This document discusses information governance and the transition to digital information assets. It summarizes that information governance encompasses more traditional records management while focusing on minimizing risk and maximizing value. It also notes the large volume of digital records organizations now store and discusses challenges around file intake, release, destruction and establishing repositories for different file types. The document provides guidance on securely transferring files both in transit and to the cloud, including working with service providers and ensuring compliance with various data regulations.
2. What is Information Governance?
Rethinking how to manage, organize, and store files
Information Governance encompasses more than traditional
records management and focuses on minimizing risk and
maximizing value
It incorporates: information security and protection, compliance,
data governance, electronic discovery, risk management, privacy,
data storage and archiving, knowledge management, business
operations and management, audit, analytics, IT management,
master data management, enterprise architecture, business
intelligence, big data, data science, and finance
4. Then and Now:
Storing Paper vs. Digital Records
Physical Files                                | Digital Files
----------------------------------------------|-----------------------------------------------
Correspondence file (not in RMS)              | Folders in a mailbox
Correspondence file (in RMS)                  | Emails/documents in Document Management System
Folders in drawers/on shelves in an office    | Folders and files on the network drive
Files in a case room or records room          | Files on a client-matter drive
Files in a cabinet in the hall                | Files on others' drives
Files at the offsite storage vendor           | Files in the cloud
5. Volume of Digital Records
1 Terabyte =
86 million pages of Word Documents
60 piles of stacked paper as tall as
the Eiffel Tower
Around 600 Terabytes =
Around 20 million boxes
36,000 stacks of paper as tall as the Eiffel Tower
6. It’s all digital
“Of all the paper formally filed in a law firm, 57 percent is a
printout from the firm’s electronic file in the document
management system (DMS). And that bloated paper matter file
would grow another 39 percent if you gathered up all the other
DMS-printed paper that is scattered around the firm, on lawyers’
desks, in secretaries’ workstations, and in hallway boxes.”
Legal Management Magazine, “How to Solve the Paper Records
Workflow That’s Killing Your Firm” (April 2017)
8. File Intake, Release, and Destruction
How are you handling requests to receive, transfer, or delete electronic files?
File Intake
Does your organization have policies and procedures for receiving files from customers/clients?
How are you tracking files that your organization receives from customers/clients?
File Release
Do you have a process for determining what files you might provide to a customer/client?
How are you transferring files outside of your organization?
How are you protecting outbound email communications?
How do you determine which files you would disclose in response to a subpoena?
File Destruction
Who is deleting electronic files on your systems?
For deletions resulting from agreements with other parties:
Are you properly attesting that you purged files from systems? What about echo and cache files?
Carve out what you will not destroy upfront so you will not be obligated to do so later
9. Establishing Repositories Based on File Type
Sample Organizational Structure for Discussion Purposes
Determine which repositories your organization should use to store certain files, thus ensuring easy
preservation, destruction, or release when requests are submitted, including subpoenas
Document Management System (Move Toward Least Privilege Access)
Email only from an employee’s mailbox, and employee generated files
Not client or third party files or any email they provide for review
Email Accounts
An employee’s mailbox should only contain email that the employee sends and receives
Not email provided by a client or third party for review, or email pulled from another employee’s
mailbox
Network Volume (Move Toward Least Privilege Access)
Client and third party files
Not email from an employee’s mailbox, or employee generated work that should be in the document
management system
Network Drives
Temporary files that should be moved to the correct repository as soon as possible
Develop Standard Naming Conventions and Guidelines for each Electronic Repository
For example, filing guidelines and best practices for saving email to the document management system
Utilize improved electronic records management to decrease the amount of paper retained
11. General Ethical Rules
Is the information sensitive? How will you transfer the data? What security measures are
available for that method of transfer?
Assess the sensitivity of the information and whether to avoid the use of technology
Mergers and Acquisitions
Trade Secrets
Healthcare
Banking
Defense
In-House and Outside Counsel - Duty of Competence, Duty of Confidentiality, Duty of
Diligence, Reasonable Care Standard
If your organization is or works with a law firm, consider reviewing the rules set forth in the
American Bar Association Cloud Ethics Opinions
ABA Formal Opinion 477, Securing Communication of Protected Client Information (11 May 2017)
12. Guidance re: Cloud Computing
Does your organization have…
a cloud computing policy?
policies blocking access to personal email to limit data leakage
and ensure confidentiality?
policies blocking access to social media sites to limit data
leakage?
policies blocking downloads to removable media?
limits on where data can be processed and stored, which takes
risk into account?
a plan if your data is unavailable?
13. Cyber Liability Insurance
Cyber liability insurance has been around for about 20 years, although
many believe it is new
Organizations in certain industries should have cyber liability insurance,
especially if your business stores PII and/or sensitive data
Breaches have occurred in numerous industries (banking,
retail/department stores, film/entertainment, government, and more).
Even if your organization has cyber liability insurance, you still need to
be diligent and exercise care to mitigate and manage cyber risks
14. Guidance re: Encryption
Establish an encryption policy.
Establish an encryption exceptions process.
Carve out exceptions to the policy in advance.
Encourage other parties to send data to your organization in an
encrypted format.
Determine if you have obligations to handle others’ data in a
particular way.
Minimize Risk - maintain confidentiality, avoid loss of reputation,
comply with contractual terms in agreements.
15. How are vendors handling your files?
How long does your data remain on a vendor’s system?
Do you require vendors to return or destroy your data?
How do your vendors destroy/delete media or data?
Who else may have access to a vendor’s systems?
Do you store removable media at offsite storage facilities? Is that
media encrypted? Who holds the key?
If you provide data to another party or law firm, do you know where
that data and/or copies of that data might be stored?
16. Service Providers & Vendors – Access to Data
When you store, send, or receive content with certain service
providers or vendors, you may give them the right to use,
reproduce, modify, publish, or distribute your content.
What are you sharing and with whom?
18. Access and Transfer of Data
What jurisdictional restrictions or data transfer rules might apply
and what can you do to ensure compliance?
General Data Protection Regulation (GDPR)
International Traffic in Arms Regulations (ITAR)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Department of Justice (DOJ)
Blocking statutes
Where should data be stored?
Who can access the data?