Information Rights Management: The Next Step in Information Governance and Security?

As the guardians of privileged and sensitive data, law firms have their work cut out for them on the security front. External bad actors are constantly trying to get their hands on firms’ confidential information through cyberattacks, while insiders pose a threat of their own if they use their internal access rights to view content they shouldn’t.

Ian Raine

As if that wasn’t enough to keep law firms up at night, data leakage can occur through far less nefarious and much more mundane events than cyberattacks or internal sabotage. For example, a lawyer could accidentally email a confidential document to the wrong recipient. That’s right: a simple user error ― like sending a finalized contract to your old colleague Jane Smith instead of your client Jan Smith ― can wreak just as much havoc on your firm’s reputation as an external or internal breach.

For these reasons and more, law firms and legal departments should be implementing comprehensive security and information governance strategies. And increasingly, organizations are recognizing that information rights management (a type of digital rights management) could play an important role in these strategies.


So what exactly is information rights management, and what does it do? In summary, it encrypts a document and then restricts who can access it and what they can do with it. Information rights management is flexible in that the restricted operations for a document can vary ― for example, preventing printing or re-saving to a different location, disabling the ability to copy or restricting viewing and editing of the data.

At this point, you might be saying to yourself: “I have a very good document management system (DMS) and a need-to-know security solution that segregates content and controls which files someone can access. Why do I need information rights management?”

Information rights management ensures that protection travels with the document always, even beyond the perimeter of the DMS or even outside the firm.

A DMS and a need-to-know security solution can certainly provide a very effective layer of protection for sensitive documents ― as long as the documents stay within the “perimeter” of those products. However, if somebody within a law firm were to export a document from the protected workspace of their DMS and drop it into an unprotected Windows file share or email it to someone, then the access control and protection provided by the DMS and security solution are lost.

That’s why information rights management is so important: It ensures that protection travels with the document always, even beyond the perimeter of the DMS or even outside the firm. It doesn’t matter if a document is exported to a file share, checked out to a local C drive or attached to an email — whenever a document from a sensitive matter or restricted workspace leaves the DMS perimeter, information rights management ensures that it continues to be protected while it’s “out in the wild.”

Information rights management is only useful, of course, if it has been applied to documents. And people will only implement information rights management if it’s an easy, frictionless process.

An ideal information rights management solution will automatically stamp a document with policy that reflects the DMS’s security settings as soon as it leaves the perimeter. All the various permissions ― the users who are allowed access, the types of operations that are allowed with the document ― will follow the document as it circulates outside the DMS perimeter, automatically protecting against the possibility of that content getting into the wrong hands.


Think of the uncontrolled copies of sensitive documents that are sitting around a firm as locally stored items on users’ laptops. Consider the number of documents that are accidentally emailed to the wrong person or emailed to someone who then, without the original sender’s knowledge, forwards it on to somebody else.

Information rights management aims to address these problematic scenarios, helping to cut down the potential for data leakage. With information rights management, there is a greatly reduced chance for somebody who wasn’t supposed to receive a document to access and view its contents, regardless of whether they obtained the file through malicious activity or through user error.

Consider information rights management as one more piece of the security puzzle that is coming down the road for law firms or legal departments. Security is an ongoing journey, and information rights management could very well be the next step in information governance for organizations that want to ensure greater levels of protection for their critical files and sensitive information.