IT Security Isn't Just a Tech Issue, It's a Governance Issue
Terry Coan & James Britt
No matter the line of practice or industry focus, all law firms are entrusted with highly sensitive client information. When it comes to protecting this extremely confidential data, many firms rely on technical solutions such as firewalls, antivirus software, perimeter defenses and multifactor authentication.
However, in an increasingly complex cloud-based and mobile world, the protection of valuable enterprise and client data can no longer be looked at as purely an IT security challenge, but instead should be approached as a broader information governance strategy. In other words, the fact that extremely valuable data now often resides outside of firm firewalls means firms should be evolving not only their supporting technology, but also their internal information governance policies and procedures.
Today, forward-thinking law firms are taking steps to advance their data security tactics into comprehensive information governance programs: initiatives that outline not only supporting tools, but also processes and policies for ensuring the security, integrity, discoverability and proper disposal of their client data.
The promise, and paradox, of information governance
A sound information governance strategy extends well beyond basic records management. In this digital-first era, it encompasses physical files in addition to electronic materials and must be comprehensive to cover data privacy, storage, eDiscovery and metadata management.
Formalizing an information governance policy serves to guide firms through the intricate process of determining what data to retain, what to destroy and how to destroy it. As more firms maintain digital records on massive networks – often with no clearly defined approved repository, naming conventions or protocols to organize and access files – the need for straightforward, concise data retention standards grows exponentially.
Successful law firms know the importance of implementing formal programs to collect, categorize and protect sensitive data. Doing so helps address the potential conflict between knowledge management, document security and information governance initiatives.
From a knowledge management perspective, many firms' inclination is to hold onto data for as long as possible. For example, information from a 15-year-old closed case could be repurposed or referenced for a comparable case down the road. Within the context of document management, however, maintaining records (electronic or manual) is a burdensome operating expense. Costs aside, maintaining outdated, superfluous data makes it more difficult for staff to find what they need when they need it – an inefficiency that undermines due diligence, research and discovery efforts. It's also a security issue. The more client data a firm keeps on hand, the more data is at risk should the firm experience a data breach.
For law firms, overcoming this internal friction continues to be the biggest hurdle to developing and enforcing information governance programs.
Several factors are encouraging law firms to implement robust information governance programs:
- Growing client demand: More than ever, clients are requesting – if not outright demanding – enhanced security before turning over sensitive information to their law firm partners. From corporations as large and high profile as JPMorgan Chase to mid-sized regional businesses, clients are increasingly cautious about what data their law firms retain, who can access it, and whether or not it can be shared. Especially when a merger or acquisition is involved, clients will impose strict, intricate Outside Counsel Guidelines detailing how firms may handle data conflicts, matter mobility, records retention and disposition.
- Confidentiality risks: The volume of information that law firms have to keep confidential – be it for contractual, ethical or business reasons – is immense. Defending sensitive records from disclosure or compromise is a core tenet of law firms' client relationships, trust and ethical obligations. As massive consumer data breaches at Target, Home Depot and U.S. government agencies have shown, all organizations are susceptible to data attacks – underscoring the need for governance even more. Additionally, new regulations (such as the HIPAA Omnibus Rule) subject law firms to more rigorous personal information security standards.
- Upholding the ethical wall: Along with confidentiality, law firms must have controls in place that prevent internal conflicts of interest. More tangibly, firms must limit the sharing and portability of information between certain attorneys or legal teams, creating a metaphorical "wall" between employees working on cases that may be fundamentally opposed. Especially as law firms experience an uptick in M&A activity, maintaining this divide is critical to protecting staff and clients.
How to develop a successful information governance program
As long as a law firm stores and manages information on behalf of its clients, it needs a robust governance initiative in place. Consider these recommendations for establishing comprehensive, scalable governance policies that serve to demonstrate how firms are adding value for corporate clients:
- Create a central governance advisory board: Successful governance programs start with cross-firm collaboration and buy-in from senior management. From the get-go, law firms should appoint advisory boards to create, communicate and ultimately enforce governance policies across the organization, and to make tough decisions when necessary. These boards should include key stakeholders such as the CIO, security director, administrative leadership and representatives from the firm's key practice areas.
- Extend policies beyond records management: Broad, unstructured information management and governance programs quickly become ineffective and unenforceable. Governance leaders must construct their efforts around a series of thoughtful, specific policies that touch a number of risk and compliance issues, including information security, business continuity, incident response plans, HIPAA compliance and electronic facilities acceptable use.
- Follow industry-wide frameworks: Every law firm's governance needs are different, but that doesn't mean advisory boards need to start with a blank slate when drafting their strategy. Industry groups have developed basic governance frameworks that individual firms can pull from when outlining their own policies. The Law Firm Information Governance Symposium, a think tank formed in 2012, publishes regular reports detailing best practices and emerging trends to note when launching governance initiatives. The group's 2015 reports offer concrete guidance around how to manage information as firms collaborate with clients across regional borders and tackle issues around cloud-based data storage, matter mobility, employee mobile device security and data privacy.
- Make training mandatory: Perhaps the biggest obstacle to law firm governance is education. All employees must understand the policies in place, and be equipped with the knowledge and resources to follow them, for governance efforts to work. An organization's advisory board should be responsible for communicating governance protocols (and updates) to staff, and administering regular training sessions to reinforce compliance.
In today's increasingly complex digital world, information governance strategies are no longer a law firm luxury; they are a necessity. Client trust is the foundation of any law firm, and losing client data would mean losing that trust as well as the firm's reputation and brand equity.
Terry Coan is a senior director for HBR Consulting and leads the firm’s Information Governance and Risk Management Practice. In his engagements with over 30 Am Law 200 firms, he has developed information governance programs, conducted assessments of existing programs against professionally accepted practices, and has designed and implemented technologies to improve business process.
Jim is a senior director for HBR Consulting and has over twenty-five years' experience in technology consulting, business development, and law firm management. Prior to joining HBR, he was the Managing Director at eSentio Technologies. Jim has also held senior positions at several major law firms, including Cahill Gordon, Skadden Arps, Mintz Levin, and Choate Hall & Stewart. Jim was co-founder of Discovery Systems Inc. and an early partner in Ibis Consulting, developing software and consulting with clients on complex litigation issues. He also served as CTO for Global Risk Exchange (GRX Technologies). Jim has been a regular speaker at industry events and private venues on a broad range of topics including business continuity, IT infrastructure design and planning, security, risk management, and strategic technology planning. Jim is a graduate of Hamilton College.