Legal Technology Journal

Compliance – Avoid unnecessary risk
Written by Ann Ostrander, Kirkland & Ellis LLP   

A good compliance policy support strategy is vital to your firm’s success.

Proactive compliance. Risk management. Loss prevention. Regardless of what you call it, all firms have the need to ensure that client information is handled properly at all stages, to mitigate litigation and penalty risks, and to protect client and firm reputation.

Simply put, compliance is the process of ensuring that there are no gaps between firm policy and practice. This includes external mandates (eg Sarbanes-Oxley, EU privacy laws), industry practices (eg ABA guidelines), ethical considerations (eg conflict of interest, ethical walls, etc), as well as internal policies and procedures.

Proactively addressing compliance issues involves firm-wide awareness, attention and communication. It involves people, processes and technology working together across all departments. Sorting through risk issues and prioritising initiatives is no easy task. Interestingly, in comparison with this, the technology side of the equation is manageable. In some firms compliance initiatives drive IT requirements, whereas in other firms IT initiatives force firms to confront risk issues. For example, it is estimated that the average lawyer deals with 800 to 1,000 e-mails per week. This is not only an information storage issue, but a proper data classification, access and retrieval issue as well. Regardless, the role of the law firm IT professional is experiencing a paradigm shift. Operational efficiencies and stability are no longer enough. Today, IT must be included (or self-inserted) in the risk management planning process.

Why? To be successful, technology to support compliance initiatives must be invisible and mirrored to current end-user behaviours. Compliance policies, procedures and technologies vary from firm to firm, depending on factors such as practice area, geography, etc. However, there are universal considerations that the IT professional can and should address.

Map information flow

It is critical to map the way that information flows and is utilised throughout firm systems to identify any risk management issues and close loopholes. Take into consideration issues that could arise based on off-line, remote and mobile access. Overlay the firm’s risk management policies to determine how to leverage existing technologies and/or identify new technologies that the firm might need to put into place.

Know when compliance begins

Compliance should begin at the intent to do business so that information is collected properly from the start. The client intake process should be automated so that every step, from the intake form to waivers and engagement letters, is validated and able to be audited. The opening process should include a thorough conflicts screening, including cross-references of internal (eg time and billing) and third-party (eg OFAC) databases to confirm that the engagement is in line with the firm’s business rules, and an analysis to ensure that the engagement contributes to the firm’s health.

Leverage a federated, matter-centric approach

All information should be handled based on the practice type of the matter, not the repository in which the data is stored. The best way to achieve this is to use one system (eg records management) as an information hub or ‘compliance engine’ that eliminates redundant data entry, tracks retention periods, allows for auto-profiling and categorisation, and provides federated search and retrieval capabilities.

Decide who owns the data

Information about a matter and information created during the course of the matter proliferates quickly in a firm’s many conflicting technology systems. It is imperative that everyone on a team understands who ‘owns’ each piece or type of data. For information about a matter, many firms will hold an ‘ownership summit’ (attended by the business owners and IT) to determine who is allowed to create, maintain, modify and delete information. For instance, the accounting department may own the billing address (it obviously needs to know where to send the bills) but the new business/conflicts department may own the matter name (to ensure that the general nature of the matter doesn’t change significantly – as this can be a sign that someone may be trying to avoid a conflicts check). All the information can (and should) be created through one system – but that doesn’t mean the business owner of that system owns the information in the system. It is very possible to be responsible for the genesis of information without owning it.

Likewise, with information created during the course of a matter, best practice is to assign a records management lawyer (RML) to every matter. The RML’s primary role is to determine the ‘rules’ for how information is handled and then communicate those rules to everyone who works on the matter. A billing lawyer, who is responsible for all of the elements of billing a client, is the person at the firm who best knows the client. Similarly, the RML is the lawyer who best knows the details of the matter, and so is the most appropriate person to determine how the records and non-records are to be maintained. Know who has the ultimate responsibility for each component of the engagement.

Know when to hold ‘em

What constitutes a record? The rise of electronic data, especially e-mail as a primary form of client/lawyer communication, has blurred the lines in terms of defining a record. You must be clear about the point at which information is considered a record and be sure that it is subject to the firm’s retention policies.

Be prepared to produce

How long would it take for your firm to respond to a subpoena to produce all information related to a matter? How many resources would it take? How expensive would it be? A large part of being prepared to produce is being prepared to preserve. Any litigation, or even threat of litigation, against the firm means you need to take a close look at what information you have (all copies of it – think back-up tapes) and determine how to ensure that it does not get destroyed – even accidentally. If you have an enforced retention policy, you need to suspend those practices on the responsive information.

You also need a documented preservation order process that is consistently followed for every instance of litigation, whether perceived or real. This might include a standard message that is sent to everyone who billed time to the client or matter in question informing them of the preservation order and outlining their duties and responsibilities, as well as standard communications to all departments alerting them to the order, informing them of the retention policy and outlining their duties and responsibilities.

Once you have ensured that the information that may be responsive to a court order is preserved, you have to collect it (and document your collection process). This can be a painful process in today’s world of excessive proliferation. You can minimise that pain, however, if you classify and organise your information up front and destroy it according to a retention policy.

Remember security

It is important to recognise that there are two basic types of information security in law firms. The first type is ethical walls. Ethical walls are erected to protect the information of the clients and to avoid the appearance of impropriety. It is a safety precaution that is usually implemented when a lateral hire joins the firm and has some past adversarial relationship with the firm’s clients. Ethical walls can also be erected to accept new business that might create a conflict. In this case, the client might agree to sign a waiver allowing the firm to proceed if it agrees to erect an ethical wall forbidding the lawyers on each side to discuss the matter.

The second type is equally important, but slightly different, and includes confidential and private information. This may be a publicly secret matter (like a takeover or a big company about to go into bankruptcy) or just something private (like a performance evaluation). So, even though the reason for the security is different from that of ethical walls, they are usually technologically executed in the same way and have the same result (to prevent or grant people access to information – documents, e-mails, the inventory and existence of physical records, etc). For example, in Hummingbird’s LegalKEY Records Management system, the actual security module is called ‘Ethical Walls’ but it is used to control both ethical walls and security (making things private or confidential). The ultimate goal is to be sure that rules pertaining to information access are consistently applied in all firm systems. Right now, there is no magic bullet to reach that goal, but firms continue to work in that direction.

Manage duplicity

Proliferation of information is one of the biggest liabilities that firms face today. What is particularly dangerous is that proliferation is so pervasive that a lawyer may delete or destroy something not realising there are still 20 copies of it in various repositories around the firm (back-up tapes, messaging systems, copies stored locally, etc). Those copies are still discoverable and must be produced if ordered. But if the lawyer thinks it is destroyed, they may be in for an unpleasant surprise when their IT department produces it as part of a subpoena. A good solution for this is very structured, well-communicated IT/records management policies. A good policy would include a list of ‘firm-approved information repositories’ (FAIRs) and require strict adherence to it by IT staff. Practically speaking, that means when IT staff install a new piece of software, they alert the records manager that a new potential repository is about to be created. The records manager can then work with them to assess whether that new system will become an information dumping ground, ensuring that the following conditions are satisfied:

  • must be easily accessible;
  • must have security;
  • must be able to destroy information based on the firm’s retention policy; and
  • must be able to lock down (or preserve) information.
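As an added illustration (not part of the original article, and not the LegalKEY product it mentions), a small Python model of the ‘compliance engine’ described in the preceding sections: ethical walls and confidential matters expressed as access rules, a retention schedule that a preservation order suspends, and the collection step for production. All user names, matter ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    record_id: str
    matter: str
    declared: date          # the point at which the item became a firm record
    destroyed: bool = False


class ComplianceEngine:
    """Constructed model of one hub for access rules, retention and holds."""

    def __init__(self, retention_years: int):
        self.retention = timedelta(days=365 * retention_years)
        self.records: dict[str, Record] = {}
        self.walls: dict[str, set[str]] = {}       # matter -> users screened off by an ethical wall
        self.restricted: dict[str, set[str]] = {}  # matter -> allow-list for a confidential matter
        self.holds: set[str] = set()               # matters under a preservation order

    def add_record(self, rec: Record) -> None:
        self.records[rec.record_id] = rec

    def place_hold(self, matter: str) -> None:
        self.holds.add(matter)

    def can_access(self, user: str, matter: str) -> bool:
        # An ethical wall is an explicit denial and always wins; a confidential
        # matter is an allow-list; any other matter is open to the firm.
        if user in self.walls.get(matter, set()):
            return False
        allowed = self.restricted.get(matter)
        return allowed is None or user in allowed

    def apply_retention(self, today: date) -> list[str]:
        """Destroy records past retention, skipping matters on hold; return ids destroyed."""
        destroyed = []
        for rec in self.records.values():
            if rec.destroyed or rec.matter in self.holds:
                continue                            # a hold suspends the retention schedule
            if today - rec.declared >= self.retention:
                rec.destroyed = True
                destroyed.append(rec.record_id)
        return destroyed

    def collect(self, matter: str) -> list[str]:
        """Everything still held for a matter: what would be produced on a subpoena."""
        return sorted(r.record_id for r in self.records.values()
                      if r.matter == matter and not r.destroyed)
```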

Keep it simple

Remember, the best way to help your user community comply with the firm’s risk management policies and procedures is to keep the compliance engine as seamless as possible. Yes, your lawyers will still have to review and declare e-mails as records, but that process should be as simple as a folder drag-and-drop. Risk management and compliance are everyone’s responsibility and are ongoing. As an IT professional, you play an integral role in ensuring both firm and client protection. Be proactive and stay informed about industry best practices as well as your firm’s specific business rules. 

Ann Ostrander is the senior manager of loss prevention departments for the global operations of Kirkland & Ellis LLP. This article was first published in LJN’s Legal Tech Newsletter®, March 2006.
