Behavior is the Hardest Part of Information Governance

In recent years, law firms have faced new regulatory and client-driven requirements necessitating increasingly comprehensive approaches to information governance (IG). Firms taking a holistic view of IG must consider policies, procedures, processes, and technologies. Savvy firms strive to establish a strong IG foundation of policy and procedure, supported by the appropriate workflows, software solutions, and other mechanisms to enact compliance with said framework. Absent an effective compliance component, law firms cannot fully embrace the benefits of well-developed IG.

The traditional tools of a compliance program are monitoring and auditing. Essentially, these methods take note of compliance after the fact. In order to improve compliance rates, law firms should better incorporate the behavior of individuals who will be subject to these policies and processes from the outset.

A Brief History: The Information Access Pendulum

In the late 1990s and early 2000s, law firms were challenged by intense competition for legal talent, rapid developments in mobile device technology, and relatively stagnant developments in document management system (DMS) technology. This confluence of factors led to firms meeting lawyers’ demands to increase mobile work access, along with the ability of individual attorneys to choose the technology they used to achieve that access. With DMS unable to keep pace due to development stagnation or lack of resource allocation towards enhancements within firms, lawyers continued to seek out and find more places to access and store client and firm information—such as their personal, non-firm email accounts, home computers, or unsecured flash drives. The firms endorsed some, but certainly not all, of these new uncharted territories as appropriate information repositories. As a result, during this period, very few firms could answer two fundamental IG questions:

  • Do we know what information we have?
  • Do we know where our information is?

Despite lacking coherent or complete answers to these questions, lawyers were historically given a free pass because of their overarching duty to keep client information confidential.

Beginning in the late-2000s, the information access pendulum began to swing the other way. Law firms found themselves subject to new legislation and under greater scrutiny from their clients. Historically, law firms’ clients themselves had always been subject to IG-related laws and regulations and had never been as permissive with information access inside their own organizations. Over time, these organizations began to expect the same higher standard of IG from the lawyers trusted to handle some of their most sensitive information. Concurrently, criminals began increased targeting of law firms as sources of that sensitive information. Suddenly, actors on all sides began to question whether law firms truly were satisfying their duties of confidentiality if they could not answer those fundamental IG questions.

Think About Compliance First

Given the tendency of attorneys accustomed to liberal information access, law firms will find themselves burdened with IG policies that are hard to deploy and enforce if they neglect to consider this history. Unfortunately, lawyers at many law firms will not adjust for learned behavior of their own volition to conform to new policy. For example, imagine a firm implements a new IG policy requiring storage of client information only in approved, secured repositories (such as the DMS), but continues to make other repositories (such as shared network drives) just as readily available and easily accessible as they were prior to the policy change. In this scenario, lawyer behavior will be unlikely to change—attorneys will continue storing and accessing information as they please, undermining the policy and the perception of IG at large as a serious undertaking. Similarly, if a firm policy requires the use of only one remote access method, but continues to support multiple alternatives, compliance is impossible. When crafting policy and change management programs, law firms must keep the downstream compliance issues in mind.

When More is Less: Executive Function and Decision Fatigue

In the brief examples above, we imagined a firm that provides too many options to its attorneys across various realms of information management. Having an over-abundance of options places undue pressure on our executive functioning. Executive function is a psychological concept that refers to an individual’s ability to self-regulate and orient one’s resources towards his or her objectives.

When we overburden our executive function by making too many conscious decisions over an extended period, one negative outcome is decision fatigue. Our brains are a finite resource of energy, and we tap into this limited capacity when we make decisions both large and small. The idea of making a choice or having a preference about a choice is much less psychologically taxing than the actual act of making a choice. With too many choices in front of us, feelings of doubt, anxiety, and paralysis are all-too-common experiences. This may help illustrate why attorneys often report enjoying the ability to manage information as they choose in the abstract, without being forced to consider exactly where to save or retrieve a document in a critical moment.

If there is no strong IG structure in place for lawyers to follow, they are forced to draw upon their executive function to make decisions about where and how to save and retrieve information, rather than preserving their mental energy for the higher-order billable work of the matter. When too many choices are available, individuals tend to make poorer, less-informed choices; in the legal IG setting, this results in inefficiencies for collaborative matter teams as well as costs associated with duplicative information and/or information gaps.

Despite human nature’s illusory preference for having multiple choices, law firms’ IG programs should provide a limited, higher-quality set of options to their attorneys, resulting in better outcomes for information management. In our examples above, the information storage and remote access policies are strengthened by actually eliminating the alternative sources of information access that existed in the more permissive information access environments of the past. Additional approaches for law firm IG departments seeking to counterbalance the negative effects of decision fatigue can be found in unconventional sources of inspiration: the behavioral psychology of gaming and parenting.

Harnessing Behavioral Strategies for Compliance

Reinforcement is a long-standing component in the behavioral psychology literature. Traditionally, systems of reinforcement have included positive incentives for desired behavior, alongside punishments for incorrect actions, such as B.F. Skinner’s classic experiments studying rats’ capacity to navigate a maze. The notion of incentivizing desired behavior reaches new heights with the concept of the compulsion loop. Compulsion loops are a mechanism through which desired behavior is engineered, reinforced, and amplified by receiving rewards or incentives. Essentially, compulsion loops can make compliance addictive.

IG departments can benefit by thinking creatively about what types of incentives would jump-start end user motivation within their firms. For instance, if a firm has an Official Electronic File Policy in place mandating that the official client matter file resides in the firm’s DMS, incentivizing end users who properly maintain their information in the appropriately designated repository will make those users more likely to maintain this desired behavior in the future. This rewards-based approach is not necessarily viable in the long term, however; it is important to strengthen the habits of restricted information environments through additional mechanisms.

As discussed above, it is much more difficult to enforce the desired behavior when the paths to the less-desirable choices remain as accessible as ever. In addition to rewarding day-forward utilization of the proper, firm-approved repositories, law firms must strictly limit or eliminate the unregulated stores of information from continued use. This approach should be paired with the step of removing ongoing access to the previously permissible repositories and eventually phasing them out of active use.

Parents utilize similar methods with children. IG departments must take back control over choice, much as parents must ensure that decision-making power does not reside wholly with their children. While lawyers should retain decision-making authority over the legal strategy of their cases, it is a norm rather than a necessity that lawyers have free reign in choosing where and how to manage their information. Setting IG standards is best left to the subject matter professionals. Allowing lawyers to continue to dictate the terms of IG is akin to allowing children to drive decision-making about dinner time, bedtime, and screen time: choices are often counter-productive and frustration on both sides of the relationship is inevitable.

Just as children are ultimately more comfortable within parental boundaries, so too will attorneys and staff feel better-equipped to face the challenges of holistic IG within clearly defined parameters. Having a well-informed IG program in place to determine responsible limits on information management also prevents overtaxing of lawyers’ and support staff’s executive functioning. Over time, as IG departments and frameworks continue to situate lawyers and IG professionals with the appropriate roles, responsibilities, and internal changes necessary to support those distinctions, the historical preference for a liberal information access environment will become a relic of the past.

 

About Adrienne M. Girone and Max Welsh

Adrienne M. Girone and Max Welsh
Adrienne M. Girone, IGP, information governance project manager for InOutsource, works with law firms on a variety of information governance projects and cost containment initiatives. Max Welsh, senior risk management consultant for InOutsource, has experience as a lawyer in both private practice and for the U.S. Government. The combination allows him to provide a perspective to InOutsource clients that is based on a deep understanding of the legal industry.

Check Also

Computer Forensics

Computer Forensics: What Lawyers Need to Know

Here are 10 simple tips that every lawyer who collects or utilizes electronic evidence should understand.