Managing your data isn’t just about protecting you and your clients from cyber-threats, it’s about generating actionable insights into your business processes and opportunities to enhance your business practices and client service. This article explores the principles and opportunities of practical data governance and how they can be applied to keep your firm more secure while operating more efficiently and improving client service.
Until now the principle of data management has driven commerce. Contracts and agreements are crafted, purchase orders are made, products are delivered with packing slips, and somewhere along the line payment is rendered and recorded. Successful businesses keep meticulous records of the costs to produce the product, the amount their customer paid for the product, and the number of products sold.
If we apply this to the legal industry, we find complexity in defining what the product actually is, how much it cost to produce, and how much the customer paid for the product. In addition to knowing where all your data resides and ensuring that it is secure, data governance for legal is about clarifying what products you sell, how much they cost to produce, and how much the firm should charge for the products to make a profit. It is also about knowing your customer, their needs and potential future needs to the best of your ability.
When data is governed properly, it can generate actionable information and institutional knowledge. For instance, if you can see that your customer is filing more diversified patents, it may be time to talk about their business goals and where you are able to help the customer achieve them beyond filing their patents. If automotive-related patents are ramping up, there may be an opportunity for you to help your client with relevant corporate acquisitions to enhance their portfolio.
The total economic value of the data stored in your systems has yet to be realized. With data having become our most unknown asset, there’s even an emerging discipline of Infonomics that aims to assert economic significance to information.
Risk Management Benefits
Privacy and security are top of mind for every firm and corporate legal department. Recent data breaches, some directed at law firms, and the regulations being developed to limit the impact of these breaches have caused firms to close and others to grow new compliance practices.
In part as a reaction to recent corporate data breaches compromising personal information for millions of people, the European Union and the state of California have stepped up their efforts to protect their citizens and residents. Most notably, the General Data Protection Regulation (GDPR) sent businesses worldwide into a fluster, threatening steep penalties for companies unable to comply with GDPR requests made by individuals.
Under the regulation, EU residents have the right to demand that a company with whom they have interacted, even if only by visiting their website, 1. identify all instances of the person’s information residing across all their systems, 2. edit that information upon request, and 3. permanently delete all instances of that information and cease collecting that information upon request.
Signed into effect on June 28, 2018, the California Consumer Privacy Act (CCPA) 2018 resembles the GDPR in that it empowers California residents to demand that a company with whom they have done business 1. identify what personal information is being collected, 2. provide the individual with access to that information, 3. identify whether their personal information is disclosed, and if so, to whom, 4. identify whether their personal information is sold (if so, they have the right to opt out of the sale), and 5. provide them equal service and price regardless of whether or not they exercise their privacy rights. Where it deviates from the GDPR is that it does not include the right of its residents to opt out of data collection completely.
Enforcement of the CCPA is expected to begin in 2020, once certain issues around the cost of services for those who opt out of data collection are ironed out. Currently, penalties in the law can include up to $7,500 per incident. This translates to a $75 million fine for a data breach involving 10,000 customers.
Meanwhile, your data doesn’t have to be breached for you to be penalized. A recent instance of poor data governance resulting in stiff penalties is the case of Central Hospital of Barreiro Montijo in Portugal. Portugal’s GDPR supervisory authority fined the hospital over $450,000 in total for allowing nearly 1,000 people to have doctor-level access to its patient management system with only 300 doctors on staff.
Proper data governance is essential to complying with these emerging regulations and can be marketed to customers and prospects as a strategic advantage.
Data Governance in Action
A driving principle of good data governance is to provide data access to only those in your firm who need it, and only for the duration of time needed. This is also known as least privilege access. To do this, you need to know where your data resides. Discovering this takes interviewing employees from each practice group and business service group to discuss the data with which they interact. They need to explain why they need this data, and for how long they need it. That way you can defend your collection of the data and assign a retention schedule to it so that you don’t store it for longer than necessary.
Your practitioners need to identify all the internal and external sources from which they receive data and to which they provide data. That way you can establish more comprehensive agreements with your vendors to ensure they are properly controlling the data as well.
While classifying your data by what types of personal information are collected is another principle of good data governance, as the definition of what constitutes personal data expands, having fewer classification buckets has become a prudent and easier tactic to manage. Specifically, for law firms, it is fair to say that all the information we amass, whether from our clients, from our employees, or what we create internally, is confidential. This makes for simplified control and retention parameters.
When going through a GDPR preparedness exercise with a law firm, the head partner of their privacy group posited the question, “If you put it all in one bucket, does that require more effort to discover relevant data in the case of a GDPR request?” My answer was, “No, it will require more effort to devise technical segmentation strategies, and these classifications will continually dictate and complicate how we build out future infrastructure.” This advice works well for law firms but is not necessarily applicable to other industries where they have more disparate data to control, and buckets where they can classify information as non-sensitive.
Another core principle of data governance is restricting data storage to its applicable repositories. Documents and email should be saved to a Document Management System (DMS). Practitioners should have little to no ability to store their documents elsewhere. This includes limiting the size of email boxes and promoting “File it or Delete it” practices. Personal and shared network drives should be avoided or used for transitory purposes and be controlled by strict retention and deletion schedules, so that nothing remains there for longer than necessary.
For practice, resource, customer-relationship and financial systems, it is common to leverage Excel for data manipulation and reporting. Ensure that these documents are saved to and shared through the DMS. This may seem redundant, but it is not uncommon for business service groups like Finance, Marketing and HR to avoid using the DMS for a variety of perceived limitations or, ironically, security concerns.
Utility, Directives and Enforcement
It is equally important that data governance practices include clear directives and easy to use systems for how to properly describe clients, matters, and work product. Despite all the efforts of New Matter Intake Systems, DMS Document Types, Practice Group restructurings, and the like, firms grapple with accurately documenting key information about their clients and their matters. Here we have the adage: garbage in, garbage out. Good data governance practices include proper data curation.
All of this is much easier said than done and requires direction and enforcement from the top. Most likely, your General Counsel is the appropriate champion for the cause. They are the risk experts and are placed in that role to advise the Managing Director, who also needs to back the initiatives.
History tells us that people will find their own way to work if a practical way is not presented to them. If they get burned once by a system, for instance by losing two hours of document editing, they will avoid that system or keep parallel processes to protect themselves from it going forward. These parallel processes usually manifest as documents saved to their desktops and emailed to themselves, essentially providing two additional places where data can be compromised. Email is the absolute worst place to store redundant copies of information, as they reside on personal devices that can be lost or stolen in an unlocked state. (See Figure 1.) Consequently, in addition to policy and enforcement, you must provide stable, easily accessible systems on which your practitioners can rely.
In brief, governing your data well results in clean data, which can be analyzed, reported upon, and modeled to better understand your business and capitalize on this understanding. Today it means you can answer an RFP or security audit with confidence and professionalism. Tomorrow it means you can predict how your business, your employees, and your clients will behave, and act accordingly to meet and exceed your expectations of success.
The GDPR preparedness exercise a law firm went through identified a glut of vendors being used by individual attorneys, paralegals, and litigation support staff, undoubtedly resulting in the firm and their clients paying too much for services by not leveraging the potential work individual vendors could inherit. Once this manifested itself, the firm was able to establish a more select group of vendors at better rates.
Clients are increasingly requiring firms to complete cyber security risk audits. There is no one standard audit to complete nor certification to attain to satisfy the requirements of these audits. And more recently, detailed cyber security questions have found their way into RFPs. Least privilege access and data access-auditing are core requirements of these audits and questionnaires. Good data governance makes these requirements easy to meet. And for RFPs, it can be a selling point and differentiator from your competition.
Acme* law firm’s leadership wanted to improve their partners’ cross-selling efforts to acquire more work from existing clients. While partners are often reticent to jeopardize their client relationship by introducing colleagues they may not know well into the relationship, knowing who knows who helps begin the dialog. A firm leader who understood this principle saw CRM as an essential source of useful and actionable data. She succeeded where others failed by insisting, via process, that all client entertainment expenses be recorded in the CRM system for reimbursement. This forced the attorneys’ hands and provided firm leadership with insight into their client relationships and opportunities for building upon them.
Acme law firm’s Marketing and Finance departments struggled with responding to RFPs asking for relevant experience, cost estimates and alternative fee arrangements. Not only was there not a single source for this information, but the integrity of the sources was suspect. Clients and matters were onboarded in the quickest rather than most accurate and comprehensive manner. Initial matter descriptions were never updated to reflect the actual nature of the matter, and fee agreements were made via email, never to be seen by Finance. A Senior Partner was tasked with addressing this problem as part of the firm’s overall strategic plan and developed a set of recommendations for establishing and maintaining a clean instance of matter data specific to the single practice group with the most interest and incentive to change, the group responding to the most RFPs.
This involved pulling data together from disparate systems, as well as creating new data sets addressing their needs, and a curation process to ensure that data accuracy is maintained over time. Note that curation in this context requires people and agreed-upon processes that enable these people to take the time out of an attorney’s day to ensure their matter is being documented properly. In the future, as the process is institutionalized, matter curation can be achieved through automated prompts rather than people showing up at the attorney’s door. This new instance of the enriched data and improved processes became the model for how the firm redesigned their new matter intake and management practices.
[*] The name of the law firm has been withheld to protect the identity, IP and practices of our client.
Data Governance for Artificial Intelligence
A recent survey of risk managers, senior finance, IT, and management executives by analytics provider SAS and the Global Association of Risk Professionals (GARP) identified Data Quality as the top challenge to utilizing Artificial Intelligence.
Fortunately for DLA Piper, the firm had confidence in its data governance practices when it used artificial intelligence to answer leadership’s question of how to better retain clients. The firm analyzed various sets of data related to their client relationships and used the analysis to develop a data model that found four key variables that directly affected client retention:
- Reducing the size of matter teams to five or fewer and increasing time per team member proportionally where possible;
- Introducing one new professional to the relationship;
- Adding one more industry expert to the team (which could coincide with point two); and
- Running a focused, relevant marketing initiative for each client.
When comparing a control group to a group focused on improving those key variables, DLA prevented 85 percent of fee loss on a year-over-year basis.
The CLOC Effect
The Corporate Legal Operations Consortium (CLOC) has emerged as the premier voice of Fortune 500 legal departments. Their intent is to drive their outside counsel to more efficient matter management to surface and compare commodity work delivered across law firms and establish fair pricing for their work. They have defined a maturity model applied to law firms that serves as a basis for their service expectations, in which data governance and process management are guiding principles across each of the levels of maturity. (See Figure 2.)
CLOC estimates that 60 to 90% of a lawyer’s day can be automated and/or supplanted by legal service providers. Although this may seem extreme, their basic premise will trickle down to smaller companies’ legal departments over time – law firms need to be more efficient. Combine this with resources like TyMetrix and Serengeti, now Thomson Reuters’ Legal Tracker, and legal departments know how much your competition is charging for similar services.
Firms that can give tangible examples of being efficient will win CLOC members’ and others’ business. And efficiency requires good data governance. You want to be able to provide facts like:
- Completing phase 1 of this matter could take 20 days but now that we re-engineered our process and leverage our precedent data, it takes 8 days.
- Currently, 92% of our budgets are within 9% of actual cost because we have collected better data by managing our matters more effectively.
Furthermore, good data governance of your client’s matters can lead to bespoke product offerings that can generate new repeatable streams of revenue for your firm. I give a final example of a firm’s “Corporation in a box” model, designed by a venture capital practice group to consolidate the matters, phases, and tasks necessary to form a corporation into a single, flat-fee product.
In closing, data-related crimes are being committed electronically every second of every day. Our immediate response was to improve our cyber security controls to keep criminals out of our servers and desktops. Improvements in firewalls and external threat detection and prevention systems pushed criminals to a new vector – the individual.
In response, we need to focus our attention on our individuals. We need to limit the damage done to our businesses by individuals being compromised. The best way to do this is to limit what data these individuals have access to at any given time and over time. To accomplish this, we need to know what data they need and how they access and disseminate it. Knowing this allows us to govern our data’s disposition over time. We need to set limits on where the data can reside and for how long, with the objective of centralizing, de-duplicating and normalizing as much of our data as possible.
Along the way to achieving these objectives, data integrity improves, we will find new opportunities to use the data in meaningful and profitable ways, and we will develop better ways of performing our work and servicing our clients.