Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunningham and nathan bowie may 2010
•Download as PPT, PDF•
0 likes•488 views
Recommended
Recommended
More Related Content
What's hot
What's hot (18)
Viewers also liked
Viewers also liked (10)
Similar to Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunningham and nathan bowie may 2010
Similar to Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunningham and nathan bowie may 2010 (20)
More from David Cunningham
More from David Cunningham (20)
Recently uploaded
Recently uploaded (20)
Hildebrandt baker robbins presentation for coo roundtable 2010 by dave cunningham and nathan bowie may 2010
- 1. Using Technology to Reduce the Costs and Hassle of Key Legal Business Issues Presented by David Cunningham Managing Director, Strategic Technology and Risk Practices Hildebrandt Baker Robbins Nathan Bowie Managing Director, Alternative Fee Arrangement Practice Hildebrandt Baker Robbins May 20, 2010
- 2. Challenge for Technology The key challenge for law firms in 2010 and beyond is to “shift gears” from a model premised on growth and expansion to one premised on the more efficient and cost effective delivery of legal services. The IT community must take this into consideration in planning and project delivery. You must enable lawyers to become an “enhanced practitioner” (Susskind) that blend legal skills with deal/project delivery. They need different tools for different times.
- 3. Value from Technology Efficiency Costs Risks Data Privacy
- 5. Data Privacy HITECH / HIPAA Protected Health Information (PHI) Data Privacy Regulations State Privacy Laws Personally Identifiable Information (PII) EU Data Protection Directive / Safe Harbor Personally Identifiable Information (PII) Red Flag Personally Identifiable Information (PII) ITAR Classified Defense Information Personal information about a resident of the Commonwealth of Massachusetts Sensitive Data State of Massachusetts (example state) Governing Body $5,000 per incident plus costs of investigation, litigation and legal fees, plus potential civil penalties Penalty March 1, 2010 Compliance Date
- 6. Data Privacy HITECH / HIPAA Protected Health Information (PHI) Data Privacy Regulations State Privacy Laws Personally Identifiable Information (PII) EU Data Protection Directive / Safe Harbor Red Flag Personally Identifiable Information (PII) ITAR Classified Defense Information Personal information transferred to or from 27 Members States of the European Union Sensitive Data US Dept of Commerce / Federal Trade Commission Governing Body Up to $12,000 per day for violations Penalty Voluntary (replaces Data Transfer Agreements) Compliance Date
- 8. Data Privacy HITECH / HIPAA Protected Health Information (PHI) State Privacy Laws Personally Identifiable Information (PII) EU Data Protection Directive / Safe Harbor Personally Identifiable Information (PII) Red Flag Personally Identifiable Information (PII) ITAR Classified Defense Information Data Privacy Regulations “ Export of technical data and classified defense articles”, as defined by the US Munitions List Sensitive Data US Department of State Governing Body Per violation, civil fines up to $500K; criminal penalties up to $1M and 10 years imprisonment Penalty 60 days in advance of any intended sale or transfer to a foreign person of ownership or control Compliance Date
- 9. Data Privacy HITECH / HIPAA Protected Health Information (PHI) Data Privacy Regulations State Privacy Laws Personally Identifiable Information (PII) EU Data Protection Directive / Safe Harbor Personally Identifiable Information (PII) Red Flag Personally Identifiable Information (PII) ITAR Classified Defense Information Client Data Leaks Client and Case / Transaction Data Firm Data Leaks Firm and Partner Confidential Data Protection of Sensitive Data
- 10. Data Privacy HITECH / HIPAA Protected Health Information (PHI) Data Privacy Regulations State Privacy Laws Personally Identifiable Information (PII) EU Data Protection Directive / Safe Harbor Personally Identifiable Information (PII) Red Flag Personally Identifiable Information (PII) ITAR Classified Defense Information Client Data Leaks Client and Case / Transaction Data Protection of Sensitive Data Firm Data Leaks Firm and Partner Confidential Data Preservation Orders Litigation, Subpoena or Client Requests Confidential Walls - Inclusionary Walls for Privacy and Subpoenas - Exclusionary Walls for Conflicts
- 11. Data Privacy HITECH / HIPAA Protected Health Information (PHI) Data Privacy Regulations State Privacy Laws Personally Identifiable Information (PII) EU Data Protection Directive / Safe Harbor Personally Identifiable Information (PII) Red Flag Personally Identifiable Information (PII) ITAR Classified Defense Information Client Data Leaks Client and Case / Transaction Data Protection of Sensitive Data Firm Data Leaks Firm and Partner Confidential Data Preservation Orders Litigation, Subpoena or Client Requests Confidential Walls - Inclusionary Walls for Privacy and Subpoenas - Exclusionary Walls for Conflicts Data Standards ISO 27001 Competence in Addressing Data Confidentiality
- 13. Value from Technology Efficiency Costs Risks E-Mail Management
- 16. Email Lifecycle Management This workflow is realistic and easy to implement 1 2 3 File in <= 60 Days Store in personal folder or Inbox Deleted or Sent items Email created or received Purged by law firm >= 6 Months Life cycle retention managed via Records Management System Non-Record Limited Usefulness Convenience Materials Useful for some period Official Record Preserve Purged by law firm >= 2 Years Move to official client/matter Correspondence folder (DMS)
- 17. Auto filing - Decisiv auto files the email based on system applied rankings Outlook Inbox Context sensitive search suggestions
- 18. Connecting Email Policy to Change
- 19. Value from Technology Efficiency Costs Risks Alternative Fee Arrangements
- 23. Client Analysis (Relationships, Budget, Expectations, etc.) Client/Matter Risk Analysis Matter Planning for Known Matters Determine AFA Model (based on above and financial prerequisites) Determine AFA Management Approach and Costs Knowledge & Process Capability/Readiness RFP Response Development Acceptable Margin Analysis Risk Acceptance Analysis Cost Analysis Develop Predictive Pricing/ Profitability Models Analyze and Develop Target Client List Firm-wide AFA Guideline Development Develop Strategy for Winning Profitable AFA Work Analyze AFA Strategy and Target Client Development Strategize Client-Specific AFA Development Dedicated AFA Administrator (Billing, Compliance w/AFA, Analysis) Billing/eBilling Determine and apply revenue recognition policies in line w/AFA Client-Facing Financial Portal Client Matter Management System Interface Granular Matter Tagging Matter Planning for New Matters (Budget, Staffing, Timing) Matter Inception Process (client communications and scope acceptance) Matter Onboarding Project Management Budget/Scope Management Project and Scope Management Provide Up-to-Date Financial Measurements Implement Matter Status Process Client Communications Client Portfolio Review and Analysis (Proactive Review of Matters/ Risks on Behalf of Client) Leveraging Knowledge Base Leveraging Staff Delivering Legal Services Achieving Client Results Deliver Meeting Client Expectations and Profitability Goals Administer AFA Administration Measure Measuring Results Analyze profitability of total AFA arrangement to-date (and comparison to standard billing approach) Incorporate AFA pricing into published dashboards/reports Communicate total profitability to partnership/ management (separate from billable hour view) Analyze need for adjustments to AFA structure After Matter Review / Refinement
- 25. Screenshot
- 28. PM slides
- 29. Alternative Fee Arrangements: Example - Eversheds and Tyco
- 30. Value from Technology Efficiency Costs Risks Cloud Computing
- 33. Cloud Computing Comparison Moderate Low Low High Hassle Moderate (privacy) High (downtime, privacy, WAN High (downtime, privacy, WAN) High (staff, IT design, downtime, disasters, privacy) Risks Moderate Low to High Moderate Moderate ($4,000/user for infrastructure, $5,000 per user for IT staff) Cost High High High Moderate Scalability Aspect Traditional In-House Cloud Infrastructure (IAAS) Cloud Software (SAAS) Hybrid
- 34. Closing Comments The IT community must plan and delivery projects differently. You must enable lawyers to become an “enhanced practitioner” (Susskind) that blend legal skills with deal/project delivery. They need different tools for different times.
Editor's Notes
- Thank you and introductions
- As I am sure you have already been discussing, we believe there is a shift in delivery models emerging, including customized project pricing for major transactions, “unbundling” legal services, pushing work to offices where it can be most efficiently performed and developing serious project management skills. The objective is to b lend Legal Services with effective project delivery. The IT community must take this into consideration in planning and project delivery. You must enable lawyers to become an “enhanced practitioner” (Susskind) that blend legal skills with deal/project delivery. They need different tools for different times. While some of this may seem leading edge, we are generally simply following in the footsteps of large accounting and consulting firms who remain over 10 years ahead of law firms in many of the areas we’ll be addressing today. We worked with Bill to select technology topics for this session. We focused on four areas that have the most potential impact to the business and practice of law. So, I am pleased to be talking about real business issues technology can address, rather than bits and bytes. We’ll talk about data privacy, e-mail management, and alternative fee arrangements and cloud computing. Information as of Q3 2009 Contact Peter Buck | pbuck@brco.com about this presentation
- For each of our topics, we’ll provide a perspective of the efficiencies, cost savings, and risk reduction it offers. Our first topic is data privacy. Data privacy is simple in concept – ensuring sensitive data is seen by only the correct people. It can also be called Data Security or Data Loss Prevention. For our discussion today, we’re not going to focus on related topics of perimeter security (firewalls, etc.) or protection from viruses. Specifically, we’ll focus on data privacy regulations and the protection of firm and client confidential data. First, I will outline the issues and obligations for law firms in these areas, then provide a perspective of what we see as an emerging solution to tackle most of the needs for law firms. Information as of Q3 2009 Contact Peter Buck | pbuck@brco.com about this presentation
- There are three areas of focus for law firms, and a relatively new set of regulations is the first. While each regulation is unique, there are important similarities as well. The first is HIPAA which is concerned with the protection of health care information when it can be identified with a particular person. While HIPAA has been in place for a while, the more recent HITECH Act has made the protection of health information applicable to law firms and other business associates of health care organizations. All law firms have some health care information about their own employees, although the hot button is how a firm handles health information its receives from its clients and from discovery. With HITECH and others, you can see that the penalties are stiff and the compliance date has recently passed.
- The next three areas I’ll address are all concerned with what they call “personally identifiable information” or PII. Examples include a person’s name associated with their bank account, driver’s license (address?). Many states have created obligations to protect this information and I use Massachusetts as an example because it has set the highest bar so far. It requires protection of Massachusetts’ residents’ information whether or not you are doing business in their state, and it specifically mentions that such data should be encrypted. Other states are expected to follow Massachusetts’ lead and there is an expectation of federal law at some point in the future.
- Also concerned with personally identifiable information and perhaps most well known to international firms, is the EU Data Protection Directive which is applicable when transferring data to or from the 27 countries in the EU. The FTC has also established a more simple approach to be compliant with EU expectations, called the Safe Harbor. There are implications with either approach and the last time I checked Shearman & Sterling was the only firm that has completed its Safe Harbor certification.
- The FTC’s Red Flag rule has similar concerns, with a focus on preventing identity theft. At this point, the ABA has successfully exempted law firms from this obligation but we keep it on the radar as this may change again.
- The final regulation is less well known but more critical to some firms. ITAR is focused on classified defense information, and requires the filing of information 60 days in advance of transfers to people who are not U.S. citizens (even if they are in the U.S.). Firms with large aviation and government clients find this very relevant. Fines are very heavy, including imprisonment in severe cases.
- While regulatory compliance is important on many levels, the protection of a firm’s sensitive data is more often what makes headlines and causes lawsuits and embarrassment. From law firms, there have been high profile leaks of both client data and of confidential firm data over the past year. While you’ve heard people warn that your e-mails may get published on the Wall Street Journal, now some firms are now also asking “Could someone send this information to abovethelaw.com or sell it to a third party?
- Preservation orders and confidential walls are more traditional areas of data privacy, so I won’t expand on these as much. The technologies to address these issues (such as those from IntApp and The Frayman Group) are relatively mature for what they do. Firms are still mixed, but there’s no reason a firm shouldn’t be able to execute preservations orders simultaneously across all its key information sources (document management, time entry, e-mail, intranet, deal rooms, etc.).
- Before we look at how best to address these expectations, I want to mention that there is actually a standard for those who address data confidentiality well. There is what may be a bonus for you in that, if you address the expectations and obligations I’ve raised well, you will pretty be ready to be certified on the ISO 27001 standard. It is completely optional for law firms, and I know of two law firms that made the business decision to do so and have indeed been certified for a few years now. Since many government entities are required to meet ISO 27001 standards, there is a clear benefit for those firms that pitch work to government entities and, frankly, any corporation is apt to be impressed as well. Now that I’ve created a wall of issues, let me start to describe how we can effectively break them down.
- This illustration shows the three aspects of tackling data privacy -- a focus on policies and procedures plus addressing the data itself (analysis plus remediation). So, no doubt this has complexities. Law firms addressing data privacy are tending to focus solely on policies and manual data cleanup or are hiring expensive corporate (non-law firm) consultants to conduct large numbers of interviews and custom develop reports and policies. We have determined that there is a better way. Our goals in framing a solution are to: Not simply address one regulation at a time, but to create a broad, professional approach that satisfies criteria across all of the regulations while also protecting the firm’s sensitive data. Creating an environment where a firm can verify its compliance with policies it creates. Reducing the effort, costs and specialists data privacy skills to do this. I won’t dwell on the policies since technology won’t diminish the real effort and attention that need to go into these. Each of the necessary procedures, however, are well suited to a straightforward workflow process. For example, users must be made aware of what data you have of theirs that is sensitive and they need to be able to opt-in or opt-out of sharing it. While the procedure is straightforward, no firm can reliably determine and manage its sensitive data to this degree. That’s where an other type of technology comes in that is largely unused by law firms today. While a traditional compliance approach has been based on annual interviews with those possibly affecte Technology called Data Loss Prevention systems can be used to seriously streamline and improve your data privacy actions. It minimizes the According to Gartner, the two leading vendors in this space are RSA and Symantec (we have focused on RSA for a number of reasons, notably its long term roadmap with Microsoft). The tools from these vendors already understand the regulatory requirements and can also be configured to address your own needs to control confidentiality. They are capable of analyzing a firm’s system to find sensitive data and to take action upon it. They can merely alert you or the user, or they can block it, encrypt it, or seek approval from a designated person. They can determine when sensitive data is going to be printed, copied or sent to a USB device. Rather than periodic and expensive interviews, the software does this analysis behind the scenes and in real time. So, the drawbacks of this approach are a firm’s need to license the software, use it properly, and monitor compliance events. Beyond the explicit costs, this tends to require skills and time that don’t exist in most firms. As we’ll also discuss in the ‘cloud computing’ section, the emerging answer to such issues is to buy Data Privacy as a service rather than for each firm to create it from scratch. Some vendors, such as Smarsh, offer aspects of this although with a focus on e-mail and not addressing the non-technical elements on this chart. We’re currently working with a group of firms to establish a more end-to-end approach that would reduce the costs and effort by sharing some of the investments. Beyond creating a library of policy examples and issues, this service would automate the necessary procedures and provide a tool like RSA on a reduced costs basis, pre-configured to meet a law firm’s specific needs. This is only one option for a firm, but is an example of taking a complex, expensive issue and making it more of a commodity that can be consumed by many. Regardless of the approach, the key message is that firms cannot continue to ignore their risks and responsibilities in this area, and this is an area where a good firm doesn’t want to be trailing the changes in the market.
- Information as of Q3 2009 Contact Peter Buck | pbuck@brco.com about this presentation
- Electronic client file is fragmented Failure to satisfy professional responsibility to maintain the client file Matter team collaboration is more difficult Operating costs mushroom to handle e-mail’s exponential growth 12% of annual technology budget spent on email Lawyer and staff productivity is undermined and forests are killed Secretaries and staff spend up to 20% of their time filing, printing or organizing e-mail, often duplicatively Lawyers file e-mail personally in Outlook (so they can find it)—again duplicatively Knowledge is trapped in personally stored e-mail Litigation hold is challenging Some firms worry… What if clients may waive privilege and require email production in response to regulatory inquiry? What if clients demand that we to conform with their e-mail retention and destruction schedules? MetaGroup : Knowledge workers spend over 50% of their day in email. IDC : Approximately 60% of business critical information is stored in messaging systems. Gartner Group : Knowledge workers send/receive an average of 130 emails daily. As much as 75% of a company’s total knowledge exchange occurs via email; often, sole source of information Hildebrandt Baker Robbins : Personal email boxes average 1.5Gb, median is 4–5Gb, and the upper fringe is in excess of 20Gb.
- The volume of business email is huge. section of the presentation is about what an organization can do today to address what we call the 20-million problem. Each year large firms will have to respond, process or discard up to 20 million email items. If done incorrectly or not at all, the results can be devastating. We recommend two things: Concise email policy. Practical, simple and must be achievable in the normal course of business. Lawyers cannot effectively delegate classification of business records to intermediaries. Less than 15% of law firms today have a policy that covers electronic communication; over 90% have policy governing paper. This lack of Guidance increases risk, increases potential cost of discovery, increases cost of email storage. Policy elements must address: Filing and retention guidelines Accommodate compliance obligations, privacy and confidentiality concerns, litigation readiness Reflect employee workflow and work habits Maximize the use of technology Minimize the use of manual classifications File substantive emails; they belong to the official file for client-representation and firm management correspondence File emails and attachments as a unit to preserve context File a separate copy of an attachment for drafting Implement Email Lifecycle Management (illustrated on the next slide) What needs to be filed and where E-Mail Etiquette Age-based deletion Filing and retention guidelines Accommodate compliance obligations, privacy and confidentiality concerns, litigation readiness Reflect employee workflow and work habits Maximize the use of technology Minimize the use of manual classifications File substantive emails; they belong to the official file for client-representation and firm management correspondence File emails and attachments as a unit to preserve context File a separate copy of an attachment for drafting
- The challenge is to provide reasonable and realistic workflows – intuitive and promote adoption key. The user community is told “You file the email in a folder, we keep it. You file the email in the client file, we keep it longer.” We recommend iManage WorkSite controls the client file. The lifecycle addresses: Classification of email as non-records, convenience records or official records Filing emails that are useful for some period of time but should not be part of the official client record into personal email folders where they’ll be purged after a period of time (typically 2 years) Emails that are not filed are purged after some period of time (typically 60 days) Filing substantive emails that belong to the official file to WorkSite We recommend filing email into WorkSite to co-exist with all other client work product. Productivity can also be improved by creating a single official record; filing effectiveness is improved using WorkSmart tools to shave milliseconds off a processes that are repeated constantly… Our recommended lifecycle management workflow has three branches: Non records. Purged if not filed based on time. Convenience records. Foldered by client or client-matter and available for archiving and future deletion Official records. Foldered for filed directly into the official repository. Information as of Q3 2009 Contact Peter Buck | pbuck@brco.com about this presentation
- Information as of Q3 2009 Contact Peter Buck | pbuck@brco.com about this presentation
- Information as of Q3 2009 Contact Peter Buck | pbuck@brco.com about this presentation
- Information as of Q3 2009 Contact Peter Buck | pbuck@brco.com about this presentation