Because law firms have traditionally been grouped in a special category of information handler, they haven't always been held to such rigorous standards, instead being left to self-police and self-regulate based on rules of professional responsibility and ethics.
As this landscape changes, the question of "where does responsibility for information governance and compliance live?" becomes increasingly relevant. (Information governance refers to the policies, procedures, enforcement, and reporting that define how sensitive information should be treated and verify how it is actually being treated.) As the article notes:
- "One consequence of the growing body of laws, regulations, standards, and contractual requirements dealing with protected categories of personally identifiable information (PII) is a heightened awareness of the importance of establishing effective internal governance mechanisms. The organization needs to be clear on who decides, and how..."
- "In most modern companies, IT is used for data collection and reporting and, indeed, is critical to the success of the organization. Thus, internal and external auditors refer to IT management 'control objectives'...IT control objectives may include items such as access controls, encryption, and data retention policies as required to comply with PII rules or to manage PII risks."