information governance

A metal cattle brand with the word brand as the marking areaThe “business case” for information governance often focuses solely on quantifying specific costs for data management and exposures for data security and ediscovery.  Number crunching is of course important, but it misses something bigger, more strategic, and ultimately more crucial to the organization – its brand.  Companies, regardless of industry, are fundamentally in the information business.  It follows that how an organization manages its information assets reveals how the organization manages itself.  And that matters, a lot, because companies that align themselves with their brand, achieving brand discipline, are more successful.

In their seminal 1993 Harvard Business Review article, Customer Intimacy and Other Value Disciplines, Michael Treacy and Fred Wiersema made the case for how highly successful companies (1) understand and redefine value for their customers, (2) build “powerful, cohesive business systems” to deliver more of that value than their competitors, and (3) raise their customers’ expectations beyond what the competition can deliver.  The most successful companies do this work within at least one of three disciplines: operational excellence, product leadership, or customer intimacy.

Treacy and Wiersema based their insights on an intensive study of 40 companies that achieved breakout success in their markets.  They followed the article with their quintessential business strategy book The Discipline of Market Leaders.  Twenty years later, this book is likely still on your CEO’s bookshelf.

What’s the point for information governance?  It’s this – a successful company brand cannot be lipstick on a pig.  It must be organic, a discipline that pervades the organization from the bottom to the top, inward and outward, in its core processes, business structure, management systems, and culture.  And how your organization manages information value, cost, compliance, and risk is no exception.  Simply put, stronger information governance yields a stronger brand for your business.  And this is true for each of the three disciplines of highly successful companies: Continue Reading Why govern our information? Reason #8: It can build – or bust – your brand

One Bullet in Gun BarrelHaving too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses.  Keeping data without a legal or business reason also exacerbates data security exposures.  To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.

Surprisingly few U.S. data security laws and standards expressly require that protected data be compliantly disposed of once legal and business-driven retention periods expire.   PCI DSS v3.2.1, Requirement 3.1, provides “[k]eep cardholder data storage to a minimum by implementing data retention and disposal policies ….”  HIPAA regulations  mandate that business associate agreements require service providers, upon contract termination, to return or destroy all PHI received or created on the covered entity’s behalf, if feasible.  Alabama and Colorado require that records containing state-level PII be disposed of when such records are no longer needed.  And biometric data privacy laws in Illinois, Texas, and Washington generally require that biometric data be disposed of once it has served its authorized purpose.

Instead, most such laws and standards focus on securely sanitizing or destroying storage media.  For example, the NIST Cybersecurity Framework v. 1.1 includes as a security control (PR.IP-6) that “[d]ata is destroyed according to policy,” and ISO 27002 (§ 8.3.2) provides that “[m]edia should be disposed of securely when no longer required, using formal procedures.”

But data security is not achieved by simply running through a checklist of explicit compliance requirements – it instead requires assessing risks and establishing effective security controls.  And one of the most powerful security controls is to not keep too much data, for too long. Continue Reading Why govern our information? Reason #9: Unnecessary business data multiplies data security exposures

Hands pointing towards businessman holding head in hands Being a CISO is a tough gig.  The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small.  But the perception still lingers that the Chief Information Security Officer (or her InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response.  For some CISOs, it may feel like High Noon, all over again.

This is unfair to the CISO, and wrong on at least two counts.  First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control.  Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority. Continue Reading Why govern our information? Reason #10: It’s a when, not if, world for data breaches

3d blue cubes come together from different directions.Dr. Stephen Covey reminded us that “important” is not the same thing as “urgent.”  Records retention reminds us that important is not the same thing as exciting.  I get it – records retention schedules are boring.  But the fact remains that literally thousands of records retention requirements apply to your organization’s information.  I know, because my firm finds and tracks these laws as part of our decades of retention schedule work for clients across industries.  And your regulators expect you to know them too.

Records retention requirements generally apply to information’s content, regardless of the information’s medium – electronic data, paper, you name it.  The requirements are scattered across the federal and 50 states’ statutory and regulatory codes, often with unusual retention mandates.  Here are just a few: Continue Reading Why govern our information? Reason #11: Thousands of federal and state records retention laws apply to your company

Image of one hundred bill burning “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”

– Former U.S. District Court Magistrate Judge John Facciola

We all know that ediscovery is expensive, and various research reports have so confirmed. The definitive Rand study, Where the Money Goes: Understanding Litigant Expenditures for Producing Electronic Discovery, found that median costs for collection, processing, and review are $17,507 per gigabyte (roughly 3,500 documents or 10,000 e-mails).  The math is not pretty – a case involving 482 GBs of source data could exceed $8 million in ediscovery costs.

And on top of that are preservation costs. The  Preservation Costs Survey demonstrated that large companies incur significant fixed costs for preservation (for in-house ediscovery personnel and also for procurement and maintenance of legal hold management and data preservation technology systems), averaging $2.5 million annually.  More significant is the cost of employee time lost in complying with legal holds.  While companies with up to 10,000 employees incur the average time cost of over $428,000 per year, costs for the largest companies exceed $38 million per year.

There is indeed great complexity in how to cost-effectively process huge amounts of data through the ediscovery funnel. Tighter management of ediscovery processes continues to be important.

But as we ponder how to cut costs, let’s not confuse symptoms with causes: Continue Reading Why govern our information? Reason #12: Unnecessary business data causes unnecessary litigation costs

ChecklistWould you take a deposition by solely following a template of standard questions, without assessing the unique issues and circumstances of the case?  Or conduct transaction due diligence by simply marching though a generic punch list, without assessing the unique aspects of the company, the deal, and the industry?  Of course not.  Your law firm’s data security posture is no different – you need a security risk assessment to understand your firm’s unique vulnerabilities to security threats, and to identify which security controls are already adequate for your firm and which other safeguards are needed.

But assessing security risks is more than merely a good idea.  Conducting a security risk assessment is also a compliance requirement under virtually every U.S. regulatory data security regime and security standard.  Some of these risk assessment requirements apply directly to lawyers and firms, such as rules of professional conduct and, for firms that are business associates of HIPAA covered entities, the HIPAA Security Standards.  Other such laws directly govern the firm’s clients, which in turn increasingly require them of their law firms as service providers.  And taken together, these statutes, regulations, and standards requiring security risk assessments have coalesced into general expectations for what constitutes reasonable data security.

Continue Reading Security risk assessment is not just a good idea – it’s a compliance requirement

Bear Chasing MenAs explored in last week’s posts, the bad news for law firms is their challenging data security threat environment.   On the other hand, law firms that meaningfully elevate their security posture, thereby outrunning less-secure firms, can enjoy good news, including increased revenue, better-controlled expenses, and stronger client relationships.

Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.  Understanding and countering these vulnerabilities is the key to transforming data security bad news into good news.

Why are law firms so vulnerable?

Law firms have highly valuable information.

Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners.  Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on.  In addition, law firms have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.

Many firms are behind the curve on data security safeguards. 

Despite their valuable information, many law firms are demonstrably lax in their data security posture.  Consider results of the 2017 ABA Legal Technology Survey regarding law firm data security controls:

  • Less than half of the responding firms have the following policies or plans that are important facets of the firm’s security posture:  computer acceptable use policy (48%); remote access policy (45%); personal technology use/BYOD policy (24%); incident response plan (26%); disaster recovery / business continuity plan (42%).
  • Only 60% of the firms have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.
  • 28% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
  • Only 45% of the firms have file encryption tools, only 36% have email encryption capabilities, and only 21% have full disk encryption.
  • Among the responding firms that utilize cloud IT services, fewer than than half report using basic security precautions such as evaluating the provider company’s history (27%); reviewing the provider’s privacy policy (38%) or terms of use (34%); using only web-based software with encryption features (36%); or making regular local data backups (41%).

Why are so many firms behind the curve in their data security safeguards?  Here are ten factors to consider (warning – some of the below is not sugar-coated): Continue Reading Understanding law firms’ unique security vulnerabilities – the key to turning bad news into good news

Sunshine Breaking Through the CloudsLaw firms face significant data security threats.  But there’s good news for law firms on data security.  When firms are serious about their data safeguards and take concrete steps to strengthen their security profile, they better position themselves for higher revenue, lower and better-controlled expenses, and stronger client relationships.

As always, context matters.  The legal services industry has changed dramatically in the last decade, with private practice law firms facing (a) increased competition from nontraditional providers and technology-driven service models; (b) the Internet-driven dissolving of historic barriers to remote service delivery; (c) the post-recession tightening in companies’ outside legal spend; (d) the shift of work to in-house legal staff; (e) the ongoing consolidation of client work in fewer, preferred law firms with geographic bench-strength or industry/specialty focus; and (f) the resulting pressure on mid-sized firms to scale/merge up or specialize/boutique down.  There’s no viable “let’s simply wait it out” option in the face of these trends.  In short, it’s now a far more competitive world for attracting and retaining clients.  There will continue to be winners and losers, but now the margin of difference is more slim.

And this is the “there must be a pony in here somewhere” epiphany – in this highly competitive environment, strategic improvement in a law firm’s data security posture can, more than ever before, make a huge difference.

Here are three examples of how better data security is a strategic win for law firms: Continue Reading Good news on law firm data security

Threatening dark clouds covering the skyIt all seemed so routine, so straightforward.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely when and to whom to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials? Continue Reading Bad news on law firm data security

Magnifier On Computer KeyboardSometimes one needs to zoom in to understand the big picture.  This year we’ll continue to explore Information Governance, but through the lens of a particular industry segment – law firms – and a particular focus – data security.

Why law firms?  Well, for a couple reasons.  First, a weak link for many companies is applying Information Governance to their service providers, and private practice law firms are key service providers to companies across all industries.  Second, many law firms have a ways to go in fully embracing Information Governance for themselves, and on their clients’ behalf.

And why law firm data security?  Law firms have highly valuable information, and they are especially vulnerable to security exploits and incidents.  Many firms are behind the curve in their security posture.  The resulting risks and exposures are significant, both to the firms themselves and to the clients they serve.  Also, law firms that take the steps needed for improved data security find themselves far down the road toward more effective Information Governance generally, which is a boon to the firms themselves and also to their clients.

So, here goes.  We’ll first look at the current realities of data security in law firms, touching upon both the bad news and the good news.  Next, we’ll focus on why security risk assessment is absolutely crucial for understanding the data security risks (threats, vulnerabilities, repercussions, and likelihoods) for law firms and their clients, and for prioritizing what must be done.  From there, we’ll take up essential components of law firm security, including security policies; data retention and disposal; technical, physical, and administrative controls; monitoring and testing; training and awareness; incident response preparedness; and cyber insurance.

Along the way we’ll explore key considerations for both on-premises IT configurations and cloud environments; the unrelenting rise in connectivity and remote work; and the explosion of new apps and tools, coupled with the increasingly consumerized expectations of law firm lawyers and staff.

Lots to cover, for the benefit of law firms themselves and also the clients they serve.  Stay tuned.