Leading Expert Patrick Tisdale Has Some Answers
Recently, I had a conversation with Patrick Tisdale on the topic of information governance (IG) at law firms today. Tisdale’s expertise is impressive. Prior to founding Tees River Consulting, he was the CKO of Dentons and CIO of McKenna, Long and also CIO at Orrick. Here’s a transcript of our conversation, which delves deep into how and why information governance is more complex than ever. He also has some answers about how to fix your IG processes and procedures if they’re broken.
Darrell: For starters, let’s talk about how much progress law firms are making toward complete IG compliance.
Patrick: Progress is definitely being made. Law firms are really starting to appreciate the importance of information governance. And they’re starting to implement a wide range of audit verifications of compliance with stipulated chains of custody, access controls, file handling and usage policies, and file retention and destruction procedures.
In today’s environment, having this all in place is crucial. Being proficient with IG can help law firms win new business. Conversely, being lax with IG can mean the loss of existing business if an IG compliance audit results in unfavorable findings.
I think it’s interesting to note that every day we see that there’s a wide variation in the maturity of law firms’ information governance capabilities. Really, there’s no particular profile to the law firms that are doing it right. The most or least IG-capable firms are not distinguished by how many lawyers are on staff, their annual revenues or their size.
Darrell: Tees River Consulting is working on these issues every day. So you know all this from firsthand experience, right?
Patrick: Yes, exactly. Tees River helps law firms and legal operations modernize their services from the inside out. By doing so, we ensure that their time- and resource-constrained teams perform more efficiently and that their work improves in terms of consistency and quality.
Right now, we’re really focused on helping law firms objectively assess their business practices to ensure they comply with their clients’ increasingly complex information governance protocols. This includes outside counsel guidelines, as well as government regulations associated with sensitive information industries (such as healthcare, banking and finance, insurance and government contracts). And don’t forget the European Union Data Protection Regulation becomes effective in May of 2018—so we’re also helping law firms prepare for that.
Darrell: Are there any trends that you’re noticing in your daily work? What about law firms that specialize in sensitive industry sectors? Do they tend to have more sophisticated information governance?
Patrick: Generally, “yes.” However, there are significant differences, depending on their industry sector. For example, government contracts that involve work with confidential, secret and higher classifications of information are subject to intrusive third-party audits. Not surprisingly, law firms involved with these clients are much more likely to adopt compliant business processes, at least within those practice areas. Compare this to sectors where compliance with regulations is self-administered, such as healthcare HIPAA governance guidelines. In these cases, the actual governance maturity of law firms varies considerably.
Darrell: So, it sounds like the level of a firm’s IG compliance depends on the degree of outside auditing. Sectors that use the ‘honor system’ of self-auditing tend to have inconsistent governance compliance.
Patrick: Correct. Generally, firms that consistently align information governance with client expectations tend to have partner leadership, general counsel and senior business leaders at the helm who view information governance and information security as tightly joined risk mitigation concepts. The laggards tend to be firms with an old school perspective, which equate governance with simply the filing and storing of paper records.
Darrell: Earlier, you hinted at the increasing complexity of regulatory and client-directed information governance compliance. Can you elaborate?
Patrick: I’ll be glad to.
In the past, law firms defined their own information governance policies, chain of custody tracking, access controls, retention guidelines and the like. As time progressed, we started seeing the emergence of industry regulations. Just think about all the regulations today surrounding healthcare data, financial credit information, and personally identifiable information. Then think about all the regional regulations and global regulations around that data (such as EU Data Protection). Today, information governance compliance is highly complex.
If a law firm is working in a highly regulated sector, then it has likely been forced to evolve its information governance in order to comply. However, there are many firms outside such highly regulated sectors that have continued to employ more general firm-defined information governance across their entire book of business.
Today, clients in sectors such as banking and finance are rapidly advancing the risk mitigation expectations for their vendors, which include law firms. In order to ensure compliance, they’re issuing increasingly detailed information governance protocols. Notably, these information security and governance stipulations are not consistently applied across all data in a legal matter.
As a result of these developments, different management controls and retention are being issued for “client data” versus other information involved in a legal matter. For example, some clients are requiring law firms to confirm the return or destruction of client provided data within 120 days of work on a matter, while other legal matter records may be retained for 7 years.
Moreover, many clients are now defining “key data” (i.e., very sensitive client information, such as service account details, employee information or business trade secrets). And, they’re assigning very exacting limitations on it. These limitations may include who’s authorized to access it, the data’s geographic location, and requirements for IT system controls (such as data encryption). They’re also stipulating the technology methods used to delete the data from a firm’s IT system and confirmation methods for that deletion.
Increasingly, clients are adopting the approach Ronald Reagan took to arms reduction agreements with the then Soviet Union. In other words: “trust, but verify.” Essentially, information governance and compliance doesn’t run on the honor system anymore. Rather, it is based on detailed audits of every vendor that has custody of their sensitive information.
Check back next week for Part 2 of this series, when Patrick and I will discuss what’s behind the increase in IG audits. Patrick will also share some of his best advice for law firms that are scrambling to comply with rapidly evolving IG directives.