Leading Expert Patrick Tisdale Has Some Answers
In Part 1 of this series, Patrick and I discussed some of the industry's biggest IG trends, as well as why compliance keeps getting more complex. This week, we'll be exploring what's behind the increase in IG audits. Patrick will also share some of his best advice for law firms that are scrambling to comply with rapidly evolving IG directives.
Darrell: We hear in the media that law firms are the ‘soft underbelly’ extension of organizations of interest to state-sponsored organized crime and one-off hackers. Is this behind the increased importance associated with risk management and audits?
Patrick: Yes, it is indeed.
Darrell: Recently, I read an article on your Tees River Consulting website about how the financial services industry is forming cooperatives to assess vendor risks, define risk-mitigating protocols and perform audits. This seems to be a trend that’s spreading to other industries. Can you tell us more about that?
Patrick: Sure. As you noted, the financial services industry--as well as US government agencies and the insurance industry--are collaborating to identify risks and define risk mitigation.
This enables industries with common risk profiles and somewhat similar sensitive information to pool their experience in terms of methods used to successfully avoid inappropriate access to their information. It also helps them share their learned lessons from breaches. As you mentioned earlier, law firms are a ‘soft underbelly,’ meaning that they have access to sensitive client information and they’re often less sophisticated in terms of their IT security controls. This makes them easy targets. When the bad guys want to access an organization’s information, it’s much easier to attack a soft target than one that’s highly fortified.
So the cooperatives are collaborating to develop vendor information governance controls (i.e., outside counsel guidelines for law firms). They’re also collaborating in their contracting of auditors to assess compliance. This move toward industry cooperatives creates a significant business exposure for law firms.
Darrell: And what is that?
Patrick: If your firm fails an information governance review for a client, this can have far-reaching consequences. The audit mechanism employed by the cooperative may end up sharing that failure with other firm clients or prospective clients who are members of the cooperative. As a result, your firm could be flagged as an unsatisfactory service provider for all member organizations.
Darrell: What advice do you have for law firms that are trying to comply with rapidly evolving information governance directives?
Patrick: Assess your firm’s limitations. Historically, if dealing with information governance has been challenging, the problem is only going to get worse. That’s the bad news.
However, the good news is that a lot of smart people have been working on solving these challenges for quite some time. There is some amazing information governance software—like the records management and IG software offered by FileTrail—that automates everything. FileTrail’s modern records management software features a built-in information governance tool that applies firm policies or outside counsel guidelines that relate to retention protocols as part of a matter. This applies to content in your DM system, Share Drives or other repositories. This information is then accessible to matter team lawyers and staff. And the tool has built-in workflows that automate reviews and dispositions related to the matter content.
If you’re interested in accurately assessing your firm’s information governance maturity, visit the Tees River website to do an IG Self Audit.
Darrell: Any last thoughts?
Patrick: For firms with European client business, remember that the new European Union General Data Protection Regulation is effective May 25th, 2018!
Darrell: Thanks for your time, Patrick.