TRANSCRIPT
©2015 Foley & Lardner LLP • Attorney Advertising • Prior results do not guarantee a similar outcome • Models used are not clients but may be representative of clients • 321 N. Clark Street, Suite 2800, Chicago, IL 60654 • 312.832.4500
Wisconsin Law & Technology Conference 2015
Building Your Information Governance Framework
Learning Objectives
■ What is Information Governance?
■ Information Governance Organization
■ Scope and Guiding Principles
■ Steps in Implementing an IG Program
■ Sample Initiatives
■ Resources
Offices (map slide): United States: Boston, MA; Chicago, IL; Detroit, MI; Jacksonville, FL; Los Angeles, CA; Madison, WI; Miami, FL; Milwaukee, WI; New York, NY; Orlando, FL; Sacramento, CA; San Diego, CA; San Francisco, CA; Silicon Valley, CA; Tallahassee, FL; Tampa, FL; Washington, D.C. Europe: Brussels. Asia: Shanghai; Tokyo.
900 Attorneys
Practice Areas: Business Law, IP, Litigation, Government
What is Information Governance?
Definition: Enterprise-wide approach to the management and protection of a law firm’s client and business information assets. An effective IG program:
• Enables lawyers to meet their professional responsibility regarding client information;
• Recognizes an expanding set of regulatory and privacy requirements that apply to firm and client information;
• Relies upon a culture of participation and collaboration within the entire firm.
Firms are better able to mitigate risk, improve client service and reduce cost.
Foley & Lardner LLP
■ Initial IG Framework in 2010
■ Triggers:
− The financial downturn
− The need to move beyond physical recordkeeping
− Compliance requirements
− Client Security Requirements
What Is The IG Framework?
■ The foundation of the IG program
■ It gives the IG team
− Structure
− A benchmark
■ It gives the firm
− A platform for awareness and change
(Diagram) Framework elements:
1. Leadership
2. Buy-In
3. Team
4. Plans
5. Policies
6. Change Management
7. Continuous Improvement
1. The IG Framework Requires A Leader
■ An information management professional
− Generally at the C- or Director-Level
■ A member of management
− COO
− General Counsel
− Member of management committee
− A partner or senior staff leader appointed by management
(Diagram) Influence; Leadership; Strategic Planning; Analytics; Subject Matter; Project Management; Change Management
2. The IG Framework Requires Buy-In
“The key to successful leadership is influence, not authority” – Kenneth Blanchard
■ You may not have the authority to mandate IG in your firm, but you can influence leaders to adopt it
− You can influence other influencers
(Diagram) I Understand the Benefits of IG → I Influence You → You Influence Management → Management Supports IG → We Can Build the Framework
Also see the article: “How to Influence When You Don’t Have Authority”, Forbes, 1/3/2011. http://www.forbes.com/2011/01/03/influence-persuasion-cooperation-leadership-managing-ccl.html
3. The IG Framework Requires A Team
■ Structure
− Formal or informal
■ Components
− Governance
− Operations
■ Considerations
− Maturity of programs
− Stakeholders
(Diagram) Governance: Engaged Leadership or Advisory? Operations: Active Builder or Leader and Builder?
Information Governance Structure
Organizational unit that bridges the gap across information silos and systems throughout the firm.
Brings constituents together: Technology; Litigation Support; Information Security; Records Management; Knowledge Management
(Diagram) Information Governance Advisory Board; Operational Leaders
The Foley IG Structure
■ Reports to the COO and General Counsel
■ Led by Director, IG (DIG)
− Dotted line to CIO
■ Governance = IG Advisory Board
■ Operations = RIM + Security
(Org chart) COO; GC; CIO; DIG; IGAB; RIM; Local Records; Security
Members of Foley IG Advisory Board
■ Executive sponsors
− GC and COO
■ Leader
− Director of IG
■ Members
− CIO
− CAO, CHRO, CFO, CMO
− Deputy GC
− Privacy partner
4. The IG Framework Requires A Plan
■ A plan is
− A benchmark
− A roadmap
■ Planning requires
− Strategic and tactical skills
− Think “big” and “long”
− Think “components” and “now”
(Diagram) Definition of IG; Vision, Mission, Values; Strategies; Initiatives; Roadmap; Charter
At Foley
Vision
Foley IG promotes a culture in which all Personnel:
• Value information as a critical asset of the Firm and its clients.
• Understand the risks, responsibilities and legal requirements related to law firm client and business information.
• Manage information in ways that protect our clients, our colleagues and the Firm.
Mission
Protecting Critical Client And Firm Information Assets
Values
• Stewardship
• Compliance
• Access
• Security
The Roadmap Supports The Strategies And The Initiatives
■ Priorities
− Which strategies are most important
− Which initiatives in the top strategies are most important
■ Timelines
− Project phasing and timing
■ Funding
− Budgeting
■ Resources
− Skills and personnel needed
5. The IG Framework Requires Policies And Principles
■ Policies
− Align with IG scope, vision, mission and values
− Document desired behaviors
− Provide guidance for the development of IG systems and programs
■ Principles
− Guidelines that derive from the policies
− Make it easy for users to understand IG goals and objectives
Foley IG Policies
■ RIM Policies
− Management of Records
− Retention Policies & Schedules
− Mobility Policies
− Document Holds and Destruction Obligation
■ Security Policies
− Acceptable Use
− Information Security
− Access, Use & Disclosure of PII and PHI
− Third Party Access Policies
− Responding to Third Party Information Security Requests
■ Governing Policies
− Policy on Information Governance
− Policy on Confidentiality
Driving Change - Understand Your Firm
■ Is it a “Top Down” organization?
− Can you mandate change?
■ Or, is it a “Grass Roots” organization?
− Do you have to slowly “grow” change?
Branding
■ Communications are recognizable and consistent
6. The IG Framework Requires A Strategy For Continuous Improvement
■ Scanning and awareness
■ Measure results
■ Add and improve
Scanning And Industry Awareness
■ What’s happening in your firm?
− Expansion
− Added practice areas
■ What’s happening in the industry?
− New requirements for lawyers?
■ What’s happening in society?
− New norms (i.e., social networking)?
− New laws
Measure
■ Audit for compliance
■ Gather data, indicators, ROI to demonstrate the impact of IG
− Examples:
  Lowered storage cost
  Quicker access
  Better security
  Quicker response to client security questionnaires
  Coordinated response to a potential breach
  More efficient lateral integration processes
Increasing Concern about Law Firm Information Security
■ “Clients Demand Law Firm Cyber Audits” (ABA, 2013)
■ “Law Firms are Pressed on Security for Data” (NY Times, Mar 2014)
■ “Law Firms Face Pressure From Clients on Data Security” (Legal Intelligencer, Mar 2014)
■ “Clients Eye Law Firms as Security Weak Link” (Recorder, Feb 2015)
■ “Citigroup Report Chides Law Firms for Silence on Hackings” (NY Times, Mar 2015)
■ “Law Firms to Form Cybersecurity Alliance” (Am. Lawyer, Mar 2015)
The Quote Everyone is Using…
■ “Essentially, data thieves consider law firms the ‘soft underbelly’ [emph. added] of [security] … as they attempt to illegally obtain information.”
− Sharon D. Nelson & John W. Simek, Your Law Firm Has Been Breached! Now What? LAW PRAC., Sept./Oct. 2012, at 22
And The FBI Says…
■ “‘We have hundreds of law firms that we see increasingly being targeted by hackers,’ said Mary Galligan, special agent in charge of cyber and special operations.”
− LegalTech News 2013
Terabytes of Electronic Information
(Diagram) This includes: > Millions of Records in the DMS (>25% Documents; >75% Email)
But that’s only what we know about…
And We Have Specific Requirements to Protect It
■ Confidentiality
− The core requirement for lawyers and law firm staff
■ Privacy
− Personally Identifiable Information (PII)
  A variety of federal and state regulations that apply to all businesses that store PII
− Personal Health Information (PHI) – HIPAA
  We are Business Associates and are fully subject to HIPAA requirements and penalties
Our Data?
What’s Our Risk?
■ What can go wrong?
■ How can our clients be harmed?
■ How can our employees be harmed?
■ How can the Firm be harmed?
Real Risks and Challenges: These Have Really Happened to Us
■ Crypto Wall Virus
− Pay us $____ or we won’t decrypt your hard drive
■ CEO spoof
− To: CFO
− From: CEO ([email protected])
− Re: Procedures to wire funds
■ Departing attorney removes 1,000s of documents from Firm systems
■ Laptop left at the airport
− Unencrypted, no password and STILL RUNNING
■ Records stolen from car
− Laptop, iPad, written records
Biggest Pressure is Coming From Clients
■ Gramm-Leach-Bliley
− Requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data
■ Multiple Client Security Requests
− Banks and financial institutions
− Address perceived gaps
− We expect these from pharm and healthcare clients soon (i.e., HIPAA)
What Clients Are Demanding
Risk Area                                        Implement   Cost   Culture
2 factor authentication                          LOW         LOW    LOW
External Media (USB, Flash Drive, HDD)           LOW         LOW    MED
Disaster Recovery                                MED         MED    HIGH
Access to Webmail, Social Media, Cloud Storage   LOW         LOW    HIGH
Data Loss Prevention (DLP)                       MED         HIGH   HIGH
BYOD Controls (Mobile Device Management)         MED         MED    HIGH
Appropriate Access to Information                MED         MED    HIGH
Information Classification                       HIGH        MED    HIGH
Things We Are Doing
■ Trying to balance (diagram: Protection of Information Assets vs. Ease of Use)
■ Assessing client demands
■ Raising security awareness
■ Cyber Insurance and ISO Certification
■ Information Governance program
Security Awareness
■ Distributing alerts, articles, news
■ Social engineering test
− We sent three phony emails to about 1,800 users
− They looked legitimate
− Intent was to see how many people would click on a malicious link
− How many clicked? 10% of the targets (180 individuals)
Information Governance Program
■ Seeks to treat client and firm information as a valuable business asset
(Diagram) Compliance; Information Security; Training & Awareness; Information Management
IG Strategies
(Diagram)
Security: Data Loss Protection; Mobile Device Mgmt; Access Mgmt; Third Party Access; Vulnerability Monitoring
Information Management: E-Records; Dark Data; Info. Storage
Compliance: Audit; Continual Improvement; Industry Scanning
Awareness: Public Awareness; Training
WIIFM? (“What’s In It For Me?”)
■ Client retention
■ Competitive advantage
− We could lead
− Or at least we could keep pace
■ Better access to information for matter teams
■ Adherence to ethical and legal responsibilities
10 Guiding IG Principles
1. Manage confidential, sensitive or Personal Information as required by law, agreement or Firm Policy
2. Understand third party access requirements
3. Respond promptly to IG Compliance notices
4. File email records regularly
5. Maintain the Firm’s Official Records in electronic form, unless hard copy is required
6. Store Official Records in an approved records repository
7. Organize Official Records by correct client/matter number
8. Retain and destroy records as permitted by Firm Policy
9. Avoid making multiple copies of records
10. Don’t handle file transfers (in or out) on your own
Questions?
Resources
■ Iron Mountain - http://www.ironmountain.com/Services/Records-Management-And-Storage/Iron-Mountain-Connect.aspx
■ IGI Initiative - http://iginitiative.com/
■ AIIM – http://www.aiim.org/
■ ARMA - http://www.arma.org/
■ NIST - http://www.nist.gov/index.html
Building Your IG Framework
Law and Technology Conference 2015
Randy Oppenborn