Please enjoy this blog post authored by Megan Larkins, Information Security Consultant Manager, FRSecure. 

Description: Managing an Information Governance (IG) committee can be difficult enough, but the process is elevated to another level if you’re tasked with assembling one from the ground up. Member selection, building support across practice groups, keeping the group focused on the impact on the firm’s business, and finding educational materials for the committee consumable by members who may have no background in IG are only a few of the challenges faced by IG leaders. While we can’t provide all the answers, this blog post will attempt to provide some practical direction on the selection, scoping, and education of a nascent IG committee.

Building an Information Governance Committee from the Ground Up

Information Governance (IG) programs are increasingly recognized as a critical component of law firms’ ability to comply with a variety of external rules and regulations—including confidently complying with clients’ outside counsel guidelines (OCG). 

Forward-thinking law firms understand that IG ultimately plays a role in managing risk and can provide more efficient client services but assembling an IG committee requires ownership and accountability.

Unfortunately, gaining interest and participation can be particularly challenging. Many attorneys do not understand IG and have historically expected other staff within the firm to manage or handle it.  

So, where do we begin when establishing an IG program or committee knowing this? 

Practical direction in selection, scoping, and education are good places to start.

Practical Direction

Selection

Attorney leadership involvement is critical. Partnering with your firm’s GC or Of Counsel is where I’d begin. They can provide insight and support in committee member selection and assist in securing interest and participation.  

Scoping

Develop and provide an IG committee charter early. Establishing “the mission” and clearly defining roles and responsibilities is critical. While there are sample charters and resources available, it is imperative that you make the charter fits your firm’s culture. Utilize your GC to understand what components are the most critical—recognizing that the most successful law firms have strong cultures, but that no two are the same.       

Education

Providing educational resources early and with some regularity is vital to sustaining an IG committee. IG user groups are becoming more prevalent. ILTA even has an IG homepage and monthly meetings.  Designating a resource to attend user meetings and provide educational information to the IG committee provides continued engagement. 

Start a Subcommittee

Another building block to consider when assembling an IG committee is a working group or subcommittee to provide information and recommendations. A group in this role can be tasked with providing the necessary content to the IG committee as well as implementing and executing on decisions made at the committee level.

Key Elements to an IG Committee

The goal of an IG program is to manage information in a way that provides value to the firm while also complying with legal and ethical obligations. As you can imagine, this is not a problem that a technology director or even CIO can solve alone.

For this reason, it is essential to involve the right people with the right skill sets and authority in the design, implementation, and ongoing management of an IG program for it to be successufl. Having an effective IG program can help your firm convert the tidal wave of information processed by the firm into a hydroelectric force of knowledge—enabling your staff to efficiently and effectively receive, process, create, and protect information related to your clients’ matters.

With information being such a key element for law firms you would think that we would have mastered it. Still, though, many are struggling (and failing) to keep up. A lack of understanding of key principles and elements to these programs is often the cause.

Key elements of IG:

• Identification - What types of information do we have?
• Ownership - Who is responsible for the information?
• Custodian - Who cares for the information?
• Access - Who needs access to the information, and how will they access it?

Identification

Our founder, Evan Francen, has a common phrase:

 “You can’t manage/protect what you don’t know you have.”

The same rule applies for information and technology systems. Until you know the type, value, and sensitivity of the information managed by the firm, you will not be able to manage it effectively. This discussion starts with meeting with each department and partner of the firm to better understand the types of information they receive, process, and create.

Group the information according to its type, value, and sensitivity, and then work to assign an owner to each information group.

Owner vs. Custodian

To aid in those conversations, you’ll first need to make sure that everyone in the room understands their role and responsibilities for managing the information in question. If your firm tends to confuse the role of the paralegal/attorneys as the owner/decision-maker for the information versus IT’s role as custodian, the following definitions may help.

Information Owner 

• The person responsible for (or dependent upon) the business process associated with an information resource.   
• Is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.   
• Determines the appropriate value and classification of information generated by the owner or department. 
• Must communicate the information classification when the information is released outside of the department and/or company. 
• Controls access to their information and must be consulted when access is extended or modified. 
• Must communicate the information classification to the information custodian so that the information custodian may provide the appropriate levels of protection. 
• Must periodically review their information to ensure the proper classification is applied.   

Information Custodian 

• Maintains the protection of information according to the information classification associated to it by the information owner. 
• Delegated by the information owner and is usually Information Technology (IT) personnel.

If you’re still struggling with this conversation and identifying the appropriate owner for a particular set of information, here are some questions to ask your internal teams:

• Who uses the information?
• Who knows how the information should be used?
• Who knows how the information should be protected?
• Who understands the value of the information?
• Who can answer questions about whether the information should be retained or destroyed?

The person or group assigned to the responsibilities above is the owner of the information.

Access

Access is all about getting the needed information to the people who need it. These are the information “users.”

Information User 

• The person, organization, or entity that interacts with information for the purpose of performing an authorized task.   
• Have a responsibility to use information in a manner that is consistent with the purpose intended and in compliance with policy. 

When it comes to access, only the owner should answer questions about “who” needs and is allowed access to a particular information group. “How” it is accessed is another matter and should be a collaborative effort between the owner, custodian, and user.

The owner and custodian should collaborate to ensure the information is provided to users in a manner that aligns with the type, value, and sensitivity of the information. And the users should be involved in determining the methods that work best for them in efficiently and effectively accessing and working with the identified information group.

Putting IG to work

As technology professionals, you have a critical role to play as custodian of your firm’s information—which is quite literally the backbone of the firm. So, how do the principles outlined above apply to the work you do and the services you provide to the staff at your firm?

First and foremost, a clear understanding of key areas outlined below are critical to IG and what to address with your committee:

Retention

A formal retention policy is key in information governance. Retention is how long you keep data. 

Queuing this discussion up early will be important. What is the firm’s philosophy—keep everything or limit liability?

This is truly a foundational component of your overall IG and IG program, so determining retention is the first step. Once a retention policy is in place, you can tackle other questions relating to whether data is truly needed or necessary, if the data live where it should, and if are you accessing it as efficiently as you could. 

Some important categories:

• Backups: Modern backup platforms often provide best practices based upon storage parameters and can help dictate appropriate retention. Documenting the current backup retention is the first step. A firm’s ability or inability to respond to production requests is defended with a formally documented retention policy.
• Unstructured data: Provide examples of what this data is to help committee members understand what you are tackling. What could be discovered or produced?  
• Desktop/My Documents: More and more firms are applying retention to this area. Some have opted to migrate to cloud storage, which provides insight and the ability to apply retention more efficiently.
• Terminated account data: This is often forgotten or overlooked data and consequently can become problematic. If data is reviewed, refiled if necessary and/or destroyed in accordance with the retention policy, the firm can mitigate risk.  
• Email: While email is considered partially structured data, it does not provide efficient access to data. What are the firm’s expectations about proper filing of necessary email data?

Understanding how retention relates to these data categories is key to tackling policy.

Data Oversight Obligations

The ABA Formal Opinion 483 and the (more recent) Formal Opinion 493 are a few good resources in underscoring the need for information governance. Attorneys are being held to a higher standard in understanding, embracing, and overseeing data and information.

As you assemble your IG committee, here are some of the areas you will want to review and understand the impact IG can have on them:

• Ethics model rules: Attorneys are expected to be bound to and understand these rules and how they and their firms are expected to protect client confidential data.
• Ethical walls: Review and clear understanding of how this is achieved and or what rules are in place to govern.
• Litigation hold: Review internal rules and understand what is expected.
• Matter mobility and file transfers: Ability to transfer files and matters securely and efficiently.
• Privacy regulations: A firm must understand what data it has, where it lives, and have rules around the storage and handling to comply with many of the required privacy regulations.

Controls 

While technical controls, platforms, and technologies exist to help protect your firm’s data, the firm management and attorneys need to take ownership, be engaged, and provide parameters for their technical teams to carry out. 

Some good discussion topics to touch on and/or have information on when considering technical controls are:

• Removable media: What is the policy? Do you require encryption and/or disable users’ ability to use?
• Print at home: What is the policy? With so many people working from home over the last year, firms have either seen much more printing at home or much less. More at-home printing obviously introduces additional risk. Firms who have seen less are further along in the shifting mindset to “paper-less” work.
• Electronic Rights Management: As your committee begins to work through the process of setting policy, the introduction of technologies to assist in electronic rights management will gain traction.
• Data Loss Prevention (DLP): Depending upon your firm’s maturity level, it will be important to introduce and discuss DLP possibilities. Many firms are frequently asked in client security assessments or questions if they use DLP. If you have not been asked this in the past, you will be in the future. A practical approach may be to begin with DLP components of technology you already own.

Conclusion

Information Governance (IG) programs are increasingly recognized as a critical component of law firms’ ability to comply with a variety of external rules and regulations.

Ideally, information security policies exist in your organization and can help guide many of the above discussions.

Each firm has its own culture, and it is important to remember that your committee and program will look different from others.

Despite that, if you are tasked with building and assembling an IG Committee, you are not alone.

#InformationGovernanceorCompliance
#Security
#SecurityProfessionals
#Firm