Karakor
All case studies
LEGAL TECHNOLOGY · DMS & GOVERNANCE

A DMS configuration a managing partner can defend

An eight-week document architecture review for a mid-size litigation firm: ethical-wall enforcement, retention defaults, and audit-trail design — replacing a configuration inherited from a managed-service provider.

Client
Litigation firm, ~95 attorneys, two offices, US. Mixed practice — commercial and IP.
Duration
Eight weeks
Practice
Legal Technology
Results
48Matters reviewed for ethical-wall configuration during the assessment sample
2Specific matters incorrectly accessible to the wrong attorney — remediated in-engagement
12 → 4Seats with audit-trail access, after the redesign
42 ppBound document the managing partner can hand to a client
01 — Challenge

The firm's DMS had been deployed five years ago by an MSP whose security framing was generic — built for enterprise IT, not for a firm operating under privilege. A new managing partner had asked for a written defense of the current configuration ahead of a client conflicts question, and the firm could not produce one. The IT lead could explain what was configured; nobody could explain why. Three specific gaps were visible without an assessment: ethical walls were enforced by convention rather than the system, retention defaults had been set to a uniform seven years across all matter types, and audit-trail access was unrestricted across the firm's matter-management seats.

02 — Scope
  1. 01Document-architecture review against an ethical-wall threat model written for the firm — not against a generic compliance template
  2. 02Retention default review against the actual state-bar obligations and client-contracted retention windows for the firm's practice areas
  3. 03Audit-trail design — who can read it, who can export it, what is retained, and how long
  4. 04Conflict-checking workflow audit, including a sample of historical matters to find where the system was relied on versus worked around
  5. 05Written remediation roadmap with a sequence the firm's existing IT lead can run in-house
03 — Work

Weeks 1–2 were the threat-model interviews: the managing partner, two practice-group leaders, the firm's general counsel, and the IT lead. Weeks 3–6 were the assessment proper — a sample of forty-eight matters reviewed for ethical-wall configuration, retention defaults audited against state-bar obligations, and audit-log access traced against the firm's actual seat list. Week 7 was a working session with the partners to agree priorities and the firm's appetite for in-house remediation. Week 8 delivered a forty-two-page bound document the managing partner can put in front of a client.

04 — Outcome

The firm's ethical walls are now enforced at the DMS level rather than by convention, with two specific matters that had been incorrectly accessible to the wrong attorney remediated within the engagement. Retention defaults have been split by practice area against the actual obligations — corporate matters at three years, litigation at seven, IP at indefinite. Audit-trail access is now scoped to four named seats, with monthly review by the IT lead. The managing partner has a written document she can hand to a client asking the privilege question.

DMS configuration is a privilege decision before it is a productivity decision. A firm cannot defend a configuration it inherited and never reviewed. The deliverable is the document the partner can hand to the client — everything else is in service of that.

From the deliverable

Short excerpts representative of the actual documents shipped in this engagement. Anonymised to preserve client confidentiality; faithful to the structure and substance of what we delivered.

From the threat model
The adversary in this model is not a sophisticated external attacker. It is an attorney on the wrong matter with legitimate DMS credentials, opening a folder she should not be able to see — and the resulting privilege-waiver argument from opposing counsel six months later. The DMS configuration must make that opening either impossible or auditable, not both optional.
From the report — Finding 07
Retention defaults are set to seven years uniformly across all matter types. This exceeds the firm's actual obligations in two practice areas (corporate transactional, employment) by four years, increasing the firm's discovery exposure with no compensating benefit. In IP, seven years is insufficient; the firm's standing engagement letters obligate it to retain prosecution files for the life of the patent plus six years.
From the remediation roadmap
Phase 1 (in-house, two weeks): ethical-wall enforcement migrated from convention to system-enforced. Two named partners executing. Phase 2 (in-house, four weeks): retention defaults split by practice area, with sign-off from the relevant practice group leader. Phase 3 (Karakor, scoped separately if commissioned): audit-trail access redesign and monthly review cadence.
Engage

We respond within two business days. Scoping calls are obligation-free and run thirty minutes.