All told, 15 per cent of U.S. law firms experienced a security breach in 2012, either through hackers, a break-in, a web site exploit, or a lost or stolen computer or smartphone, according to the 2013 American Bar Association “Legal Technology Survey Report.” In Canada it’s likely more of the same. Thousands of attempts to breach Ontario law firm systems were likely attempted last year, and most probably succeeded. “But we will likely never hear about them because firms that experience breaches usually try to keep their names out of the news,” points out Dan Pinnington, vice president of claims prevention and stakeholder relations at LawPRO.
Almost overnight, cyber security has gone from a niche information technology issue to an explosive consumer issue to a top-of-mind business concern that is increasingly becoming a boardroom priority. None of which is surprising.
Information is the lifeblood of modern business, and data is its new currency. Indeed, a report by the World Economic Forum goes further and describes data as a new asset class and personal data as “the new oil.” “It’s an asset that has value and therefore it needs to be governed in the same way that we look at our assets like our people, our equipment, and our money,” says Martin Felsky, the national e-discovery counsel at Borden Ladner Gervais LLP in Toronto. But the mounting spate of high-profile data security breaches, along with rampant identity theft and a general lack of transparency in how personal data is monetized, is threatening to undermine the digital economy, notes the World Economic Forum.
Information security and risk management, however, are complicated by the staggering amount of data generated by the average business today. Indeed, the digital universe is doubling in size every two years, according to global market intelligence firm International Data Corp. What’s more, 90 per cent of the data in the world today was created in the last two years alone, and it has been estimated that more information is being generated now every two days than was from the dawn of civilization until 2003.
With law firms, it’s even more problematic because they have to deal with their own business information and clients’ information, which is of course subject to confidentiality and solicitor-client privilege provisions. “There is no doubt that law firms are huge repositories of information,” says Barry Sookman, a senior partner and former chairman of the technology law group at McCarthy Tétrault LLP in Toronto. “Depending on the areas of practice, they are collecting information, they are generating information, they are storing information. So in a sense information is our critical resource, and it necessarily has to be managed.”
Thanks to the alarming surge of breaches and the inconceivable reams of data, clients are increasingly putting pressure — and in many cases, such as with financial institutions, demanding — higher standards on how outside counsel secure their data and manage access to it. A growing number of law firms determined to keep pace with the new challenges created by mounting security requirements and the data deluge are tackling the issues through a different prism, and turning their attention towards becoming shepherds of all the information in their hands by embracing a relatively new approach — information governance.
Until recently information governance was only dealt with within narrow technical circles, but the enterprise-wide approach to the management and protection of a law firm’s client and business information assets has gained increasing attention, especially over the past year. It is a business process that covers the management of all facets of information during its lifecycle, from its creation, use, processing, protection, management, all the way to its disposition.
Information governance is much more than electronic records management on steroids. It encompasses data security, electronic discovery requirements, storage optimization, and privacy — and tries to foster efficient and appropriate data management that enables defensible disposal by effectively aligning information value to information cost. “Information governance basically describes how organizations can better manage their information, their data, their knowledge, all of the things that in the world today are really how we work in the business world,” says Kathryn Manning, legal counsel at Wortzmans, a Toronto law firm that provides legal advice regarding e-discovery, litigation readiness, information governance, and privacy law.
Proponents maintain it can mitigate law firms’ risk of security breaches, add efficiencies to search and retrieval processes, and lead to operational efficiencies through cost savings in areas ranging from discovery to litigation to human resources. “Absolutely no question data security and privacy compliance and litigation readiness are all improved as you improve information governance because the specialists who concern themselves with information are all assessing what information you have, where and how it is kept, who has access to it, and how are you going to try and protect it, and ensure that you have continuity for disaster recovery,” asserts Kelly Friedman, a partner with Davis LLP who has an expertise in electronic information issues.
Many law offices typically maintain a number of departments, such as information technology, data security, records and management (RMI), and privacy, all of which play a role in managing the organization’s information. But the siloed approach is inefficient and fraught with limitations. Often, each department has its own policies and procedures, disparate data systems and applications, and even its own vocabulary even though they may share the same words. It’s far from unusual to end up with cases where the IT department puts its foot down and establishes e-mail account volume limits to relieve stress on the organization’s e-mail system only for personnel to move e-mail to local drives and devices, which in turn can increase data security exposure and make it difficult to find and preserve e-mails for litigation. Or the organization allows the use of laptops and smartphones under a bring-your-own-device program to increase convenience and efficiency, without establishing clear parameters — a situation that again can lead to the same headaches in addition to making it more challenging to apply records retention policies. “What I hear when I have gone into law firms is different people do things in different ways so it’s tough on the staff because one department stores their documents one way, and a different department in a different way,” says Susan Nickle, general counsel at London Health Sciences Centre and former partner at Wortzmans.
What’s more, those within particular silos are constrained by the culture, knowledge, and short-term goals of their business unit, administrative function, or discipline, notes a report by The Sedona Conference Working Group on information governance. Under the siloed approach, there is an absence of overall governance or co-ordination for managing information as an asset, and no road map for the current and future use of information technology, adds the Sedona report. “We started down the road of electronic files kind of almost an ad hoc basis, without any planning and without thinking about the future and without thinking about the importance that these systems would eventually have,” says Felsky, whose practice is dedicated to information governance. “We have completely moved away from our traditional records management processes and we have been in a new world for some time, and it’s a world of chaos.”
Information governance sets out to put some order to the disarray. It emphasizes a culture of collaboration between different departments of information-focused disciplines to make co-ordinated decisions about governing information for the benefit of the overall organization as opposed to a particular department or discipline. “You need all of these people — IT, RMI, security, and privacy — at the table to make decisions that align everyone’s interests and everyone’s own agenda to be able to achieve anything,” says Dominic Jaar, national practice leader of information management services with KPMG LLP (Canada).
Senior leadership and oversight is key, otherwise the whole exercise is bound to fail. Senior management not only has to endorse the importance of information governance to the entire organization, it has to adopt the strategic objectives of the program, provide appropriate resources, and establish accountability for meeting program expectations and for establishing the organization’s strategic objectives for information governance. “Senior management really do have to believe in what will be done, why it will be done, and how it will be done,” says Sheila Taylor, CEO of Ergo Information Management Consulting. “Sometimes management is not as enlightened as they ideally should be or they view this as something that just employees have to do. They all have to buy in, otherwise why would the average employee pay attention to it.”
The path to information governance is laden with even more awkward and complex challenges for law firms. To begin with, the legal profession is still paper-intensive, due in large part to court systems’ reliance on paper. “Some businesses can say we’re going to go all digital, and law firms might wish to do that and should in terms of information governance and make the transition by saying that the electronic record is going to be the official record and the paper secondary but it’s hard for law firms to do that because the paper in many cases is the primary record and continues to be as you go to court,” says Felsky. Some judges are not happy with the situation. This September, in DBDC Spadina Ltd. v. Walton, Ontario Superior Court Justice David M. Brown criticized the requirement that parties file paper copies of materials in court as an “unnecessary cost,” and chastised the Ontario Court for the “failure of this Court to move into the digital age” and “the continued insistence that litigants deal with this Court through the dated and expensive medium of paper.”
Many times, though, the problem lies within law firms themselves. When technologically savvy law firms want to forge ahead and do an entire case electronically, they are often stymied because opposing counsel may not be set up to receive documents electronically or may feel that they are not sophisticated enough to entirely manage the case that way.
More fundamentally, the nature of data still befuddles many law firms. Gone are the days when lawyers largely relied on manila folders and file cabinets to store documents, and protected sensitive information with a simple lock and a key, all of which was anchored by records management. Digital is an altogether different beast: it is interactive, programmable, and machine-readable only. Its sources are wide-ranging, and include electronic documents, social media, videos, voice mail, web sites, and the Internet. And in this era of BYOD, the number of sources continue to proliferate and can now include cellphones, smartphones, laptops, and tablets. The principles then behind records management, which are paper-based, simply cannot be applied to digital. Yet there are still many organizations that boast of having very well-defined paper-based records management rules but do not have any rules that apply to their electronic records, says Felsky. That can lead to dire consequences, and transform what ought to be an asset into a liability. It can lead to the “very serious practical problem” of being unable to find records, or keeping records forever instead of destroying them when they should be destroyed, or destroying records when they should be kept, or mingling records that should be segregated, or segregating records that should be mingled.
Keeping too much information, as far too many law firms do, can be decidedly impractical, expensive, and potentially embarrassing if there is information that can be harmful to a case. “It is a liability if it is not governed, if it’s not managed, and if it’s not recognized as an asset and treated as such,” says Felsky.
Legal observers are nevertheless convinced that law firms — large, small, and solo practitioners — are at the very least starting to pay closer attention to information governance. Ironically, more and more law firms are advising clients over the merits of information governance. “Litigators within firms are very well versed with what can happen when client’s records are a big mess,” says Manning. “Whether or not that translates into law firms themselves having their records in good order is probably hit and miss.” Some law firms, especially the bigger ones, no longer seem to have a choice. Requests for proposals that firms rely on for getting new work are taking into consideration whether law firms have in place information governance methodologies.
Clients, like banks, that anticipate they will be handing especially sensitive information to law firms “want a higher degree of assurance that it will be handled the right way” and are coming to the lawyer relationship with their own set of terms around privacy, encryption standards, and technical safeguards, says a lawyer familiar with the information governance scene. “Increasingly, a law firm’s information management and governance obligations are based on demands passed down by clients,” says Sookman. “Clients now are becoming much more focused on ensuring that lawyers themselves live up to certain standards.” Friedman put it even more bluntly: “Law firms have got to act first, or they are going to lose business as corporations get more sophisticated in what they need to protect their own customer data and proprietary information.”
It remains clear though that some firms and partners are resisting, some because they are set in their ways and refuse to let go of paper while others simply do not want to invest the time, energy, and resources needed to implement information governance. “It really depends on the firm’s culture, the practice area, and how technologically savvy the lawyers themselves are,” says Nickle. “But that is a big challenge to a firm when some want to and others don’t because it makes it very difficult to develop consistent policies across the firm.”
There is no doubt, however, that growing numbers of law firms have taken the plunge but few boast about it, if only because it is largely perceived to provide a competitive edge over its rivals. But because of cultural, financial, and technological impediments, the information governance programs in place at some law firms are not nearly as effective as they should be, says Jaar. He maintains there are “so many lawyers” who refuse to pool their know-how in a document or knowledge management system and have no interest in pooling their contacts in a contact relationships management system because they feel it is their expertise and their clients.
These law firms have “real good technology that they could leverage a lot more,” says Jaar. “So the IT investment has been made but the culture change has not yet happened, and the processes do not support a full information governance program. So it’s been fairly tough for them to move to an information-driven or data-driven organization.”
The other culprit is the billable-hour model. A number of lawyers are reluctant to use technology to its full extent because it takes time to learn, and time spent absorbing the ins-and-outs of technology are not billable, which in turn means lower productivity and lower revenues. “That prevents law firms from truly engaging in information governance projects,” adds Jaar.
He also holds that some law firms that have invested in the technology to support information governance fail to take into consideration that an effective information governance program requires an investment in setting up a structure and education and training. Technology represents about one-third of any investment in information governance, another third needs to be allocated to developing the governance to put in place policies and procedures, and the remaining third should go to changing the culture inside the firm through a communications strategy, and education and training. “Often, they are under the impression that if we buy this piece of software, we’re done when, in fact, it’s far from true,” says Jaar.
Yet through it all Jaar is optimistic that law firms will eventually embrace information governance. He shares the view espoused by others that information governance must be embedded into the firm’s business. Or, as Taylor puts it, “We are going to continue to see it on the radar screen, and eventually having good control of your information will become sort of one of the givens of an organization just like the way organizations manage its finances, its human resources, and its capital assets.”
There is no doubt technology has increased ease and efficiency. But it has also created new challenges, and many law firms are struggling to keep pace with the deluge of electronically stored information they have to deal with.
Information governance can help. Strategic co-ordination between various departments — information technology, records and information management, security, and privacy — is critical.
This is, of course, easier said than done. “You are asking, in many cases, employees to think about information in a way that they have never done,” points out Sheila Taylor, CEO of Ergo Information Management Consulting.
Here are some pointers from experts:
Senior management buy-in and oversight is essential
They should endorse and support information governance initiatives. Many organizations have established an advisory board, composed of key stakeholders of information, to guide and build governance policies and processes.
Build a business case
Information governance requires commitment and resources. A cost-benefits analysis can go a long way to convince naysayers. “What matters to partners is ease of access and costs,” notes Kathryn Manning of Wortzmans. “If you can show through the cost-benefit analysis that they are going to be a more profitable partnership, they are going to want to do it.”
Identify gaps in current practices
Assess risks to the organization, based on the biggest gaps. Determine whether additional information and analysis is necessary. Develop priorities and assign accountability for further development of the program. Ideally, establish a baseline to understand where you are now so you can figure out if you achieve any benefits by implementing the policy. “A lot of organizations have established a policy, have these lofty goals but really don’t know if they have achieved it because they never established their baseline, and checked to see whether that baseline is improving or not,” says Taylor
Management/information governance advisory board must consult
Find out from employees who work in IT, records and information management, security, and privacy what they want to see improved. Often what employees want to improve is not necessarily what management had in mind. Use a sounding board when drafting policies, processes, and procedures. Ask them whether it makes sense, if it’s practical, and if it’s workable. “Find out how they are working now, and find the way that will sort of compliment all of the different areas to the greatest extent possible,” advises Susan Nickle, general counsel at London Health Sciences Centre. “If you have a handle on how people are doing things now, the less you have to change the way they are working, the more likely the new system will be adopted.”
A pilot project is a good idea, ideally with a group that would like to be part of the exercise. A pilot project gives you an opportunity to find out what works and what doesn’t so you can make improvements before you start rolling it out across the organization, and “hopefully save any embarrassment that otherwise might have occurred,” says Taylor.
Implementing information governance requires time, effort, and resources. Expect roadblocks at the implementation stage because “that’s where you start asking them to make changes in their behavior,” says Manning. Depending on the size and needs of an organization, it can take anywhere from four to six months from start to finish.
Don’t skimp on education and training
“Law firms often under evaluate the change management resources they need to put in place to train people,” says Dominic Jaar of KPMG LLP (Canada). “Develop a communications strategy and systematically remind people and support people through that change.” Tailor training to the audience. Publish “Top 10” guidelines on information governance policy via cheat sheets, employee newsletter articles, and posters. Configure systems with information guidance alerts.
Monitor and audit
Firms should monitor and evaluate key information governance processes on a regular basis to ensure the organization meets the goals of the program. “When all of those areas of specialty work together you can have a system,” says Kelly Friedman of Davis LLP. “It won’t be 100-per-cent safe because you can never eliminate risk. But you will make everything easier — privacy compliance, e-discovery, finding things when you need them — because you have practices in place that are co-ordinated.”
Law firms have often been described as the “soft underbelly” of cyber security or the “path of least resistance to steal sensitive client information,” as one Canadian forensic expert put it. Down south, the U.S. Federal Bureau of Investigation went so far as to warn law firms that they are not doing enough to guard against cybercrime.
Here, the situation is more of the same. “A lot of people in the legal community are coming around to cyber risk but there definitely needs to be increased awareness regarding cyber threats that law offices face,” says Kevvie Fowler, a partner with KPMG LLP (Canada) and one of Canada’s leading forensic experts.
Data breaches have become expensive. American companies hit by data breaches spent an average of $5.5 million last year to cope with the after-effects, up nine per cent from the year before, according to a study published by Ponemon Institute, a U.S.-based research centre dedicated to privacy, data protection, and information security policy.
On average, it cost $201 per record lost, up from $188 the year before, mainly because “the loss of customers following the data breach due to additional expenses required to preserve the organization’s brand and reputation,” according to the “2014 Cost of Data Breach Study: United States.”
Keeping data safe is increasingly becoming an ongoing business priority for law firms. Data security is a combination of four elements: people, policies, practices, and technology, points out Kelly Friedman, an expert in electronic information issues with Davis LLP. Here are some tips from the experts.
• It’s a management issue, not just an IT issue. Technology is important: A good anti-virus software program is a must as is continuously updating software programs and having technological mechanisms to monitor and detect unusual network behaviour.
But management have to be on top of things. “This has to come from the top-level of the organization,” says Fowler. “Ultimately, they are accountable.”
Indeed, executives are now beginning to pay the price for data breaches. Take Gregg Steinhafel. Earlier this year, Target’s CEO resigned after the widespread data breach that saw hackers steal personal data and credit card information from millions of customers.
• Create a culture of security. Astonishingly, passwords written on sticky notes posted by the computer are all over law firms. That’s why awareness and training are key.
“Make sure that everyone understands that what we do at a law firm is confidential in the same way we train people not to talk in elevators about clients matters,” says Ryan Black, IT co-chairman at McMillan LLP.
• Establish a good security team. It is misguided to believe the IT department can deal with security issues all on its own.
“It’s simply not fair to them because that was not what they were trained to do or hired to do,” notes Friedman. Consider hiring security professionals.
• Conduct a security assessment. In order to protect sensitive data, you need to have an understanding of what is considered to be sensitive data and where it resides. What’s more, a growing number of clients are demanding that law firms be up to snuff in terms of security.
“Clients are asking us to commit to certain things when we submit a proposal to work for them or when they retain us as clients,” says Black.
• Implement solid security policies. Finding the balance between ease of use and security is a struggle and can be daunting. There are many industry, national, and international IT security standards that have been developed to give guidance on information systems management and security. The Payment Card Industry Data Security Standard is worth considering, as is the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC).
• Test, test, and test. The technological landscape is continuously in a state of flux. Test policies and procedures. If a solid culture of security has been implemented, then “as the new technologies arise, you can quickly adapt to it,” says Black.