Insights

‍

Information Governance: The Umbrella Every Organization Needs (Rain or Shine) for Its Data and Records Management

Increased news coverage and public awareness of data collection and data breaches has led to increased discussions within the legal profession about data management and data retention practices; however, the attorney’s responsibilities regarding proper data handling are nothing new.

Data is the organization's currency and protection of that data is one of the most basic organizational's duties. To fulfill this basic – yet broad – duty, the importance of information governance becomes self-evident:
‍

• Organizations must understand what they have (data mapping), how it is handled, and what the disposition or retention duties are with respect to data;
• Organizations must be able to use and deploy data to further their clients' interests or organizational duties;
• Organizations must act efficiently in the handling of information (i.e., templates) for repetitive tasks;
• Organizations must safe-guard information from or related to their client's; and
• Organizations must communicate with clients regarding data security to ensure a mutual understanding.

In the past, handling data has been lax. Locking the filing cabinets and doors - perhaps adding a "Privileged and Confidential" stamp on some files - was "high security." To the extent written guidelines discussed document handling or security, these were put in a drawer, under the mistaken belief that someone else was in charge or that "of course, everything is safe here." True, those were simpler times, when a client's documents may be put in boxes, locked in a file cabinet. Even with the initial advent of computers and email, things didn't initially change that much

Such attitudes belong to a by-gone era and continuing to treat information governance as anything less than a critical business function is living in a fantasy land that will imperil your client's interests and could expose your firm to malpractice claims and civil suits. In this modern age, the competent attorneys and organizations need to follow at a bare minimum the following set of rules - on both their client's data as well as that they consider their own.

WHERE DO WE START?

1- Know & Follow Your Obligations

Due to the special nature of the attorney-client relationship, attorneys are faced with a variety of obligations arising from various sources. The Rules of Professional Conduct, laws regarding fiduciary duties, judicial orders (e.g., protective orders), contractual agreements, and internal firm policies and procedures, all impose obligations on a organization's management of data.

Complexities:

1. Requirements of various obligations may appear in conflict with each other or may be so vague as to leave one in doubt as to the proper course of action
2. Data may fall under multiple categories giving rise to questions on how to handle
3. For example, a court filing with exhibits is work product, but if the exhibits are documents from the client then can the firm retain the full file, or would it need to dispose of the exhibits?

Keep in mind:

• Increased security always comes at a tradeoff with ease of accessibility and cost.
• While some obligations are stated vaguely, such as the rules of professional conduct which require "competency," whatever that may mean to some, other obligations are spelled out clearly, like in policy manuals which may explicitly lay out specific terms - such as particular software.
• If security requirements imposed by a client are outside a firm's capabilities or different, but equivalent to the firm's current practices, then communicate with the client to let them know and receive sign-off.
• IT security is constantly evolving, driven by a need to stay in front of determined bad-actors trying to exploit data.
• Setting up a secure system is not enough, it must be regularly updated to ensure newly uncovered threats are remediated.
• IT security training for employees must be done at least annually. We recommend bi-annually. Your employees are the weakest link in many cyberattacks, and they must be constantly trained and reminded of their duties so that user error does not lead to a breach.

2- Know What & Where Your Information Is

Data mapping requires an in-depth analysis of the sources and types of information an organization handles, the various places that information resides, the life-cycle of the information, and the ways data is sent out of the firm or inside the firm promulgating, and hiding, in various silos. The process of data mapping:

• Must be a truly comprehensive analysis of all the data you have, within and outside your organization.
• Includes personal devices or unofficial file transfer tools (e.g., Dropbox) that users may have downloaded to complete a project. In that regard, we recommend blocking access to employees, from within the enterprise's environment, to personal email and data sharing/content sites, such as Google Drive and Dropbox.
• Includes an examination of back-up and disaster recovery data.
• Includes training your people on the what, where and why of data

Complexities:

*Duplicative data can be replicated to multiple places and can be sent outside of a firm with little effort.

*In theory data mapping is a simple task, but with data capable of being stored in multiple locations and the ability of users to attach any file to an email outside the firm, the map can get messy due to a lack of appropriate governance practices.

*Additionally, with modern technology, data can be maintained in unexpected and hard-to identify locations. For instance, most organizations now use Voice-over-Internet-Protocol for their phone networks, which means voicemails are recorded not to a reusable tape but to an electronic server - sometimes being auto forwarded to the users’ emails; without identifying that server and determining any back-up procedures or retention policies in place, it may be impossible to say how long voicemails could remain retrievable.
‍

*Data becomes outdated, but outdated data doesn't disappear

*Versioning drafts of documents or data sets are hugely important (recovering from mistake in a later version or to reutilize a stricken clause in a different document)

*Multiple versions in an unstructured environment (outside a DMS), can lead to wasted time integrating changes from multiple reviewers, using the wrong version, or lost work.

*Depending on IT competency/security, the various tools individual firm employees are using might not be known to the people creating the data map.

3- Appropriately Organize Your Information (& Make It Searchable)

As law libraries across the country epitomize, having all the information amassed in one place doesn't do a lot of good without an efficient means of finding the few pieces of data when you need them. For most organizations, this means implementing a Document Management System and corresponding policies to centralize, categorize, and index (i.e., make searchable) all the documents in a firm.

It is important to note that while the best method of applying each rule - and some of the benefits/risks may vary depending on a firm's size and the type of practice - each rule is applicable and will benefit everyone in your organization.

‍

Source

1 https://www.moundcotton.com/newsletters/summer-2018/a-brave-new-world-cybersecurity-and-the-potential-for-legal-malpractice-claims/ - Refers to case Millard v. Doran, No. 153262/2016 (Sup. Ct. N.Y. Cty.).

‍