2011 ILTA Legal Information Action Plan and Roadmap by Dave Cunningham and Meg Block
BEST PRACTICES
Legal Information Risk — Action Plan and Roadmap
A law firm has only a few principal assets: its reputation, its people, its relationships and the collective information for which it is responsible. Ensuring the quality of this information and protecting it from risk is critical to a firm’s viability. While many share responsibility for the quality of information, the CIO has the central role in handling risks that threaten its existence, accessibility and security. IT’s hardware, software and services, while complex and expensive, are simply the tools that help IT deliver on these responsibilities. We have assembled an action plan covering some of the considerations when addressing nine risks to law firm information, and a roadmap outlining key aspects of the expected future state. While not exhaustive, it is a useful guide for CIOs, COOs and security directors when considering their firm’s priorities and risk tolerance.
Risk: Theft by External Parties
Security firms have conveyed that law firms are easy targets for obtaining information on law firm clients; hackers might not even bring their varsity team to break in. Whether this situation drives law firms to third-party providers of infrastructure and security services or improves internal procedures remains to be seen; in any case, security know-how is an IT responsibility that is growing in importance. Considerations include:
Annual audit by a third-party security specialist, including penetration testing
Expert (third-party or in-house) monitoring of WAN and firewall security incidents
Mature (consistent and fresh) software patch management procedures
Secure client software for iPhone/iPad and other PDAs
Two-factor authentication (something you know, something you have) for network logon
Password policies to ensure appropriate complexity and periodic change
Clear information security design and incident response responsibilities, including appropriate training
Risk: Theft by Internal Parties
For collaboration, law firms trust their own employees and provide wide access once logged onto the IT systems. Headline events of associates selling firm information for profit have not yet driven most firms to change this model (although a small number of firms have done so). Firms can take more prudent steps and better protect sensitive information by moving to a “trust but verify” model. Considerations include:
Consistent, automated ethical walls across major information systems (online accounting, business intelligence reports, time entry, document management, file shares, intranet and search results)
Private folders and need-to-know project code names for sensitive matters not subjected to an ethical wall
Rights management and/or encryption applied to very sensitive client and firm documents
Expiration dates on information, e.g., the information is purged or access is denied after a defined period of time
Automated monitoring for extraordinary events (e.g., mass export or printing)
Secured screen savers and daily log-out policies
Risk: Loss by Firm Vendors
Breaches and losses of information by the firm’s third-party providers are, unfortunately, frequent headline-makers. Considerations include:
Up-to-date inventory of vendors who hold the firm’s information and the information each vendor holds
Ensure that vendor data privacy obligations comply with firm policies and client obligations
Verify actual scope and applicability of vendor security claims, such as ISO 27001 or SAS 70
Risk: Completeness of Record
To provide legal advice competently, lawyers rely on the complete and up-to-date record of the matter; hence the driving need for processes and tools that support access to and life cycle management of information. From the moment a matter is opened:
Repositories must be in place to store, organize and protect materials as they are created or received
Materials must be classified by client-matter number
24/7 access must be available via firm and personal resources
Information-use policies must be in place to prevent the proliferation of unclassified information, ensure the protection of confidential information, and govern the appropriate destruction of obsolete information
Alas, there is no “silver bullet” system for information life cycle management; today it comprises automated new business intake to establish client-matter IDs associated with the electronic repositories; document management, which, when broadly focused, is the repository that houses all matter-related information (including email and attachments and transacted/filed documents); records management, which tracks information retention periods and disposition events; and email archives, which house aged, unclassified email.
Risk: Retention and Disposal
The corollary to the need for a complete record is that the value of information also expires and that overlong retention is costly to store, manage and protect; interferes with efficient access to relevant information; and adds to the risk that it will be subject to legal hold and production. To be defensible, the rules governing the retention and disposition of information must be reasonable and the actions taken must be consistent, done in good faith, and without a duty to preserve at the time of the disposition. Considerations include:
Records policy that establishes the accountabilities for records and information management
Retention schedules based on laws, regulations and bar opinions
Records management system to apply retention periods and disposition triggers consistently
Legal hold system to prevent the disposition of information while there is a duty to preserve
Destruction processes that preserve confidentiality and document the action
Risk: Loss by Firm Employees
Inadvertent data losses by firm employees are believed to be the most common actual breaches of data confidentiality. Considerations include:
Encryption of firm-provided portable PC hard drives and USB thumb drives (and detection of non-standard devices)
Capability to encrypt email from Outlook before sending
Policy prohibiting use of personal email accounts to transmit firm information (and subsequent blocking)
Passwords and remote deletion/wipe capabilities for all PDAs
Risk: Breach of Ethical Obligations
Lawyers have duties of loyalty and confidentiality to their clients. In today’s volatile market, lawyers are moving from firm to firm with increasing rapidity. While the 2009 changes to ABA Model Rule of Professional Conduct 1.10, Imputation of Conflicts of Interest: General Rule, make it easier ethically for lawyers to change firms, they heighten the requirements for conflicts clearance, ethical screens, client notification and explicit client consent. All have implications for IT: ingestion of unauthorized information from laterals, ethical screens over client-matter information and tracking of client instructions. Considerations include:
Lateral transfer processes
Conflicts clearance processes to identify ethical (and business) conflicts and databases to track them
Matter screens (inclusive and exclusive)
Risk: Regulatory Non-Compliance
Law firms are relatively new to regulatory controls, so the roles, education and processes are still developing. Considerations include:
C-level knowledge of the firm’s obligations under HIPAA/HITECH, state privacy laws, EU data protection law and ITAR, as well as regulations affecting the firm’s clients, such as the Gramm-Leach-Bliley Act
Inventory of the firm’s data subject to the above obligations and the data it holds on behalf of clients, as well as an understanding of the flow of this data across geographic boundaries
Designation of a data privacy officer
Registration with non-U.S. data protection authorities
Regular communications to firm lawyers and staff on their obligations and how to react if a risk or breach occurs
Intranet site that serves as a compliance educational source for the firm’s lawyers and staff
Risk: Loss of Access
When lawyers and firm leadership lose access to firm information (i.e., system downtime or disasters), it is among the highest profile incidents for a CIO. Considerations include:
Ability to recover key business systems in less than an hour, even if certain key staff are not available
99.98 percent uptime for core systems (equivalent to less than two hours downtime per year)
No or minimal data loss (e.g., email and document edits) when failures do occur
Recovery exercises at least twice a year (tabletop exercises — verbal rather than actual tests — are practical complements to actual recovery exercises)
While this action plan only focuses on a few key issues in each area, it highlights the multidisciplinary nature of protecting information from risk.
Meg Block has over 25 years of experience consulting to the legal community. A Managing Director, she is a senior leader in Hildebrandt Baker Robbins’ information management service line. Her specialties are business process reviews and the design and implementation of enterprise-wide information programs in the areas of records management, new business intake, conflicts of interest, IP and litigation calendar-docket. She also teams with email and document management experts to develop practical and defensible digital records management strategies. She can be reached at [email protected].
David Cunningham is one of the original consultants of Baker Robbins & Company, helping it grow from 12 to 120 consultants and now part of Hildebrandt Baker Robbins. David leads strategic technology assessments, cost reduction and outsourcing analysis, and risk management assessments. He established the Law Firm Technology Scorecard and co-leads the risk management practice. He can be reached at [email protected].
Roadmap
Attributes that will define the maturity of information risk management in the next few years include:
Governance
CIOs cannot act in isolation when making decisions about or taking action to address information risks. Law firms are best served by creating a risk management team to address information risks in the broader context of the firm’s legal and operational risks. This team should include the roles responsible for information risk and for data breaches (not likely to be the same person). Such a team provides a check and balance by making information risk decisions separately from the IT personnel tasked with implementing them. Despite good intentions, a busy and cost-conscious IT department often compromises good risk management protocol; a risk management team provides a forum for determining the firm’s tolerance for risk in the context of its business priorities.
Risk Management Through Contract
The maturity of IT vendors and the proliferation of “as-a-service” options will drive the evolution of risk management skill sets from technical to legal competencies. COOs and lawyers, who are often uncomfortable navigating technical risks, are already warming to managing risks through contract negotiations, agreed formal procedures and incident responsibilities. IT will be best positioned when it can address both the technical and the legal aspects of information risk.
Self-Audit
Many regulated companies already employ monitoring tools, data scanning software and governance, risk and compliance (GRC) dashboards to understand their current state in real time and manage their progress on risk initiatives. Law firms are just beginning to keep basic, manual risk registers (inventories of risk issues and the actions to be taken to address them). Over time, they will be expected to dynamically inventory, monitor, assess and address information risk issues. IT departments need to develop the risk-savvy skill sets to use these tools.
Physical Disaggregation of Information
In opposition to the ongoing trend of consolidating systems into primary datacenters, the physical locations of information will multiply as firms turn to vendors for infrastructure or software as a service. Risk management policies and audit capabilities will need to extend across organizational and geographic boundaries, especially as virtualized systems make data flowing in and out of vendors more straightforward and dynamic.
Risk Standards
Over the past two years, law departments have markedly increased the depth and complexity of their risk-related questions. This trend is expected to continue accelerating, with multiple departments standardizing on similar risk expectations. In response to these expectations, now common in RFP requirements, over a dozen law firms have achieved ISO 27001 information security certification. Accordingly, expect growth in certifications and standardization.
This action plan and roadmap should provide a starting point for ensuring that good risk governance is in place. Without it, IT is inappropriately taking all the risk on its own shoulders.
This article was first published in ILTA’s June 2011 issue of Peer to Peer titled “Law2020TM: One Year In” and is reprinted here with permission. For more information about ILTA, visit their website at www.iltanet.org.