Defining a Framework for Legal Information Governance

Jeffrey Brandt, Principal, Brandt Professional Services

With the exploding amount of internal data, law firms are instituting governance systems to collect, organise and secure their digital records.

We’ve been hearing the term “information governance” (“IG”) a lot more these days. But what is it exactly—just another tech term du jour? Is information governance simply a way to revitalise interest in records management? It is much more than that. We’ll examine what it is and why you should not only be looking into, but heavily investing in it.

What is IG?

Wikipedia defines IG as a “set of multi-disciplinary structures, policies, procedures, processes, and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental, and operational requirements. IG encompasses more than traditional records management. It incorporates privacy attributes, electronic discovery requirements, storage optimization, and metadata management.”

There is actually a simpler definition that came out of a session at the AHIMA’s Health Information Integrity Summit that I also like: “Managing the systems used to collect and maintain data, keep it secure, keep it clean and pure.”1

How did the need for information governance arise?

Back in the early days of law firms, things were pretty simple. Lawyers were closer to information processes. Critical information was written on firm letterhead, and substantive documents were in hardcopy. They could be easily organised and managed in a physical file. Somewhere along the way information became a byproduct of technology, not the object. Work product became more complex as it moved into the electronic world. As the quantity of information grew, we stopped organising and started to rely on free form search. The idea developed that knowledge workers were too valuable and expensive to spend time sifting through data. Lawyers adopted the “open the digital aircraft hangar and toss it inside” mentality. This was an attitude that IT reinforced when they added Xobini, email archiving tools and other search enhancements to the desktop. On the back-end, IT added more disk space to accommodate the growing expanse of information. When sheer space wasn’t enough anymore then IT invested in faster drives. Just a few weeks ago a client was showing me their fancy new flash SAN and citing the petabytes of storage the firm currently has online. Now we seem to be waking up to the realisation that we have a boatload of information with not much management or governance. Users passed the buck to IT and IT added to the problem. On the positive side, the situation has evolved to the point where change is taking place.

Where to start?

You can think of IG principles as a set of Venn diagrams or groups of overlapping processes viewed through a holistic lens. To do it well, that means getting everyone involved. For law firms that includes people in Information Technology, Information Security, Records and Information Management, Risk Management, Knowledge Management and various practice groups. Iron Mountain, a US information management services company, published a “Proposed Law Firm Information Governance Framework” that lists the following seven areas as your place to start:

  1. Project Scope;
  2. Defining Roles and Responsibilities;
  3. Defining a Process;
  4. Achieving Collaboration and Creating Partnerships;
  5. Electronic Information Challenges (Outside Influences, Internal Processes, Transfers);
  6. Moving Unstructured Information to a Structured Repository Environment (Paper vs Electronic, Transitory Files); and
  7. Key Processes for Consideration (Matter Mobility, Document Preservation and Mandated Destruction, Administrative Department Information, Third-Party Relationships).

Some firms have difficulty implementing one of these areas, let alone bringing them all together in a holistic fashion. The world today is very different from what it used to be. There are more and more convergences as the world of information evolves from physical to digital. The reality is that law firm silos still exist, as do departmental fiefdoms. We can start to see why information governance is no easy endeavor. But it is doable. Progressive and forward-looking firms are addressing IG head on. Beth Chiaiese, Director of Professional Responsibility & Compliance at Foley & Lardner LLP, is one such person who is working hard to make IG a reality at her firm.

One approach

Why IG? Chiaiese said that Foley recognised the need for something more because of the growing amount of information and “the risks to us and our clients.” Chiaiese said that the Foley team began by getting buy-in at the highest levels of the firm. The process of educating senior management can sometimes be repetitious, but ultimately well worth the effort. Chiaiese’s second step was rewriting all policies relating to information with the integrated IG framework in mind.

Chiaiese surprised me by saying that she tells users, “I can’t do it for you.” That is often not a well-received message. Volume and technology have indeed shifted the onus to the end user. Today, important records can exist across multiple digital formats (email, text messages, documents databases, etc.) and never actually make it to a physical record. That is the point: information must be managed regardless of its format. Trying to delegate responsibility for the organisation and management doesn’t make sense when the detailed instructions to someone else take more time then actually doing the work.

Foley realises how important its users’ active daily participation in process is to their success. Their awareness program includes ten guiding principles. They are:

  1. Manage confidential, sensitive or personal information as required by law, agreement or firm policy.
  2. Understand third party access requirements.
  3. Respond promptly to IG compliance notices.
  4. File email records regularly.
  5. Maintain the firm’s official records in electronic form, unless hard copy is required.
  6. Store official records in a FLARR (Foley & Lardner Approved Recordkeeping Repository).
  7. Organise official records by correct client/matter number.
  8. Retain and destroy records as permitted by firm policy.
  9. Avoid making multiple copies of records.
  10. Don’t handle file transfers (in or out) on your own.

Chiaiese says that it’s no coincidence that the first two principles are security related. You can’t do much with your data if it isn’t safe and secure first. Security was already at the forefront of many people’s minds at Foley, so they simply capitalised on that as the jumping off point. Foley is just at the beginning of its IG journey, one that will never truly end. But they are off to a solid start.

Start now

Information governance is big. It is wide. It is interconnected at levels beyond what you are used to. I think “governance” is a purposely-used word. It implies laws, and consequences when they aren’t followed. It may require a tougher stance than firms have taken before. But to quote Lao-tzu, “A journey of a thousand miles begins with a single step.” The IG journey might be more than a thousand miles, but one your firm needs to begin today. Start educating yourself, your peers and your management on IG. Don’t underestimate the amount of change management required. Some law firm cultures will need a greater shift than others. And remember, IG is a team effort. Try going it alone and you are sure to fail.

Additional Information Governance resources are available through ARMA, Iron Mountain and ILTA.

1. Breaking Down Information Governance Versus Data Governance, AHIMA.