with a solution, but that several people were interested in the information. In my experience this is something that few companies do well, and that many companies feel uneasy about. The responses seem to support my observations. Also, here’s what Eric Goldman had to say about it:

“Companies need to manage information they receive under an NDA. Specifically, employees must segregate restricted information from that which is unrestricted. Also, they need to know the applicable NDA restrictions, and manage their use and disclosure of information in accordance with those restrictions. Realistically, most people can’t do this.

Worse, few Internet companies have any information intake or management systems. Without such systems, it is very easy for a company to inadvertently breach its NDAs.” http://www.ericgoldman.org/Articles/overusedndaarticle.htm.

Here are some thoughts on how companies should be doing it. (I need to disclose that the company I recently joined as GC provides platforms that help companies manage these kinds of processes, so I’m trying to keep this information as generic as possible.)

1. The idea of establishing a “best practice” process is good, but it needs to be more than just a document, because policy documents tend to be ignored or forgotten. Rather, the process should be supported by systems that guide people through the process and help them to comply.

2. As soon as you allow employees to exchange confidential information by email you’ve lost control of the information (whether it’s information you disclose or information you receive). Unless all parties involved have and are diligent about using a very good document or content management system it’s too easy for emails to be misplaced or forwarded to the wrong people. As a result, you can never be sure that your company actually complied with a return or destroy requirement.

3. Instead, you should establish a secure central repository for information exchange where all employees involved in a project can upload information and make it available to the other party, and where the other side can upload information and your employees with a need for the information can access it. Access to the information should be controlled and auditable. The system would also inform all involved of their obligations with respect to the information, provide access to relevant sections of the NDA, and require people to agree to comply before they can access the information.

4. Once a project or relationship ends, the system should allow for the destruction or retention (with very limited access) of the information stored in the system. It should also make it easy to inform those who have downloaded information that they are required to return or destroy it and require them to certify that they have done so.

5. Because everyone seems to like to use email so much, whatever alternative you provide (mandate) must be extremely easy to use. In fact, it should provide benefits that email can’t provide in order to make sure people actually use it and don’t revert to their old habit of using email.

I don’t know if there are other companies that provide something similar, but my company does provide a system to deal with this kind of information disclosure. We believe a system like this allows companies to easily adopt “best practices” for dealing with receipt of confidential information and is a huge leap beyond exchanging information through email, with all the associated risks and tracking problems that entails.

There are certainly other options. For example, your IT people could probably create this kind of a system using something like SharePoint. However, many companies that try to do this internally find it difficult to design and maintain the system, assuming you can even get your IT department to help. Also, it’s often easier to convince another party to use a system provided by a third party.

I didn’t think it would be appropriate to post specific information about my company’s solution on the listserv, but Pontus does provide a hosted contracts system that can manage not only contracts and contracts processes (including NDAs), but also the associated information disclosed under the NDA.

We provide a place where both companies (or more if more than two companies are involved) can upload the information they intend to disclose and limit access to selected users. We can control whether people can download the information or just view it. The system tracks who accesses the information and who downloaded information. Users can also easily link to the actual NDA to determine what their obligations are under the NDA. If information needs to be archived or destroyed we can remove it from the system or make it inaccessible, and we can provide a log of who has downloaded information so it can be tracked down and destroyed.

If anyone would like additional information or would be interested in seeing a demo of the Pontus system, please contact me or sales@pontusglobal.com.


Contracts Management Presentation for ACC’s Law Department Management Committee

May 14, 2008
Today Jason Mark Anderman, of Becton, Dickinson and Company, and I presented a “legal quickie” for ACC’s Law Department Management Committee on the topic of “Contract Management Systems.” This is becoming a hot topic for law departments, as more forward-thinking general counsel are realizing that their departments can make a significant contribution to corporate performance (as well as Sarbanes-Oxley compliance) by implementing better systems and processes to manage their contracts, contract processes, and contract-related information.
 
Jason described the steps that his company has taken to streamline their contracting processes, including flexible and comprehensive templates for procurement contracts and better processes and systems to manage the contract lifecycle and contractual information.
 
But as impressive as Becton, Dickinson’s results have been, the kinds of processes Jason described can only take you so far. Any company with a significant volume of contracts or contract activity should be looking at a contract lifecycle management system (CLM — also known as an enterprise contract management system) to help manage and automate the entire contract lifecycle. A CLM system can be defined as:
 

An integrated system that applies business rules to manage contracts of the enterprise on a worldwide basis, from request, through contract creation, negotiation, approvals, distribution, and filing in a central, searchable repository, and that allows people and systems within the organization to access, analyze, and act on contract-related information to improve efficiency, consistency, reporting, and control.

 
Companies that have implemented CLM systems have reported significant improvements in these and other measures. Many companies have been able to decrease the involvement of their legal departments in routine contracts by using CLM systems to implement controlled self-service contract creation processes. There are many examples of revenue improvement through better management of contract renewals and escalation clauses that in some cases are enough to pay for the costs of the systems.
 
Finally, tangible benefits to corporate law departments include better control and visibility of contracts and contract-related risks, the ability to share contract-related knowledge across the enterprise, and the ability to allow highly paid legal resources to focus their efforts on higher-value activities rather than administrative tasks. Many of these systems also allow legal departments to measure and report on performance and performance improvements, something many general counsel struggle with.
 
We didn’t get a chance to discuss the latest trend in contract management, which is CLM systems that combine a technology platform with a team of offshore and/or onshore resources to help manage the often labor-intensive process of inputting information into the system (especially legacy contract information), configuring the system, and managing and maintaining it. More information on that topic is available here: https://davidmunn.wordpress.com/2008/03/13/next-generation-contract-management-systems-more-than-software-more-than-lpo/.
 
For more information on contract lifecycle management systems and a list of vendors, see https://davidmunn.files.wordpress.com/2008/03/contract-management-systems-session-409.doc
 
The International Association for Contract and Commercial Management (IACCM) is also a great source of information regarding contracting and contract management systems.
 
David Munn
 
Disclaimer: My company, Pontus Global, Inc., provides contract management systems and services using a combination of technology, processes, and people. This was an interesting call for me because I’m currently in Bangalore visiting the Pontus India team, which meant the call started at 10:30 pm Bangalore time. Although the cell phone system in India disconnected me from the call just as I was starting the presentation, I was able to reconnect fairly quickly and the rest of the call went off without a hitch.

Next Generation Contract Management Systems – more than software, more than LPO

March 13, 2008

Added May 14, 2008. Note: On April 16, 2008, I became general counsel of Pontus Global, Inc., one of the companies mentioned in this post.

David Munn

I’ve been following developments in legal technology for the past ten years or so.  During that time the slow pace of adoption of game-changing technology by the legal profession has been disappointing.

Yes, nearly everyone uses email now, and we all have at least a rudimentary understanding of Microsoft Word (massive overkill for most of what we do), but we’re still fundamentally doing things the same way lawyers have for years. Technology allows us to do certain things faster, but many of the fundamental processes we use haven’t changed much in the 25 years I’ve been practicing law. And instead of having secretaries we now get to do our typing ourselves. How much progress is that?

 So when something comes along that actually promises to fundamentally change the way we work I take notice. That’s the case with a new generation of contract management systems now coming on the scene.

Contract management systems (aka contract lifecycle management systems or enterprise contract management systems) have been getting more attention from legal departments recently. And rightly so. Most companies are terrible at managing their contracts. (See Contract Management Is More out of Control Than You Think.) Contract management is an area that’s crying out for process improvement and automation.

Contract management is something that’s almost entirely done in-house, so the skewed incentives of private practice don’t enter into the picture. In-house lawyers should have an incentive to adopt technology that will improve their processes and efficiency. Yet in spite of all the benefits promised by the providers of contract management systems, companies have been slow to adopt these kinds of systems. And according to anecdotal evidence, many companies’ contract management system implementations have fallen short of the promises or have been abandoned.

So what’s holding the legal profession (and particularly the in-house bar) back from adopting the kinds of technology that could make a real difference? According to Pontus Global, the problem is the fundamental model of expecting busy lawyers to adapt to technology that often causes the lawyers to feel that they have to do more work than they did without the technology.

A system that allows everything in the contract process to be tracked and reported on sounds great until you think about how the detailed information actually gets into the system. That’s where these systems often fall down. If you rely on busy lawyers to enter information into a system it’s almost bound to fail. In fact, that could be the primary reason there hasn’t yet been a true revolution in legal technology.

So the Pontus model goes beyond software. Pontus has a hosted contracts management platform, but they support it with a team of lawyers and technologists in India and processes designed specifically to take advantage of the technology and the offshore team.

The idea is that your in-house team doesn’t have to learn complex software and they don’t have to enter data. The Pontus team will do that for you. This model is very different from the pure software contract management systems that require your lawyers to do much of the data entry. And it’s different from the legal process outsourcers (LPOs) that provide the labor, but not the integrated technology platform.

I’m familiar with Pontus because my company has been working with them over the past year or so to get our contracts under control. There’s at least one other company that I learned about recently (FirstDocs) that appears to have a similar approach. And I know that some of the big names in the legal industry are looking at this model as well.

Contract management is only one application where this model could work. Many companies are looking at outsourcing legal services or hiring their own offshore legal professionals, but neither of those approaches is ideal if you are still using outdated technology and inefficient processes. The convergence of technology, better processes, and offshore resources by new companies like Pontus and FirstDocs could finally be the key to getting the legal profession to truly take advantage of the promise of technology.


IACCM Americas Conference April 7-9

March 10, 2008

Last year I attended the IACCM Americas conference in New Orleans. I thought it was one of the best conferences I’d ever attended. Excellent speakers, thought-provoking discussions, and opportunities to network with people outside my normal sphere of corporate counsel made it an event I’d recommend to anyone involved in contracting.

This year I have the opportunity to participate as a discussion leader in the Academic Symposium that kicks off the conference. We’ll be exploring whether current approaches to academic training (both legal and procurement) result in more confrontational and less productive relationships.

Although the IACCM is not primarily an association for attorneys, Tim Cummins and the IACCM have recently been taking a leadership role in discussions about the legal profession. Tim recently wrote on his blog, Commitment Matters:

“I am observing a growing number of corporations – especially US-headquartered multi-nationals – where the Legal organization is gaining increased power. And they are exercising that power with a renewed focus on standard terms and conditions that are blatantly unreasonable and confrontational. Some are doing this on the buy-side, others on the sell-side – and when these two perspectives meet in the market, the only people who are empowered to fix the problem are …. the lawyers.”

I’d like to think Tim is wrong about the role of lawyers in creating the problem, but I certainly agree with his observation about the increasing prevalence of unreasonable and confrontational contract terms. It will be interesting to hear the views of others involved in the contracting process.

Other programs will focus on issues of globalization, automation, negotiations, risk assessment, and the changing world of business and contracting.

If you can make it to Scottsdale in early April it promises to be another great conference.

IACCM Americas April 7-9


Sun GC’s updated “Reebok Rules”

March 9, 2008

Sixteen years ago I had just started a new job as Pella Corporation’s first general counsel. Soon after that the ACCA Docket published an article by Reebok’s then-general counsel, Jack Douglas, entitled Reebok Rules, in which he described twenty-three guidelines to help in-house lawyers “focus on the client’s objectives” and remember “the priorities which will keep us successful and challenged in our jobs.” That article was immensely helpful in understanding what I needed to do to be successful as a new general counsel. I keep a copy of that article handy and regularly recommend it to lawyers beginning their in-house careers.

Sun’s GC Mike Dillon recently posted his own updated list of ten rules to help guide in-house attorneys in Life is Different In-House. Not surprisingly, several of them mention using new technology that can help us to connect, collaborate, and be more efficient.

I say not surprisingly because sixteen years ago email was still a new thing. One of our primary law firms actually loaned me a Mac that they used to send email to me since their system wasn’t compatible with Windows-based email. At that time I also had a Windows machine on my desk, so the Mac was set in a corner of the office. It was not an ideal situation, and I recall being ready to toss the Mac out the window on a number of occasions when it didn’t seem to be working properly (which could have been due to technology problems or operator error), which of course usually happened when important deadlines were looming.

 We’ve come a long way in sixteen years when it comes to technology. But most of Douglas’s and Dillon’s rules focus on relationships rather than technology. That’s something that doesn’t change.

One of the most striking differences between Douglas’s original Reebok Rules and Dillon’s updated rules is how lawyers’ attitudes toward the “n word” have changed. Of course I am referring to the word “no.” Douglas’s rules included “Eliminate the ‘No’ word from your vocabulary,” and I think many in-house lawyers took that to heart sixteen years ago. Unfortunately, following that rule also seems to have landed a number of GCs in jail. In light of the higher standards attorneys are now being held to, Dillon’s new rule is “Sometimes, you have to say ‘no’.”

Both the original Reebok Rules and Dillon’s updated rules should be required reading for in-house counsel.

David Munn


Will social networking work for in-house lawyers?

March 7, 2008

Ok. I’ll admit I’m a bit older than the typical Facebook user, and maybe that has something to do with my attitude, but I have to say I’m skeptical, at least in the short term, about all the social networking sites for lawyers that are springing up.

There are getting to be a fair number of sites that are directed at the legal profession.* Some of them look like they could be useful for corporate counsel (Legal OnRamp in particular). But the issue isn’t so much whether they offer something of value for us, it’s a question of how much time do we have for this stuff?  

There are a lot of things to like about the concept, and I think it has promise, but people only have so much time, and busy professionals in particular need to be careful about how they allocate that time.

I belong to a couple of professional organizations that I find especially valuable that have social networking components.

I would categorize the ACC, the Association of Corporate Counsel, as a social networking organization for corporate counsel. In addition to an extensive “virtual library” they have at least a couple of very active email listservs for members of their committees. I find that resource to be extremely valuable and worth spending time using and contributing to.  

IACCM, the International Association for Contract and Commercial Management, is a great resource for anyone involved in contracting. They also have an extensive library of resource materials and are adding more social networking-like features. I find myself spending more time there, as it directly relates to what I do on a day-to-day basis.  

But it’s impossible to keep up with the volume of valuable material that comes out of just these two organizations. I’m not sure how much more time there is to even explore and evaluate, let alone participate in, other social networking opportunities.  

So how are busy lawyers going to have enough time to do social networking? I think the answer is that we will eventually figure out how to get value out of social networking, but it’s going to take quite a while and will only happen after:

1. It becomes clear which resources are truly valuable and worth our time and there is a shake-out that reduces the number of options to a manageable number.

2. The social networking sites figure out how to target their audiences and target their offerings to make the best use of people’s valuable time.

3. Lawyers become more comfortable with the concept and the technology becomes extremely easy to use. For corporate counsel that may happen more quickly as more companies start to use social networking as an internal knowledge management tool.

4. Some law firms figure out how to give away information to corporate counsel while still making money.

5. A younger generation of lawyers starts to take over.

I believe that social networking will eventually become an important part of how in-house lawyers work, but I think it’s going to be quite a while before it becomes a pervasive part of the legal profession. See also Social Networking Sites: Will they work for lawyers and other professionals? for some other challenges for social networking sites directed at lawyers.

David Munn

* A small amount of research yielded the following: 

Nearly everyone (lawyers and non-lawyers) seems to be on LinkedIn.

General Social Networking Sites for Lawyers: 

lawyrs.net: An international law community designed for lawyers and law students. 

LawLink: The First Online Network Exclusively For Attorneys 

Legal OnRamp: “Legal OnRamp provides content, connectivity and execution services to help legal professionals deliver higher quality work in less time and lower cost.” 

Document sharing sites that have social networking characteristics:

DocStoc: “Find and share professional documents.”

JDSUPRA: “offers access to a constantly changing database of legal documents (filings, decisions, forms, documents) from the people whose work gives meaning to the law.”

Related Articles:

Inside Counsel: Net-Working – Web 2.0-enhanced sites get in-house counsel talking.


Contract Management Systems and Providers

March 1, 2008

In October 2007, Laura Williams of Safeco, Jim Marvin of FMC Technologies, and I gave a presentation on technology for corporate legal departments at the annual meeting of the Association of Corporate Counsel. One of the topics we covered was contract management. The material here (Contract Management Systems) contains a description of contract management software and an extensive list of vendors.

My list of vendors is now up to 36. Although that number is a bit overwhelming, this might be a good place to start for anyone researching contract management systems.  

Updated 03-05-08