The quarterly publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/80353
• File-Sharing Mechanisms. Our attorneys ask for them, and clients want us to use them. A multitude of products exist for sharing files. Some of the benefits of these solutions are easy account creation/maintenance, notifications of file uploads/downloads and overall ease of use. However, with the benefits come great challenges, as we continue to strive to accommodate ethical and legal responsibilities when maintaining our clients' files.

• Mobile Device Management Options. We are now a truly mobile workforce. Attorneys are working from everywhere, all the time. Information is stored on these devices at a growing rate, and it must be secured and managed. BYOD is the acronym of the day — it cannot be ignored, and neither can our responsibility for managing and securing the information on those devices appropriately. How information is stored, accessed and secured, as well as end-users' responsibilities for managing the information on these devices, are issues that our groups are addressing collaboratively.

• And Much More. Security is an ongoing obligation across the information lifecycle. We have a duty to protect client data and the firm's business records, and precautions taken by the security team lay a sound foundation for information management to provide assurances that data are managed with utmost care.

What's Next?

The collaboration between our information management and information security teams will continue well beyond the efforts we've already started. Our business requirements and client demands will change, and technology will change just as rapidly to accommodate them. We will ensure that policies and procedures are kept current and continue to reflect business processes, firm culture and risk tolerance. Our focus will extend beyond internal systems, since information must also be shared beyond the firm's firewalls.
The following upcoming projects will require that our security and information management teams maintain a close alliance:

• We recently obtained an ISO 27001 certification, requiring that we document, implement and follow our procedures rigorously. This certification will help ensure that we are meeting our clients' security needs while also implementing documented procedures. The ISO certification is as much about security as it is about process and policy. Our groups work together to ensure a cohesive solution that fits our firm's needs and puts us in the right position to maintain certification.

• We have the same challenges that many other firms do in adhering to privacy rules based on the type of data the firm handles for our clients. As a large firm with a multitude of clients, we maintain and process personally identifiable information (PII) so we must comply with HIPAA/HITECH regulations and Sarbanes-Oxley.

• We are embarking on a data loss prevention (DLP) project to add additional levels of security mechanisms to protect against leakage of sensitive data outside the firm. DLP is a very broad term and can apply to many systems across the enterprise. It helps you discover, monitor, protect and manage this confidential data. DLP can watch and protect data in file shares/SANs, endpoint devices, databases, instant messaging systems, corporate/personal email messages, Web servers, FTP sites and removable media. It can even protect data during copy and paste operations. The information management group is responsible for many aspects of this data, so teaming up with the security folks on this project was a foregone conclusion.

Like Churchill said, we can't shun our responsibilities today and hope that our data management problems will magically disappear. As protectors of the firm's data, our teams need to collaborate to ensure that our systems and policies protect our largest information asset – our data. As we've seen one too many times across diverse industries, a security incident can ruin an organization. It is the responsibility of our two groups to combine efforts and ensure that our policies, procedures and technologies work in unison to protect data without hindering the productivity of our staff and attorneys.

Leigh Isaacs, CIP is the Director of Records & Information Management at Orrick, Herrington & Sutcliffe LLP. She has over 25 years of combined legal and information management experience. Leigh's expertise includes deployment of enterprise programs; development of information management programs; on- and off-site storage considerations, including outsourcing, process improvements and the evaluation and implementation of technology solutions; and the disposition of information for dissolved entities. Leigh can be contacted at lisaacs@orrick.com.

Chuck Monfradi is the Manager of Solution Architecture and Security at Orrick, Herrington & Sutcliffe LLP. He has over seven years of experience in the legal field and has been working in information security for 15+ years. Chuck has a background focused on enterprise architecture, infrastructure operations, data centers, security, networking, telecommunications and Web development. He can be contacted at cmonfradi@orrick.com.