The Heartbleed bug, which allows hackers (and the NSA?) to exploit a hole in OpenSSL (used by many companies to transmit “secure” data), has sharply posed the issue of Best/Worst practices. In any event, I have been thinking about this for a while since I have several recent Worldox installations where firms have come down insistently on a “worst practice” implementation.
The question is posed most starkly over the issue of passwords. It is trivial for hackers today to break through standard passwords (the most commonly used password is “123456” followed closely by ... “password”). And if you use the same password for all or most of the sites you visit, once the first password is broken, everything else you do, your bank accounts, credit cards, social security information, is completely exposed. So obviously the “best practice” is to use passwords that are difficult to break, to change them often, and to use a different password for every site. Does anybody do this? Not likely (I don’t either). Password managers can achieve this result, but hardly anybody uses them either.
The reason for “worst practices” in this case is not just laziness, but the fact that best practices can be very difficult, if not impossible, to implement. I can’t count the number of times I’ve said “now, which one of the half-dozen or so passwords that I regularly use did I use for this site?” A general principle here is that the more secure you make a system, the more complex and inconvenient it will be to use it. Each user has to determine their personal trade off between “best practices” (inconvenient but safe) and “worst practices” (convenient but can put you at great risk).
This raises the more general question: how do you define “best practices” or “worst practices” and why is there so much resistance to “doing it right?” Take my favorite topic, document management, as an example.
“Best practices” are not a rabbit out of a hat. They exist to respond to certain needs and conditions of a given program/operating system. Best practices can be defined as a set of procedures that will let users accomplish their goals as efficiently as possible while at the same time protecting the integrity of the system they are using and safeguarding the firm’s data. Best practices should be defined in terms of what best serves the needs of a significant majority of the firm (The greater good for the greater number...).
The key phrase here is “accomplish their goals.” It makes no sense to talk about best (or worst) practices without talking about what you want to accomplish. In terms of document management, this means being able to organize, store and, most importantly, retrieve, documents of whatever nature (scans, emails, imported discovery documents, etc.), as efficiently as possible and to protect the integrity of the document store. A good measure of this “integrity” would be provided by the ability to give an affirmative answer to the question: “can the firm guarantee that ALL its documents are available through the document management system?”
By way of contrast, what would define “bad practice”? The dividing line between best and worst practice is a matter of degree and percentage, not a line in the sand. If 90% of your users need to organize something a certain way 90% of the time (and there are no substantive downsides), then inconveniencing the 90% for the sake of the 10% is a “bad practice.” The “best practice” standard should optimize the system for the 90%. This is frequently difficult to accept in law firms with a “medieval dukedom” form of organization: each partner is like a medieval duke isolated in his own castle on the top of his own mountain.
Obviously there is a qualitative difference here between a pure solo and a firm of even 10 or so users. A pure solo can define things however they want because it doesn’t affect anybody else. As soon as you get more users, things change. One of my newer clients recently insisted that all users had to have the right to define document types. Big mistake. They insisted. So I capitulated. Within a week they had two document types for the same thing: retagmt (retainer agreement) and retlet (retainer letter). Murphy’s law dictates that the retainer letter/agreement you are looking for will always be classified under the “other” document type.
Assuming that attorneys are trying to maximize their efficiency, why don’t they follow “best practices?” When you set aside not inconsequential reasons like inertia, stubbornness, etc., the fundamental reason has to be that they believe their goals can be accomplished only by a different way of proceeding and not by what is presented as “best practices.”
When I suggest a given “best practice” there are typically three main objections:
(1) We’ve always done it our way. This is manifestly a bad argument. The reason a firm is adopting a new program is precisely to change how it does things and to remedy the problems that existed previously.
(2) Our firm is unique. Partly true, but not as true as they think. Out of several hundred firms in a given practice area, there are probably less than a dozen “unique” variants, almost all of which are already known to the consultant community at large, and ways have been designed to accommodate them.
(3) We need to be able to accomplish “x.” This is the only serious argument. The question is, will the means they suggest actually be the best way to accomplish what they need to do?
To assess a firm’s perceived needs where they diverge from standard best practices, you therefore need to do two things: (1) analyze whether they are in fact correct. Do they have a legitimate need that can only be satisfied in some other way? (2) analyze why the strategy they wish to pursue, which may have been adequate (or the only one available) in a non-document management world will not produce optimum results in the context of a document management system.
Let’s take one of the most common issues: how many document types does a firm need, and should document types be further subdivided into sub-types? You have to return to the central question: what goals does the use of document types accomplish? Generally, you want to use doc types to respond to the query: “find all pleadings for a given client or matter” or “find all pleadings that contain certain language.” You need enough doc types to provide adequate search results but not so many as to be confusing. Generally speaking, in this area less is more.
Users are accustomed to micro-managing subdirectories in Windows Explorer because they have no serious search options. This is not the case with a document management system. If you do a search that turns up less than a single screen worth of documents, it is extremely easy to process them rapidly with the Worldox viewer or other functions. Micro-managing document types so that you can turn up only one or two instances is simply not worth the effort it takes to create and maintain the desired structure. In addition, multiplying document types will often lead to error in assigning document types and be counter-productive.
This issue is multiplied when it comes to sub-document types. Many litigators, at least initially say that a doc type of “motion” is not adequate to accomplish what they want to do, which is to find specific types of motions rapidly. I have one client who insisted on using sub-types and has nearly 30 types of motions as sub-document types. My experience is that unless there are only one or two people working with the system, this kind of micro-managing doc types creates more problems than it solves and is therefore, on balance, not a good idea.
There is a lot riding on whether or not a firm’s system is generally consistent with a best practices framework. Firms that insist on implementing deviant configurations will experience a lot of problems and discontent and, in extreme cases, a failed installation.