It appears to have become the new norm. Not a week seems to go by without a report about a data breach. America’s largest bank, JP Morgan Chase, is the latest high-profile victim, and it is still reeling from this summer’s cyber attack that compromised the accounts of 76 million households — the equivalent of 65% of all U.S. households — and seven million businesses. Law firms are far from immune. An American multi-state criminal firm discreetly filed a report in late June with California authorities, the first U.S. state to adopt data breach notification legislation, after a hard drive containing backup files for one of the firm’s servers was stolen from the locked trunk of an employee’s vehicle.
Closer to home, hackers three years ago compromised the security of seven major Canadian law firms involved in BHP Billiton’s proposed takeover of Saskatchewan’s Potash Corp. All told, 15 per cent of U.S. law firms experienced a security breach in 2012, either through hackers, a break-in, a website exploit, or a lost or stolen computer or smartphone, according to the 2013 American Bar Association Legal Technology Survey Report. In Canada it’s likely more of the same. Thousands of attempts to breach Ontario law firm systems were likely made last year, and most probably, some succeeded. “But we will likely never hear about them because firms that experience breaches usually try to keep their names out of the news,” points out Dan Pinnington, vice president, claims prevention and stakeholder relations at LawPRO.
Almost overnight, cyber security has gone from a niche information technology issue to an explosive consumer issue to a top-of-mind business issue that is increasingly becoming a boardroom priority. None of which is surprising. Information is the lifeblood of modern business, and data is its new currency. Indeed, a report by the World Economic Forum goes further and describes data as a new asset class and personal data as “the new oil.” “It’s an asset that has value and therefore it needs to be governed in the same way that we look at our assets like our people, our equipment, and our money,” says Martin Felsky, the national e-discovery counsel at Borden Ladner Gervais LLP in Toronto. But the mounting spate of high-profile data security breaches, along with rampant identity theft and a general lack of transparency in how personal data is monetized, is threatening to undermine the digital economy, adds the international think-tank.
Information security and risk management, however, are complicated by the staggering amount of data generated by the average business today. Indeed, the digital universe is doubling in size every two years, according to global market intelligence firm International Data Corp. What’s more, 90 per cent of the data in the world today was created in the last two years alone, and it has been estimated that more information is being generated now every two days than was from the dawn of civilization until 2003. With law firms, it’s even more problematic because they have to deal with their own business information and the client’s information, which is of course subject to confidentiality and solicitor-client privilege provisions. “There is no doubt that law firms are huge repositories of information,” says Barry Sookman, a senior partner and former chair of the technology law group with McCarthy Tétrault LLP in Toronto. “Depending on the areas of practice, they are collecting information, they are generating information, they are storing information. So in a sense information is our critical resource, and it necessarily has to be managed.”
Thanks to the alarming surge of breaches and the inconceivable reams of data, clients are increasingly pressing for, and in many cases demanding, higher standards for how outside counsel secure their data and manage access to it. A growing number of law firms determined to keep pace with the new challenges created by mounting security requirements and the data deluge are tackling the issues through a different prism, and turning their attention towards becoming shepherds of all the information in their hands by embracing a relatively new approach — information governance.
Until recently known mainly within narrow technical circles, the enterprise-wide approach to the management and protection of a law firm’s client and business information assets has gained increasing attention, especially over the past year. It is a business process that covers the management of all facets of information during its lifecycle, from its creation, use, processing, protection, and management all the way to its disposition.
Information governance is much more than electronic records management on steroids. It encompasses data security, electronic discovery requirements, storage optimization, and privacy — and tries to foster efficient and appropriate data management that enables defensible disposal by effectively aligning information value to information cost. “Information governance basically describes how organizations can better manage their information, their data, their knowledge, all of the things that in the world today are really how we work in the business world,” says Kathryn Manning, legal counsel at Wortzmans, a Toronto law firm that provides legal advice to law firms, corporations and government regarding e-discovery, litigation readiness, information governance and privacy law.
Proponents maintain that it can mitigate law firms’ risk of security breaches, add efficiencies to search and retrieval processes, and lead to operational efficiencies through cost savings in areas ranging from discovery to litigation to human resources. “Absolutely no question data security and privacy compliance and litigation readiness are all improved as you improve information governance because the specialists who concern themselves with information are all assessing what information you have, where and how it is kept, who has access to it, and how are you going to try and protect it, and ensure that you have continuity so disaster recovery,” asserts Kelly Friedman, a partner with Davis LLP who has expertise in electronic information issues.
Many law offices typically maintain a number of departments, such as information technology (IT), data security, records and information management (RIM), and privacy, all of which play a role in managing the organization’s information. But the siloed approach is inefficient and fraught with limitations. Often, each department has its own policies and procedures, disparate data systems and applications, and even its own vocabulary, even though they may share the same words. It’s far from unusual to end up with cases where the IT department puts its foot down and establishes email account volume limits to relieve stress on the organization’s email system, only for personnel to move email to local drives and devices, which in turn can increase data security exposure and make it difficult to find and preserve emails for litigation. Or the organization allows the use of laptops and smart phones under a Bring-Your-Own-Device program to increase convenience and efficiency, without establishing clear parameters – a situation that again can lead to the same headaches in addition to making it more challenging to apply records retention policies. “What I hear when I have gone in law firms is different people do things in different ways so it’s tough on the staff because one department stores their documents one way, and a different department in a different way,” says Susan Nickle, general counsel at London Health Sciences Centre and former partner at Wortzmans.
What’s more, those within particular silos are constrained by the culture, knowledge, and short-term goals of their business unit, administrative function, or discipline, notes a report by The Sedona Conference Working Group on information governance. Under the siloed approach, there is an absence of overall governance or coordination for managing information as an asset, and no roadmap for the current and future use of information technology, adds the Sedona report. “We started down the road of electronic files kind of almost an ad hoc basis, without any planning and without thinking about the future and without thinking about the importance that these systems would eventually have,” notes Felsky, whose practice is dedicated to information governance. “We have completely moved away from our traditional records management processes and we have been in a new world for some time, and it’s a world of chaos.”
Information governance sets out to put some order to the disarray. It emphasizes a culture of collaboration between different departments of information-focused disciplines to make coordinated decisions about governing information for the benefit of the overall organization as opposed to a particular department or discipline. “You need all of these people – IT, RIM, security and privacy – at the table to make decisions that align everyone’s interests and everyone’s own agenda to be able to achieve anything,” says Dominic Jaar, national practice leader of information management services with KPMG LLP (Canada).
Senior leadership and oversight are key, otherwise the whole exercise is bound to fail. Senior management not only has to endorse the importance of information governance to the entire organization, it has to adopt the strategic objectives of the program, provide appropriate resources, and establish accountability for meeting program expectations and for establishing the organization’s strategic objectives for information governance. “Senior management really do have to believe in what will be done, why it will be done, and how it will be done,” says Sheila Taylor, CEO of Ergo Information Management Consulting. “Sometimes management is not as enlightened as they ideally should be or they view this as something that just employees have to do. They all have to buy it, otherwise why would the average employee pay attention to it.”
The path to information governance is laden with even more awkward and complex challenges for law firms. To begin with, the legal profession is still paper-intensive, due to a large extent to the court system’s reliance on paper. “Some businesses can say we’re going to go all digital, and law firms might wish to do that and should in terms of information governance and make the transition by saying that the electronic record is going to be the official record and the paper secondary but it’s hard for law firms to do that because the paper in many cases is the primary record and continues to be as you go to court,” says Felsky.
Some judges are not happy with the situation. Last September, Ontario Superior Court Justice D.M. Brown criticized in DBDC Spadina Ltd. v. Walton, O.J. No. 4009 the requirement that parties file paper copies of materials in court as an “unnecessary cost,” and chastised the Ontario Court for its “failure to move into the digital age” and “the continued insistence that litigants deal with this Court through the dated and expensive medium of paper.” Many times, though, the culprit lies with law firms themselves. At times technologically savvy law firms want to forge ahead and do an entire case electronically but cannot because opposing counsel may not be set up to receive documents electronically or may feel that they are not sophisticated enough to manage the case that way.
More fundamentally, the nature of data still befuddles many law firms. Gone are the days when lawyers largely relied on manila folders and file cabinets to store documents, and protected sensitive information with a simple lock and a key, all of which was anchored by records management. Digital is an altogether different beast: it is interactive, programmable, and machine-readable only. Its sources are wide-ranging, and include electronic documents, social media, videos, voicemail, websites, and the Internet.
And in this era of BYOD, the number of sources continues to proliferate and can now include cell phones, smart phones, laptops, and tablets. The principles then behind records management, which are paper-based, simply cannot be applied to digital. Yet there are still many organizations that can boast of having very well-defined paper-based records management rules but do not have any rules that apply to their electronic records, says Felsky. That can lead to dire consequences, and transform what ought to be an asset into a liability. It can lead to the “very serious practical problem” of being unable to find records, or keeping records forever instead of destroying them when they should be destroyed, or destroying records when they should be kept, or mingling records that should be segregated, or segregating records that should be mingled. Keeping too much information, as far too many law firms do, can be decidedly impractical, expensive, and potentially embarrassing if there is information that can be harmful to the case. “It is a liability if it is not governed, if it’s not managed, and if it’s not recognized as an asset and treated as such,” says Felsky.
Legal observers are nevertheless convinced that law firms – large and small and solo practitioners – are at the very least starting to pay closer attention to information governance. Ironically, more and more law firms are advising clients over the merits of information governance. “Litigators within firms are very well versed with what can happen when client’s records are a big mess,” says Manning. “Whether or not that translates into law firms themselves have their records in good order is probably hit and miss.”
Some law firms, especially the bigger ones, no longer seem to have a choice. Major requests for proposals now on the street are taking into consideration whether law firms have in place information governance methodologies. Clients who anticipate they will be handing especially sensitive information to law firms “want a higher degree of assurance that it will be handled the right way” and are coming to the lawyer relationship with their own set of terms around privacy, encryption standards and technical safeguards, says a lawyer familiar with the information governance scene. “Increasingly, a law firm’s information management and governance obligations are based on demands passed down by clients,” says Sookman. “Clients now are becoming much more focused on ensuring that lawyers themselves live up to certain standards.” Friedman put it even more bluntly: “Law firms got to act first, or they are going to lose business as corporations get more sophisticated in what they need to protect their own customer data and proprietary information.”
Still, some firms and partners are resisting, some because they are set in their ways and refuse to let go of paper, while others simply do not want to invest the time, energy, and resources needed to implement information governance. “It really depends on the firm’s culture, the practice area, and how technologically savvy the lawyers themselves are,” says Nickle. “But that is a big challenge to a firm when some want to and others don’t because it makes it very difficult to develop consistent policies across the firm.”
There is no doubt, however, that growing numbers of law firms have taken the plunge, but few boast about it, if only because it is largely perceived to provide a competitive edge over rivals. But because of cultural, financial and technological impediments, the information governance programs in place at some law firms are not nearly as effective as they should be, says Jaar. He maintains that there are “so many lawyers” who refuse to pool their know-how in a document or knowledge management system and have no interest in pooling their contacts in a contact relationships management system because they feel it is their expertise and their clients. These law firms have “real good technology that they could leverage a lot more,” says Jaar. “So the IT investment has been made but the culture change has not yet happened, and the processes do not support a full information governance program. So it’s been fairly tough for them to move to an information-driven or data-driven organization.”
The other culprit is the billable hour model. A number of lawyers are reluctant to use technology to its full extent because it takes time to learn, and time spent absorbing the ins-and-outs of technology is not billable, which in turn means lower productivity and lower revenues. “That prevents law firms from truly engaging in information governance projects,” adds Jaar. He also holds that some law firms that have invested in the technology to support information governance fail to take into consideration that an effective information governance program requires an investment in setting up a structure and education and training. Technology represents about one-third of any investment in information governance, another third needs to be allocated to developing the governance to put in place policies and procedures, and the remaining third should go to changing the culture inside the firm through a communications strategy, and education and training. “Often, they are under the impression that if we buy this piece of software, we’re done when, in fact, it’s far from true,” says Jaar.
Yet through it all Jaar is optimistic that law firms will eventually embrace information governance. He shares the view espoused by others that information governance will be embedded into the firm’s business. Or as Taylor puts it, “We are going to continue to see it on the radar screen, and eventually having good control of your information will become sort of one of the givens of an organization just like the way organizations manage its finances, its human resources, and its capital assets.”
This story was originally published in the magazine Canadian Lawyer.