©2015 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500 Wisconsin Law & Technology Conference 2015 Building Your Information Governance Framework


Wisconsin Law & Technology Conference 2015

Building Your Information Governance Framework


Learning Objectives

■ What is Information Governance?

■ Information Governance Organization

■ Scope and Guiding Principles

■ Steps in Implementing an IG Program

■ Sample Initiatives

■ Resources


UNITED STATES

BOSTON, MA

CHICAGO, IL

DETROIT, MI

JACKSONVILLE, FL

LOS ANGELES, CA

MADISON, WI

MIAMI, FL

MILWAUKEE, WI

NEW YORK, NY

ORLANDO, FL

SACRAMENTO, CA

SAN DIEGO, CA

SAN FRANCISCO, CA

SILICON VALLEY, CA

TALLAHASSEE, FL

TAMPA, FL

WASHINGTON, D.C.

EUROPE

BRUSSELS

ASIA

SHANGHAI

TOKYO

Offices

900 Attorneys

Practice Areas

BUSINESS LAW

IP

Litigation

Government


What is Information Governance?

Definition: Enterprise-wide approach to the management and protection of a law firm’s client and business information assets. An effective IG program:

• Enables lawyers to meet their professional responsibility regarding client information;

• Recognizes an expanding set of regulatory and privacy requirements that apply to firm and client information;

• Relies upon a culture of participation and collaboration within the entire firm.

Firms are better able to mitigate risk, improve client service and reduce cost.


Foley & Lardner LLP

■ Initial IG Framework in 2010

■ Triggers:

− The financial downturn

− The need to move beyond physical recordkeeping

− Compliance requirements

− Client Security Requirements


What Is The IG Framework?

■ The foundation of the IG program

■ It gives the IG team

− Structure

− A benchmark

■ It gives the firm

− A platform for awareness and change

1. Leadership

2. Buy-In

3. Team

4. Plans

5. Policies

6. Change Management

7. Continuous Improvement


1. The IG Framework Requires A Leader

■ An information management professional

− Generally at the C- or Director-Level

■ A member of management

− COO

− General Counsel

− Member of management committee

− A partner or senior staff leader appointed by management

Influence

Leadership

Strategic Planning

Analytics

Subject Matter

Project Management

Change Management


2. The IG Framework Requires Buy-In

“The key to successful leadership is influence, not authority” – Kenneth Blanchard

■ You may not have the authority to mandate IG in your firm, but you can influence leaders to adopt it

− You can influence other influencers

I Understand the Benefits of IG

I Influence You

You Influence Management

Management Supports IG

We Can Build the Framework

Also see the article: “How to Influence When You Don’t Have Authority” Forbes, 1/3/2011. http://www.forbes.com/2011/01/03/influence-persuasion-cooperation-leadership-managing-ccl.html


3. The IG Framework Requires A Team

■ Structure

− Formal or informal

■ Components

− Governance

− Operations

■ Considerations

− Maturity of programs

− Stakeholders

Governance

Engaged Leadership Or Advisory?

Operations

Active Builder Or Leader and Builder?


Information Governance Structure

Organizational unit that bridges the gap across information silos and systems throughout the firm.

Brings constituents together:

■ Technology

■ Litigation Support

■ Information Security

■ Records Management

■ Knowledge Management

Information Governance Advisory Board

Operational Leaders


The Foley IG Structure

■ Reports to the COO and General Counsel

■ Led by Director, IG (DIG)

− Dotted line to CIO

■ Governance = IG Advisory Board

■ Operations = RIM + Security

COO

CIO DIG

RIM

LocalRecords

Security

GC

IGAB


Members of Foley IG Advisory Board

■ Executive sponsors

− GC and COO

■ Leader

− Director of IG

■ Members

− CIO

− CAO, CHRO, CFO, CMO

− Deputy GC

− Privacy partner


4. The IG Framework Requires A Plan

■ A plan is

− A benchmark

− A roadmap

■ Planning requires

− Strategic and tactical skills

− Think “big” and “long”

− Think “components” and “now”

Definition Of IG

Vision, Mission, Values

Strategies

Initiatives

Roadmap

Charter

At Foley

Vision

Foley IG promotes a culture in which all Personnel:

• Value information as a critical asset of the Firm and its clients.

• Understand the risks, responsibilities and legal requirements related to law firm client and business information.

• Manage information in ways that protect our clients, our colleagues and the Firm.

Mission

Protecting Critical Client And Firm Information Assets

Values

• Stewardship

• Compliance

• Access

• Security


The Roadmap Supports The Strategies And the Initiatives

■ Priorities

− Which strategies are most important

− Which initiatives in the top strategies are most important

■ Timelines

− Project phasing and timing

■ Funding

− Budgeting

■ Resources

− Skills and personnel needed


5. The IG Framework Requires Policies And Principles

■ Policies

− Align with IG scope, vision, mission and values

− Document desired behaviors

− Provide guidance for the development of IG systems and programs

■ Principles

− Guidelines that derive from the policies

− Make it easy for users to understand IG goals and objectives


Foley IG Policies

■ RIM Policies

− Management of Records

− Retention Policies & Schedules

− Mobility Policies

− Document Holds and Destruction Obligation

■ Security Policies

− Acceptable Use

− Information Security

− Access, Use & Disclosure of PII and PHI

− Third Party Access Policies

− Responding to Third Party Information Security Requests

■ Governing Policies

− Policy on Information Governance

− Policy on Confidentiality


Driving Change - Understand Your Firm

■ Is it a “Top Down” organization?

− Can you mandate change?

■ Or, is it a “Grass Roots” organization?

− Do you have to slowly “grow” change?


Branding

■ Communications are recognizable and consistent


6. The IG Framework Requires A Strategy For Continuous Improvement

■ Scanning and awareness

■ Measure results

■ Add and improve


Scanning And Industry Awareness

■ What’s happening in your firm?

− Expansion

− Added practice areas

■ What’s happening in the industry?

− New requirements for lawyers?

■ What’s happening in society

− New norms (i.e., social networking)?

− New laws


Measure

■ Audit for compliance

■ Gather data, indicators, ROI to demonstrate the impact of IG

− Examples

Lowered storage cost

Quicker access

Better security

Quicker response to client security questionnaires

Coordinated response to a potential breach

More efficient lateral integration processes


Increasing Concern about Law Firm Information Security

“Clients Demand Law Firm Cyber Audits” (ABA, 2013)

“Law Firms are Pressed on Security for Data” (NY Times, Mar 2014)

“Law Firms Face Pressure From Clients on Data Security” (Legal Intelligencer, Mar 2014)

“Clients Eye Law Firms as Security Weak Link” (Recorder Feb, 2015)

“Citigroup Report Chides Law Firms for Silence on Hackings” (NY Times, Mar 2015)

“Law Firms to Form Cybersecurity Alliance” (Am. Lawyer Mar, 2015)


The Quote Everyone is Using…

■ “Essentially, data thieves consider law firms the ‘soft underbelly’ [emph. added] of [security] … as they attempt to illegally obtain information.”

− Sharon D. Nelson & John W. Simek, Your Law Firm Has Been Breached! Now What? LAW PRAC., Sept./Oct. 2012, at 22


And The FBI Says…

■ “’We have hundreds of law firms that we see increasingly being targeted by hackers,’ said Mary Galligan, special agent in charge of cyber and special operations.”

− LegalTech News 2013


Terabytes of Electronic Information

This Includes:

■ >Millions of Records in the DMS

− >25% Documents

− >75% Email

But that’s only what we know about…


And We Have Specific Requirements to Protect It

■ Confidentiality

− The core requirement for lawyers and law firm staff

■ Privacy

− Personally Identifiable Information (PII)

A variety of federal and state regulations that apply to all businesses that store PII

− Personal Health Information (PHI) HIPAA

We are Business Associates and are fully subject to HIPAA requirements and penalties


Our Data?


What’s Our Risk?

■ What can go wrong?

■ How can our clients be harmed?

■ How can our employees be harmed?

■ How can the Firm be harmed?


Real Risks and Challenges

These Have Really Happened to Us

■ Crypto Wall Virus

− Pay us $____ or we won’t decrypt your hard drive

■ CEO spoof

− To: CFO

− From: CEO ([email protected])

− Re: Procedures to wire funds

■ Departing attorney removes 1,000’s of documents from Firm systems

■ Laptop left at the airport

− Unencrypted, no password and STILL RUNNING

■ Records stolen from car

− Laptop, iPad, written records


Biggest Pressure is Coming From Clients

■ Gramm-Leach-Bliley

− Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data

■ Multiple Client Security Requests

− Banks and financial institutions

− Address perceived gaps

− We expect these from pharm and healthcare clients soon (i.e., HIPAA)


What Clients Are Demanding

| Risk Area | Implement | Cost | Culture |
| --- | --- | --- | --- |
| 2 factor authentication | LOW | LOW | LOW |
| External Media (USB, Flash Drive, HDD) | LOW | LOW | MED |
| Disaster Recovery | MED | MED | HIGH |
| Access to Webmail, Social Media, Cloud Storage | LOW | LOW | HIGH |
| Data Loss Prevention (DLP) | MED | HIGH | HIGH |
| BYOD Controls (Mobile Device Management) | MED | MED | HIGH |
| Appropriate Access to Information | MED | MED | HIGH |
| Information Classification | HIGH | MED | HIGH |


Things We Are Doing

■ Trying to balance

■ Assessing client demands

■ Raising security awareness

■ Cyber Insurance and ISO Certification

■ Information Governance program

Protection of Information Assets

Ease of Use


Security Awareness

■ Distributing alerts, articles, news

■ Social engineering test

− We sent three phony emails to about 1,800 users

− They looked legitimate

− Intent was to see how many people would click on a malicious link

− How many clicked?

10% of the targets (180 individuals)


Information Governance Program

■ Seeks to treat client and firm information as a valuable business asset

Compliance

Information Security

Training & Awareness

Information Management


IG Strategies

■ Security

− Data Loss Protection

− Mobile Device Mgmt

− Access Mgmt

− Third Party Access

− Vulnerability Monitoring

■ Information Management

− E-Records

− Dark Data

− Info. Storage

■ Compliance

− Audit

− Continual Improvement

− Industry Scanning

■ Awareness

− Public Awareness

− Training


WIIFM? (“What’s In It For Me?”)

■ Client retention

■ Competitive advantage

− We could lead

− Or at least we could keep pace

■ Better access to information for matter teams

■ Adherence to ethical and legal responsibilities


10 Guiding IG Principles

1. Manage confidential, sensitive or Personal Information as required by law, agreement or Firm Policy

2. Understand third party access requirements

3. Respond promptly to IG Compliance notices

4. File email records regularly

5. Maintain the Firm’s Official Records in electronic form, unless hard copy is required

6. Store Official Records in an approved records repository

7. Organize Official Records by correct client/matter number

8. Retain and destroy records as permitted by Firm Policy

9. Avoid making multiple copies of records

10. Don’t handle file transfers (in or out) on your own


Questions?


Resources

■ Iron Mountain - http://www.ironmountain.com/Services/Records-Management-And-Storage/Iron-Mountain-Connect.aspx

■ IGI Initiative - http://iginitiative.com/

■ AIIM – http://www.aiim.org/

■ ARMA - http://www.arma.org/

■ NIST - http://www.nist.gov/index.html


Building Your IG Framework

Law and Technology Conference 2015

Randy Oppenborn

[email protected]