Until recently, information governance (IG) in law firms was focused on chain of custody tracking, securing access to systems, and safeguarding data. Most firms never actually disposed of electronic documents or destroyed physical records. But in the past few years, companies in highly regulated sectors have rapidly advanced their risk mitigation initiatives, and they have been issuing increasingly detailed IG protocols that are just now reaching their outside counsel.
As a result, law firms are being forced to evolve their IG capabilities to accommodate the distinct guidelines of individual clients, reduce storage costs, and mitigate litigation risk by eliminating old documents and records.
The IG revolution is here, but most firms are not equipped to handle it.
According to the Information Governance Initiative Annual Report, 94% of law firms identify records management as a key part of IG, ranking it higher than e-discovery (86%), risk management (77%), and compliance (88%). Yet it is estimated that over 70% of law firms are currently using records management software that is outdated, unsupported, or sunsetted.
Even worse, these legacy systems have never included even the most basic IG functionality of applying retention policies against physical records and electronic documents. So while the IG revolution has come, most firms are not ready. As a result, IG compliance threatens to overwhelm law firms’ resources, massively reduce productivity, negatively impact reputations, and undermine long-term profitability.
What’s behind the IG shift?
Attorneys are starting to realize the risks associated with failure to comply with their own IG policies. Costs are escalating for storage of both electronic and physical records, as are the risks of data being subject to discovery when firms cannot demonstrate consistent application of retention policies.
But the biggest factor making law firms comply is industry cooperatives, which are driving IG compliance forward. Leaders in regulated industries like financial services, government agencies, and insurance are collaborating to identify risks and define policies and practices to address these risks.
For industries with common risk profiles and regulated or sensitive information, collaboration enables them to pool their experience identifying risks and share successes, thus reducing these risks. They are also sharing their lessons from data breaches, whether these occurred internally or through supply chain breaches.
All of this knowledge is being used to create detailed IG controls that the members of the consortium are all adopting. These controls are then supplied to law firms as outside counsel guidelines (OCG), which are being included as part of engagements and subject to audits.
IG audits are increasing year over year.
Law firm clients are increasingly adopting a Ronald Reagan-style approach to OCG: “Trust, but verify.” Essentially, information governance and compliance do not run on the honor system anymore. Today clients are conducting detailed audits of their contracted law firms to validate that guidelines are followed, especially relating to how sensitive information is being handled.
Failing a client’s IG audit can have far-reaching consequences. The audit mechanism employed by the cooperative may mean that the failure will be shared with other firm clients or prospective clients who are also members. Failure may mean the firm is blacklisted as an unsatisfactory service provider for all member organizations.
IG compliance starts with automated disposition.
Many firms have essentially ignored disposition of electronic documents, and only a handful regularly destroy physical records, because disposition isn’t easy. In fact, it is incredibly complex and becoming exponentially more difficult every year.
During the past 10+ years, digital information has gotten easier to store, which has resulted in the volume of data growing at an unprecedented rate. According to some estimates, its compound average growth rate is 61.7%—a rate that’s expected to skyrocket even higher over the next decade.
Not only do firms have to manage and track the retention and disposition of paper records, they must also keep up with rapidly growing digital records, and those records are everywhere. Electronic records are stored in many places outside document management solutions, from SharePoint to shared network drives to individual computer desktops.
Physical records are stored on-site at numerous branch offices, as well as in off-site storage facilities. It’s not hard to see why tracking and managing records in so many different places has become almost impossible.
IG compliance is incredibly complex.
Along with the dramatic growth in volume, IG and compliance have become incredibly convoluted in today’s industry—particularly government-regulated industries.
Many information security and governance stipulations are not consistently applied to all data in a legal matter. Oftentimes clients issue different management controls and retention for their client data versus the other information involved in a legal matter.
For example, some clients are requiring law firms to confirm the return or destruction of “client-provided data” within 120 days of work on a matter, while other legal matter records may be retained for seven years.
Moreover, many clients are now defining “key data” (i.e., very sensitive client information, such as service account details, employee information, or business trade secrets) to which they are assigning very exacting limitations. These limitations may include who is authorized to access it, the data’s geographic location, and requirements for IT system controls (such as data encryption). They are also stipulating the technical methods used to delete the data from a firm’s IT system and confirmation methods for that deletion.
Automation is now essential.
In this environment, effectively instituting and following through with IG policies is a task that very few firms succeed at.
While some firms try to tackle the issue of electronic records by rolling out electronic document management solutions, these systems simply don’t address retention, much less solve the disposition problem across multiple repositories.
Ultimately, an effective IG program uses records management as its defining pillar. Today, the goal of an effective IG program is to manage and track all records in every repository. Beyond physical records and electronic documents, this even includes transactional records, such as those found in AR, AP, and ERP systems.
Ideally, managing retention policies and disposition reviews should be done once in a single software system.
Retention policies need to be granular enough to apply any variations from a client’s OCG to the correct documents. Furthermore, all the steps within the software need to be automated so that nothing falls through the cracks. And, most important of all, audit trails and reporting must easily document compliance for a matter for all records and documents across all repositories.
A law firm’s best strategy for success in IG is to thoroughly vet the available IG software. Create a roadmap, do a proof of concept, and compare the products side by side.