Building Your Information Governance Framework

Transcription

1 Building Your Information Governance Framework Wisconsin Law & Technology Conference 2015 Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL

2 Learning Objectives What is Information Governance? Information Governance Organization Scope and Guiding Principles Steps in Implementing an IG Program Sample Initiatives Resources

3 Offices UNITED STATES BOSTON, MA CHICAGO, IL DETROIT, MI JACKSONVILLE, FL LOS ANGELES, CA MADISON, WI MIAMI, FL MILWAUKEE, WI NEW YORK, NY ORLANDO, FL SACRAMENTO, CA SAN DIEGO, CA SAN FRANCISCO, CA SILICON VALLEY, CA TALLAHASSEE, FL TAMPA, FL WASHINGTON, D.C. EUROPE BRUSSELS ASIA SHANGHAI TOKYO 900 Attorneys Practice Areas BUSINESS LAW IP Litigation Government 3

4 What is Information Governance? Definition: Enterprise-wide approach to the management and protection of a law firm s client and business information assets. An effective IG program: Enables lawyers to meet their professional responsibility regarding client information; Recognizes an expanding set of regulatory and privacy requirements that apply to firm and client information; Relies upon a culture of participation and collaboration within the entire firm. Firms are better able to mitigate risk, improve client service and reduce cost.

5 What is Information Governance?

6 Foley & Lardner LLP Initial IG Framework in 2010 Triggers: The financial downturn The need to move beyond physical recordkeeping Compliance requirements Client Security Requirements

7 What Is The IG Framework? 1. Leadership The foundation of the IG program It gives the IG team Structure A benchmark It gives the firm A platform for awareness and change 2. Buy-In 3. Team 4. Plans 5. Policies 6. Change Management 7. Continuous Improvement 7

8 1. The IG Framework Requires A Leader An information management professional Generally at the C- or Director- Level A member of management COO General Counsel Member of management committee A partner or senior staff leader appointed by management Influence Leadership Strategic Planning Analytics Subject Matter Project Management Change Management 8

9 2. The IG Framework Requires Buy-In The key to successful leadership is influence, not authority Kenneth Blanchard You may not have the authority to mandate IG in your firm, but you can influence leaders to adopt it You can influence other influencers I Understand the Benefits of IG I Influence You You Influence Management Management Supports IG We Can Build the Framework Also see the article: How to Influence When You Don t Have Authority Forbes, 1/3/

10 3. The IG Framework Requires A Team Structure Formal or informal Components Governance Operations Governance Engaged Leadership Or Advisory? Considerations Maturity of programs Stakeholders Operations Active Builder Or Leader and Builder? 10

11 Information Governance Structure Organizational unit that bridges the gap across information silos and systems throughout the firm. Brings constituents together: Technology Litigation Support Information Security Records Management Knowledge Management Information Governance Advisory Board Operational Leaders

12 The Foley IG Structure Reports to the COO and General Counsel Led by Director, IG (DIG) Dotted line to CIO Governance = IG Advisory Board Operations = RIM + Security CIO COO Security DIG RIM GC IGAB Local Records 12

13 Members of Foley IG Advisory Board Executive sponsors GC and COO Leader Director of IG Members CIO CAO, CHRO, CFO, CMO Deputy GC Privacy partner 13

14 4. The IG Framework Requires A Plan A plan is A benchmark A roadmap Planning requires Strategic and tactical skills Think big and long Think components and now Definition Of IG Vision, Mission, Values Strategies Initiatives Roadmap Charter 14

15 At Foley Vision Foley IG promotes a culture in which all Personnel: Value information as a critical asset of the Firm and its clients. Understand the risks, responsibilities and legal requirements related to law firm client and business information. Manage information in ways that protect our clients, our colleagues and the Firm. Mission Protecting Critical Client And Firm Information Assets Values Stewardship Compliance Access Security 15

16 The Roadmap Supports The Strategies And the Initiatives Priorities Which strategies are most important Which initiatives in the top strategies are most important Timelines Project phasing and timing Funding Budgeting Resources Skills and personnel needed 16

17 5. The IG Framework Requires Policies And Principles Policies Align with IG scope, vision, mission and values Document desired behaviors Provide guidance for the development of IG systems and programs Principles Guidelines that derive from the policies Make it easy for users to understand IG goals and objectives 17

18 Foley IG Policies RIM Policies Management of Records Retention Policies & Schedules Mobility Policies Document Holds and Destruction Obligation Governing Policies Policy on Information Governance Policy on Confidentiality Security Policies Acceptable Use Information Security Access, Use & Disclosure of PII and PHI Third Party Access Policies Responding to Third Party Information Security Requests 18

19 Driving Change - Understand Your Firm Is it a Top Down organization? Can you mandate change? Or, is it a Grass Roots organization? Do you have to slowly grow change? 19

20 Branding Communications are recognizable and consistent 20

21 6. The IG Framework Requires A Strategy For Continuous Improvement Scanning and awareness Measure results Add and improve 21

22 Scanning And Industry Awareness What s happening in your firm? Expansion Added practice areas What s happening in the industry? New requirements for lawyers? What s happening in society New norms (i.e., social networking)? New laws 22

23 Measure Audit for compliance Gather data, indicators, ROI to demonstrate the impact of IG Examples Lowered storage cost Quicker access Better security Quicker response to client security questionnaires Coordinated response to a potential breach More efficient lateral integration processes 23

24 Increasing Concern about Law Firm Information Security Clients Demand Law Firm Cyber Audits (ABA, 2013) Law Firms Face Pressure From Clients on Data Security (Legal Intelligencer, Mar 2014) Citigroup Report Chides Law Firms for Silence on Hackings (NY Times, Mar 2015) Law Firms are Pressed on Security for Data (NY Times, Mar 2014) Clients Eye Law Firms as Security Weak Link (Recorder Feb, 2015 Law Firms to Form Cybersecurity Alliance (Am. Lawyer Mar, 2015)

25 The Quote Everyone is Using Essentially, data thieves consider law firms the soft underbelly [emph. added] of [security] as they attempt to illegally obtain information. Sharon D. Nelson & John W. Simek, Your Law Firm Has Been Breached! Now What? LAW PRAC., Sept./Oct. 2012, at 22

26 And The FBI Says We have hundreds of law firms that we see increasingly being targeted by hackers, said Mary Galligan, special agent in charge of cyber and special operations. LegalTech News 2013

27 Terabytes of Electronic Information This Includes: >Millions of Records in the DMS (>25% Documents) (>75% ) But that s only what we know about

28 And We Have Specific Requirements to Protect It Confidentiality The core requirement for lawyers and law firm staff Privacy Personally Identifiable Information (PII) A variety of federal and state regulations that apply to all business that store PII Personal Health Information (PHI) HIPAA We are Business Associates and are fully subject to HIPAA requirements and penalties

29 Our Data?

30 What s Our Risk? What can go wrong? How can our clients be harmed? How can our employees be harmed? How can the Firm be harmed?

31 Real Risks and Challenges These Have Really Happened to Us Crypto Wall Virus Pay us $ or we won t decrypt your hard drive CEO spoof To: CFO From: CEO (lolarichards2000@yahoo.com) Re: Procedures to wire funds Departing attorney removes 1,000 s of documents from Firm systems Laptop left at the airport Unencrypted, no password and STILL RUNNING Records stolen from car Laptop, ipad, written records

32 Biggest Pressure is Coming From Clients Gramm-Leach-Bliley Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data Multiple Client Security Requests Banks and financial institutions Address perceived gaps We expect these from pharm and healthcare clients soon (i.e., HIPAA)

33 What Clients Are Demanding Risk Area Implement Cost Culture 2 factor authentication LOW LOW LOW External Media (USB, Flash Drive, HDD) LOW LOW MED Disaster Recovery MED MED HIGH Access to Webmail, Social Media, Cloud Storage LOW LOW HIGH Data Loss Prevention (DLP) MED HIGH HIGH BYOD Controls (Mobile Device Management) MED MED HIGH Appropriate Access to Information MED MED HIGH Information Classification HIGH MED HIGH

34 Things We Are Doing Trying to balance Assessing client demands Raising security awareness Cyber Insurance and ISO Certification Information Governance program Ease of Use Protection of Information Assets

35 Security Awareness Distributing alerts, articles, news Social engineering test We sent three phony s to about 1,800 users They looked legitimate Intent was to see how many people would click on a malicious link How many clicked? 10% of the targets (180 individuals)

36 Information Governance Program Seeks to treat client and firm information as a valuable business asset Compliance Training & Awareness Information Security Information Management

37 IG Strategies Security Information Management Compliance Awareness Data Loss Protection Mobile Device Mgmt Access Mgmt E-Records Dark Data Info. Storage Audit Continual Improvement Public Awareness Training Third Party Access Industry Scanning Vulnerability Monitoring

38 WIIFM? ( What s In It For Me? ) Client retention Competitive advantage We could lead Or at least we could keep pace Better access to information for matter teams Adherence to ethical and legal responsibilities

39 10 Guiding IG Principles 1. Manage confidential, sensitive or Personal Information as required by law, agreement or Firm Policy 2. Understand third party access requirements 3. Respond promptly to IG Compliance notices 4. File records regularly 5. Maintain the Firm s Official Records in electronic form, unless hard copy is required 6. Store Official Records in an approved records repository 7. Organize Official Records by correct client/matter number 8. Retain and destroy records as permitted by Firm Policy 9. Avoid making multiple copies of records 10. Don t handle file transfers (in or out) on your own

40 Questions?

41 Resources Iron Mountain - Storage/Iron-Mountain-Connect.aspx IGI Initative - AIIM ARMA - NIST -

42 Building Your IG Framework Law and Technology Conference 2015 Randy Oppenborn Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients 321 N. Clark Street, Suite 2800, Chicago, IL