2011 ilta legal information action plan and roadmap by dave cunningham and meg block


BEST PRACTICES

Legal Information Risk — Action Plan and Roadmap

A law firm has only a few principal assets: its reputation, its people, its relationships and the collective information for which it is responsible. Ensuring the quality of this information and protecting it from risk is critical to a firm's viability. While many share responsibility for the quality of information, the CIO has the central role in handling risks that threaten its existence, accessibility and security. IT's hardware, software and services, while complex and expensive, are simply the tools that help IT deliver on these responsibilities.

We have assembled an action plan covering some of the considerations when addressing nine risks to law firm information, and a roadmap outlining key aspects of the expected future state. While not exhaustive, it is a useful guide for CIOs, COOs and security directors when considering their firm's priorities and risk tolerance.

ACTION PLAN

Risk: Theft by External Parties

Security firms have conveyed that law firms are easy targets for obtaining information on law firm clients; hackers might not even bring their varsity team to break in. Whether this situation drives law firms to third-party providers of infrastructure and security services or improves internal procedures is yet to be seen; in any case, security know-how is an IT responsibility that is growing in importance. Considerations include:

- Annual audit by a third-party security specialist, including penetration testing
- Expert (third-party or in-house) monitoring of WAN and firewall security incidents
- Mature (consistent and fresh) software patch management procedures
- Secure client software for iPhone/iPad and other PDAs
- Two-factor authentication (something you know, something you have) for network logon
- Password policies to ensure appropriate complexity and occasional change
- Clear information security design and incident response responsibilities, including appropriate training

Risk: Theft by Internal Parties

For collaboration, law firms trust their own employees and provide wide access once logged onto the IT systems. Headline events of associates selling firm information for profit have not yet driven most firms to change this model (although a small number of firms have done so). Firms can take more prudent steps and better protect sensitive information by moving to a "trust but verify" model. Considerations include:

- Consistent, automated ethical walls across major information systems (online accounting, business intelligence reports, time entry, document management, file shares, intranet and search results)
- Private folders and need-to-know project code names for sensitive matters not subjected to an ethical wall
- Rights management and/or encryption applied to very sensitive client and firm documents
- Expiration dates on information, e.g., the information is purged or access is denied after a defined period of time
- Automated monitoring for extraordinary events (e.g., mass export or printing)
- Secured screen savers and daily log-out policies
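The "automated monitoring for extraordinary events" item above is the one control on this list that is pure detection logic, so here is a worked illustration of it. This is an added example, not code from the article or from any DMS product: it runs a sliding-window count of EXPORT/PRINT events per user over a constructed audit log and raises one alert per burst. The log line format (timestamp, user, action, document id, client-matter number), the user names, the ten-minute window and the threshold of five are all assumptions; a real deployment would read the document management system's own audit export and tune the threshold to a per-user baseline.

```python
"""Sliding-window detector for mass export/printing in a DMS audit log.

Added example, not code from the original article. The log format (one
event per line: timestamp, user, action, document id, client-matter), the
user names, the 10-minute window and the threshold of 5 are constructed
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real firm data).
SAMPLE_LOG = """\
2011-05-02T09:01:10 jsmith OPEN doc-1001 10234-0007
2011-05-02T09:02:44 jsmith EXPORT doc-1001 10234-0007
2011-05-02T09:03:05 aperez PRINT doc-2020 55001-0002
2011-05-02T09:40:12 jsmith EXPORT doc-1002 10234-0007
2011-05-02T17:45:02 rjones EXPORT doc-3001 10234-0007
2011-05-02T17:45:05 rjones EXPORT doc-3002 10234-0007
2011-05-02T17:45:09 rjones EXPORT doc-3003 10234-0008
2011-05-02T17:45:13 rjones EXPORT doc-3004 55001-0002
2011-05-02T17:45:18 rjones PRINT doc-3005 55001-0002
2011-05-02T17:45:21 rjones EXPORT doc-3006 77310-0001
2011-05-02T17:46:00 rjones EXPORT doc-3007 77310-0001
2011-05-02T18:30:00 rjones OPEN doc-3008 77310-0001
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OPEN|EXPORT|PRINT) (\S+) (\S+)$")
BULK_ACTIONS = {"EXPORT", "PRINT"}   # actions that move documents out of the DMS


def parse_log(text):
    """Parse audit lines into (timestamp, user, action, doc, matter) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Fail closed: a line the monitor cannot read should be investigated, not skipped.
            raise ValueError("unparseable audit line: %r" % line)
        ts, user, action, doc, matter = m.groups()
        events.append((datetime.fromisoformat(ts), user, action, doc, matter))
    return events


def detect_mass_activity(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user burst of >= threshold EXPORT/PRINT events inside `window`.

    A burst stays open while events keep arriving within `window` of the
    last one, so a 200-document export yields a single alert whose count
    and matter list grow, rather than 196 separate alerts.
    """
    recent = defaultdict(deque)   # user -> (ts, matter) events still inside the window
    open_alert = {}               # user -> alert dict still being extended
    alerts = []
    for ts, user, action, doc, matter in sorted(events):
        if action not in BULK_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, matter))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        alert = open_alert.get(user)
        if alert is None or ts - alert["last"] > window:
            # Threshold just crossed: the alert covers every event in the window.
            alert = {"user": user, "first": q[0][0], "last": ts,
                     "count": len(q), "matters": {m for _, m in q}}
            open_alert[user] = alert
            alerts.append(alert)
        else:
            alert["last"] = ts
            alert["count"] += 1
            alert["matters"].add(matter)
    for alert in alerts:
        alert["matters"] = sorted(alert["matters"])
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect_mass_activity(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print("%s: %d export/print events %s..%s across matters %s"
              % (a["user"], a["count"], a["first"].time(), a["last"].time(),
                 ", ".join(a["matters"])))
```

Against the constructed log, jsmith's two exports 38 minutes apart never reach the threshold, while rjones's seven exports and prints in under a minute across four client-matters produce a single alert. The number of distinct matters in a burst is worth carrying into the alert: one user touching many unrelated matters at once is a stronger signal than the raw count.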
Risk: Loss by Firm Vendors

Breaches and losses of information by the firm's third-party providers are, unfortunately, frequent headline-makers. Considerations include:

- Up-to-date inventory of vendors who hold the firm's information and the information each vendor holds
- Assurance that vendor data privacy obligations comply with firm policies and client obligations
- Verification of the actual scope and applicability of vendor security claims, such as ISO 27001 or SAS 70

Risk: Completeness of Record

To provide legal advice competently, lawyers rely on the complete and up-to-date record of the matter; hence the driving need for processes and tools that support access to and life cycle management of information. From the moment a matter is opened:

- Repositories must be in place to store, organize and protect materials as created or received
- Materials must be classified by client-matter number
- 24/7 access must be available via firm and personal resources
- Information-use policies must be in place to prevent the proliferation of unclassified information, ensure the protection of confidential information, and govern the appropriate destruction of obsolete information

Alas, there is no "silver bullet" system for information life cycle management; today it comprises automated new business intake to establish client-matter IDs associated with the electronic repositories; document management, which when broadly focused, is the repository that houses all matter-related information (including email and attachments and transacted/filed documents); records management, which tracks information retention periods and disposition events; and email archives, which house aged, unclassified email.

Risk: Loss by Firm Employees

Inadvertent data losses by firm employees are believed to be the most common form of actual data breach. Considerations include:

- Encryption of firm-provided portable PC hard drives (and USB thumb drives)
- Detection of non-standard devices
- Capability to encrypt email from Outlook before information is sent
- Policies prohibiting use of personal email accounts to transmit firm information (and subsequent blocking)
- Passwords and remote deletion/wipe capabilities for all PDAs

Risk: Retention and Disposal

The corollary to the need for a complete and retained record is that the value of information also expires and that overlong retention is costly to store, manage and protect; interferes with efficient access to relevant information; and adds to the risk that it will be subject to legal hold and production. To be defensible, the rules governing the retention and disposition of information must be consistent and done in good faith, and the actions taken must be reasonable and without a duty to preserve at the time of the disposition. Considerations include:

- Records policy that establishes the accountabilities for records and information management
- Retention schedules based on laws, regulations and bar opinions
- Records management system to apply retention periods and disposition triggers consistently
- Legal hold system to prevent the disposition of information while there is a duty to preserve
- Destruction processes that preserve confidentiality and document the actions taken
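The last four items in the Retention and Disposal list describe one decision procedure: apply the schedule, but never dispose while a hold is in force, and write down what was decided. The following is an added example of that procedure, not code from the article or from any records management product. The retention periods, record classes, client-matter numbers, hold identifiers and dates are constructed assumptions; the real periods come from the laws, regulations and bar opinions the firm's records policy cites.

```python
"""Disposition decision that applies a retention schedule but defers to legal holds.

Added example, not code from the original article. Retention periods,
client-matter numbers, hold identifiers and dates are constructed
assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    record_id: str
    client_matter: str
    record_class: str      # classification the retention schedule is keyed on
    trigger_date: date     # event that starts the retention clock, e.g. matter closed


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    client_matters: FrozenSet[str]
    released: Optional[date] = None   # None while the duty to preserve continues


# Constructed retention schedule: record class -> years after the trigger date.
RETENTION_YEARS: Dict[str, int] = {"correspondence": 7, "pleadings": 10, "drafts": 3}


def retention_expires(record: Record) -> Optional[date]:
    """Date the retention period ends, or None if the record class is not in the schedule."""
    years = RETENTION_YEARS.get(record.record_class)
    if years is None:
        return None
    t = record.trigger_date
    try:
        return t.replace(year=t.year + years)
    except ValueError:            # 29 February trigger landing in a non-leap year
        return t.replace(year=t.year + years, day=28)


def active_holds(record: Record, holds: List[LegalHold], as_of: date) -> List[str]:
    """Ids of holds that cover the record's matter and were not released on or before as_of."""
    return [h.hold_id for h in holds
            if record.client_matter in h.client_matters
            and (h.released is None or h.released > as_of)]


def evaluate(record: Record, holds: List[LegalHold], as_of: date, audit: List[dict]) -> str:
    """Decide DISPOSE / RETAIN / HOLD / REVIEW and record the reason in the audit trail.

    The legal-hold check runs first so that an expired retention period can
    never override a duty to preserve; an unclassified record is sent for
    review rather than guessed at.
    """
    hold_ids = active_holds(record, holds, as_of)
    expires = retention_expires(record)
    if hold_ids:
        decision, reason = "HOLD", "legal hold active: " + ", ".join(hold_ids)
    elif expires is None:
        decision, reason = "REVIEW", "unclassified record class %r; schedule cannot be applied" % record.record_class
    elif as_of < expires:
        decision, reason = "RETAIN", "retention runs until %s" % expires
    else:
        decision, reason = "DISPOSE", "retention expired %s; no active hold" % expires
    audit.append({"record_id": record.record_id, "as_of": as_of.isoformat(),
                  "decision": decision, "reason": reason})
    return decision


def run_sample(as_of: date = date(2011, 6, 1)) -> Tuple[Dict[str, str], List[dict]]:
    """Evaluate constructed records against constructed holds as of a given date."""
    holds = [
        LegalHold("H-2010-04", frozenset({"55001-0002"})),                    # still in force
        LegalHold("H-2009-01", frozenset({"77310-0001"}), date(2011, 1, 31)),  # released
    ]
    records = [
        Record("R1", "10234-0007", "correspondence", date(2003, 3, 15)),  # expired, no hold
        Record("R2", "10234-0007", "pleadings", date(2003, 3, 15)),       # still within period
        Record("R3", "55001-0002", "correspondence", date(2002, 1, 10)),  # expired but on hold
        Record("R4", "77310-0001", "correspondence", date(2002, 1, 10)),  # hold released
        Record("R5", "77310-0001", "memo", date(2000, 2, 29)),            # not in schedule
        Record("R6", "10234-0007", "drafts", date(2000, 2, 29)),          # leap-day trigger
    ]
    audit: List[dict] = []
    decisions = {r.record_id: evaluate(r, holds, as_of, audit) for r in records}
    return decisions, audit


if __name__ == "__main__":
    for entry in run_sample()[1]:
        print(entry)
```

The audit list is the "documents the actions taken" piece: each entry records the as-of date, the decision and the specific hold or expiry date that justified it, which is what a firm needs to show when a disposition is later questioned.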
Risk: Regulatory Non-Compliance

Law firms are relatively new to regulatory controls, so the roles, education and processes are still developing. Considerations include:

- C-level knowledge of the firm's obligations under regulations affecting the firm's clients, such as the Gramm-Leach-Bliley Act, HIPAA/HITECH, state privacy laws, the EU Data Protection Directive and ITAR, as well as an understanding of the flow of this data across geographic boundaries
- Inventory of the firm's data subject to the above obligations and the data it holds on behalf of clients
- Designation of a data privacy officer
- Registration with non-U.S. data protection authorities
- Regular communications to firm lawyers and staff on their obligations and how to react if a risk or breach occurs
- Intranet site that serves as a compliance educational source for the firm's lawyers and staff

Risk: Breach of Ethical Obligations

Lawyers have duties of loyalty and confidentiality to their clients. In today's volatile market, lawyers are moving from firm to firm with increasing rapidity. While the 2009 changes to ABA Model Rule of Professional Conduct 1.10, Imputation of Conflicts of Interest: General Rule, make it easier ethically for lawyers to change firms, they heighten the requirements for conflicts clearance, ethical screens, client notification and explicit client consent. All have implications for IT: ingestion of unauthorized information from laterals, ethical screens over client-matter information and tracking of client instructions. Considerations include:

- Lateral transfer processes
- Conflicts clearance processes to identify ethical (and business) conflicts, and databases to track them
- Matter screens (inclusive and exclusive)

Risk: Loss of Access

When lawyers and firm leadership lose access to firm information (i.e., system downtime or disasters), it is among the highest profile incidents for a CIO. Considerations include:

- Ability to recover key business systems in less than an hour, even if certain key staff are not available
- 99.98 percent uptime for core systems (equivalent to less than two hours of downtime per year)
- No or minimal data loss (e.g., email and document edits) when failures do occur
- Recovery exercises at least twice a year (tabletop exercises, verbal rather than actual tests, are practical complements to actual recovery exercises)

While this action plan only focuses on a few key issues in each area, it highlights the multidisciplinary nature of protecting information from risk.
ROADMAP

Attributes that will define the maturity of information risk management in the next few years include:

Governance

CIOs cannot act in isolation when making decisions about or taking action to address information risks. Law firms are best served by creating a risk management team to address information risks in the broader context of the legal and operational risks. This team should include roles responsible for information risk and data breaches (not likely to be the same person). Such a team provides a check-and-balance by making information risk decisions separate from the IT personnel tasked with implementing them. Despite good intentions, a busy and cost-conscious IT department often compromises good risk management protocol; a risk management team provides a forum for determining the firm's tolerance for risk in the context of its business priorities.

Risk Management Through Contract

The maturity of IT vendors and the proliferation of "as-a-service" options will drive the evolution of risk management skill sets from technical to legal competencies. COOs and lawyers, who are often uncomfortable navigating technical risks, are already warming to managing risks through contract negotiations, agreed formal procedures and incident responsibilities. IT will be best positioned when it can address both technical and legal aspects of information risk.

Self-Audit

Many regulated companies already employ monitoring tools, data scanning software and governance, risk and compliance (GRC) dashboards to understand their current state in real time and manage their progress in relation to risk initiatives. Law firms are just beginning to keep basic, manual risk registers (inventories of risk issues and actions to be taken to address them). Over time, they will be expected to dynamically inventory, monitor, assess and address information risk issues. IT departments need to develop the risk-savvy skill sets to use these tools.

Physical Disaggregation of Information

In opposition to the ongoing trend to consolidate systems into primary datacenters, the physical locations of information will grow as firms turn to vendors for infrastructure or software as a service. Risk management policies and audit capabilities will need to extend across organizational and geographic boundaries, especially as virtualized systems make data flowing in and out of vendors more straightforward and dynamic.

Risk Standards

Over the past two years, law departments have markedly increased the depth and complexity of their risk-related questions. This trend is expected to continue accelerating, with multiple departments standardizing on similar risk expectations. In response, over a dozen law firms have achieved ISO 27001 information security certification to meet now-common RFP requirements. Accordingly, expect growth in certifications and standardization.

This action plan and roadmap should provide a starting point to ensure good risk governance is in place. Without it, IT is inappropriately taking all the risk on its own shoulders.

This article was first published in ILTA's June 2011 issue of Peer to Peer titled "Law2020™: One Year In" and is reprinted here with permission. For more information about ILTA, visit their website at www.iltanet.org.

David Cunningham is one of the original consultants of Baker Robbins & Company, helping it grow from 12 to 120 consultants and now part of Hildebrandt Baker Robbins. David leads strategic technology assessments, cost reduction and outsourcing analysis, and risk management assessments. He established the Law Firm Technology Scorecard and co-leads the risk management practice. He can be reached at dcunningham@hbrconsulting.com.

Meg Block has over 25 years of experience consulting to the legal community. A Managing Director, she is a senior leader in Hildebrandt Baker Robbins' information management service line. Her specialties are business process reviews and the design and implementation of enterprise-wide information programs in the areas of records management, new business intake, conflicts of interest, IP and litigation calendar-docket. She also teams with email and document management experts to develop practical and defendable digital records management strategies. She can be reached at mblock@hbrconsulting.com.