1. BEST
PRACTICES
Legal Information Risk
— Action Plan and Roadmap
A law firm has only a few principal assets: its reputation, its people, its relationships and the collective information for which it
is responsible. Ensuring the quality of this information and protecting it from risk is critical to a firm’s viability. While many share
responsibility for the quality of information, the CIO has the central role in handling risks that threaten its existence, accessibility,
and security. IT’s hardware, software and services, while complex and expensive, are simply the tools that help IT deliver on
these responsibilities. We have assembled an action plan for some of the considerations when addressing nine risks to law firm
information and a roadmap to outline key aspects of the expected future state. While not exhaustive, it is a useful guide for CIOs,
COOs and security directors when considering their firm’s priorities and risk tolerance.
action plan
Risk: Theft by External
Parties Risk: Theft by Internal
Security firms have conveyed that
law firms are easy Parties
targets for obtaining infor mation on law firm clients;
varsity team to break For collaboration, law firms trust
hackers might not even bring their their own employees and
in. Whether this situation drives law firms to third-party provide wide access once logged
onto the IT systems.
rity services or Headline events of associates sellin
providers of infrastructure and secu g firm information for
improves internal procedur es is yet to be seen; in any profit have not yet driven most firms
to change this model
responsibility that is (although a small number of firms
case, security know-how is an IT have done so). Firms
growing in importance. Con siderations include: can take more prudent steps and
better protect sensitive
information by moving to a “trus
t but verify” model.
rity specialist, including Considerations include:
Annual audit by third-party secu
penetration testing
Consistent, automated ethical walls
across major
itorin g of WAN and information systems (online acco
Expert (third-party or in-house) mon unting, business
intelligence reports, time entry,
firewall security incidents document management,
file shares, intranet and search resu
lts)
are patch
Mature (consistent and fresh) softw
ent procedures Private folders and need-to-know
managem project code names
for sensitive matters not subjecte
d to an ethical wall
ad and other PDAs
Secure client software for iPhone/iP
Rights management and/or encr
yption applied to very
g you know, sensitive client and firm documen
Two-factor authentication (somethin ts
logon
something you have) for network
Expiration dates on information,
e.g., the information
opriate complexity and is purged or access is denied after
Password policies to ensure appr a defined period of
al change time
occasion
and incident response Automated monitoring for extra
Clear information security design ordinary events (e.g.,
responsibilities, including appropriate training mass export or printing)
Secured screen savers and daily
log-out policies

2. Risk: loss by firm
vendors
cord
Risk: Completeness of Re Breaches and losses of informati
on by the firm’s third-
ntly, lawyers rely on the complete party providers are, unfortunately
To provide legal advice compete , frequent headline-
er; hence, the driving need makers. Considerations include:
and up-to-date record of the matt cycle
for processes and tool s that support access to and life
the moment a matter is opened: Up-to-date inventory of vendors
management of information. From who hold the firm’s
information and the information
each vendor holds
store, organize, protect materials
Repositories must be in place to
Assure vendor data privacy oblig
as created or received ations comply with firm
policies and client obligations
t-matter number
Materials must be classified by clien
Verify actual scope and applicab
ility of vendor security
firm and personal resources claims, such as ISO 27001 or SAS
24/7 access must be available via 70
in place to prevent the
Information-use policies must be
mation, ensure the protection of
proliferation of unclassified infor destruction
confidential informati on, and govern the appropriate
of obsolete information
m for information life
Alas, there is no “silver bullet” syste business
cycle management; today it comprises automated new
IDs associated with the electronic
intake to establish client-matter
ent, which when broadly focused,
repositories; document managem Risk: Re
matter-related information tentio
is the repository that houses all documents); n and
(including email and attachments and transacted/filed The corolla disposa
s information retention periods ry to the n l
records management, which track the value eed for a
il archives, which house aged, of inform complete
and disposition events; and ema retention ation also
expires an
record is
that
is costly to d that ove
unclassified email. with effici store, ma
nage, and rlong
ent access protect; in
the risk th to relevan terferes
at it will b t informati
To be defe e subject on; and a
nsible, th to legal h dds to
dispositio e rules go old and p
n of inform vern roduction
actions ta ation must ing the retention a .
ken must be reason nd
without a be consist able and
duty to p ent, done the
Considera reserve at in good fa
tions inclu the time o ith, and
de: f the disp
m osition.
y fir
: lo ss b Records p
records a
olicy that
establishe
Risk yees elieve
d nd inform
ation man
s the acco
untabilitie
lo are b agement s for
emp emplo
yees
ata
Retention
schedules
rm of d
s by fi l breaches opinions based on
laws, regu
losse
t data n actua clude: lations an
d bar
erten mmo in
Inadv e most co iderations drive
s Records m
th ns hard rd anageme
to be ntiality. Co rtab le PC
on-s tanda and dispo
sition trig
nt system
to apply re
co nfide ovid ed po ction of n gers consi tention p
eriods
rm-pr dete stently
n of fi rives (and Legal hold
yptio
Encr B thumb d system to
prevent th
fore informatio
and U )
S ok be n while th e dispositi
Outlo ere is a d
uty to pre
on of
dev ices il from serve
t ema Destructio
ncryp nts to
n process
bilit y to e accou
documen
t the actio
es that pre
serve con
Capa email t blocking
) n fidentialit
g nal y and
s endin of perso bsequen
g use nd su r all
hibitin mation (a ies fo
y pro r abilit
Polic info e cap
it firm tion/w
ip
transm e dele
emot
and r
ords
Passw
PDAs

3. BEST
PRACTICES
Risk: Re
gul
Non-Com atory
pliance
Law firms
are relative
the roles, ly new to
education regulatory
Risk: Breach of Ethical Considera
tions inclu
and proce
de:
sses are st
controls,
ill develop
so
ing.
Obligations C-level kn
owledge
confidentiality to their HIPAA/HIT of the firm
Lawyers have duties of loyalty and and ITAR,
ECH, state ’s obligati
privacy la ons unde
clients. In today’s vola tile market, lawyers are moving as well as ws, EU Da r
clients, su regulation ta Protect
rapidity. While the 2009 s affecting ive
from firm to firm with increasing ch as the
Graham-L the firm’s
changes to ABA Mod el Rule of Professional Conduct each-Blile
y Act
est: General Rule, Inventory
1.10, Imputation of Conflicts of Inter it obligation
of the firm
’s data su
makes it easier ethic ally for lawyers to change firms, s and the bject to th
e above
icts clearance, ethical well as an data it ho
lds on be
heightens the requirements for confl geograph
understan
ding of th half of clie
icit client consent. e flow of nts, as
screens, client notification and expl ic bounda
ries this data
of unauthorized across
All have implications for IT: ingestion Designati
information from later als, ethical screens over client- on of a da
ta privacy
of client instructions. officer
matter information and tracking Registrati
Considerations inclu de: on with n
on-U.S. d
ata prote
Regular co ction auth
orities
Lateral transfer processes their oblig
mmunica
tions to fi
ations and rm lawyers
occurs how to re and staff
identify ethical (and act if a risk on
Conflicts clearance processes to or breach
track them
busi ness) conflicts and databases to Intranet si
te that se
source fo rves as a
usive) r the firm’s complian
Matter screens (inclusive and excl lawyers a ce educati
onal
nd staff
Risk: loss of access
When lawyers and firm leadership lose access to firm information
(i.e., system downtime or disasters), it is among the highest profile
incidents for a CIO. Considerations include:
Ability to recover key business systems in less than an hour, even
if certain key staff are not available
99.98 percent uptime for core systems (equivalent to less than
two hours downtime per year)
While this action plan on
ly
No or minimal data loss (e.g., email and document edits) when focuses on a few key issue
failures do occur s
in each area, it highlights
Recovery exercises at least twice a year (tabletop exercises — the multidisciplinary
verbal rather than actual tests — are practical complements to
actual recovery exercises)
nature of protecting
information from risk.

4. roadmap
Attributes that will define the maturity of information risk
management in the next few years include:
Governance basic, manual risk registers (inventories of risk issues and
CIOs cannot act in isolation when making decisions about actions to be taken to address them). Over time, they will
or taking action to address information risks. Law firms be expected to dynamically inventory, monitor, assess and
are best served by creating a risk management team to address information risk issues. IT departments need to
address information risks in the broader context of the develop the risk-savvy skill sets to use these tools.
legal and operational risks. This team should include roles
responsible for information risk and data breaches (not Physical Disaggregation of Information
likely to be the same person). Such a team provides a In opposition to the ongoing trend to consolidate
check-and-balance by making information risk decisions systems into primary datacenters, the physical locations
separate from the IT personnel tasked with implementing of information will grow as firms turn to vendors for
them. Despite good intentions, a busy and cost-conscious infrastructure or software as a service. Risk management
IT department often compromises good risk management policies and audit capabilities will need to extend across
protocol; a risk management team provides a forum for organizational and geographic boundaries, especially as
determining the firm’s tolerance for risk in the context of virtualized systems make data flowing in and out of vendors
its business priorities. more straightforward and dynamic.
Risk Management Through Contract Risk Standards
The maturity of IT vendors and the proliferation of “as-a- Over the past two years, law departments have increased
service” options will drive the evolution of risk management the depth and complexity of their risk-related questions
skill sets from technical to legal competencies. COOs and markedly. This trend is expected to continue accelerating,
lawyers, who are often uncomfortable navigating technical with multiple departments standardizing on similar risk
risks, are already warming to managing risks through contract expectations. As a response to these expectations, over a
negotiations, agreed formal procedures and incident dozen law firms have achieved the ISO 27001 information
responsibilities. IT will be best positioned when it can security certification in response to now-common RFP
address both technical and legal aspects of information risk. requirements. Accordingly, expect growth in certifications
and standardization.
Self-Audit
Many regulated companies already employ monitoring This action plan and roadmap should provide a
tools, data scanning software and governance risk starting point to ensure good risk governance is in place.
compliance (GRC) dashboards to understand their current Without it, IT is inappropriately taking all the risk on its own
state in real time and manage their progress in relation shoulders. ILTA
to risk initiatives. Law firms are just beginning to keep
This article was first published in ILTA’s June 2011 issue of Peer to Peer titled “Law2020TM: One Year In” and is reprinted here with permission. For
more information about ILTA, visit their website at www.iltanet.org.
David Cunningham is one of the original Meg Block has over 25 years of experience
consultants of Baker Robbins & Company, consulting to the legal community. A
helping it grow from 12 to 120 consultants and Managing Director, she is a senior leader
now part of Hildebrandt Baker Robbins. David in Hildebrandt Baker Robbins’ information
leads strategic technology assessments, cost management service line. Her specialties are
reduction and outsourcing analysis, and risk business process reviews and the design and
management assessments. He established the implementation of enterprise-wide information
Law Firm Technology Scorecard and co-leads programs in the areas records management,
the risk management practice. He can be new business intake, conflicts of interest, IP
reached at dcunningham@hbrconsulting.com. and litigation calendar-docket. She also teams
with email and document management experts
to develop practical and defendable digital
records management strategies. She can be
reached at mblock@hbrconsulting.com.