Information Governance: Taming a world of chaos

It appears to have become the new norm. Not a week seems to go by without a report about a data breach. America’s largest bank, JP Morgan Chase, is the latest high-profile victim, and it is still reeling from this summer’s cyber attack that compromised the accounts of 76 million households — the equivalent of 65% of all U.S. households — and seven million businesses. Law firms are far from immune. An American multi-state criminal firm discreetly filed a report in late June with California authorities, the first U.S. state to adopt data breach notification legislation, after a hard drive containing backup files for one of the firm’s servers was stolen from the locked trunk of an employee’s vehicle.

Closer to home, hackers three years ago compromised the security of seven major Canadian law firms involved in BHP Billiton’s proposed takeover of Saskatchewan’s Potash Corp. All told, 15 per cent of U.S. law firms experienced a security breach in 2012, either through hackers, a break-in, a website exploit, or a lost or stolen computer or smartphone, according to the 2013 American Bar Association Legal Technology Survey Report. In Canada it’s likely more of the same. Thousands of attempts to breach Ontario law firm systems were likely made last year, and most probably, some succeeded. “But we will likely never hear about them because firms that experience breaches usually try to keep their names out of the news,” points out Dan Pinnington, vice president, claims prevention and stakeholder relations at LawPRO.

Almost overnight, cyber security has gone from a niche information technology issue to an explosive consumer issue to a top-of-mind business issue that is increasingly becoming a boardroom priority. None of which is surprising. Information is the lifeblood of modern business, and data is its new currency. Indeed, a report by the World Economic Forum goes further and describes data as a new asset class and personal data as “the new oil.” “It’s an asset that has value and therefore it needs to be governed in the same way that we look at our assets like our people, our equipment, and our money,” says Martin Felsky, the national e-discovery counsel at Borden Ladner Gervais LLP in Toronto. But the mounting spate of high-profile data security breaches, along with rampant identity theft and a general lack of transparency in how personal data is monetized, is threatening to undermine the digital economy, adds the international think-tank.

Information security and risk management, however, are complicated by the staggering amount of data generated by the average business today. Indeed, the digital universe is doubling in size every two years, according to global market intelligence firm International Data Corp. What’s more, 90 per cent of the data in the world today was created in the last two years alone, and it has been estimated that more information is being generated now every two days than was from the dawn of civilization until 2003. With law firms, it’s even more problematic because they have to deal with their own business information and the client’s information, which is of course subject to confidentiality and solicitor-client privilege provisions. “There is no doubt that law firms are huge repositories of information,” says Barry Sookman, a senior partner and former chair of the technology law group with McCarthy Tétrault LLP in Toronto. “Depending on the areas of practice, they are collecting information, they are generating information, they are storing information. So in a sense information is our critical resource, and it necessarily has to be managed.”

Thanks to the alarming surge of breaches and the inconceivable reams of data, clients are increasingly pressing for, and in many cases demanding, higher standards for how outside counsel secure their data and manage access to it. A growing number of law firms determined to keep pace with the new challenges created by mounting security requirements and the data deluge are tackling the issues through a different prism, and turning their attention towards becoming shepherds of all the information in their hands by embracing a relatively new approach — information governance.

Up until recently known generally within narrow technical circles, the enterprise-wide approach to the management and protection of a law firm’s client and business information assets has gained increasing attention, especially over the past year. It is a business process that covers the management of all facets of information during its lifecycle, from its creation, use, processing, protection, management, all the way to its disposition.

Information governance is much more than electronic records management on steroids. It encompasses data security, electronic discovery requirements, storage optimization, and privacy — and tries to foster efficient and appropriate data management that enables defensible disposal by effectively aligning information value to information cost. “Information governance basically describes how organizations can better manage their information, their data, their knowledge, all of the things that in the world today are really how we work in the business world,” says Kathryn Manning, legal counsel at Wortzmans, a Toronto law firm that provides legal advice to law firms, corporations and government regarding e-discovery, litigation readiness, information governance and privacy law.

Proponents maintain that it can mitigate law firms’ risk of security breaches, add efficiencies to search and retrieval processes, and lead to operational efficiencies through cost savings in areas ranging from discovery to litigation to human resources. “Absolutely no question data security and privacy compliance and litigation readiness are all improved as you improve information governance because the specialists who concern themselves with information are all assessing what information you have, where and how it is kept, who has access to it, and how are you going to try and protect it, and ensure that you have continuity so disaster recovery,” asserts Kelly Friedman, a partner with Davis LLP who has expertise in electronic information issues.

Many law offices typically maintain a number of departments, such as information technology (IT), data security, records and information management (RIM), and privacy, all of which play a role in managing the organization’s information. But the siloed approach is inefficient and fraught with limitations. Often, each department has its own policies and procedures, disparate data systems and applications, and even its own vocabulary even though they may share the same words. It’s far from unusual to end up with cases where the IT department puts its foot down and establishes email account volume limits to relieve stress on the organization’s email system only for personnel to move email to local drives and devices, which in turn can increase data security exposure and make it difficult to find and preserve emails for litigation. Or the organization allows the use of laptops and smart phones under a Bring-Your-Own-Device program to increase convenience and efficiency, without establishing clear parameters – a situation that again can lead to the same headaches in addition to making it more challenging to apply records retention policies. “What I hear when I have gone in law firms is different people do things in different ways so it’s tough on the staff because one department stores their documents one way, and a different department in a different way,” says Susan Nickle, general counsel at London Health Sciences Centre and former partner at Wortzmans.

What’s more, those within particular silos are constrained by the culture, knowledge, and short-term goals of their business unit, administrative function, or discipline, notes a report by The Sedona Conference Working Group on information governance. Under the siloed approach, there is an absence of overall governance or coordination for managing information as an asset, and no roadmap for the current and future use of information technology, adds the Sedona report. “We started down the road of electronic files kind of almost an ad hoc basis, without any planning and without thinking about the future and without thinking about the importance that these systems would eventually have,” notes Felsky, whose practice is dedicated to information governance. “We have completely moved away from our traditional records management processes and we have been in a new world for some time, and it’s a world of chaos.”

Information governance sets out to put some order to the disarray. It emphasizes a culture of collaboration between different departments of information-focused disciplines to make coordinated decisions about governing information for the benefit of the overall organization as opposed to a particular department or discipline. “You need all of these people – IT, RIM, security and privacy – at the table to make decisions that align everyone’s interests and everyone’s own agenda to be able to achieve anything,” says Dominic Jaar, national practice leader of information management services with KPMG LLP (Canada).

Senior leadership and oversight are key, otherwise the whole exercise is bound to fail. Senior management not only has to endorse the importance of information governance to the entire organization, it has to adopt the strategic objectives of the program, provide appropriate resources, and establish accountability for meeting program expectations and for establishing the organization’s strategic objectives for information governance. “Senior management really do have to believe in what will be done, why it will be done, and how it will be done,” says Sheila Taylor, CEO of Ergo Information Management Consulting. “Sometimes management is not as enlightened as they ideally should be or they view this as something that just employees have to do. They all have to buy it, otherwise why would the average employee pay attention to it.”

The path to information governance is laden with even more awkward and complex challenges for law firms. To begin with, the legal profession is still paper-intensive, due to a large extent to the court system’s reliance on paper. “Some businesses can say we’re going to go all digital, and law firms might wish to do that and should in terms of information governance and make the transition by saying that the electronic record is going to be the official record and the paper secondary but it’s hard for law firms to do that because the paper in many cases is the primary record and continues to be as you go to court,” says Felsky.

Some judges are not happy with the situation. Last September, Ontario Superior Court Justice D.M. Brown criticized in DBDC Spadina Ltd. v. Walton, [2014] O.J. No. 4009 the requirement that parties file paper copies of materials in court as an “unnecessary cost,” and chastised the Ontario Court for its “failure to move into the digital age” and “the continued insistence that litigants deal with this Court through the dated and expensive medium of paper.” Many times, though, the fault lies with law firms themselves. At times technologically savvy law firms want to forge ahead and do an entire case electronically but cannot because opposing counsel may not be set up to receive documents electronically or may feel that they are not sophisticated enough to manage the case that way.

More fundamentally, the nature of data still befuddles many law firms. Gone are the days when lawyers largely relied on manila folders and file cabinets to store documents, and protected sensitive information with a simple lock and a key, all of which was anchored by records management. Digital is an altogether different beast: it is interactive, programmable, and machine-readable only. Its sources are wide-ranging, and include electronic documents, social media, videos, voicemail, websites, and the Internet.

And in this era of BYOD, the number of sources continues to proliferate and can now include cell phones, smart phones, laptops, and tablets. The principles then behind records management, which are paper-based, simply cannot be applied to digital. Yet there are still many organizations that can boast of having very well-defined paper-based records management rules who do not have any rules that apply to their electronic records, says Felsky. That can lead to dire consequences, and transform what ought to be an asset into a liability. It can lead to the “very serious practical problem” of being unable to find records, or keeping records forever instead of destroying them when they should be destroyed, or destroying records when they should be kept, or mingling records that should be segregated, or segregating records that should be mingled. Keeping too much information, as far too many law firms do, can be decidedly impractical, expensive, and potentially embarrassing if there is information that can be harmful to the case. “It is a liability if it is not governed, if it’s not managed, and if it’s not recognized as an asset and treated as such,” says Felsky.

Legal observers are nevertheless convinced that law firms — large and small and solo practitioners – are at the very least starting to pay closer attention to information governance. Ironically, more and more law firms are advising clients on the merits of information governance. “Litigators within firms are very well versed with what can happen when client’s records are a big mess,” says Manning. “Whether or not that translates into law firms themselves have their records in good order is probably hit and miss.”

Some law firms, especially the bigger ones, no longer seem to have a choice. Major requests for proposals now on the street are taking into consideration whether law firms have in place information governance methodologies. Clients who anticipate they will be handing especially sensitive information to law firms “want a higher degree of assurance that it will be handled the right way” and are coming to the lawyer relationship with their own set of terms around privacy, encryption standards and technical safeguards, says a lawyer familiar with the information governance scene. “Increasingly, a law firm’s information management and governance obligations are based on demands passed down by clients,” says Sookman. “Clients now are becoming much more focused on ensuring that lawyers themselves live up to certain standards.” Friedman put it even more bluntly: “Law firms got to act first, or they are going to lose business as corporations get more sophisticated in what they need to protect their own customer data and proprietary information.”

It remains though that some firms and partners are resisting, some because they are set in their ways and refuse to let go of paper while others simply do not want to invest the time, energy, and resources needed to implement information governance. “It really depends on the firm’s culture, the practice area, and how technologically savvy the lawyers themselves are,” says Nickle. “But that is a big challenge to a firm when some want to and others don’t because it makes it very difficult to develop consistent policies across the firm.”

There is no doubt however that growing numbers of law firms have taken the plunge but few boast about it, if only because it is largely perceived to provide a competitive edge over its rivals. But because of cultural, financial and technological impediments, the information governance programs in place at some law firms are not nearly as effective as they should be, says Jaar. He maintains that there are “so many lawyers” who refuse to pool their know-how in a document or knowledge management system and have no interest in pooling their contacts in a contact relationships management system because they feel it is their expertise and their clients. These law firms have “real good technology that they could leverage a lot more,” says Jaar. “So the IT investment has been made but the culture change has not yet happened, and the processes do not support a full information governance program. So it’s been fairly tough for them to move to an information-driven or data-driven organization.”

The other culprit is the billable hour model. A number of lawyers are reluctant to use technology to its full extent because it takes time to learn, and time spent absorbing the ins-and-outs of technology is not billable, which in turn means lower productivity and lower revenues. “That prevents law firms from truly engaging in information governance projects,” adds Jaar. He also holds that some law firms who have invested in the technology to support information governance fail to take into consideration that an effective information governance program requires an investment in setting up a structure and education and training. Technology represents about one-third of any investment in information governance, another third needs to be allocated to developing the governance to put in place policies and procedures, and the remaining third should go to changing the culture inside the firm through a communications strategy, and education and training. “Often, they are under the impression that if we buy this piece of software, we’re done when, in fact, it’s far from true,” says Jaar.

Yet through it all Jaar is optimistic that law firms will eventually embrace information governance. He shares the view espoused by others that information governance will be embedded into the firm’s business. Or as Taylor puts it, “We are going to continue to see it on the radar screen, and eventually having good control of your information will become sort of one of the givens of an organization just like the way organizations manage its finances, its human resources, and its capital assets.”

This story was originally published in the magazine Canadian Lawyer.

Risk management advisors must be registered with the provincial securities regulator, says court

Independent risk management advisors must be registered with the provincial securities regulator in order to carry on advisory activities related to insurance product offerings, following a precedent-setting ruling by the Court of Quebec that is being hailed as a victory for Quebec consumers by insurance and legal experts.

Up until the ruling, Quebec consumers had no recourse against risk management advisors because they operated outside the scope of An Act respecting the distribution of financial products and services (Act) thanks to a loophole in the law.

“This ruling sheds light on what has been considered to be a grey zone,” noted Sylvain Théberge, a spokesman with the Autorité des marchés financiers (AMF), the regulatory and oversight body for Québec’s financial sector. “It’s not because you are an unregistered risk management advisor that the repercussions of the advice being offered will have less of an impact than a consultant who is duly registered. The ruling clearly states that by the very nature of their work these consultants must be duly registered.”

Independent risk management advisors, also known as damage insurance consultants, tend to be hired on a project or retainer basis to help assess and identify risks associated with insurance policies as well as assist with negotiations with insurance brokers. They do not sell insurance, and hence do not receive commissions. The potential gain or loss of commission income does not enter into the decision-making process, which ostensibly eliminates potential conflict of interest. There are no hard figures on how many damage insurance consultants operate in Quebec. But at least one organization encouraged members to use their services. The Union of Quebec Municipalities, which has represented municipalities of every size and in every region of Quebec since its founding in 1919, required its members to hire risk management advisors who were not brokers, agents or insurance representatives.

But in March 2012, after repeated warnings fell on deaf ears, the AMF charged a numbered company operated by damage insurance consultant Claude Descheneaux with three counts of carrying out activities reserved for registered firms and representatives.

Descheneaux argued that there is no mention in the Act that risk management advising is a profession reserved for brokers, representatives or firms that sell damage insurance. He also noted that Article 6 of the Act states that a damage insurance broker is a natural person who offers a range of damage insurance products from several insurers directly to the public, or who offers damage insurance products from one or more insurers to a firm, an independent representative or an independent partnership. Damage insurance consultants, however, do not offer insurance products and therefore could not have infringed the Act, asserted Descheneaux.

Court of Quebec Justice Monique Perron dismissed his arguments. Justice Perron pointed out that the Act is a law of public order that strives to protect consumers, and it imposes duties and responsibilities on natural or legal persons who offer damage insurance products. Justice Perron added that if the legislator wanted to limit the reach of Article 6 of the Act only to representatives who have the “capacity to sell products,” it would have chosen the expression sell rather than offer. “By using the word offer, the legislator wanted to regulate the greatest number of activities relating to insurance products,” said Justice Perron in her 23-page ruling. She also noted that Article 6 of the Act specifically states that a damage insurance broker also acts as an advisor in damage insurance.

“Whether or not the counsellor sells insurance products, the counsellor plays a role well beyond that of someone who informs a person,” said Justice Perron in Autorité des marchés financiers c. 9111-3258 Québec inc. 2013 QCCQ 13994. “The doctrine in insurance law underlines that a counsellor is an essential actor who guides clients for the best possible coverage… They influence the decision taken by a client to choose one protection over another. After all, the insured consult them to obtain their opinion.”

Justice Perron also pointed out that the simple fact that a risk management advisor does not receive commissions is not a gauge of his competence but is “strictly a guarantee of his independence.” She added that the legislator had no intention of prohibiting clients from using the services provided by damage insurance consultants but only that they be regulated by the AMF.

“This is a case where there was a loophole that was exploited by people who did not want to be registered under the guise of being independent,” said Jean Mathieu Potvin, an in-house counsel with La Capitale assurances générales inc. who is also the secretary and treasurer of the Corporation des assureurs directs de dommages du Québec, an industry group representing the Quebec damage insurance industry. “What’s interesting about the ruling is that it states unequivocally that offering advice does not necessarily encompass selling. Whether there is a sale or not, if the advice is inadequate and the consumer suffered harm, the consumer must be protected.”

Yvan Paradis, a lawyer based in the Laurentians who unsuccessfully represented Descheneaux, has a completely different take on the ruling. Paradis, who has in the past worked as a consultant in the former incarnation of the AMF, believes that the ruling may have closed a loophole in the Act but does not respond to the needs of the marketplace. Small businesses and municipalities will be particularly hard hit by this ruling because they cannot afford to hire a full-time risk management advisor to advise them on damage insurance.

“Insurance representatives and brokers may have a permit but they do not have the experience or expertise in providing advice on damage insurance, especially when risks are complex as is often the case in commercial matters,” said Paradis. “The solution to the problem would be for the government to oblige people who are giving advice over damage insurance to receive training, but that is going nowhere.”

Ironically, says Paradis, the ruling may put into jeopardy the protection of the public. By allowing consultants to be able to offer insurance products and receive a commission, it “considerably modifies his role. He will no longer be independent, and may possibly lose his objectivity as there is a personal interest involved, that is, the commission he may receive. The conflict of interest is evident,” said Paradis.

Descheneaux, who received a certificate from the AMF as a broker in damage insurance in July 2012, was found guilty of the three charges laid against him by Quebec’s financial watchdog.

Doing business in China – With rewards comes risks

When Montreal toy maker Mega Brands Inc. was awarded $1.3 million by Quebec Superior Court following a legal tussle with a Chinese supplier, it highlighted the perils of doing business abroad but also underscored the value of putting to paper a comprehensive, detailed and binding contract that clearly spells out the obligations of each party.

Keen to strengthen ties with the world’s fastest-growing economic juggernaut, Canadian businesses all too often gloss over the risks and exposure of doing business with Chinese suppliers. Risk management is frequently eschewed, due diligence shirked, and contracts inadequately drafted.

“What is so surprising is that in Canada even small business would not conceive of entering into a relationship without having a contract, yet when we go into China we lose our minds and don’t undertake the due diligence because we are so eager to have the business relationship,” observed Cyndee Todgham Cherniak, a leading lawyer in international trade.

Yet taking steps to mitigate risks makes sound business sense, particularly since the potential for disputes arising in fast-paced and emerging markets such as China is high due to distance, cultural and language differences, added Cherniak, who represented the Government of China, Chinese associations and exporters in three of the first four anti-dumping and countervailing duty cases against China.

A case in point is the Mega Brands case. When Blue Box International Ltd., a Hong-Kong-based toy manufacturer with several plants in China, sued Mega Brands for failing to pay for product that had been delivered, the Canadian firm successfully argued that the Chinese supplier failed to fill orders that led to lost sales during the 2004 holiday season. Indeed, its case hinged on the contract it signed with the Chinese supplier. In the end, Justice Claudine Roy ruled that Mega Brands suffered $1.34 million in lost profits on more than 95,000 units Blue Box failed to deliver but ordered the Montreal toy company to pay $420,000 for product that was delivered. (Blue Box has filed leave to appeal before the Quebec Court of Appeal. The case is expected to be heard sometime next year.)

“This was a contractual claim,” said Peter Kalichman, of Irving Mitchell Kalichman of Montreal, who represented Mega Brands. “The two parties contracted, had an agreement on how product was to be manufactured, how much, when it was to be delivered – and one of the parties failed to fulfill its obligations.”

While not necessarily the exception, the solid contract Mega Brands had with its Chinese suppliers is far from the norm. Though there is an “increasing awareness of the critical nature of good contracts,” many Canadian firms still rely on poorly-drafted contracts or even on the printed terms of their invoices, which can be exceedingly difficult to prove are part of the contract, notes James Klotz, co-chair of the international business transactions group at Miller Thomson LLP in Toronto.

“The best reason why you have a contract is so that everybody understands what everybody is supposed to be doing,” said Klotz, who has written several books on international business law for both lawyers and business persons. “The more you spell it out, the less likely there is going to be a dispute. That means that longer contracts are called for. Unfortunately in those countries, longer contracts are typically not the norm. And quite frankly, Canadian companies don’t necessarily like long contracts either. They’re expensive.”

It may be tempting to require offshore manufacturers to enter into formal contracts containing provisions such as proof of insurance, exclusive jurisdiction and choice of law clauses in order to protect the purchaser, but it may not always be the most judicious course to take.

Canadian firms that rely on Chinese firms to ship goods into Canada should have proof of insurance clauses, which require the Chinese business to prove that it has proper liability insurance, with adequate limits, said Cherniak. But a growing number of Canadian companies are preferring to receive goods freight on board or at the Chinese factory gate, in which case the Canadian firm is responsible for the insurance coverage, because if anything happens to the goods “they’re the ones who have the direct relationship with the insurance company,” added Cherniak.

The same holds true for exclusive jurisdiction and choice of law clauses. It may be appealing to include provisions that would make Canadian courts the exclusive forum for resolving disputes under the contract, but it may not be the strongest remedy. Even if the Canadian plaintiff is awarded judgment on Canadian soil, there is the sticky issue of how to enforce the award, particularly if the Chinese supplier does not have any assets in Canada.

“It all depends on how the supplier sees their prospects of doing business in Canada,” said Klotz, who represents Canadian and multinational enterprises in all areas related to international business transactions. “If the Canadian business is not that important to them, they may take the position of come and get us if you can. But that’s not an uncommon response in lesser developed countries.”

A more astute posture would be to examine all of one’s options, said Cherniak. In some cases, it would be shrewder to try and resolve the dispute before Chinese courts, in others before an arbitrator, and yet others to try and seek “a wise old sage” respected by the Chinese supplier to help to solve the problem.

“Canadian companies need to understand that the way of doing business is different in China,” said Cherniak, who also provides advice to Canadian companies doing business in China or with Chinese companies. “Canadian companies need to do their due diligence. We’re at a point in time where you shouldn’t just see the dollar sign. There should be additional steps taken to make sure that this is done properly.”