©2015 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Wisconsin Law & Technology Conference 2015
Building Your Information Governance Framework
Learning Objectives
■ What is Information Governance?
■ Information Governance Organization
■ Scope and Guiding Principles
■ Steps in Implementing an IG Program
■ Sample Initiatives
Offices (900 Attorneys)
UNITED STATES: Boston, MA; Chicago, IL; Detroit, MI; Jacksonville, FL; Los Angeles, CA; Madison, WI; Miami, FL; Milwaukee, WI; New York, NY; Orlando, FL; Sacramento, CA; San Diego, CA; San Francisco, CA; Silicon Valley, CA; Tallahassee, FL; Tampa, FL; Washington, D.C.
EUROPE: Brussels
ASIA: Shanghai; Tokyo
Practice Areas: Business Law; IP; Litigation; Government
What is Information Governance?
Definition: Enterprise-wide approach to the management and protection of a law firm’s client and business information assets. An effective IG program:
• Enables lawyers to meet their professional responsibility regarding client information;
• Recognizes an expanding set of regulatory and privacy requirements that apply to firm and client information;
• Relies upon a culture of participation and collaboration within the entire firm.
Foley & Lardner LLP
■ Initial IG Framework in 2010
■ Triggers:
  − The financial downturn
  − The need to move beyond physical recordkeeping
  − Compliance requirements
What Is The IG Framework?
■ The foundation of the IG program
■ It gives the IG team
  − Structure
  − A benchmark
■ It gives the firm
  − A platform for awareness and change
Framework components: 1. Leadership; 2. Buy-In; 3. Team; 4. Plans; 5. Policies; 6. Change Management; 7. Continuous Improvement
1. The IG Framework Requires A Leader
■ An information management professional
  − Generally at the C- or Director-Level
■ A member of management
  − COO
  − General Counsel
  − Member of management committee
  − A partner or senior staff leader appointed by management
Figure labels: Influence; Leadership; Strategic Planning; Analytics; Subject Matter; Project Management
2. The IG Framework Requires Buy-In
“The key to successful leadership is influence, not authority” – Kenneth Blanchard
■ You may not have the authority to mandate IG in your firm, but you can influence leaders to adopt it
  − You can influence other influencers
Figure: I Understand the Benefits of IG → I Influence You → You Influence Management → Management Supports IG → We Can Build the Framework
Also see the article: “How to Influence When You Don’t Have Authority,” Forbes, 1/3/2011.
3. The IG Framework Requires A Team
■ Structure
  − Formal or informal
■ Components
  − Governance
  − Operations
■ Considerations
  − Maturity of programs
  − Stakeholders
Figure: Governance: Engaged Leadership Or Advisory? Operations: Active Builder Or Leader and Builder?
Information Governance Structure
Organizational unit that bridges the gap across information silos and systems throughout the firm. Brings constituents together:
Technology; Litigation Support; Information Security; Records Management; Knowledge Management; Information Governance Advisory Board
The Foley IG Structure
■ Reports to the COO and General Counsel
■ Led by Director, IG (DIG)
  − Dotted line to CIO
■ Governance = IG Advisory Board
■ Operations = RIM + Security
Org chart labels: COO; CIO; GC; DIG; IGAB; RIM; Local Records; Security
Members of Foley IG Advisory Board
■ Executive sponsors
  − GC and COO
■ Leader
  − Director of IG
■ Members
  − CIO
  − CAO, CHRO, CFO, CMO
  − Deputy GC
  − Privacy partner
4. The IG Framework Requires A Plan
■ A plan is
  − A benchmark
  − A roadmap
■ Planning requires
  − Strategic and tactical skills
  − Think “big” and “long”
  − Think “components” and “now”
Figure: Definition Of IG; Vision, Mission, Values; Strategies; Initiatives; Roadmap
At Foley
Vision
Foley IG promotes a culture in which all Personnel:
• Value information as a critical asset of the Firm and its clients.
• Understand the risks, responsibilities and legal requirements related to law firm client and business information.
• Manage information in ways that protect our clients, our colleagues and the Firm.
Mission
Protecting Critical Client And Firm Information Assets
Values
• Stewardship
• Compliance
• Access
• Security
The Roadmap Supports The Strategies And the Initiatives
■ Priorities
  − Which strategies are most important
  − Which initiatives in the top strategies are most important
■ Timelines
  − Project phasing and timing
■ Funding
  − Budgeting
■ Resources
5. The IG Framework Requires Policies And Principles
■ Policies
  − Align with IG scope, vision, mission and values
  − Document desired behaviors
  − Provide guidance for the development of IG systems and programs
■ Principles
  − Guidelines that derive from the policies
  − Make it easy for users to understand IG goals and objectives
Foley IG Policies
■ RIM Policies
  − Management of Records
  − Retention Policies & Schedules
  − Mobility Policies
  − Document Holds and Destruction Obligation
■ Security Policies
  − Acceptable Use
  − Information Security
  − Access, Use & Disclosure of PII and PHI
  − Third Party Access Policies
  − Responding to Third Party Information
■ Governing Policies
  − Policy on Information Governance
  − Policy on Confidentiality
Driving Change - Understand Your Firm
■ Is it a “Top Down” organization?
  − Can you mandate change?
■ Or, is it a “Grass Roots” organization?
  − Do you have to slowly “grow” change?
Branding
■ Communications are recognizable and consistent
6. The IG Framework Requires A Strategy For Continuous Improvement
■ Scanning and awareness
■ Measure results
■ Add and improve
Scanning And Industry Awareness
■ What’s happening in your firm?
  − Expansion
  − Added practice areas
■ What’s happening in the industry?
  − New requirements for lawyers?
■ What’s happening in society?
  − New norms (e.g., social networking)?
Measure
■ Audit for compliance
■ Gather data, indicators, ROI to demonstrate the impact of IG
  − Examples
    Lowered storage cost
    Quicker access
    Better security
    Quicker response to client security questionnaires
    Coordinated response to a potential breach
    More efficient lateral integration processes
Increasing Concern about Law Firm Information Security
“Clients Demand Law Firm Cyber Audits” (ABA, 2013)
“Law Firms are Pressed on Security for Data” (NY Times, Mar 2014)
“Law Firms Face Pressure From Clients on Data Security” (Legal Intelligencer, Mar 2014)
“Clients Eye Law Firms as Security Weak Link” (Recorder, Feb 2015)
“Citigroup Report Chides Law Firms for
“Law Firms to Form Cybersecurity Alliance” (Am. Lawyer
The Quote Everyone is Using…
■ “Essentially, data thieves consider law firms the ‘soft underbelly’ [emph. added] of [security] …as they attempt to illegally obtain information.”
  − Sharon D. Nelson & John W. Simek, Your Law Firm Has Been
And The FBI Says…
■ “‘We have hundreds of law firms that we see increasingly being targeted by hackers,’ said Mary Galligan, special agent in charge of cyber and special operations.”
Terabytes of Electronic Information
>Millions of Records in the DMS (>25% Documents) (>75% Email)
This Includes:
And We Have Specific Requirements to Protect It
■ Confidentiality
  − The core requirement for lawyers and law firm staff
■ Privacy
  − Personally Identifiable Information (PII)
    A variety of federal and state regulations that apply to all businesses that store PII
  − Personal Health Information (PHI)
    HIPAA
Our Data? What’s Our Risk?
■ What can go wrong?
■ How can our clients be harmed?
■ How can our employees be harmed?
■ How can the Firm be harmed?
Real Risks and Challenges
These Have Really Happened to Us
■ CryptoWall Virus
  − Pay us $____ or we won’t decrypt your hard drive
■ CEO spoof
  − To: CFO
  − From: CEO ([email protected])
  − Re: Procedures to wire funds
■ Departing attorney removes 1,000’s of documents from Firm systems
■ Laptop left at the airport
  − Unencrypted, no password and STILL RUNNING
■ Records stolen from car
Biggest Pressure is Coming From Clients
■ Gramm-Leach-Bliley
  − Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data
■ Multiple Client Security Requests
  − Banks and financial institutions
  − Address perceived gaps
  − We expect these from pharm and healthcare clients soon (e.g., HIPAA)
Risk Area                                       Implement  Cost  Culture
2 factor authentication                         LOW        LOW   LOW
External Media (USB, Flash Drive, HDD)          LOW        LOW   MED
Disaster Recovery                               MED        MED   HIGH
Access to Webmail, Social Media, Cloud Storage  LOW        LOW   HIGH
Data Loss Prevention (DLP)                      MED        HIGH  HIGH
BYOD Controls (Mobile Device Management)        MED        MED   HIGH
Appropriate Access to Information               MED        MED   HIGH
Information Classification                      HIGH       MED   HIGH
Things We Are Doing
■ Trying to balance
■ Assessing client demands
■ Raising security awareness
■ Cyber Insurance and ISO Certification
■ Information Governance program
Figure: Protection of Information Assets
Security Awareness
■ Distributing alerts, articles, news
■ Social engineering test
  − We sent three phony emails to about 1,800 users
  − They looked legitimate
  − Intent was to see how many people would click on a malicious link
  − How many clicked?
Information Governance Program
■ Seeks to treat client and firm information as a valuable business asset
Figure: Compliance; Information; Training & Awareness
IG Strategies
Security: Data Loss Protection; Mobile Device Mgmt; Access Mgmt; Third Party Access; Vulnerability Monitoring
Information Management: E-Records; Dark Data; Info. Storage
Compliance: Audit; Continual Improvement; Industry Scanning
Awareness: Public Awareness; Training
WIIFM? (“What’s In It For Me?”)
■ Client retention
■ Competitive advantage
  − We could lead
  − Or at least we could keep pace
■ Better access to information for matter teams
10 Guiding IG Principles
1. Manage confidential, sensitive or Personal Information as required by law, agreement or Firm Policy
2. Understand third party access requirements
3. Respond promptly to IG Compliance notices
4. File email records regularly
5. Maintain the Firm’s Official Records in electronic form, unless hard copy is required
6. Store Official Records in an approved records repository
7. Organize Official Records by correct client/matter number
8. Retain and destroy records as permitted by Firm Policy
9. Avoid making multiple copies of records
10. Don’t handle file transfers (in or out) on your own