publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1188906
I L T A W H I T E P A P E R | I N F O R M A T I O N G O V E R N E N C E 57 Launching such a program requires the attention only a C-suite leader can garner when allocating resources and driving collaboration across practice areas. Identifying the steering committee, with defined roles and responsibilities follows. The committee should be comprised of a small group of representatives typically from Administration, IT/IS, RIM, HR, and General Counsel who will focus on driving results and ensuring the program remains on target. Develop an elevator pitch, onboarding literature, lunchroom posters, training specific to the audience, and ongoing refreshers. Think in terms of workplace safety programs and the ongoing effort involved. This is about shifting the workplace culture and how employees regard information assets. Policy Development IG policy is crucial in creating a defensible program, it's essential that firms have a formally adopted document they can reference in guiding user behavior. Once the steering committee is identified and engaged, a risk assessment should be performed to identify security gaps that help drive policy. Firms should determine whether ethical firewalls are in place, how personal smartphones are used in client communications, whether USB drives are encrypted or CD/DVDs password protected, and whether staff use unsanctioned cloud file share applications like Dropbox. For instance, are firm employees using network share drives for scratch work or are they using these as an alternative to saving files to the records management system? Does the firm have a means to wipe business data from personal smartphones when employment ends? Is confidential data stored – and forgotten – in cloud file share applications? Conducting end user focus group sessions is a great method to uncover unique ways in which staff operate. Once firms have a grasp of workflows - and workarounds – that staff employ, drafting IG policy can begin. Policy needs to address the handling of all file formats across all data locations. Physical records, e-mail, electronic files saved to network shares and the document management system (DMS), data tape back-ups and so on all need to be accounted for. Consider adopting a standardized naming convention to streamline file searches. What access restrictions will the firm apply to certain files? For instance, will everyone have access to all client/matter files in the DMS? Who will have access to personnel files, firm budgeting files, documents that outline the firm's growth strate? How will this be monitored going forward to ensure staff who transition from one administrative role to another, or who transition from one attorney team to another have appropriate access rights? An audit schedule is an important inclusion in IG policy to identify and close gaps while highlighting training opportunities. Consider policy carveouts for unique situations, such as those that exist with Wills, Trusts & Estates. It is critical not to make exceptions outside those specified in IG policy in order to maintain a defensible program. Also consider incorporating into client engagement letters options for handling all physical and electronic records - the burden of hosting terabytes of client data shouldn't fall on the firm. Bear in mind that records "disposition" is not always synonymous with "destruction". Returning client records at the end of the retention period is an appropriate means of disposition, as is destroying attorney notes and firm billing records on the same matter at end of life. Both means of disposition should be called out in the policy document as well as end of life options incorporated into client engagement letters. Retention Schedule – Electronic and physical. Address "data is cheap" Once the policy framework is in place, the retention schedule now has a place to call home. Firms should consider the trigger event that starts the retention clock. This is typically matter closing, but when exactly does this occur – once final judgement is reached in a case or when billing is closed in the firm's accounting system? If the latter, how will you handle situations where matters aren't closed according to policy and remain unnecessarily open for years on end? This may require callout in your policy. Also bear in mind when a retention schedule calls for the disposition of records, this accounts for all forms of records, physical and electronic, regardless of storage location. Imaging file boxes to be kept indefinitely so that physical records can be shred is not C H - C H - C H - C H A N G E S : I G S A Y S I T ' S T I M E T O M A K E A C H A N G E . B U T H O W ?