The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/34686
Risk: loss by firm vendors Risk: Completeness of Record To provide legal advice competently, lawyers rely on the complete and up-to-date record of the matter; hence, the driving need for processes and tools that support access to and life cycle management of information. From the moment a matter is opened: Breaches and losses of information by the firm’s third- party providers are, unfortunately, frequent headline- makers. Considerations include: • Up-to-date inventory of vendors who hold the firm’s information and the information each vendor holds • Repositories must be in place to store, organize, protect materials as created or received • Materials must be classified by client-matter number • 24/7 access must be available via firm and personal resources • Information-use policies must be in place to prevent the proliferation of unclassified information, ensure the protection of confidential information, and govern the appropriate destruction of obsolete information Alas, there is no “silver bullet” system for information life cycle management; today it comprises automated new business intake to establish client-matter IDs associated with the electronic repositories; document management, which when broadly focused, is the repository that houses all matter-related information (including email and attachments and transacted/filed documents); records management, which tracks information retention periods and disposition events; and email archives, which house aged, unclassified email. • Assure vendor data privacy obligations comply with firm policies and client obligations • Verify actual scope and applicability of vendor security claims, such as ISO 27001 or SAS 70 Peer to Peer the quarterly magazine of ILTA 33 Risk: Retention and disposal The corollary to the need for a complete record is that the value of information also expires and that overlong retention is costly to store, manage, and protect; interferes with efficient access to relevant information; and adds to the risk that it will be subject to legal hold and production. To be defensible, the rules governing the retention and disposition of information must be reasonable and the actions taken must be consistent, done in good faith, and without a duty to preserve at the time of the disposition. Considerations include: • Records policy that establishes the accountabilities for records and information management • Retention schedules based on laws, regulations and bar opinions • Records management system to apply retention periods and disposition triggers consistently • Legal hold system to prevent the disposition of information while there is a duty to preserve • Destruction processes that preserve confidentiality and document the action Risk: loss by firm employees Inadvertent data losses by firm employees are believed to be the most common actual breaches of data confidentiality. Considerations include: • Encryption of firm-provided portable PC hard drives and USB thumb drives (and detection of non-standard devices) • Capability to encrypt email from Outlook before sending • Policy prohibiting use of personal email accounts to transmit firm information (and subsequent blocking) • Passwords and remote deletion/wipe capabilities for all PDAs