2011 ILTA Legal Information Action Plan and Roadmap, by Dave Cunningham and Meg Block
BEST PRACTICES

Legal Information Risk: Action Plan and Roadmap

A law firm has only a few principal assets: its reputation, its people, its relationships and the collective information for which it is responsible. Ensuring the quality of this information and protecting it from risk is critical to a firm's viability. While many share responsibility for the quality of information, the CIO has the central role in handling risks that threaten its existence, accessibility and security. IT's hardware, software and services, while complex and expensive, are simply the tools that help IT deliver on these responsibilities.

We have assembled an action plan covering some of the considerations when addressing nine risks to law firm information, and a roadmap that outlines key aspects of the expected future state. While not exhaustive, it is a useful guide for CIOs, COOs and security directors when weighing their firm's priorities and risk tolerance.

Action Plan

Risk: Theft by External Parties

Security firms have conveyed that law firms are easy targets for obtaining information on law firm clients; hackers might not even bring their varsity team to break in. Whether this situation drives law firms to third-party providers of infrastructure and security services or improves internal procedures is yet to be seen; in any case, security know-how is an IT responsibility that is growing in importance. Considerations include:

- Annual audit by a third-party security specialist, including penetration testing
- Expert (third-party or in-house) monitoring of WAN and firewall security incidents
- Mature (consistent and fresh) software patch management procedures
- Secure client software for iPhone/iPad and other PDAs
- Two-factor authentication (something you know, something you have) for network logon
- Password policies to ensure appropriate complexity and occasional change
- Clear information security design and incident response responsibilities, including appropriate training

Risk: Theft by Internal Parties

For collaboration, law firms trust their own employees and provide wide access once logged onto the IT systems. Headline events of associates selling firm information for profit have not yet driven most firms to change this model (although a small number of firms have done so). Firms can take more prudent steps and better protect sensitive information by moving to a “trust but verify” model. Considerations include:

- Consistent, automated ethical walls across major information systems (online accounting, business intelligence reports, time entry, document management, file shares, intranet and search results)
- Private folders and need-to-know project code names for sensitive matters not subjected to an ethical wall
- Rights management and/or encryption applied to very sensitive client and firm documents
- Expiration dates on information, e.g., the information is purged or access is denied after a defined period of time
- Automated monitoring for extraordinary events (e.g., mass export or printing)
- Secured screen savers and daily log-out policies
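The "automated monitoring for extraordinary events" item above is the one control in this list that reduces to detection logic, so here is an added example of it; this is not code from the article or from any product it mentions. It builds a constructed document-management audit log (the line format, user names, client-matter numbers and thresholds are all assumptions), then flags any user whose busiest one-hour window of exports or prints exceeds both an absolute floor and a multiple of that user's own median daily volume. The second condition is what keeps a habitually heavy printer from producing a false positive, while a user who suddenly exports a dozen documents across several matters after hours is still caught.

```python
"""Flag mass-export or mass-print bursts in document-management audit logs.

Added example (not from the article). The log line format, the thresholds and
the user/matter names are assumptions for illustration, not any real DMS product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

WINDOW = timedelta(hours=1)    # burst detection window (assumed)
ABS_MIN = 10                   # never alert on fewer watched events than this in a window (assumed)
BASELINE_MULT = 5              # burst must also exceed 5x the user's median daily volume (assumed)
WATCHED = {"EXPORT", "PRINT"}  # the "extraordinary events" named in the article


def _lines(user, action, day, hour, n, step_s, doc0, matters):
    """Build constructed audit lines: '<ISO timestamp> <user> <action> <doc id> <client-matter>'."""
    base = datetime(2011, 5, day, hour, 0, 0)
    return [f"{(base + timedelta(seconds=i * step_s)).isoformat()} {user} {action} "
            f"D{doc0 + i} {matters[i % len(matters)]}" for i in range(n)]


# Constructed sample log: three ordinary days followed by one suspicious evening.
SAMPLE_LOG = "\n".join(
    [line for d in (2, 3, 4) for line in _lines("jsmith", "EXPORT", d, 9, 2, 3600, 1000 + d * 10, ["C100-M1"])]
    + [line for d in (2, 3, 4) for line in _lines("akhan", "EXPORT", d, 10, 1, 0, 2000 + d, ["C200-M3"])]
    + [line for d in (2, 3, 4) for line in _lines("mlee", "PRINT", d, 14, 3, 300, 3000 + d * 10, ["C300-M1"])]
    # jsmith: 12 exports across four matters in under six minutes, after hours
    + _lines("jsmith", "EXPORT", 5, 18, 12, 30, 1100, ["C100-M1", "C100-M2", "C150-M1", "C150-M4"])
    # mlee: a heavy but habitual printer, 11 prints in 50 minutes
    + _lines("mlee", "PRINT", 5, 14, 11, 300, 3100, ["C300-M1"])
)


def parse_log(text):
    """Parse lines into (timestamp, user, action, doc, matter) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, doc, matter = line.split()
        events.append((datetime.fromisoformat(ts), user, action, doc, matter))
    return sorted(events)


def daily_baseline(events, user, before):
    """Median number of watched actions per active day for `user`, using only days before `before`."""
    per_day = defaultdict(int)
    for ts, u, action, _, _ in events:
        if u == user and action in WATCHED and ts < before:
            per_day[ts.date()] += 1
    return median(per_day.values()) if per_day else 0


def detect_bursts(events):
    """Return one alert per user whose busiest WINDOW exceeds both the absolute and the relative threshold."""
    by_user = defaultdict(list)
    for ev in events:
        if ev[2] in WATCHED:
            by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        best, lo = (0, 0, 0), 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > WINDOW:   # slide the window start forward
                lo += 1
            if hi - lo + 1 > best[0]:
                best = (hi - lo + 1, lo, hi)
        count, lo, hi = best
        start = evs[lo][0]
        # Baseline excludes the day of the burst so the burst cannot inflate its own threshold.
        baseline = daily_baseline(events, user, start.replace(hour=0, minute=0, second=0))
        if count >= ABS_MIN and count > BASELINE_MULT * baseline:
            alerts.append({
                "user": user, "count": count, "baseline_per_day": baseline,
                "window": (start, evs[hi][0]),
                "matters": sorted({e[4] for e in evs[lo:hi + 1]}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_log(SAMPLE_LOG)):
        print(f"{a['user']}: {a['count']} events in {a['window'][0]}..{a['window'][1]} "
              f"(baseline {a['baseline_per_day']}/day) over matters {a['matters']}")
```

On the constructed data only jsmith is flagged: 12 exports against a baseline of 2 per day. mlee's 11 prints clear the absolute floor but not five times a 3-per-day habit, which is the distinction a pure count threshold would miss. In a real deployment the matters list in the alert is the first thing to check, since a burst spread over matters the user does not work on is a much stronger signal than a burst within one.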
Risk: Loss by Firm Vendors

Breaches and losses of information by the firm's third-party providers are, unfortunately, frequent headline-makers. Considerations include:

- Up-to-date inventory of vendors who hold the firm's information and the information each vendor holds
- Assurance that vendor data privacy obligations comply with firm policies and client obligations
- Verification of the actual scope and applicability of vendor security claims, such as ISO 27001 or SAS 70 (a certificate or audit report covers only the scope the vendor chose to have assessed, which may not include the systems that hold the firm's data)

Risk: Completeness of Record

To provide legal advice competently, lawyers rely on the complete and up-to-date record of the matter; hence the driving need for processes and tools that support access to and life cycle management of information. From the moment a matter is opened:

- Repositories must be in place to store, organize and protect materials as created or received
- Materials must be classified by client-matter number
- 24/7 access must be available via firm and personal resources
- Information-use policies must be in place to prevent the proliferation of unclassified information, ensure the protection of confidential information, and govern the appropriate destruction of obsolete information

Alas, there is no “silver bullet” system for information life cycle management; today it comprises automated new business intake to establish the client-matter IDs associated with the electronic repositories; document management, which when broadly focused is the repository that houses all matter-related information (including email and attachments and transacted/filed documents); records management, which tracks information retention periods and disposition events; and email archives, which house aged, unclassified email.

Risk: Retention and Disposal

The corollary to the need for a complete record is that the value of information also expires, and that overlong retention is costly to store, manage and protect; interferes with efficient access to relevant information; and adds to the risk that it will be subject to legal hold and production actions. To be defensible, the rules governing the retention and disposition of information must be consistent, the actions taken must be reasonable and done in good faith, and there must be no duty to preserve at the time of the disposition. Considerations include:

- Records policy that establishes the accountabilities for employees and information management
- Retention schedules based on laws, regulations and bar opinions
- Records management system to apply retention periods and disposition triggers consistently
- Legal hold system to prevent the disposition of information while there is a duty to preserve
- Destruction process that preserves confidentiality and documents the actions taken

Risk: Loss by Firm Employees

Inadvertent data losses by firm employees are believed to be the most common form of actual data breaches. Considerations include:

- Encryption of firm-provided portable PC hard drives (and USB thumb drives)
- Detection of non-standard devices that could compromise confidentiality
- Capability to encrypt email from Outlook before sending
- Policy prohibiting use of personal email accounts to transmit firm information (and subsequent blocking)
- Passwords and remote deletion/wipe capabilities for PDAs
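The retention considerations above describe three checks a records system has to get right together: the schedule sets an expiry, the legal-hold system overrides it, and the destruction process must record what was done and why. The following is an added example, not code from the article; the record classes, retention periods, hold identifiers and dates are assumed for illustration. It puts those rules in one review routine: a record is released for destruction only when its retention period has run and no unreleased hold covers its matter, a record whose class has no schedule is never released (failing safe rather than open), and every decision, including each refusal, is written to a log entry that documents the action and its reason.

```python
"""Disposition review: retention expiry plus legal-hold check, with a decision log.

Added example (not from the article). The record classes, retention periods,
identifiers and dates are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Retention schedule: record class -> years to retain after the trigger event (assumed values).
SCHEDULE = {
    "CLIENT_FILE": 7,          # trigger: matter close date
    "ENGAGEMENT_LETTER": 10,   # trigger: matter close date
    "EMAIL_UNCLASSIFIED": 2,   # trigger: date received
}
TODAY = date(2011, 6, 1)       # review date (assumed)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    matter: str          # client-matter number; "" for unclassified material
    trigger_date: date   # event that starts the retention clock


@dataclass
class LegalHold:
    hold_id: str
    matters: frozenset
    released: bool = False


def add_years(d, years):
    """Add years to a date; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(record):
    """Date the retention period ends, or None when no schedule covers the class (never dispose)."""
    years = SCHEDULE.get(record.record_class)
    return None if years is None else add_years(record.trigger_date, years)


def active_holds(record, holds):
    """Identifiers of unreleased holds that cover this record's matter."""
    return sorted(h.hold_id for h in holds if not h.released and record.matter in h.matters)


def review_disposition(records, holds, today):
    """Split records into (eligible, blocked) and return a log documenting every decision.

    A record is eligible only if its retention period has expired AND no unreleased
    legal hold covers its matter; anything else is retained with the reason recorded.
    """
    eligible, blocked, log = [], [], []
    for r in records:
        expiry = retention_expiry(r)
        holds_on = active_holds(r, holds)
        if expiry is None:
            decision, reason = "RETAIN", f"no retention schedule for class {r.record_class}"
        elif expiry > today:
            decision, reason = "RETAIN", f"retention runs until {expiry}"
        elif holds_on:
            decision, reason = "RETAIN", "legal hold " + ", ".join(holds_on)
        else:
            decision, reason = "DISPOSE", f"retention expired {expiry}, no active hold"
        (eligible if decision == "DISPOSE" else blocked).append(r)
        log.append((today.isoformat(), r.record_id, decision, reason))
    return eligible, blocked, log


# Constructed sample data.
RECORDS = [
    Record("R1", "CLIENT_FILE", "C100-M1", date(2003, 6, 30)),        # expired 2010-06-30; hold released
    Record("R2", "CLIENT_FILE", "C200-M3", date(2003, 1, 15)),        # expired, but under an active hold
    Record("R3", "ENGAGEMENT_LETTER", "C100-M1", date(2003, 6, 30)),  # retention runs until 2013-06-30
    Record("R4", "PARTNER_NOTES", "C100-M1", date(1999, 2, 1)),       # class not in the schedule
    Record("R5", "EMAIL_UNCLASSIFIED", "", date(2008, 2, 29)),        # expires 2010-02-28
]
HOLDS = [
    LegalHold("H1", frozenset({"C200-M3"})),
    LegalHold("H2", frozenset({"C100-M1"}), released=True),
]

if __name__ == "__main__":
    eligible, blocked, log = review_disposition(RECORDS, HOLDS, TODAY)
    for entry in log:
        print(*entry)
```

Two design points matter for defensibility. The hold check runs after the expiry check but before anything is released, so releasing a hold (H2 above) reopens disposition for that matter without any change to the schedule, and the log records the hold identifier that blocked a record rather than a bare "retained", which is what a later inquiry into why a document still existed, or no longer existed, will need.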
Risk: Breach of Ethical Obligations

Lawyers have duties of loyalty and confidentiality to their clients. In today's volatile market, lawyers are moving from firm to firm with increasing rapidity. While the 2009 changes to ABA Model Rule of Professional Conduct 1.10, Imputation of Conflicts of Interest: General Rule, make it easier ethically for lawyers to change firms, they heighten the requirements for conflicts clearance, ethical screens, client notification and explicit client consent. All have implications for IT: ingestion of unauthorized information from laterals, ethical screens over client-matter information and tracking of client instructions. Considerations include:

- Lateral transfer processes
- Conflicts clearance processes to identify ethical (and business) conflicts, and databases to track them
- Matter screens (inclusive and exclusive)

Risk: Regulatory Non-Compliance

Law firms are relatively new to regulatory controls, so the roles, education and processes are still developing. Considerations include:

- C-level knowledge of the firm's obligations under regulations affecting the firm's clients, such as the Gramm-Leach-Bliley Act, HIPAA/HITECH, state privacy laws, the EU Data Protection Directive and ITAR, as well as an understanding of the flow of this data across geographic boundaries
- Inventory of the firm's data subject to the above and the data it holds on behalf of clients
- Designation of a data privacy officer
- Registration with non-U.S. data protection authorities
- Regular communications to firm lawyers and staff on their obligations and how to react if a risk or breach occurs
- Intranet site that serves as a compliance education source for the firm's lawyers and staff

Risk: Loss of Access

When lawyers and firm leadership lose access to firm information (i.e., system downtime or disasters), it is among the highest profile incidents for a CIO. Considerations include:

- Ability to recover key business systems in less than an hour, even if certain key staff are not available
- 99.98 percent uptime for core systems (equivalent to less than two hours of downtime per year)
- No or minimal data loss (e.g., email and document edits) when failures do occur
- Recovery exercises at least twice a year (tabletop exercises, verbal rather than actual tests, are practical complements to actual recovery exercises)

While this action plan only focuses on a few key issues in each area, it highlights the multidisciplinary nature of protecting information from risk.
Roadmap

Attributes that will define the maturity of information risk management in the next few years include:

Governance

CIOs cannot act in isolation when making decisions about, or taking action to address, information risks. Law firms are best served by creating a risk management team to address information risks in the broader context of legal and operational risks. This team should include roles responsible for information risk and for data breaches (not likely to be the same person). Such a team provides a check and balance by making information risk decisions separate from the IT personnel tasked with implementing them. Despite good intentions, a busy and cost-conscious IT department often compromises good risk management protocol; a risk management team provides a forum for determining the firm's tolerance for risk in the context of its business priorities.

Risk Management Through Contract

The maturity of IT vendors and the proliferation of “as-a-service” options will drive the evolution of risk management skill sets from technical to legal competencies. COOs and lawyers, who are often uncomfortable navigating technical risks, are already warming to managing risks through contract negotiations, agreed formal procedures and incident responsibilities. IT will be best positioned when it can address both the technical and the legal aspects of information risk.

Self-Audit

Many regulated companies already employ monitoring tools, data scanning software and governance, risk and compliance (GRC) dashboards to understand their current state in real time and manage their progress on risk initiatives. Law firms are just beginning to keep basic, manual risk registers (inventories of risk issues and the actions to be taken to address them). Over time, they will be expected to dynamically inventory, monitor, assess and address information risk issues. IT departments need to develop the risk-savvy skill sets to use these tools.

Physical Disaggregation of Information

In opposition to the ongoing trend to consolidate systems into primary datacenters, the physical locations of information will grow as firms turn to vendors for infrastructure or software as a service. Risk management policies and audit capabilities will need to extend across organizational and geographic boundaries, especially as virtualized systems make data flowing in and out of vendors more straightforward and dynamic.

Risk Standards

Over the past two years, law departments have increased the depth and complexity of their risk-related questions markedly. This trend is expected to continue accelerating, with multiple departments standardizing on similar risk expectations. In response, over a dozen law firms have achieved ISO 27001 information security certification to satisfy now-common RFP requirements. Accordingly, expect growth in certifications and standardization.

This action plan and roadmap should provide a starting point to ensure good risk governance is in place. Without it, IT is inappropriately taking all the risk on its own shoulders.

This article was first published in ILTA's June 2011 issue of Peer to Peer, titled “Law2020™: One Year In”, and is reprinted here with permission. For more information about ILTA, visit their website at www.iltanet.org.

David Cunningham is one of the original consultants of Baker Robbins & Company, helping it grow from 12 to 120 consultants and now part of Hildebrandt Baker Robbins. David leads strategic technology assessments, cost reduction and outsourcing analysis, and risk management assessments. He established the Law Firm Technology Scorecard and co-leads the risk management practice. He can be reached at firstname.lastname@example.org.

Meg Block has over 25 years of experience consulting to the legal community. A Managing Director, she is a senior leader in Hildebrandt Baker Robbins' information management service line. Her specialties are business process reviews and the design and implementation of enterprise-wide information programs in the areas of records management, new business intake, conflicts of interest, IP and litigation calendar-docket. She also teams with email and document management experts to develop practical and defendable digital records management strategies. She can be reached at email@example.com.