Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1508143
57 I L T A N E T . O R G Hockey explains that the information governance policy exists to establish the fundamental high-level principles of IG at the firm, set responsibilities and reporting guidelines for committee members and other personnel, and to provide a framework for IG across the firm. It also references the key components of IG, which include matter lifecycle management, information security and incident management, technology and data governance, IG awareness and education, and privacy and regulatory compliance. Each of these in turn may well merit its own policy. Hockey says it's also important to develop a data governance policy that looks at data classification systems, tagging and metadata. He also notes that to some degree the information governance policy he drafted was aspirational. "It's consciously meant to be kind of future thinking, in terms of what is the ideal state. This policy represents our ideal set-up and configuration, and how we're going to get there. I really wanted to leave room for us to grow into the policy we were creating." Once drafted, it was reviewed by the CIO and sent out for a further review to a third-party Chief Information Security Officer (CISO) with lots of IG policy experience. She mainly checked if anything was missing, not clear, or redundant, e.g. covered by another policy. Then other members of the administrative team had sight of the policy before it went forward to the steering committee (see below). This sequencing is because, notes Hockey, "We really wanted to make sure that we were uncovering any potential pitfalls ahead of time. We wanted to understand what might cause consternation with the end users that ultimately we're trying to affect change with. Not necessarily to remove those issues but to at least be in a position to be upfront and say, 'We understand this might be alarming, or maybe it's not what you're used to doing, but here is why we've put it in the policy.'" Steering a path Thereafter, the linchpin of the firm's successful IG strategy was the firm's monthly Privacy and Security Committee on which there were 12 members, including the COO and the General Counsel. The other members represented the different practice groups across the firm. They came from different levels and locations, and included some more senior members, some associates and generally one or two summer clerks. This core was refreshed every January to ensure a continual infusion of new blood. Including lawyers from different practice groups and levels was key. "What we were trying to do," Hockey explains, "is to make change happen with the attorneys. If we could get the representative attorneys on the committee behind our ideas and efforts and really explain the challenges to them, it's much easier for change to happen because they will take it to their peers. It's coming from attorneys not some guy higher up. It has a bigger impact." Rolling an information governance policy out The committee's formal role was to approve and sign off on all the related IG policies. Policy enactment is largely controlled by processes and procedures. Hockey tried to keep committee members out of the weeds to some degree when it came to procedures. His tactic was to identify ahead of time those procedures that needed to be brought to the group that might cause consternation and on which there might be some pushback. "We brought these to the group to say: 'This is what we are proposing, I need your help in backing us up on this and helping us communicate it out.' It's not every procedure, but we identify the key procedures that we know are going to cause some issues." Aside from their formal role, then, when it comes to rolling IG policy out into the wider business, steering committee members also acted as emissaries and