2011 ilta legal information action plan and roadmap by dave cunningham and meg block


Uploaded by davecunningham on 22-Jan-2015



BEST PRACTICES

Legal Information Risk — Action Plan and Roadmap

A law firm has only a few principal assets: its reputation, its people, its relationships and the collective information for which it is responsible. Ensuring the quality of this information and protecting it from risk is critical to a firm’s viability. While many share responsibility for the quality of information, the CIO has the central role in handling risks that threaten its existence, accessibility, and security. IT’s hardware, software and services, while complex and expensive, are simply the tools that help IT deliver on these responsibilities. We have assembled an action plan for some of the considerations when addressing nine risks to law firm information and a roadmap to outline key aspects of the expected future state. While not exhaustive, it is a useful guide for CIOs, COOs and security directors when considering their firm’s priorities and risk tolerance.

action plan

Risk: Theft by External Parties

Security firms have conveyed that law firms are easy targets for obtaining information on law firm clients; hackers might not even bring their varsity team to break in. Whether this situation drives law firms to third-party providers of infrastructure and security services or improves internal procedures is yet to be seen; in any case, security know-how is an IT responsibility that is growing in importance. Considerations include:

Annual audit by third-party security specialist, including penetration testing

Expert (third-party or in-house) monitoring of WAN and firewall security incidents

Mature (consistent and fresh) software patch management procedures

Secure client software for iPhone/iPad and other PDAs

Two-factor authentication (something you know, something you have) for network logon

Password policies to ensure appropriate complexity and occasional change

Clear information security design and incident response responsibilities, including appropriate training

Risk: Theft by Internal Parties

For collaboration, law firms trust their own employees and provide wide access once logged onto the IT systems. Headline events of associates selling firm information for profit have not yet driven most firms to change this model (although a small number of firms have done so). Firms can take more prudent steps and better protect sensitive information by moving to a “trust but verify” model. Considerations include:

Consistent, automated ethical walls across major information systems (online accounting, business intelligence reports, time entry, document management, file shares, intranet and search results)

Private folders and need-to-know project code names for sensitive matters not subjected to an ethical wall

Rights management and/or encryption applied to very sensitive client and firm documents

Expiration dates on information, e.g., the information is purged or access is denied after a defined period of time

Automated monitoring for extraordinary events (e.g., mass export or printing)

Secured screen savers and daily log-out policies
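The "automated monitoring for extraordinary events" item above is the one consideration in this list that is pure detection engineering, so here is an added example of what it looks like in practice. This is not code from the article and does not use any real document management product's audit schema: the record layout (timestamp, user, action, matter, document) and every record produced by constructed_sample_log() are constructed for the demonstration. The detector keeps a one-hour sliding window per user over export/print/download actions only and fires on either of two signals: many distinct documents (someone pulling a whole matter file) or bulk actions spread across many matters (someone sweeping the repository a few documents at a time), while ordinary views never count.

```python
"""Flag extraordinary DMS activity (mass export or printing) in an audit log.

Added example; not code from the ILTA article and not any real product's
audit schema.  The record layout (timestamp user action matter document) and
everything constructed_sample_log() produces are constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

Event = Tuple[datetime, str, str, str, str]     # (ts, user, action, matter, doc)
BULK_ACTIONS = {"EXPORT", "PRINT", "DOWNLOAD"}  # views and edits are ordinary work


def parse_log(lines: List[str]) -> List[Event]:
    """Parse whitespace-separated records; blank lines and '#' comments are skipped."""
    events: List[Event] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, matter, doc = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, matter, doc))
    events.sort()   # the sliding window below assumes chronological order
    return events


def find_bulk_activity(events: List[Event], window: timedelta = timedelta(hours=1),
                       max_docs: int = 25, max_matters: int = 5) -> List[dict]:
    """Per-user sliding window over bulk actions only.

    Two signals raise an alert: many distinct documents in the window (someone
    pulling a whole matter file) or bulk actions spread over many matters
    (someone sweeping the repository, even a few documents at a time).
    """
    recent: Dict[str, Deque[Tuple[datetime, str, str]]] = defaultdict(deque)
    alerts: List[dict] = []
    alerted = set()                     # one alert per user per run
    for ts, user, action, matter, doc in events:
        if action not in BULK_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, matter, doc))
        while ts - q[0][0] > window:    # drop entries older than the window
            q.popleft()
        docs = {d for _, _, d in q}
        matters = {m for _, m, _ in q}
        reason = None
        if len(docs) >= max_docs:
            reason = f"{len(docs)} documents exported/printed within {window}"
        elif len(matters) >= max_matters:
            reason = f"bulk actions across {len(matters)} matters within {window}"
        if reason and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "at": ts, "docs": len(docs),
                           "matters": len(matters), "reason": reason})
    return alerts


def constructed_sample_log() -> List[str]:
    """Constructed audit records (not real data) covering one working day."""
    base = datetime(2011, 3, 14, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = ["# ts user action matter doc"]
    # bjones: a normal day, four exports hours apart on one matter -> no alert
    for i in range(4):
        lines.append(f"{(base + timedelta(hours=2 * i)).strftime(fmt)} bjones EXPORT 10555-0003 DOC-{100 + i}")
    # asmith: 30 documents from one matter in 20 minutes -> mass export
    for i in range(30):
        lines.append(f"{(base + timedelta(hours=9, seconds=40 * i)).strftime(fmt)} asmith EXPORT 10234-0001 DOC-{4400 + i}")
    # clee: only six prints, but from six different matters in six minutes -> sweep
    for i in range(6):
        lines.append(f"{(base + timedelta(hours=3, minutes=i)).strftime(fmt)} clee PRINT 1{i:04d}-0001 DOC-{700 + i}")
    # noise: fifty ordinary VIEWs that must not count toward either signal
    for i in range(50):
        lines.append(f"{(base + timedelta(minutes=5 * i)).strftime(fmt)} asmith VIEW 10234-0001 DOC-{9000 + i}")
    return lines


def demo() -> List[dict]:
    """Run the detector over the constructed log; returns the alert list."""
    return find_bulk_activity(parse_log(constructed_sample_log()))


if __name__ == "__main__":
    for a in demo():
        print(f"{a['at']:%H:%M} {a['user']}: {a['reason']}")
```

The thresholds (25 documents or 5 matters per hour) are placeholders; in a real deployment they should come from each user's or role's own baseline, and the alert should be routed to the information risk owner rather than only to the IT team that administers the system.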


Risk: Loss by Firm Vendors

Breaches and losses of information by the firm’s third-party providers are, unfortunately, frequent headline-makers. Considerations include:

Up-to-date inventory of vendors who hold the firm’s information and the information each vendor holds

Ensure that vendors’ data privacy obligations comply with firm policies and client obligations

Verify the actual scope and applicability of vendor security claims, such as ISO 27001 or SAS 70: an ISO 27001 certificate covers only the scope stated on the certificate, and a SAS 70 report covers only the controls, systems and period the auditor examined, which may not include the service the firm actually buys

Risk: Completeness of Record

To provide legal advice competently, lawyers rely on the complete and up-to-date record of the matter; hence the driving need for processes and tools that support access to and life cycle management of information. From the moment a matter is opened:

Repositories must be in place to store, organize and protect materials as created or received

Materials must be classified by client-matter number

24/7 access must be available via firm and personal resources

Information-use policies must be in place to prevent the proliferation of unclassified information, ensure the protection of confidential information, and govern the appropriate destruction of obsolete information

Alas, there is no “silver bullet” system for information life cycle management; today it comprises automated new business intake to establish client-matter IDs associated with the electronic repositories; document management, which, when broadly focused, is the repository that houses all matter-related information (including email and attachments and transacted/filed documents); records management, which tracks information retention periods and disposition events; and email archives, which house aged, unclassified email.

Risk: Retention and Disposal

The corollary to the need for a complete record is that the value of information also expires and that overlong retention is costly to store, manage, and protect; interferes with efficient access to relevant information; and adds to the risk that it will be subject to legal hold and production. To be defensible, the rules governing the retention and disposition of information must be reasonable and the actions taken must be consistent, done in good faith, and without a duty to preserve at the time of the disposition. Considerations include:

Records policy that establishes the accountabilities for records and information management

Retention schedules based on laws, regulations and bar opinions

Records management system to apply retention periods and disposition triggers consistently

Legal hold system to prevent the disposition of information while there is a duty to preserve

Destruction processes that preserve confidentiality and document the action
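The last three considerations are steps of one procedure: apply the retention period from its trigger, refuse to dispose of anything under a duty to preserve, and document every destruction. The following is an added example of that procedure, not code from the article or from any records management product; the retention rules, matters, holds and dates are constructed, and a real schedule would derive from the firm's records policy, the applicable statutes and bar opinions. The point it makes that the prose does not is the ordering: the hold check sits after the retention check, so a record is never destroyed while a hold is in force, and a released hold stops blocking disposition only once its release date has passed.

```python
"""Defensible disposition: retention schedule, legal-hold gate, destruction record.

Added example; not the ILTA article's code nor any records system's.  The
retention periods, matters, holds and dates are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    record_class: str
    years: int
    trigger: str            # "matter_closed" or "created": the event that starts the clock


@dataclass(frozen=True)
class Record:
    record_id: str
    matter: str
    record_class: str
    created: date
    matter_closed: Optional[date] = None   # None while the matter is still open


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    matters: frozenset                 # matters under a duty to preserve
    released: Optional[date] = None    # None = still in force


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition_date(rec: Record, rule: RetentionRule) -> Optional[date]:
    """End of the retention period, or None if the trigger event has not occurred."""
    start = rec.matter_closed if rule.trigger == "matter_closed" else rec.created
    return None if start is None else add_years(start, rule.years)


def active_holds(rec: Record, holds: List[LegalHold], today: date) -> List[str]:
    """Holds that still bind this record's matter on the given day."""
    return [h.hold_id for h in holds
            if rec.matter in h.matters and (h.released is None or h.released > today)]


def evaluate(rec: Record, rules: Dict[str, RetentionRule],
             holds: List[LegalHold], today: date) -> Tuple[str, str]:
    """Returns (decision, reason) with decision in {'destroy', 'retain', 'hold'}."""
    rule = rules.get(rec.record_class)
    if rule is None:
        return "retain", "no retention rule for this class; escalate to records manager"
    due = disposition_date(rec, rule)
    if due is None:
        return "retain", f"trigger '{rule.trigger}' has not occurred"
    if due > today:
        return "retain", f"retention runs until {due.isoformat()}"
    binding = active_holds(rec, holds, today)
    if binding:                        # the hold gate comes after the schedule, never before
        return "hold", "duty to preserve: " + ", ".join(binding)
    return "destroy", f"{rule.record_class}: {rule.years}y after {rule.trigger}, due {due.isoformat()}"


def run_disposition(records: List[Record], rules: Dict[str, RetentionRule],
                    holds: List[LegalHold], today: date):
    """One consistent pass: every destruction is recorded with its authority,
    every deferral carries its reason, so the action can be defended later."""
    destruction_log, deferred = [], []
    for rec in records:
        decision, reason = evaluate(rec, rules, holds, today)
        if decision == "destroy":
            destruction_log.append({"record_id": rec.record_id, "matter": rec.matter,
                                    "destroyed_on": today.isoformat(), "authority": reason})
        else:
            deferred.append((rec.record_id, decision, reason))
    return destruction_log, deferred


# Constructed schedule, records and holds (illustration only)
RULES = {
    "matter_file": RetentionRule("matter_file", 7, "matter_closed"),
    "intake_form": RetentionRule("intake_form", 10, "created"),
}
RECORDS = [
    Record("R-1", "10111-0001", "matter_file", date(2002, 1, 15), matter_closed=date(2003, 6, 30)),
    Record("R-2", "10222-0002", "matter_file", date(2002, 3, 1), matter_closed=date(2003, 6, 30)),
    Record("R-3", "10333-0003", "matter_file", date(2005, 9, 9), matter_closed=date(2006, 2, 1)),
    Record("R-4", "10444-0004", "matter_file", date(2004, 4, 4)),           # matter still open
    Record("R-5", "10555-0005", "memo", date(1999, 1, 1), matter_closed=date(2000, 1, 1)),
]
HOLDS = [
    LegalHold("LH-2011-03", frozenset({"10222-0002"})),                        # in force
    LegalHold("LH-2009-07", frozenset({"10111-0001"}), released=date(2010, 12, 31)),
]
TODAY = date(2011, 6, 1)


def demo():
    """Disposition run on the constructed data: (destruction_log, deferred)."""
    return run_disposition(RECORDS, RULES, HOLDS, TODAY)


if __name__ == "__main__":
    log, deferred = demo()
    for entry in log:
        print("DESTROYED", entry)
    for rid, decision, reason in deferred:
        print(decision.upper(), rid, reason)
```

On the constructed data only R-1 is destroyed: its seven years ran out in 2010 and the hold on its matter was released before the run. R-2 is identical except that its hold is still in force, so it is deferred; R-3 has time left; R-4's clock has not started because the matter is open; R-5 has no rule and is escalated rather than silently destroyed.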

Risk: Loss by Firm Employees

Inadvertent data losses by firm employees are believed to be the most common actual breaches of data confidentiality. Considerations include:

Encryption of firm-provided portable PC hard drives and USB thumb drives (and detection of non-standard devices)

Capability to encrypt email from Outlook before sending

Policy prohibiting use of personal email accounts to transmit firm information (and subsequent blocking)

Passwords and remote deletion/wipe capabilities for all PDAs


Risk: Breach of Ethical Obligations

Lawyers have duties of loyalty and confidentiality to their clients. In today’s volatile market, lawyers are moving from firm to firm with increasing rapidity. While the 2009 changes to ABA Model Rule of Professional Conduct 1.10, Imputation of Conflicts of Interest: General Rule, make it easier ethically for lawyers to change firms, they heighten the requirements for conflicts clearance, ethical screens, client notification and explicit client consent. All have implications for IT: ingestion of unauthorized information from laterals, ethical screens over client-matter information and tracking of client instructions. Considerations include:

Lateral transfer processes

Conflicts clearance processes to identify ethical (and business) conflicts and databases to track them

Matter screens (inclusive and exclusive)
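The inclusive and exclusive matter screens listed above, and the consistent, automated ethical walls across document management, file shares, time entry and search results called for under Theft by Internal Parties, come down to one access decision that every system must make the same way. The following is an added example of that decision (not code from the article or from any document management product); the user names, matter numbers, code name and screens are constructed. It shows the difference that matters in practice: an inclusive screen turns a matter into need-to-know (default deny), an exclusive screen only walls off the named people (default permit), both can apply to the same matter with deny winning, and the identical rule must filter search hits and substitute the project code name, or the wall leaks through the one system that forgot to ask.

```python
"""Matter screen (ethical wall) evaluation shared by every system.

Added example; not code from the ILTA article or from any DMS product.
User names, matter numbers, the code name and the screens are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Screen:
    matter: str
    kind: str               # "inclusive": only listed users may access the matter
                            # "exclusive": listed users are walled off from it
    users: FrozenSet[str]
    reason: str = ""


class EthicalWalls:
    """One rule set, consulted by DMS, file shares, time entry and search alike."""

    def __init__(self, screens: Iterable[Screen]) -> None:
        self._by_matter: Dict[str, List[Screen]] = {}
        for s in screens:
            if s.kind not in ("inclusive", "exclusive"):
                raise ValueError(f"unknown screen kind {s.kind!r} on matter {s.matter}")
            self._by_matter.setdefault(s.matter, []).append(s)

    def may_access(self, user: str, matter: str) -> bool:
        """Deny wins: every screen on the matter must permit the user.

        An inclusive screen makes the matter need-to-know (default deny); an
        exclusive screen only removes the named people (default permit).  A
        matter with no screen keeps the firm's usual open-access model.
        """
        for s in self._by_matter.get(matter, []):
            if s.kind == "inclusive" and user not in s.users:
                return False
            if s.kind == "exclusive" and user in s.users:
                return False
        return True

    def filter_hits(self, user: str, hits: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
        """Apply the same decision to search results, so titles and snippets
        from walled-off matters never reach the result page."""
        return [(m, title) for m, title in hits if self.may_access(user, m)]

    def display_name(self, user: str, matter: str, real_name: str, code_name: str) -> str:
        """Need-to-know code names: anyone outside the wall sees only the code name."""
        return real_name if self.may_access(user, matter) else code_name


# Constructed screens (illustration only)
WALLS = EthicalWalls([
    # Sensitive deal: only the deal team may see the matter
    Screen("10234-0001", "inclusive", frozenset({"asmith", "bjones"}),
           reason="Project Falcon deal team only"),
    # Lateral hire who previously acted for the other side is walled off
    Screen("10555-0003", "exclusive", frozenset({"clee"}),
           reason="Lateral conflict: prior representation of adverse party"),
    # The same matter can carry both kinds: deal team only, minus one conflicted member
    Screen("10234-0001", "exclusive", frozenset({"bjones"}),
           reason="Personal conflict disclosed 2011-05"),
])

CONSTRUCTED_HITS = [
    ("10234-0001", "Falcon - draft merger agreement v7"),
    ("10555-0003", "Discovery plan"),
    ("10777-0010", "Lease renewal - landlord comments"),
]


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Search results each constructed user would be shown."""
    return {u: WALLS.filter_hits(u, CONSTRUCTED_HITS)
            for u in ("asmith", "bjones", "clee", "dkim")}


if __name__ == "__main__":
    for user, hits in demo().items():
        print(user, [title for _, title in hits])
```

The rule engine is deliberately tiny; the engineering work is in making every repository, report and search index call it, and in feeding it from the conflicts database so that a screen created for a lateral hire takes effect everywhere at once rather than system by system.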

Risk: Regulatory Non-Compliance

Law firms are relatively new to regulatory controls, so the roles, education and processes are still developing. Considerations include:

C-level knowledge of the firm’s obligations under HIPAA/HITECH, state privacy laws, the EU Data Protection Directive and ITAR, as well as regulations affecting the firm’s clients, such as the Gramm-Leach-Bliley Act

Inventory of the firm’s data subject to the above obligations and the data it holds on behalf of clients, as well as an understanding of the flow of this data across geographic boundaries

Designation of a data privacy officer

Registration with non-U.S. data protection authorities

Regular communications to firm lawyers and staff on their obligations and how to react if a risk or breach occurs

Intranet site that serves as a compliance educational source for the firm’s lawyers and staff

Risk: Loss of Access

When lawyers and firm leadership lose access to firm information (i.e., system downtime or disasters), it is among the highest profile incidents for a CIO. Considerations include:

Ability to recover key business systems in less than an hour, even if certain key staff are not available

99.98 percent uptime for core systems (equivalent to less than two hours downtime per year)

No or minimal data loss (e.g., email and document edits) when failures do occur

Recovery exercises at least twice a year (tabletop exercises — verbal rather than actual tests — are practical complements to actual recovery exercises)

While this action plan only focuses on a few key issues in each area, it highlights the multidisciplinary nature of protecting information from risk.


roadmap

Attributes that will define the maturity of information risk management in the next few years include:

Governance

CIOs cannot act in isolation when making decisions about or taking action to address information risks. Law firms are best served by creating a risk management team to address information risks in the broader context of the legal and operational risks. This team should include roles responsible for information risk and data breaches (not likely to be the same person). Such a team provides a check-and-balance by making information risk decisions separate from the IT personnel tasked with implementing them. Despite good intentions, a busy and cost-conscious IT department often compromises good risk management protocol; a risk management team provides a forum for determining the firm’s tolerance for risk in the context of its business priorities.

Risk Management Through Contract

The maturity of IT vendors and the proliferation of “as-a-service” options will drive the evolution of risk management skill sets from technical to legal competencies. COOs and lawyers, who are often uncomfortable navigating technical risks, are already warming to managing risks through contract negotiations, agreed formal procedures and incident responsibilities. IT will be best positioned when it can address both technical and legal aspects of information risk.

Self-Audit

Many regulated companies already employ monitoring tools, data scanning software and governance, risk and compliance (GRC) dashboards to understand their current state in real time and manage their progress in relation to risk initiatives. Law firms are just beginning to keep basic, manual risk registers (inventories of risk issues and actions to be taken to address them). Over time, they will be expected to dynamically inventory, monitor, assess and address information risk issues. IT departments need to develop the risk-savvy skill sets to use these tools.

Physical Disaggregation of Information

In opposition to the ongoing trend to consolidate systems into primary datacenters, the physical locations of information will grow as firms turn to vendors for infrastructure or software as a service. Risk management policies and audit capabilities will need to extend across organizational and geographic boundaries, especially as virtualized systems make data flowing in and out of vendors more straightforward and dynamic.

Risk Standards

Over the past two years, law departments have increased the depth and complexity of their risk-related questions markedly. This trend is expected to continue accelerating, with multiple departments standardizing on similar risk expectations. In response to these expectations, over a dozen law firms have achieved ISO 27001 information security certification, now a common RFP requirement. Accordingly, expect growth in certifications and standardization.

This action plan and roadmap should provide a starting point to ensure good risk governance is in place. Without it, IT is inappropriately taking all the risk on its own shoulders.

Meg Block has over 25 years of experience consulting to the legal community. A Managing Director, she is a senior leader in Hildebrandt Baker Robbins’ information management service line. Her specialties are business process reviews and the design and implementation of enterprise-wide information programs in the areas of records management, new business intake, conflicts of interest, IP and litigation calendar-docket. She also teams with email and document management experts to develop practical and defendable digital records management strategies. She can be reached at [email protected].

David Cunningham is one of the original consultants of Baker Robbins & Company, helping it grow from 12 to 120 consultants and now part of Hildebrandt Baker Robbins. David leads strategic technology assessments, cost reduction and outsourcing analysis, and risk management assessments. He established the Law Firm Technology Scorecard and co-leads the risk management practice. He can be reached at [email protected].

This article was first published in ILTA’s June 2011 issue of Peer to Peer titled “Law2020TM: One Year In” and is reprinted here with permission. For more information about ILTA, visit their website at www.iltanet.org.