IT Roles in Loss Prevention
Presented by: Ann Ostrander, Director of Loss Prevention, Kirkland & Ellis LLP
What is Loss Prevention (Risk Management)?
- Mitigate risk
- Protect the Firm's assets
- Departments can include:
  - Records Management
  - Conflicts
  - Docket
  - Audit Letters
  - ARDC Registration
  - IRS Reporting for Corporate Transactions
  - Coordination of Lobbying Activity Reporting
What does this have to do with IT?
- We are protecting the "I" (information) in IT
- The "I" is a primary Firm asset
- Improperly managing the "I" can create risk events
- IT is often the control point for the "I"
Types of Risk
- Wrongdoing (deliberate negligence)
- Mistakes
- Bad policies
- Bad procedures
- Lack of knowledge
- Mismanagement
- Risk against the lawyer's duty to protect clients' confidential information
Areas of IT Strategy
- Infrastructure/Networking
- Help Desk/User Support
- Desktop Applications
- Enterprise Applications
- Litigation Support
- Development
Strategy
- Risk must be assessed at every level of the overall strategic technology plan:
  - How is information captured/created/received?
  - How is it accessed, and by whom?
  - How is information used and transmitted?
  - How is information disposed of?
  - How will systems integrate to reduce proliferation?
- Classification, retention and access
Risk vs. Impact (or Firm vs. User)
[Chart: vertical axis from High Risk to Low Risk, labelled Firm; horizontal axis from Negative Business Impact to Positive Business Impact, labelled User]
Infrastructure/Networking/IT Security
- Data protection and security
- Decommissioning servers, laptops, desktops
- Backup tapes
- Disaster Recovery
- Removable media
- Password change frequency
- Encryption
- Website traffic
Help Desk/User Support
- The belly of the beast
- Access to information
- Activity of information:
  - Adding
  - Deleting
  - Printing
  - Copying/Transferring
- Often the warning system for risk events:
  - Business risk events
  - Records risk events
- Using controls to manage the risk
Information Management Lifecycle (source: KPMG)
- Phase 1 Generation: Ownership, Classification, Governance
- Phase 2 Storage: Access Control, Structured v. Unstructured, Integrity/Confidentiality, Availability
- Phase 3 Use: Internal v. External, Third Party, Appropriateness
- Phase 4 Transmission: Public v. Private Networks, Encryption Requirements, Access Control
- Phase 5 Archival: Legal & Compliance, Offsite Considerations, Media Concerns
- Phase 6 Destruction: Secure Destruction, Record Retention
- Phase 7 Compliance: Compliance & Audit, Monitoring, Process & Controls
Desktop Applications
- Lifecycle of information:
  - Capture/Create/Receive
  - Use/Circulation/Transmission
  - Short-term storage
  - Long-term storage
  - Disposition
- Locking down the desktop
- Applying ethical walls and protecting confidentiality
Enterprise Applications
- Determine personal control vs. Firm control
- Establish matter information owners
- Establish proper access controls
- Establish consistent, repeatable procedures for incoming/departing personnel and for transferring information to the client
- Two biggies:
  - Email (automatic addresses, reply all, metadata, spam, retention periods)
  - DMS (classification, retention, access)
Litigation Support
- Are you using internal staff to handle Firm discovery requests?
- The devil is in the details
- Consider outsourcing internal discovery
- Consider conflicts checks on litigation support staff
Development
- Don't develop in a vacuum; it requires a coordinated effort to reduce proliferation of information
- Consider:
  - Lifecycle
  - Access
  - Classification
  - Preservation
  - Retention/Destruction
  - Back-up
Key Issues
- Classification (structured vs. unstructured data)
- Retention, Preservation, Destruction (develop an exit strategy: how will you preserve, how will you securely destroy)
- Security, Protection, Access (ethical walls, confidential matters)
What if I don't have a Loss Prevention Department?
- General Counsel
- Litigation Partner
- Records Manager
- Malpractice insurance carrier
- ABA Model Rules of Professional Conduct
- Ethics Opinions
- BNA Lawyers' Manual on Professional Conduct
Great resources
- Information Nation: Seven Keys to Information Management (author Randolph Kahn, Esq.)
- www.aiim.org
- www.arma.org

Thank you!