Law Firms and Information Governance

Monday, May 10, 2010

Law Firms and Information Governance

The Information Law Group published an interesting article on building and managing policies for handling personal and other sensitive information subject to regulatory controls such as HIPAA/HITECH. While the article focuses on corporate audiences, this subject matter is increasingly relevant to law firms as organizations find themeslves facing stricter legal and client requirements regarding information controls and confidentilaity management.

Because law firms have traditionally been grouped in a special category of information handler, they haven't always been held to such rigorous standards, instead being left to self-police and self-regulate based on rules of professional responsibility and ethics.

As this landscape changes the question of "where does responsibility for information governance and compliance live?" becomes increasingly relevant. (Information Governance refers to the policies, procedures, enforcement and reporting regarding how sensitive information should be and is being treated.) As the article notes:

"One consequence of the growing body of laws, regulations, standards, and contractual requirements dealing with protected categories of personally identifiable information (PII) is a heightened awareness of the importance of establishing effective internal governance mechanisms. The organization needs to be clear on who decides, and how..."

The authors, and several other industry experts, make the case that Information Governance enforcement should be a core responsibility of IT organizations, with CIOs, CTOs and IT Directors being held accountable and reporting to senior management. Given the nature of the challenge at hand:

"In most modern companies, IT is used for data collection and reporting and, indeed, is critical to the success of the organization. Thus, internal and external auditors refer to IT management 'control objectives'...IT control objectives may include items such as access controls, encryption, and data retention policies as required to comply with PII rules or to manage PII risks."

Given the complexities and stakes involved, law firm risk stakeholders must work closely to support IT organizations managing firm information governance efforts.

No comments:

Post a Comment

Reader Testimonials

"The Risk Management blog is consistently outstanding. Dan Bressler and his colleagues at Intapp have a discerning 'ear' for what good law firms need to know. I write a lot about conflicts and ethics opinions, but the news about these activities and trends in Dan's blog provides a practical and necessary perspective to the area."
- Bill Freivogel (Freivogel on Conflicts)

"I like to know that people in the legal world are paying attention to risk management. You can lose sight of the bigger issues when you're grinding through your job everyday."
- Conflicts Manager, Covington & Burling LLP

Law Firm Risk Management Blog

Monday, May 10, 2010