Thursday, April 18, 2013
technology, people and processes. Kathryn Hume, who manages and moderates the Risk Roundtable Program, sends this update:
- Dan, I'm pleased to report back a successful Risk Roundtable series in multiple US firms. Kilpatrick Townsend, Vinson & Elkins and Post & Schell generously agreed to host our group of risk and technology leaders. A special thanks to Chris Ward, Director of Information Security at Vinson & Elkins, who gave an expert take on risk assessment protocol in law firm environments, and to Andrew Allison, Chief Compliance Officer at Post & Schell, P.C., who prepared material on his firm’s information security strategy.
- In Atlanta and Houston, Gina Buser and Joe Buser of Traveling Coaches joined us to discuss techniques and methodology for developing a security training initiative that can effectively change lawyer and staff behavior and foster firmwide security awareness. Firms in both cities were keenly interested in sharing best practices to mitigate risks arising from new technologies. To reduce risk and protect client confidentiality, multiple organizations are shifting from a system-centric security strategy to a data-centric security strategy, where confidential information is selectively locked down within the document management system to meet “need-to-know” access requirements required by clients and regulations.
- Firms across the country increasingly receive pressure from clients to implement stricter security controls. Firms are looking to their peers to set industry guidelines for satisfying audits in a way that does not compromise knowledge management and collaboration. Many firms report that client questions are becoming increasingly targeted: whereas firms previously had to check general yes/no answers on audit questionnaires, clients are now asking targeted questions like “how many people in your offices can potentially access my documents?”
- With the September 23 HIPAA Omnibus enforcement deadline looming, every firm that has a healthcare practice or a litigation practice that receives Protected Health Information (PHI) is taking swift steps to achieve compliance. We spent much time discussing what effective HIPAA compliance looks like in a law firm environment, focusing on how firms can identify incoming PHI during the new matter intake process, how firms can implement access control models to meet the “minimum necessary” standard of the Privacy Rule, and how firms are using activity monitoring tools to achieve compliance with the Security and Breach Notification Rules.
- Finally, in Philadelphia, Eric Mosca of InOutsource led a spirited debate about the choice to implement a centralized conflicts clearance process. Can firms entrust the entire conflicts process to a non-lawyer, administrative committee? Does this break professional responsibility standards as specified by the ABA model rules? Different firms have different responses and this is clearly an evolving area of discussion.
Posted by Dan Bressler at 7:16 AM