The confluence of privacy regulations (GDPR, CCPA, SHIELD) and cybersecurity incidents forces general counsel, managing partners and practice group leaders into the domain of technology. Knowing how data is accessed, used and retained is now a business priority. Leaders need to understand that internal processes are not always clearly defined, and subverted policies put firms at higher risk of data loss and inconsistent client service.

Data governance policies for saving emails and documents to document management systems are subverted by individuals and groups for reasons of functionality, access, ignorance, apathy, etc. If attorneys are working in various ways, client service varies, too.

If you are considering moving your applications to the cloud, this is a great opportunity to address process improvements and cybersecurity threats at once. Cloud providers offer a wide range of security controls and productivity enhancements, but not without risks of their own. Finding internal champions who understand your firm’s security requirements from a business perspective is critical to making the right decisions.

Join ILTA and IVIONICS’ Director of Consulting – Legal, Chris Zegers for a virtual roundtable with a candid look at issues often too delicate to leave boardrooms.

First things first: how legal departments define ‘service’ from law firms has fundamentally changed – so fundamentally, in fact, that it no longer always includes the key phrase ‘from law firms.’ Change doesn’t get bigger than that, and it has triggered an onslaught of new behaviors (think RFPs, LPOs, AFAs, ALSPs and even more acronyms) that have resulted in shrinking demand for law firm services and the acceleration of competition to win and maintain business that accompanies shrinking demand.

 

If ‘from law firms’ is no longer even in the definition of client service, it begs the question: then what is? Is it tickets for a coveted suite at the next Super Bowl or something else? This is a 3-part series investigating the answer to this question. In this first installment, our aim is to understand what clients want, which means understanding their pain points and how we, as law firms, can solve them best. In other words, client service.

 

Most noticeably, legal department spend has remained effectively constant over the last 5 years while workloads have increased, putting Chief Legal Officers under tremendous budgetary pressure. Efficiency of service delivery and controlling costs have, therefore, become clients’ number-one priority.[1]

 

This internal pressure explains the multitude of new tactics legal department professionals now deploy: growing their own departments and insourcing work (6% growth in 5 years[2]); shifting work to lower cost firms (31%[3]); sending work to non-law-firm vendors (6% and growing); and, when work does go to law firms, leveraging outside counsel guidelines (79%) to influence process, security, detail an increasingly complex array of pricing and billing arrangements, and more.[4]

 

While these tactics are “new,” they are in fact outcomes of the clients’ own budgetary pain points and a clear signal as to what they want: efficiency and lower costs. Clients are, in fact, stating the new definition of service very clearly.

 

Law firms, however, have not historically been known for their efficiency and ability to control costs; this left them vulnerable to losing some lower cost work, which they did (as seen above), as well as to some automation platforms (e.g. contract review work).

 

There’s good news for firms here, though: this is not a story of doom and gloom. In fact, many law firms are posting record-breaking revenues and the industry’s overall revenue growth is strong. Combined, shrinking demand and high revenue growth mean leadership has the opportunity to make some strategic investment choices.

 

For the industry’s most financially successful firms, this has meant investments in technology.[5] Over the last few years, there has been mounting evidence that law firms that proactively address the needs of their clients by making better use of innovative technologies are posting higher-than-average profitability margins compared with those that do not.

 

Seeing these results accumulate, law firms have gone on a hiring spree. According to Bloomberg Law, 50+ major firms now have chief innovation officers, and as of 2019, CINO roles have been added in 57 of the top 200 law firms by gross revenue, up from 32 one year ago, a near 50% increase.

Great news, right? Client service = innovation. Firms with innovation officers, therefore, are de facto delivering client service utopia. Right?

 

Not so fast. There’s just one problem: it’s called data, and it happens to be the number one concern of Chief Legal Officers. And there’s no innovation without a data strategy, but more on that in part II.

[1] 2018 Thomson Reuters State of the Legal Department

[2] ibid

[3] Altman Weil Law Firms in Transition

[4] ibid

[5] TR Dynamic Firms Study


Recorded on 10/17/2019

Location: Moritt Hock & Hamroff LLP in Garden City, New York

Description: We look at what other firms are doing right now regarding data governance and how they got started. The discussion will include how you can develop and implement a program that is appropriate for your firm. We start with a definition of data governance, then look at who at the firm is responsible for what. We continue with a discussion on developing a program and hear about the pain points from those who have been down this path already.

Cloud Management Security Essentials

Introduction

Moving your applications to the cloud is a great way to address the cyber security threats faced today. Cloud vendors offer a wide range of security controls. It’s important to begin evaluating cloud vendors knowing your firm’s minimum security requirements and the universe of options available to you, so that you can understand the risks specific to each application, each service provided, and each vendor.

There are essential capabilities and procedures your cloud provider should have to ensure your data is as secure as possible. There are also procedures your firm must establish to ensure that if technical malfunctions, cyber-attacks or human errors happen, your data is not exposed or if exposed, for the least amount of time possible. Using practice and matter management software as an example, here’s what should be considered when evaluating vendors.

Practice and matter management captures confidential client and matter details, including contact and financial information, proprietary data, processes and documents, and authentication credentials in cases where clients access a portal. From a data governance perspective, the cloud is absolutely the right place for this work, as it provides centralized storage and use of data, which limits the proliferation of confidential data outside the system and thus improves data control. Better control means financial reports, including compensation and profitability, no longer have to be emailed around. Wondering which executive assistants saw the details and who they will tell is a thing of the past; as is wondering who will mistakenly save reports with public viewing access in the document management system or shared drive.

Better control of your data also means more opportunities to utilize emerging artificial-intelligence cloud services to improve your business practices and opportunities. Consistent contracts of the highest value to the client and improved customer engagement are two of the many benefits being realized by firms embracing data governance and AI. But each of these opportunities brings additional risks to monitor.

 

Regulations Compliance

Your cloud provider should be ISO 27001, SOC 1 and SOC 2 certified, and be compliant with PCI DSS, and with HIPAA when applicable. Compliance with additional standards, including the Cloud Security Alliance (CSA) program, NIST, and FedRAMP is preferred. For an idea of how far a cloud service provider can go to be secure and compliant, head on over to Amazon Compliance.

 

Interdependencies

Managing risk cannot be left to your cloud vendors. The certifications and standards above are only relevant within each vendor’s parameters of securing your data within their environment. Once you inter-connect cloud services, for instance, to include multi-factor authentication, you must now ensure that the connectivity between the two services remains secure and understand the ramifications of an outage of any particular service on your cloud ecosystem. If your MFA provider has an outage, do you take the risk of allowing connections authenticated solely on username and password? What if the MFA vendor was targeted as part of a larger operation for the specific reason of forcing companies to let their guard down? Ask the question: What breaks and what risks do they present? Mapping out interdependencies and devising Plan B’s and C’s will uncover your risks so you can address them adequately and with clear intent.

 

Human Error and Malice

Ultimately, in the cloud or not, your data is in the control of your employees. Whether by error or intentionally, your employees are a conduit for data exfiltration. Your cloud vendor is not going to question your business practices related to sharing data with external parties. If an employee has the ability to set up an online folder to share content with a client incorrectly, resulting in general public access, you should have monitoring systems in place to track and correct access rights. If your email systems administrator can miss a step in her upgrade routine, rendering MFA unnecessary to access email, you should have a system in place that will alert you to this anomaly.
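The two monitoring needs described above (a client-sharing folder accidentally opened to the public, and mailbox sign-ins succeeding without MFA after a botched upgrade) can both be expressed as simple detections over audit events. The block below is an added illustration, not code from the original article or from any vendor; the event field names and the sample events are constructed assumptions and do not follow a specific cloud provider’s log schema. It flags anonymous or anyone-with-the-link shares, reports individual successful sign-ins that skipped MFA for non-exempt accounts, and computes overall MFA coverage so that a sudden drop (the "MFA silently disabled" case) can trip an alert even when no single event looks unusual.

```python
"""Defender-side detections over constructed cloud audit events (added example).

Assumptions (not from the article or any vendor):
  - each event is a dict with a "type" key of "share_created" or "signin"
  - share events carry "scope" and "allow_anonymous"
  - signin events carry "result" and an "mfa" boolean
"""
from dataclasses import dataclass

# Constructed sample events; no real tenant, user or path is represented.
SAMPLE_EVENTS = [
    {"type": "share_created", "user": "jdoe", "path": "/Clients/Acme/Discovery",
     "scope": "anyone_with_link", "allow_anonymous": True},
    {"type": "share_created", "user": "jdoe", "path": "/Clients/Acme/Drafts",
     "scope": "named_external", "allow_anonymous": False},
    {"type": "signin", "user": "mroe", "app": "mail", "result": "success", "mfa": False},
    {"type": "signin", "user": "mroe", "app": "mail", "result": "success", "mfa": True},
    {"type": "signin", "user": "svc-scanner", "app": "mail", "result": "success", "mfa": False},
    {"type": "signin", "user": "jdoe", "app": "mail", "result": "failure", "mfa": False},
]

# Constructed: service/break-glass accounts that are reviewed under a separate control.
MFA_EXEMPT = {"svc-scanner"}

# Alert when fewer than this fraction of successful interactive sign-ins used MFA.
MFA_COVERAGE_THRESHOLD = 0.95


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def public_share_findings(events):
    """Flag shares that anyone can open: anonymous links or anyone-with-the-link scope."""
    return [Finding("public_share", e["user"], e["path"])
            for e in events
            if e["type"] == "share_created"
            and (e.get("allow_anonymous") or e.get("scope") == "anyone_with_link")]


def mfa_bypass_findings(events, exempt=MFA_EXEMPT):
    """Flag successful sign-ins by non-exempt users where MFA was not performed."""
    return [Finding("signin_without_mfa", e["user"], e["app"])
            for e in events
            if e["type"] == "signin" and e["result"] == "success"
            and not e["mfa"] and e["user"] not in exempt]


def mfa_coverage(events, exempt=MFA_EXEMPT):
    """Fraction of successful non-exempt sign-ins that used MFA (1.0 when none occurred)."""
    successes = [e for e in events
                 if e["type"] == "signin" and e["result"] == "success"
                 and e["user"] not in exempt]
    if not successes:
        return 1.0
    return sum(1 for e in successes if e["mfa"]) / len(successes)


def run_detections(events, threshold=MFA_COVERAGE_THRESHOLD):
    """Return all findings; a coverage drop below the threshold is itself a finding."""
    findings = public_share_findings(events) + mfa_bypass_findings(events)
    coverage = mfa_coverage(events)
    if coverage < threshold:
        findings.append(Finding("mfa_coverage_drop", "tenant",
                                f"{coverage:.0%} of successful sign-ins used MFA"))
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f.rule:20} {f.subject:12} {f.detail}")
```

In practice the per-event rule catches the first slip, while the coverage ratio is what surfaces a configuration regression like the upgrade mistake the text describes: after such a change every sign-in still "succeeds," so only the aggregate tells you MFA stopped being enforced.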

 

Data Backup and Recoverability

Essential to data preservation is understanding the full extent of a cloud vendor’s data storage, backup, redundancy and business continuity plans. Insist on ongoing proof that data resides only where it should, is backed up to disk, tape, and other media, and is successfully restored. They should also have proof that their Plan B’s and C’s are tested regularly. Questions to ask may include:

How long will it take to move people over to the DR system and is the account migration an automated or manual task?

Where does your data reside, including on backup media, and what are the retention schedules? (If a firm is required to delete all data for a client, they must ensure it is done and be able to prove it to the client.)

 

Multifactor Authentication

If you currently utilize a cloud service without multi-factor authentication, stop reading this and contact someone who can effect this change quickly. Relying on a username and password to protect data is no longer an acceptable business practice. Just ask Deloitte.

Effective cyber security is not accomplished by simply moving your data to a vendor with mature security measures. It requires data governance, training, and ongoing process review and improvement. New technologies change the way people work; understanding these changes over time keeps your firm on the right track. If people begin working in undocumented ways, your firm risks losing the ability to govern and secure data effectively. The consequences are two-fold: you lose the data integrity that makes your products, reporting and analysis reliable, and you increase the opportunities for data exfiltration. Diligent management and monitoring of your business activities across service providers is essential to staying secure and competitive.

Conclusion

There has never been a better time to get into the cloud. Data centralization and governance are a cornerstone of good cyber security, and productivity enhancements are being realized every day. Getting to the cloud, however, requires more than signing up online. It should start with a conversation about your business strategies and risk tolerance and continue through ongoing process improvements that ensure you know what data is there, who uses it and for what purpose, and how to govern it effectively over time.

Managing your data isn’t just about protecting you and your clients from cyber-threats, it’s about generating actionable insights into your business processes and opportunities to enhance your business practices and client service. This article explores the principles and opportunities of practical data governance and how they can be applied to keep your firm more secure while operating more efficiently and improving client service.

Data Management

Until now the principle of data management has driven commerce. Contracts and agreements are crafted, purchase orders are made, products are delivered with packing slips, and somewhere along the line payment is rendered and recorded. Successful businesses keep meticulous records of the costs to produce the product, the amount their customer paid for the product, and the number of products sold.

If we apply this to the legal industry, we find complexity in defining what the product actually is, how much it cost to produce, and how much the customer paid for the product. In addition to knowing where all your data resides and ensuring that it is secure, data governance for legal is about clarifying what products you sell, how much they cost to produce, and how much the firm should charge for the products to make a profit. It is also about knowing your customer, their needs and potential future needs to the best of your ability.

When data is governed properly, it can generate actionable information and institutional knowledge. For instance, if you can see that your customer is filing more diversified patents, it may be time to talk about their business goals and where you are able to help the customer achieve them beyond filing their patents. If automotive-related patents are ramping up, there may be an opportunity for you to help your client with relevant corporate acquisitions to enhance their portfolio.

The total economic value of the data stored in your systems has yet to be realized. Recognizing that data has become our least understood asset, there is even an emerging discipline, Infonomics, that aims to assign economic value to information.

Risk Management Benefits

Privacy and security are at top of mind for every firm and corporate legal department. Recent data breaches, some directed at law firms, and the regulations being developed to limit the impact of these breaches have caused firms to close and others to grow new compliance practices.

In part as a reaction to recent corporate data breaches compromising personal information for millions of people, the European Union and the state of California have stepped up their efforts to protect their citizens and residents.  Most notably, the General Data Protection Regulation (GDPR) sent businesses worldwide into a fluster, threatening steep penalties for companies unable to comply with GDPR requests made by individuals.

Under the regulation, EU residents have the right to demand that a company with whom they have interacted, even if only by visiting their website, 1. identify all instances of the person’s information residing across all their systems, 2. edit that information upon request, and 3. permanently delete all instances of that information and cease collecting that information upon request.

Signed into effect on June 28, 2018, the California Consumer Privacy Act (CCPA) 2018 resembles the GDPR in that it empowers California residents to demand that a company with whom they have done business 1. identify what personal information is being collected, 2. provide the individual with access to that information, 3. identify whether their personal information is disclosed, and if so, to whom, 4. identify whether their personal information is sold (if so, they have the right to opt out of the sale), and 5. provide equal service and price regardless of whether or not they exercise their privacy rights. Where it deviates from the GDPR is that it does not include the right of residents to opt out of data collection completely.

Enforcement of the CCPA is expected to begin in 2020, once certain issues around the cost of services for those who opt-out of data collection are ironed out. Currently, penalties in the law can include up to $7,500 per incident. This translates to a $75 million fine for a data breach involving 10,000 customers.

Meanwhile, your data doesn’t have to be breached for you to be penalized. A recent instance of poor data governance resulting in stiff penalties is the case of Central Hospital of Barreiro Montijo in Portugal. Portugal’s GDPR supervisory authority fined the hospital over $450,000 for allowing nearly 1,000 people to have doctor-level access to its patient management system when it had only 300 doctors on staff.

Proper data governance is essential to complying with these emerging regulations and can be marketed to customers and prospects as a strategic advantage.

Data Governance in Action

A driving principle of good data governance is to provide data access to only those in your firm who need it, and only for the duration of time needed; also known as least privilege access. To do this, you need to know where your data resides. Discovering this takes interviewing employees from each practice group and business service group to discuss the data with which they interact. They need to explain why they need this data, and for how long they need this data. That way you can defend your collection of the data and assign a retention schedule to it so that you don’t store it for longer than necessary.

Your practitioners need to identify all the internal and external sources from which they receive data and to which they provide data. That way you can establish more comprehensive agreements with your vendors to ensure they are properly controlling the data as well.
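The least-privilege principle above (access only for those who need it, only for as long as they need it, with a documented reason and a retention schedule) and the Barreiro Montijo finding earlier (more doctor-level accounts than doctors) both reduce to checks that can be run over an access-grant register. The block below is an added example, not code or data from the article or from any firm; the grant fields, the HR headcount table and the review date are constructed assumptions. It flags active grants with no stated business need, grants with no end date, grants past their end date that are still active, and roles whose active assignments exceed the headcount HR reports for that role.

```python
"""Least-privilege access review over a constructed grant register (added example).

Assumptions (not from the article): each grant is a dict with user, role,
system, justification, granted, expires (date or None) and active fields;
HEADCOUNT is an HR roster of how many people actually hold each role.
"""
from collections import Counter
from datetime import date

# Constructed sample register; no real person, firm or system is represented.
GRANTS = [
    {"user": "asmith", "role": "doctor", "system": "patients",
     "justification": "treating physician",
     "granted": date(2019, 1, 10), "expires": date(2019, 12, 31), "active": True},
    {"user": "bjones", "role": "doctor", "system": "patients",
     "justification": "",
     "granted": date(2018, 3, 1), "expires": date(2019, 3, 1), "active": True},
    {"user": "ckim", "role": "doctor", "system": "patients",
     "justification": "locum cover",
     "granted": date(2019, 6, 1), "expires": date(2019, 6, 30), "active": False},
    {"user": "dlee", "role": "billing", "system": "finance",
     "justification": "accounts receivable clerk",
     "granted": date(2019, 2, 1), "expires": None, "active": True},
]

# Constructed HR roster: how many staff genuinely hold each role.
HEADCOUNT = {"doctor": 1, "billing": 1}

# Constructed review date (matches the recording date given on this page).
REVIEW_DATE = date(2019, 10, 17)


def review_grants(grants, headcount, today):
    """Return (rule, subject, detail) tuples for every least-privilege violation found."""
    findings = []
    for g in grants:
        if not g["active"]:
            continue  # revoked grants are fine; only live access matters
        subject = f'{g["user"]}@{g["system"]}'
        if not g["justification"].strip():
            findings.append(("no_justification", subject, g["role"]))
        if g["expires"] is None:
            findings.append(("no_expiry", subject, g["role"]))
        elif g["expires"] < today:
            findings.append(("expired_still_active", subject,
                             f'ended {g["expires"].isoformat()}'))

    # Role-level check: more live assignments than people who hold the job.
    active_by_role = Counter(g["role"] for g in grants if g["active"])
    for role, n in sorted(active_by_role.items()):
        staff = headcount.get(role, 0)
        if n > staff:
            findings.append(("more_grants_than_staff", role,
                             f"{n} active grants vs {staff} staff"))
    return findings


def grants_to_revoke(grants, today):
    """Users whose active grant has lapsed: the concrete cleanup list for the review."""
    return sorted(g["user"] for g in grants
                  if g["active"] and g["expires"] is not None and g["expires"] < today)


if __name__ == "__main__":
    for rule, subject, detail in review_grants(GRANTS, HEADCOUNT, REVIEW_DATE):
        print(f"{rule:24} {subject:20} {detail}")
    print("revoke:", grants_to_revoke(GRANTS, REVIEW_DATE))
```

The per-grant checks answer the text’s "why and for how long" questions; the role-versus-headcount comparison is the cheap reconciliation that would have exposed the hospital’s 1,000-accounts-for-300-doctors situation without reading a single individual grant.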

While classifying your data by the types of personal information collected is another principle of good data governance, as the definition of what constitutes personal data expands, having fewer classification buckets has become a prudent and easier tactic to manage. Specifically for law firms, it is fair to say that all the information we amass, whether from our clients, from our employees, or what we create internally, is confidential. This makes for simplified control and retention parameters.

When going through a GDPR preparedness exercise with a law firm, the head partner of their privacy group posited the question, “If you put it all in one bucket, does that require more effort to discover relevant data in the case of a GDPR request?” My answer was, “No, it will require more effort to devise technical segmentation strategies, and these classifications will continually dictate and complicate how we build out future infrastructure.” This advice works well for law firms but is not necessarily applicable to other industries where they have more disparate data to control, and buckets where they can classify information as non-sensitive.

Another core principle of data governance is restricting data storage to the applicable repositories. Documents and email should be saved to a Document Management System (DMS). Practitioners should have little to no ability to store their documents elsewhere. This includes limiting the size of email boxes and promoting “File it or Delete it” practices. Personal and shared network drives should be avoided or used only for transitory purposes and be controlled by strict retention and deletion schedules, so that nothing remains there for longer than necessary.

For practice, resource, customer-relationship and financial systems, it is common to leverage Excel for data manipulation and reporting. Ensure that these documents are saved to and shared through the DMS. This may seem redundant, but it is not uncommon for business service groups like Finance, Marketing and HR to avoid using the DMS for a variety of perceived limitations or, ironically, security concerns.

Utility, Directives and Enforcement

It is equally important that data governance practices include clear directives and easy to use systems for how to properly describe clients, matters, and work product. Despite all the efforts of New Matter Intake Systems, DMS Document Types, Practice Group restructurings, and the like, firms grapple with accurately documenting key information about their clients and their matters. Here we have the adage: garbage in, garbage out. Good data governance practices include proper data curation.

All of this is much easier said than done and requires direction and enforcement from the top. Most likely, your General Counsel is the appropriate champion for the cause. They are the risk experts and are placed in that role to advise the Managing Director, who also needs to back the initiatives.

History tells us that people will find their own way to work if a practical way is not presented to them, and if they get burned once by a system, for instance losing two hours of document editing, they will avoid or have parallel processes to protect themselves from that system going forward. These parallel processes usually manifest as documents saved to their desktops and emailed to themselves, essentially providing two additional places where data can be compromised, email being the absolute worst place to store redundant copies of information, as they reside on personal devices that can be lost or stolen in an unlocked state. (See Figure 1.) Consequently, in addition to policy and enforcement, you must provide stable, easily accessible systems on which your practitioners can rely.

Benefits

In brief, governing your data well results in clean data, which can be analyzed, reported upon, and modeled to better understand your business and capitalize on this understanding. Today it means you can answer an RFP or security audit with confidence and professionalism. Tomorrow it means you can predict how your business, your employees, and your clients will behave, and act accordingly to meet and exceed your expectations of success.

The GDPR preparedness exercise a law firm went through identified a glut of vendors being used by individual attorneys, paralegals, and litigation support staff, undoubtedly resulting in the firm and their clients paying too much for services because work that individual vendors could have taken on was never consolidated. Once this became apparent, the firm was able to establish a more select group of vendors at better rates.

Clients are increasingly requiring firms to complete cyber security risk audits. There is no one standard audit to complete nor certification to attain to satisfy the requirements of these audits. And more recently, detailed cyber security questions have found their way into RFPs. Least privilege access and data access-auditing are core requirements of these audits and questionnaires. Good data governance makes these requirements easy to meet. And for RFPs, it can be a selling point and differentiator from your competition.

Case Studies

Acme* law firm’s leadership wanted to improve their partners’ cross-selling efforts to acquire more work from existing clients. While partners are often reluctant to jeopardize their client relationship by introducing colleagues they may not know well into the relationship, knowing who knows whom helps begin the dialog. A firm leader who understood this principle saw CRM as an essential source of useful and actionable data. She succeeded where others failed by insisting, via process, that all client entertainment expenses be recorded in the CRM system for reimbursement. This forced the attorneys’ hands and provided firm leadership with insight into their client relationships and opportunities for building upon them.

Acme law firm’s Marketing and Finance departments struggled with responding to RFPs asking for relevant experience, cost estimates and alternative fee arrangements. Not only was there not a single source for this information, but the integrity of the sources was suspect. Clients and matters were onboarded in the quickest rather than the most accurate and comprehensive manner. Initial matter descriptions were never updated to reflect the actual nature of the matter, and fee agreements were made via email never to be seen by Finance. A Senior Partner was tasked with addressing this problem as part of the firm’s overall strategic plan and developed a set of recommendations for establishing and maintaining a clean instance of matter data specific to the single practice group with the most interest and incentive to change: the group responding to the most RFPs.

This involved pulling data together from disparate systems, creating new data sets addressing their needs, and establishing curation processes to ensure that data accuracy is maintained over time. Note that curation in this context requires people and agreed-upon processes that enable these people to take time out of an attorney’s day to ensure their matter is being documented properly. In the future, as the process is institutionalized, matter curation can be achieved through automated prompts rather than people showing up at the attorney’s door. This new instance of the enriched data and improved processes became the model for how the firm redesigned its new matter intake and management practices.


[*] The name of the law firm has been withheld to protect the identity, IP and practices of our client.


Data Governance for Artificial Intelligence

A recent survey of risk managers, senior finance, IT, and management executives by analytics provider SAS and the Global Association of Risk Professionals (GARP) identified Data Quality as the top challenge to utilizing Artificial Intelligence.

Fortunately for DLA Piper, they had confidence in their data governance practices when using artificial intelligence to answer leadership’s question of how to better retain clients. The firm analyzed various sets of data related to their client relationships and used the analysis to develop a data model that found four key variables that directly affected client retention:

  • Reducing the size of matter teams to five or less and increasing time per team member proportionally where possible;
  • Introducing one new professional to the relationship;
  • Adding one more industry expert to the team (which could coincide with point two); and
  • Running a focused, relevant marketing initiative for each client.

When comparing a control group to a group focused on improving those key variables, DLA prevented 85 percent of fee loss on a year-over-year basis.

The CLOC Effect

The Corporate Legal Operations Consortium (CLOC) has emerged as the premier voice of Fortune 500 legal departments. Their intent is to drive their outside counsel to more efficient matter management to surface and compare commodity work delivered across law firms and establish fair pricing for their work. They have defined a maturity model applied to law firms that serves as a basis for their service expectations, in which data governance and process management are guiding principles across each of the levels of maturity. (See Figure 2.)

CLOC estimates that 60 to 90% of a lawyer’s day can be automated and/or supplanted by legal service providers. Although this may seem extreme, their basic premise will trickle down to smaller companies’ legal departments over time: law firms need to be more efficient. Combine this with resources like TyMetrix and Serengeti, now Thomson Reuters’ Legal Tracker, and legal departments know how much your competition is charging for similar services.

Firms that can give tangible examples of being efficient will win CLOC members’ and others’ business. And efficiency requires good data governance. You want to be able to provide facts like:

  • Completing phase 1 of this matter could take 20 days but now that we re-engineered our process and leverage our precedent data, it takes 8 days.
  • Currently, 92% of our budgets are within 9% of actual cost because we have collected better data by managing our matters more effectively.

Furthermore, good data governance of your clients’ matters can lead to bespoke product offerings that can generate new repeatable streams of revenue for your firm. I give a final example of a firm’s “Corporation in a box” model, designed by a venture capital practice group to consolidate the matters, phases, and tasks necessary to form a corporation into a single, flat-fee product.

Conclusion

In closing, data-related crimes are being committed electronically every second of every day. Our immediate response was to improve our cyber security controls to keep criminals out of our servers and desktops. Improvements in firewalls and external threat detection and prevention systems pushed criminals to a new vector: the individual.

In response, we need to focus our attention on our individuals. We need to limit the damage done to our businesses by individuals being compromised. The best way to do this is to limit what data these individuals have access to at any given time and over time. To accomplish this, we need to know what data they need and how they access and disseminate it. Knowing this allows us to govern our data’s disposition over time. We need to set limits on where the data can reside and for how long, with the objective of centralizing, de-duplicating and normalizing as much of our data as possible.

Along the way to achieving these objectives, data integrity improves, we will find new opportunities to use the data in meaningful and profitable ways, and we will develop better ways of performing our work and servicing our clients.