The State of Information Governance and the Disconnect Between Policy and Reality

This article appeared in ALM Legaltech News on April 29, 2024

Law firms are playing a game of catch-up as the sheer volume of data they routinely handle, both in hard copy and electronic form, continues to grow exponentially. To further complicate matters, most of this data is sensitive and/or confidential, which is driving firms to adopt robust information governance (IG) policies and strategies. Chief legal officers rank key components of a comprehensive IG program, such as cybersecurity, regulatory compliance, and data privacy, as the most important issues they face year over year, according to the 2023 ACC CLO Survey.

IG programs are designed for the protection, management, security, and availability of a firm’s information, in an environment fostering compliance with legal and regulatory requirements, while simultaneously improving the firm’s overall efficiency and productivity. At the core of all IG is the desire to maximize the value derived from data, while mitigating the risks and roadblocks to compliance that maintaining it presents.

An effective IG policies-and-procedures framework guides employees on appropriate data use, where information should be stored, and how and when information should be disposed of (returned to client, destroyed, or converted to vital record status). IG programs further help with regulatory and outside counsel guideline (OCG) compliance, operational efficiency, and reducing discovery costs.

Implementing an information governance policy in a law firm involves navigating a myriad of complexities, including:

  • Diverse Data Sources: Law firms handle diverse data types, including legal documents, client records, emails, and multimedia files, each with unique governance requirements.
  • Regulatory Compliance: Law firms must comply with an array of regulations such as GDPR, CCPA, HIPAA, and legal industry-specific guidelines, adding layers of complexity to IG implementation.
  • Client Confidentiality: Preserving client confidentiality is paramount for law firms, necessitating robust data protection measures and access controls.
  • Legacy Systems: Law firms often grapple with legacy systems and disparate data repositories, making data discovery and management challenging.
  • Collaboration Requirements: Legal professionals collaborate extensively, requiring seamless data sharing while ensuring data security and compliance.

However, while most firms now recognize the importance of having an IG policy in place, there’s an industry-wide gap between policy and implementation—and that’s exactly what we found in the Mattern 2024 Information Governance (IG) Report with survey results from 50 law firms, ranging in size from 21 to 3,000 attorneys.

New Benchmark Data: The 2024 Mattern Information Governance Report

The report takes a deep dive into the practices and policies law firms have related to information governance and provides a representative industry-wide benchmark for firm self-assessment, in the context of answering the question: What are our peer firms doing in this area?

The responses show that despite heightened awareness and steady momentum in recent years toward the development and implementation of IG policies across law firms of all sizes, there is still plenty of work to be done to achieve defensible IG programs, and the road to that goal is not without its fair share of challenges.

As overall starting points, the findings from the report showed:

  • 94% of firms reported having some kind of IG policy in place.
  • 86% of firms reported having positions within their respective firms dedicated to overseeing records/IG.

It stands to reason that these numbers are so close, given that the job descriptions for those dedicated positions focus on driving the creation and implementation of these programs. Most of the remaining 14% of firms, those without dedicated in-house positions, are smaller firms using a shared responsibility/oversight model.

Like other undertakings of a similar magnitude, financial implications underscore decisions regarding the creation and implementation of firm-wide IG processes and policies as well. Although a significant portion of firms surveyed noted a variety of cost-related factors they found themselves considering, cost is more of a concern for small firms than large, as illustrated by the following two examples:

  • The cost of hard copy records in off-site storage is a concern for 36% of large firms, but 57% of small firms.
  • The cost of data storage in the document management systems, network shares, email accounts, etc., is a concern for only 9% of large firms, but 43% of small firms.

Beyond the financial implications, several additional challenges manifest themselves in the day-to-day implementation of successful IG programs. Most are internal to the firm, regardless of size, but some extend beyond the firm’s walls as well, namely around compliance with outside counsel guidelines.

Enforcement/compliance is clearly the biggest challenge at firms of all sizes. Overall, only 4% of all respondent firms reported strict compliance with their IG policies (9% of large firms and 0% of small firms), with nearly half the respondent firms reporting “substantial non-compliance.” These staggering compliance marks are evidence that having an IG policy and/or an in-house position dedicated to records/IG, while undoubtedly a step in the right direction, just scratches the surface. Although mandating strict adherence to any/all IG policies/procedures may seem like an easy fix, taking a step back reveals that the lack of enforcement/compliance is far more complex than that and is driven by other IG-related variables.

Policy exceptions are a threshold concern. Over 30% of firms, both large and small, reported an endemic culture of granting exceptions to their IG policies/processes. Exceptions inherently introduce the proverbial slippery slope, but a closer look reveals it is even more problematic, with inconsistency across why exceptions are being granted, by whom, for how long, and at what frequency those exceptions are being reviewed for merit.

Data organization is a common challenge as well. Twenty-seven percent of firms indicated they have no formal structure in place for network share drive content. A lack of meaningful folder taxonomy perpetuates poor IG practices, insofar as information cannot be associated with specific clients or matters for the application of appropriate retention schedules and/or ethical walls. Remediating information in network shares is a daunting task, which exacerbates the issue and its associated risks.

Additionally, independent of how well a firm’s data is structured, there is the constant struggle regarding retention. Retention is relevant to a wide array of data repositories, including document management systems, e-discovery databases, network shares, extranet file shares, lawyer, administrative, and support staff email accounts, email archives, and more.

Further complicating matters, a significant percentage of firms, both large and small (56%), indicated they currently have no strategy in place for limiting data sprawl. Responses regarding what to keep and for how long differed greatly, but a common theme did emerge. The most common retention schedule currently adopted by firms of any size, regardless of the type of record or where it is stored, is unlimited: they have no retention schedule in place.
