The Essentials of Information Governance for Law Firms - Part 1

20
Jul
2023

Chris Giles & Chris Hockey

Why do law firms need information governance (IG) more than ever, and how should they implement it? Over two articles, Chris Giles offers a sector-wide perspective and Chris Hockey draws on his experience of implementing IG at a mid-sized US firm. In Part 1 we discuss why IG matters, where it should sit, and policy creation. 

Information has always been the lifeblood of law firms, but now its stewardship has become a critical discipline for firms to master. This is partly because the volume of data is growing quickly. To provide a quality service to clients, lawyers, including those who work remotely, must be able to retrieve the right information easily and securely without wasting any time. Firms also need oversight to identify gaps in information systems or procedures that when filled will make information flow more efficiently. 

Firms need to proactively manage increasing hosting costs associated with cloud-based document management systems, MS Office 365 and other content repositories to minimise storage costs through data retention and disposition.  They should also organise information to help with things like seamless collaboration, improved evidence-based decision-making, and knowledge management that leverages the value in institutional memory. 

We also know that the risk of cybercrime is higher than ever. Law firms are a prime target so need robust information security, but also mechanisms that supply an early alert if an attack is underway. Relatedly, firms need to store, secure and handle information in ways that contribute to overall resilience as part of business continuity. This includes backups and rehearsed disaster recovery procedures that will speed up the firm’s recovery should the worst happen.

Compliance matters

Meanwhile the regulatory environment is getting more prescriptive about data privacy and protection. On the heels of GDPR, there’s a growing number of US state privacy laws, while the Canadian national data privacy regulation, Bill C-27, came into force in 2022. They all deal with how you’re collecting, using, protecting and disposing of personal data. They add to your existing professional and ethical obligations around client confidentiality, so firms need proper information controls. Otherwise, you risk the exposure of a publicised regulatory breach that can incur lasting reputational damage, and potentially very costly fines.   

In tandem, clients are more demanding than ever. They’re looking for cast-iron assurances of data security when selecting firms to work with. They’re quite likely to introduce Outside Counsel Guidelines that stipulate how they want their information to be held, accessed and disposed of. It’s wise to have robust provisions in place to ensure these requirements are unfailingly met. Otherwise, you might lose valuable and likely hard-won clients. There’s also potential here for the firm to face malpractice suits. 

Information governance 

All these information-related concerns come under the umbrella of information governance (IG), which is simply how firms manage their information assets across the entire organisation to meet their information-related operational, regulatory, legal and risk requirements. Effective IG has now become a cornerstone of client trust and competitive advantage. But that doesn’t make IG implementations straightforward. 

We see how law firms vary widely in structure, capacity and approaches to information. Consequently, for many firms IG can be a slippery concept, one they can’t quite get hold of it. A key issue is who, between IT, records management, risk, and compliance, should own IG? Should it be the General Counsel, the CIO, the CISO or someone else? The reality is that IG should be the responsibility of everyone. Effective IG comes from embedding a cross-disciplinary approach to information sharing and ownership and nurturing a climate where everyone in the firm, from top to bottom, takes responsibility. 

To get it done in practice, an increasing number of firms are choosing to create dedicated IG roles, such as Information Governance Directors. When the New York State-based firm of Bond, Schoeneck & King (BSK) identified the need for greater information governance control, it appointed Chris Hockey as Director of Information Governance and Management. He reports to the CIO but says that IG roles can equally report into General Counsel or Risk and Compliance. 

Whichever route you take, senior management needs to be committed to the concept and ideally a member of the senior management team should take ownership of driving IG through the firm. This will include providing direction, helping overcome obstacles and – critically – ensuring adequate resources are allocated to support IG so it takes root and thrives.

Policy, processes, procedures, roles

Thereafter, IG is a matter of developing an overarching policy, supported by processes, procedures and controls that the firm implements to help it meet all its information related requirements in relation to operations, compliance and risk management. Step one is the creation of an information governance policy. 

When Chris Hockey created an IG policy for BSK, it established the fundamental high-level principles of IG at the firm, set responsibilities and reporting guidelines for designated personnel, and provided a framework for IG across the firm. It also covered the information issues that matter to the firm, including matter lifecycle management; information security and incident management; IG awareness and education; IG technology and data governance; and privacy and regulatory compliance. Each of these in turn may well merit its own policy. With these frameworks in place, it’s time to embed IG across the firm, which we’ll cover in part 2. 

To find out more watch our ILTA Masterclass where Chris Hockey, Director of Information Governance and Management at Bond, Schoeneck & King, will outline the approach he’s taken at his firm, while Chris Giles of Legal RM will supply a sector-wide perspective. Click here to register.