Client Information Governance Requirements for Law Firms

Bill Tolson

Many organizations are demanding their law firms adopt client-specific information governance requirements. These new requirements are usually stated in the outside counsel guidelines (OCG): a document that formally communicates the legal department’s expectations to their law firms for a wide range of topics, including the handling of their records. The records management requirements are referred to as the Client Information Governance Requirements (CIGR): client-directed policies on how the law firm will handle, secure and dispose of a client’s data. CIGRs are conceptually straightforward, but they can also be challenging to integrate into a firm’s overall infrastructure, especially if different clients impose different data-handling requirements.

Incorporating new client-specific requirements into a law firm’s infrastructure can pose several challenges. The CIGR will differ from client to client, requiring firms to have flexible processes and technology. Many firms incur additional costs if they need to repurpose floor space, purchase new technology and hire experienced personnel to meet the new requirements. Those firms that instead try to adapt their current document management system to the new CIGR often must create exceptions to their standard policies, schedules and workflows — a practice many firms’ information governance (IG) professionals discourage. These requirements are potentially disruptive, but firms may discover that client accommodation changes can ultimately be beneficial.

Will Records Management Practices Be Affected?

So how are the law firms responding to the new CIGR? A survey from the just-released Law Firm Information Governance Symposium (LFIGS) report shows that 63.6% of organizations have updated their IG or security policies in the last year in response to the CIGR. Firms are indeed recognizing the importance of the CIGR and responding positively.

To adapt, firms should consider changing their current procedures. The first procedure to address is the “contract intake process.” Firms should be sure to communicate the CIGR to the IG department so the IG team can determine whether the firm’s system is capable of meeting the requirements. If not, the firm may be able to renegotiate the CIGR to fit its capability.

A 2017 International Legal Technology Association study provides an important listing of common CIGR requests. The top three were the right to audit the firm’s processes/procedures, the need to follow specific client document-retention guidelines, and the doctrine of least privilege access — only the responsible legal team can access client data.

Many versions of the CIGR, specifically from multinational organizations, drive the concept of geographic data storage. Clients may ask that their data be restricted to storage in specific geographic regions.

Another popular requirement concerns data security, particularly encryption of data at rest and of data in transit. The CIGR encryption requirement covers electronic data that is stored, shipped or transmitted. Encryption of data at rest requires encrypting client data stored on firm workstations, laptops, servers, tapes, DVDs and CDs, thumb drives, hard drives, etc. Encryption of data in transit requires encrypting data being moved, shipped or transmitted electronically.

Information Retention, Disposition and Matter Mobility

The last common CIGR issue law firms should be aware of is the requirement of information ownership, retention/disposition and matter mobility.

Many clients now include provisions in their CIGRs declaring that the client owns everything the firm creates as part of its representation. However, in most jurisdictions, at least some documents created as part of the representation are owned by the firm, not the client.

Some clients are concerned about how long law firms retain their information. Nevertheless, many law firms have records retention policies that dictate records retention periods, including how long they must be kept past the end of a matter. Usually, the retention periods are based on state and federal regulations and statutes of limitations for a legal malpractice action.
