
©2015 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500

Wisconsin Law & Technology Conference 2015

Building Your Information Governance Framework


Learning Objectives

■ What is Information Governance?

■ Information Governance Organization

■ Scope and Guiding Principles

■ Steps in Implementing an IG Program

■ Sample Initiatives

■ Resources


Offices

United States: Boston, MA; Chicago, IL; Detroit, MI; Jacksonville, FL; Los Angeles, CA; Madison, WI; Miami, FL; Milwaukee, WI; New York, NY; Orlando, FL; Sacramento, CA; San Diego, CA; San Francisco, CA; Silicon Valley, CA; Tallahassee, FL; Tampa, FL; Washington, D.C.

Europe: Brussels

Asia: Shanghai; Tokyo

900 Attorneys

Practice Areas: Business Law; IP; Litigation; Government


What is Information Governance?

Definition: Enterprise-wide approach to the management and protection of a law firm’s client and business information assets. An effective IG program:

• Enables lawyers to meet their professional responsibility regarding client information;

• Recognizes an expanding set of regulatory and privacy requirements that apply to firm and client information;

• Relies upon a culture of participation and collaboration within the entire firm.

Firms are better able to mitigate risk, improve client service and reduce cost.


Foley & Lardner LLP

■ Initial IG Framework in 2010

■ Triggers:

− The financial downturn

− The need to move beyond physical recordkeeping

− Compliance requirements

− Client Security Requirements


What Is The IG Framework?

■ The foundation of the IG program

■ It gives the IG team

− Structure

− A benchmark

■ It gives the firm

− A platform for awareness and change

1. Leadership

2. Buy-In

3. Team

4. Plans

5. Policies

6. Change Management

7. Continuous Improvement


1. The IG Framework Requires A Leader

■ An information management professional

− Generally at the C- or Director-Level

■ A member of management

− COO

− General Counsel

− Member of management committee

− A partner or senior staff leader appointed by management

Influence

Leadership

Strategic Planning

Analytics

Subject Matter

Project Management

Change Management


2. The IG Framework Requires Buy-In

“The key to successful leadership is influence, not authority” – Kenneth Blanchard

■ You may not have the authority to mandate IG in your firm, but you can influence leaders to adopt it

− You can influence other influencers

I Understand the Benefits of IG → I Influence You → You Influence Management → Management Supports IG → We Can Build the Framework

Also see the article: “How to Influence When You Don’t Have Authority”, Forbes, 1/3/2011. http://www.forbes.com/2011/01/03/influence-persuasion-cooperation-leadership-managing-ccl.html


3. The IG Framework Requires A Team

■ Structure

− Formal or informal

■ Components

− Governance

− Operations

■ Considerations

− Maturity of programs

− Stakeholders

Governance: Engaged Leadership or Advisory?

Operations: Active Builder or Leader and Builder?


Information Governance Structure

Organizational unit that bridges the gap across information silos and systems throughout the firm.

Brings constituents together: Technology; Litigation Support; Information Security; Records Management; Knowledge Management

Information Governance Advisory Board

Operational Leaders


The Foley IG Structure

■ Reports to the COO and General Counsel

■ Led by Director, IG (DIG)

− Dotted line to CIO

■ Governance = IG Advisory Board

■ Operations = RIM + Security

[Org chart: COO · GC · CIO · DIG · IGAB · RIM · Local Records · Security]


Members of Foley IG Advisory Board

■ Executive sponsors

− GC and COO

■ Leader

− Director of IG

■ Members

− CIO

− CAO, CHRO, CFO, CMO

− Deputy GC

− Privacy partner


4. The IG Framework Requires A Plan

■ A plan is

− A benchmark

− A roadmap

■ Planning requires

− Strategic and tactical skills

− Think “big” and “long”

− Think “components” and “now”

Definition Of IG

Vision, Mission, Values

Strategies

Initiatives

Roadmap

Charter


At Foley


Vision

Foley IG promotes a culture in which all Personnel:

• Value information as a critical asset of the Firm and its clients.

• Understand the risks, responsibilities and legal requirements related to law firm client and business information.

• Manage information in ways that protect our clients, our colleagues and the Firm.

Mission

Protecting Critical Client And Firm Information Assets

Values

• Stewardship

• Compliance

• Access

• Security


The Roadmap Supports The Strategies And The Initiatives

■ Priorities

− Which strategies are most important

− Which initiatives in the top strategies are most important

■ Timelines

− Project phasing and timing

■ Funding

− Budgeting

■ Resources

− Skills and personnel needed


5. The IG Framework Requires Policies And Principles

■ Policies

− Align with IG scope, vision, mission and values

− Document desired behaviors

− Provide guidance for the development of IG systems and programs

■ Principles

− Guidelines that derive from the policies

− Make it easy for users to understand IG goals and objectives


Foley IG Policies

■ RIM Policies

− Management of Records

− Retention Policies & Schedules

− Mobility Policies

− Document Holds and Destruction Obligation

■ Security Policies

− Acceptable Use

− Information Security

− Access, Use & Disclosure of PII and PHI

− Third Party Access Policies

− Responding to Third Party Information Security Requests

■ Governing Policies

− Policy on Information Governance

− Policy on Confidentiality


Driving Change - Understand Your Firm

■ Is it a “Top Down” organization?

− Can you mandate change?

■ Or, is it a “Grass Roots” organization?

− Do you have to slowly “grow” change?


Branding

■ Communications are recognizable and consistent


6. The IG Framework Requires A Strategy For Continuous Improvement

■ Scanning and awareness

■ Measure results

■ Add and improve


Scanning And Industry Awareness

■ What’s happening in your firm?

− Expansion

− Added practice areas

■ What’s happening in the industry?

− New requirements for lawyers?

■ What’s happening in society?

− New norms (e.g., social networking)?

− New laws


Measure

■ Audit for compliance

■ Gather data, indicators, ROI to demonstrate the impact of IG

− Examples:

• Lowered storage cost

• Quicker access

• Better security

• Quicker response to client security questionnaires

• Coordinated response to a potential breach

• More efficient lateral integration processes


Increasing Concern about Law Firm Information Security

“Clients Demand Law Firm Cyber Audits” (ABA, 2013)

“Law Firms are Pressed on Security for Data” (NY Times, Mar 2014)

“Law Firms Face Pressure From Clients on Data Security” (Legal Intelligencer, Mar 2014)

“Clients Eye Law Firms as Security Weak Link” (Recorder, Feb 2015)

“Citigroup Report Chides Law Firms for Silence on Hackings” (NY Times, Mar 2015)

“Law Firms to Form Cybersecurity Alliance” (Am. Lawyer, Mar 2015)


The Quote Everyone is Using…

■ “Essentially, data thieves consider law firms the ‘soft underbelly’ [emph. added] of [security] … as they attempt to illegally obtain information.”

− Sharon D. Nelson & John W. Simek, Your Law Firm Has Been Breached! Now What? LAW PRAC., Sept./Oct. 2012, at 22


And The FBI Says…

■ “‘We have hundreds of law firms that we see increasingly being targeted by hackers,’ said Mary Galligan, special agent in charge of cyber and special operations.”

− LegalTech News 2013


Terabytes of Electronic Information

This Includes:

• >Millions of Records in the DMS (>25% Documents, >75% Email)

But that’s only what we know about…


And We Have Specific Requirements to Protect It

■ Confidentiality

− The core requirement for lawyers and law firm staff

■ Privacy

− Personally Identifiable Information (PII)

A variety of federal and state regulations apply to all businesses that store PII

− Personal Health Information (PHI): HIPAA

We are Business Associates and are fully subject to HIPAA requirements and penalties


Our Data?


What’s Our Risk?

■ What can go wrong?

■ How can our clients be harmed?

■ How can our employees be harmed?

■ How can the Firm be harmed?


Real Risks and Challenges: These Have Really Happened to Us

■ Crypto Wall Virus

− Pay us $____ or we won’t decrypt your hard drive

■ CEO spoof

− To: CFO

− From: CEO (lolarichards2000@yahoo.com)

− Re: Procedures to wire funds

■ Departing attorney removes 1,000’s of documents from Firm systems

■ Laptop left at the airport

− Unencrypted, no password and STILL RUNNING

■ Records stolen from car

− Laptop, iPad, written records


Biggest Pressure is Coming From Clients

■ Gramm-Leach-Bliley

− Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data

■ Multiple Client Security Requests

− Banks and financial institutions

− Address perceived gaps

− We expect these from pharma and healthcare clients soon (i.e., HIPAA)


What Clients Are Demanding

Risk Area                                        Implement   Cost   Culture
2 factor authentication                          LOW         LOW    LOW
External Media (USB, Flash Drive, HDD)           LOW         LOW    MED
Disaster Recovery                                MED         MED    HIGH
Access to Webmail, Social Media, Cloud Storage   LOW         LOW    HIGH
Data Loss Prevention (DLP)                       MED         HIGH   HIGH
BYOD Controls (Mobile Device Management)         MED         MED    HIGH
Appropriate Access to Information                MED         MED    HIGH
Information Classification                       HIGH        MED    HIGH


Things We Are Doing

■ Trying to balance

■ Assessing client demands

■ Raising security awareness

■ Cyber Insurance and ISO Certification

■ Information Governance program

[Balance: Protection of Information Assets vs. Ease of Use]


Security Awareness

■ Distributing alerts, articles, news

■ Social engineering test

− We sent three phony emails to about 1,800 users

− They looked legitimate

− Intent was to see how many people would click on a malicious link

− How many clicked?

10% of the targets (180 individuals)


Information Governance Program

■ Seeks to treat client and firm information as a valuable business asset

[Program components: Compliance · Information Security · Training & Awareness · Information Management]


IG Strategies

Security: Data Loss Protection; Mobile Device Mgmt; Access Mgmt; Third Party Access; Vulnerability Monitoring

Information Management: E-Records; Dark Data; Info. Storage

Compliance: Audit; Continual Improvement; Industry Scanning

Awareness: Public Awareness; Training


WIIFM? (“What’s In It For Me?”)

■ Client retention

■ Competitive advantage

− We could lead

− Or at least we could keep pace

■ Better access to information for matter teams

■ Adherence to ethical and legal responsibilities


10 Guiding IG Principles

1. Manage confidential, sensitive or Personal Information as required by law, agreement or Firm Policy

2. Understand third party access requirements

3. Respond promptly to IG Compliance notices

4. File email records regularly

5. Maintain the Firm’s Official Records in electronic form, unless hard copy is required

6. Store Official Records in an approved records repository

7. Organize Official Records by correct client/matter number

8. Retain and destroy records as permitted by Firm Policy

9. Avoid making multiple copies of records

10. Don’t handle file transfers (in or out) on your own


Questions?


Resources

■ Iron Mountain - http://www.ironmountain.com/Services/Records-Management-And-Storage/Iron-Mountain-Connect.aspx

■ IGI Initiative - http://iginitiative.com/

■ AIIM – http://www.aiim.org/

■ ARMA - http://www.arma.org/

■ NIST - http://www.nist.gov/index.html


Building Your IG Framework

Law and Technology Conference 2015

Randy Oppenborn

roppenborn@foley.com
