The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/411912
governance strategy. To get lawyers and staff to embody these policies in their actions and habits, Rudy spends a lot of his time marketing information governance throughout the firm. His experience has shown that the following rules of thumb help encourage interest and adoption:

• Encourage Practice Group Leaders To Be Your Diplomats: Practice group leaders (PGLs) have close contact with the members of their groups, not only serving a management function, but also acting as trusted advisors and business partners. Set regular meetings with PGLs to update them on risks and policies, and have them help achieve compliance on their teams.

• Configure Systems To Communicate Information Security Requirements: Users tend to forget security and compliance lessons they learn during one-time training sessions. Send automatic notifications regularly to remind users of key risks. Make it hard for lawyers and staff not to comply with policies, for example by setting rules under which documents that are not filed properly are deleted after 90 days.

• Highlight Cost Savings and Efficiency Gains: Activity-monitoring investigations often reveal highly inefficient work habits that could be amended to conform to good governance standards. A strong security program provides firms with a competitive advantage and can reduce professional liability insurance rates.

• Train the Things You Can't Control: As data proliferates across devices, the risk of lost information rises and executing enterprise governance programs becomes more difficult. Security stakeholders must accept that their programs will never be foolproof and train users regularly on risks.

• Reference Peer Practices: Few firms want to be the first to try something, but no firm wants to be the last. If management views security as the new standard of care enforced by peers, they will readily endorse your initiative.
Communities like the ILTA LegalSEC group are a great resource for gathering data about security practices at other firms.

An extensive, reasonable and thorough security policy is useless unless your lawyers and staff adopt it. IT professionals should therefore engage in some basic sales and marketing techniques to drive interest and continued success.

THE HYBRID SECURITY MODEL

"Laws too gentle are seldom obeyed; too severe, seldom executed." — Poor Richard's Almanack

One core security practice sparking debate is how firms should secure content in their document management systems and other information repositories (such as file shares or SharePoint). In the former perimeter-based model, firms often granted lawyers and staff open-by-default access to client information, erecting ethical walls when needed to comply with professional responsibility requirements. Today, firms must address increasingly stringent client and regulatory requirements, which often require adopting the "minimum necessary" approach endorsed by regulatory rules like HIPAA and enforced by most financial services clients.

To secure sensitive information at scale, many firms are now considering a move to a closed system, where each matter is locked down to the respective matter team. However, the cultural and administrative shift required to move to a closed system is so steep that it can render the approach unfeasible in some firms. Security stakeholders must chart a compromise, finding a way to integrate access controls with business requirements so the firm can improve its security posture without frustrating business owners and lawyers. Fortunately, firms can approach access controls creatively and find a middle ground.
Here are some best practices firms can use to develop a hybrid approach:

• Secure Small Quantities of Regulated Information at the Document Level: The 2013 HIPAA Omnibus Rule requires that law firms secure protected health information (PHI) acquired via defense work on behalf of a covered entity (an organization like a hospital, insurance provider or health clearinghouse). As this information often appears in only a few documents per matter, firms can apply security only to those regulated documents, leaving the rest of the matter content open for knowledge management and sharing. Lawyers working with PHI should be trained on their obligations.

• Secure Sensitive Client Information at the Matter Level or with Client Subgroups: Firms often represent large institutions in multiple types of matters with varying degrees of sensitivity. Granting access to all lawyers and staff working on a client's matters rarely meets client demands regarding sensitivity. Firms should tag sensitive client matters at new business intake and apply more stringent controls for those matters, including monitoring

About the Authors

Mohit Thawani, Vice President of the Information Security Practice Group at Intapp, focuses on enabling organizations to address their client confidentiality management obligations mandated by professional rules, clients or external regulations. Mohit has over 20 years of experience in the legal industry. Contact him at mohit.thawani@intapp.com.