Staying in compliance with client conditions

Whitepaper

Discover a cohesive process for law firms to respond to, and deliver on, client requirements for governing and managing information.

August 29, 2016
Iron Mountain

Executive Summary

For years, many clients have provided their outside counsel with guidelines that must be followed in order to obtain, or retain, their business. More recently, these guidelines include instructions on how law firms are expected to manage and protect client data - either because organizations are more conscious of security risks, or because they are being forced to do so by regulatory bodies. In some instances, they may feel the need to stringently audit service partners, including legal providers.

Unfortunately, these guidelines are often not communicated to the legal teams providing service to the client, a fact often brought to light when clients conduct an audit to confirm the protocols are in place. Moreover, implementation of such requirements can, at times, create a financial burden for the firm, conflict with the firm’s established organizational culture or even conflict with requirements provided by other clients.

This report provides practical guidance for the creation of a cohesive process with which law firms can respond to, and deliver on, client requirements for the governance and management of their information. It addresses steps for gathering requirements along with their analysis, communication, implementation and maintenance, including suggestions for responsible roles.

Introduction

The number of requirements found in protective orders, business associate agreements (BAA), outside counsel guidelines (OCG), client security questionnaires and similar documents is not likely to diminish anytime soon. In response, firms can better position themselves to proactively address such situations by identifying and establishing a process and team to review these information governance (IG) requirements. After the review, firms can educate the case teams and staff, making them aware of what was agreed upon and how it is being implemented. They can ensure the client’s requirements align with the firm’s own initiatives and environment, and address any contradicting requirements. Furthermore, they can determine what policies and procedures need to be created or modified in order to fulfill what the client is requesting.

These, of course, are just the initial steps of what must be a “lifelong” process throughout the client relationship. Firms must establish procedures and internal control processes to ensure that systems, policies and procedures, and personnel remain in compliance. Firms must consider what technology is available to assist them in complying with client requirements, and whether the projected revenues from the client relationship outweigh the costs of investing in these tools. Eventually, firms may want to optimize their position by considering certifications, aggregating standard audit responses to more efficiently respond to questionnaires/onsite inspections, and ultimately leveraging their security protocols as a means to market their business.

Two years ago, the Law Firm Information Governance (LFIG) Symposium produced a paper called Outside Counsel Guidelines Management: An Information Governance Issue. That paper discussed the management of the Outside Counsel Guidelines (OCGs) as an IG issue. This paper addresses the data management and security requirements found in those OCGs, in addition to other engagement contracts, governmental regulations and court orders. It explores ways in which the law firm can gather and review requirements, as well as implement controls to satisfy the IG requirements with the end result of putting the law firm in a better position to manage information in accordance with agreed upon IG requirements.

I. Gathering Client Information Governance Requirements

Where To Find Client Information Governance Requirements (CIGRs)?

A CIGR is any IG requirement the firm must meet to manage client data. There are several possible sources that might contain CIGRs. Examples include:

  • OCGs are a very common source for these types of requirements, typically found under section headings such as confidential information, information security, or records retention.
  • Some clients require firms to sign an engagement letter that contains confidentiality and other data security and management terms.
  • Healthcare providers who are covered entities under HIPAA may require the firm to sign a business associate agreement (BAA).
  • Many clients ask firms to agree to a nondisclosure agreement (NDA), and sometimes, these agreements extend to data of a third party involved in a case.
  • Litigation matters may have protective orders that contain stringent court orders which have IG implications for the firm and the client.
  • In some industries clients send “security” questionnaires that contain a wide variety of CIGRs. Even requests for proposals (RFPs) from prospective clients may contain binding requirements if the firm is successful in obtaining the business.

For purposes of this paper, CIGR is used as an overarching term to reference all of these sources that may contain IG requirements.

Responsibility For Requests - Who Assists With The Process?

There should be a well-defined entry point and distribution process within the firm to ensure consistency and accuracy when responding to CIGRs. While there are many methods that can accomplish this goal, most are categorized as either a decentralized or centralized approach. As explained more fully below, this task force recommends a centralized process whenever possible. Regardless, as many CIGRs contain requirements that impact many functional areas within the firm, representatives from these areas described below must be accounted for in the distribution process.

Information Technology: Enterprise architects, database administrators and others with comprehensive knowledge of the firm’s data map can be very useful in assembling accurate responses.

Information Security: Information security professionals with knowledge of the firm’s overall security policy, its practices for meeting the specific security controls referenced in the requirements, and the necessary protocols for granting exceptions to the policy.

Legal/Risk: General Counsel, risk director or manager, or equivalent may be the authority to weigh in on conflicts provisions and other requirements often found in CIGRs.

Facility Security: Facility management or physical security managers can provide information regarding physical access controls and surveillance of sensitive facility assets (file rooms, server rooms) and general facility perimeters.

Records Management/IG: Records Management and/or IG director or manager can be the authority to review client retention schedules to determine alignment with the firm’s own schedule. They can also assist in identifying data ownership, workflows and security.

Human Resources: Director, manager or other HR professional can respond to client requirements about demographics and diversity of legal teams as well as hiring procedures such as background checks and training.

Accounting/Finance: Pricing specialists and/or billers familiar with firm billing guidelines, which are often addressed in CIGRs.

Marketing/Business Development: Marketing managers and others responsible for preparation of materials for client RFPs are logical recipients of client requirements as part of new business pitches.

Practice Group Management: Practice group support specialists assisting with the implementation of protocols related to the representation processes that support IG, such as methods of ingesting, storing and sharing client data, redaction of draft documents and sharing client feedback with the appropriate team members.

Procurement / Contract Reviewers: Some firms have designated contract reviewers to review all firm contracts before final approval and execution. These procurement / contract reviewers may be able to identify additional IG requirements from eDiscovery or other third party vendors.

In addition to the identification of members of the response team, firms should also consider, and incorporate, departments and roles which are natural collection points for intake of client requirements. These areas can also act as a backstop by flagging documents that may have bypassed the standard approval process. For example, marketing is often the first area to receive requirements as part of the sales process for new business to a potential client. Information technology may receive security audits directly from a client rather than through an attorney. Similarly, accounting may receive requirements from the client directly in response to an invoice, or just as the point of contact for billing matters. These collection points, typically in a responder role, should also serve to initiate the process under such circumstances.

Decentralized Responsibility

In a decentralized approach, CIGRs are sent directly from the point of intake to those with the knowledge to respond to the requirements. A decentralized approach places more responsibility on the attorney or other original points of intake to not only track down and collect responses, but also to ensure the agreed upon process is followed. As such, all possible entry points must be educated as to the necessary steps to ensure a complete and accurate response. Appendix A includes an example checklist to assist attorneys and others in meeting all process requirements. Each attorney, as a potential point of intake, needs to know who else should review the CIGRs.

Because this approach is less likely to efficiently produce consistent results, a decentralized approach is generally less desirable. However, depending on the size of the firm and/or the number of CIGRs received, a decentralized approach using one of the following models, buttressed by a strong education component, may be sufficient:

  • Individual Respondents
    The firm designates individuals with knowledge of the firm’s capabilities in areas typically covered by CIGRs. The individuals analyze their portion of the CIGRs and respond to the point of intake. This might be appropriate for a smaller firm where individuals wear multiple hats in terms of areas of responsibility.

  • Designated Departments
    This model is similar to the above, except that departments, rather than individuals, are assigned responsibility for different subjects covered by CIGRs. Depending on the size of the department and skillset of its members, this approach may provide greater flexibility and result in faster response times. It also provides other benefits, such as the ability to work around employee absences and the opportunity to collaborate on difficult questions. It does necessitate a commitment of more than one resource to engage in the process.

Centralized Responsibility

A centralized approach attempts to reduce the effort required by the point of intake to respond to CIGRs, while ensuring an efficient, timely and accurate response. This approach provides the point(s) of intake with a single contact who is responsible for CIGR distribution and follow up. As the point of intake is often the matter-responsible or client attorney, the centralized approach can reduce the amount of otherwise billable time an attorney may expend tracking the progress of CIGR responses across multiple individuals or departments. A centralized process also helps facilitate collective analysis of CIGRs to identify opportunities for standardized responses, potentially leading to faster and more efficient processing.

The centralized process can be accomplished in one of several ways:

  • Individual Custodian
    The firm identifies one individual to receive CIGRs from the point of intake and to work with other individuals and/or departments to obtain the requested information. All follow-ups, whether from the original point of intake or the department members providing responses, are channeled through the individual custodian. The custodian can maintain a central repository of CIGRs received by the firm.
  • Task Force or Committee
    This can be a group of individuals representing different functional areas who collectively respond to CIGRs, or a small committee comprised of individual custodians who collectively work through CIGRs with department representatives. In either case, the collective is a single point of contact, typically through an email distribution list or automated workflow solution.

Section II of this paper details possible approaches for building a repository of CIGRs and responses.