Monday, May 10, 2010

Law Firms and Information Governance

The Information Law Group published an interesting article on building and managing policies for handling personal and other sensitive information subject to regulatory controls such as HIPAA/HITECH. While the article focuses on corporate audiences, this subject matter is increasingly relevant to law firms as organizations find themselves facing stricter legal and client requirements regarding information controls and confidentiality management.

Because law firms have traditionally been grouped in a special category of information handler, they haven't always been held to such rigorous standards, instead being left to self-police and self-regulate based on rules of professional responsibility and ethics.

As this landscape changes, the question of "where does responsibility for information governance and compliance live?" becomes increasingly relevant. (Information Governance refers to the policies, procedures, enforcement and reporting regarding how sensitive information should be and is being treated.) As the article notes:
  •  "One consequence of the growing body of laws, regulations, standards, and contractual requirements dealing with protected categories of personally identifiable information (PII) is a heightened awareness of the importance of establishing effective internal governance mechanisms. The organization needs to be clear on who decides, and how..."
The authors, and several other industry experts, make the case that Information Governance enforcement should be a core responsibility of IT organizations, with CIOs, CTOs and IT Directors being held accountable and reporting to senior management. Given the nature of the challenge at hand:
  • "In most modern companies, IT is used for data collection and reporting and, indeed, is critical to the success of the organization. Thus, internal and external auditors refer to IT management 'control objectives'...IT control objectives may include items such as access controls, encryption, and data retention policies as required to comply with PII rules or to manage PII risks."
Given the complexities and stakes involved, law firm risk stakeholders must work closely to support IT organizations managing firm information governance efforts.
