Cowen Cafe: The Curse of Shadow IT

On Thursday, September 17, 2020, about 40 corporate, law firm, and provider participants gathered for another Cowen Cafe Zoom meeting, sponsored by Integreon, Lineal Services, Litera, and United Lex. This week’s question was, “What is the most surprising trend you are seeing?” The response, dominating this week’s discussion, was Shadow IT.

While participants mentioned several trends, the one that captured the group’s attention was shadow IT.

According to TechTarget, “Shadow IT is hardware or software within an enterprise that is not supported by the organization’s central IT department. Although the label itself is neutral, the term often carries a negative connotation because it implies that the IT department has not approved the technology or doesn’t even know that employees are using it.”

The problem

The shadow IT discussion was kicked off by A… (corporate), who remarked he recently got a shadow list of collaboration tools people in his organization were connecting to. He was surprised at the sheer number of platforms.

B… (corporate) responded that the shadow list thing is a little overwhelming. In response to the pandemic, her company went to an always-on VPN, which means that as an employee no matter what device you use and where you use it from, you automatically are connecting via VPN. Employees have responded by conducting company business on their personal computers so they can use personal email accounts and other personal tools. That means the company now has a sea of corporate data swimming through the ether.

Others chimed in:

“Shadow IT was a problem before, and I agree it has gotten worse. Sometimes senior execs are the problem!” — C… (law firm)

“This issue of shadow IT is becoming more and more severe as time goes on! The ‘period of forgiveness’ is over.” — D… (association)

“It’s amazing!!! How much shadow play goes on. I am daily checking this with information security as well as corporate communications. It’s a nightmare – also had to put a stop to at-home use of voice-activated devices.” — E… (corporate)

“I have found that some organizations don’t know the extent of their shadow IT until a data breach occurs. Not the best time to first learn of that.” — C…

“I’m not even technically in our IT group but it still impacts me on the lit support side.” — F… (law firm)

“When the security/convenience equation is too inconvenient, the outcome is shadow IT.” — D…

“Odd how the more senior they are, the more above the (IT) law they think they are . . .. ;-)” — C…

“Ethics is going to be another topic of integrity management – as a serial litigant I am finding in my interactions I have more work ensuring plaintiffs’ counsel adhere to evidence management and security of information.” — E…

Specific areas of concern mentioned by participants included:

  • Personal email accounts: “People emailing documents to personal accounts is the bane of my existence right now.” — F…
  • Home voice-activated devices: I just dealt with the at-home voice active devices such as Alexa. — E…
  • Shared files: “Law firms and corps need to be aware of the owner of a file shared between firm & clients in Teams for example. If there are three parties sharing a file in Teams on a call, the owner/keeper will be the company hosting the meeting. HHJJ.” — G… (corporate)
  • Law firms: Now I need to find out what law firms are doing, such as whether their routers are secure. — E…


Participants discussed not just the problem posed by shadow IT but also what they are trying to do about it. The solutions discussed focused on forms of risk management.

As C… remarked, I like the chat discussion about risk management. Everyone needs to deal with that. If we are going to be in this for the next 6, 9, 12 months, well, lawyers have obligations and have to deal with them.


In response and with support from senior management, A… is in the process of drafting a global communication whose message is, “Here are all these nice tools we have, please use them and not the unauthorized tools you have been turning to.”

At B…’s company, their next step is to create a corporate video addressing the problem.

Risk assessments

G… asked, “Do you send risk assessments to all your outside counsel?” He continued, For the last couple of years we have been sending out information security to outside counsel and inquired, Is that a common practice or do the law firms hide from the corporate security folks?

“Does the risk assessment for outside counsel include their vendors as well? (thinking hosting vendors, etc.),” asked H… (corporate). “It all depends on who has the master services agreement. If the law firm contracts with vendor, law firm still needs to comport with our agreement/rules.”

Risk aversion

It’s “all about risk aversion,” noted H…, how much you want to chew on versus how much you want to trust.

I… (provider) asked, “Does the risk assessment for outside counsel include their vendors as well? (thinking hosting vendors, etc.)”

B… replied, “We do the vendors separately.”

“We are healthcare,” said G…, “so they have to sign a business associate agreement (BAA) which gives them responsibility for some of the risk.”

“Oddly enough,” came back E…, “the vendors were much easier as I think they prepared better (or at least mine did).”


“Personally scaring people is the only way I have found success/people listening when it comes to risk,” commented F… Some of the biggest offenders, I went to them and said, how would you like to see that in the news? Those people stopped doing that. Big win.

“I always go back to the early days of email: don’t send anything you wouldn’t say on a postcard…” wrote J… (law firm).

F… agreed: “First day at my job out of college, I was told ‘don’t put in writing anything you wouldn’t want to see as an exhibit in court or a deposition’. Great advice!”

An ethical duty

C… pointed out that the lawyers among us have an ethical duty of technical competence.

In reply, D… quipped, “I like ‘the technical duty of ethical competence!’”
