Five law firm IG leaders took the stage at ILTACON to demonstrate how law firms can actually achieve proper governance beyond the standard records room — and it starts with some key conversations
ORLANDO, Fla. — Increasingly, law firms of all sizes have started to come around to understanding the business opportunities of their data and the importance of effectively governing that data. After all, according to the Thomson Reuters Institute’s 2023 Digital Strategy Report, 83% of firms say that digital transformation is highly important or central to the firm’s strategy, and 54% currently have a defined digital strategy at the C-suite level.
As a result, it’s perhaps not surprising that many mid-size and large law firms now have dedicated information governance (IG) policies in place. For many firms, however, the issue comes with taking the next step: What do we actually do with our IG policy to help guide the firm?
A session at the International Legal Technology Association’s yearly ILTACON conference titled, You have an IG policy in place, now how do you manage compliance? looked to help answer that key question. The five law firm panelists, all members of a group known as the Law Firm Information Governance Symposium that has developed a report on the subject, noted that while many firms may pay lip service to IG concepts, a functioning program can take a lot of hard work.
“In my career, IG is sometimes not so easy to accomplish,” said Leigh Isaacs, Senior Director of Information Governance at DLA Piper.
Achieving buy-in with communication
Jill Sterbakov, Information Governance Compliance Attorney at Morgan, Lewis & Bockius, said she often gets the question of how often a traditional records room can transform into a modern information governance team. She estimates that “if you can secure the buy-in you need, the resources you need, in a large firm it should take about 3-5 years to develop an advanced program,” but that’s with one caveat: It requires full-firm buy-in.
“You need to sell before you can build,” Sterbakov added, noting that this doesn’t just mean going to GCs or managing partners for leadership input. “If you’re walking into an organization and you’re building an IG program, you really need to go to the practice group leaders and sell to them.”
Isaacs agreed, noting that data professionals need to “understand the culture and politics of the firm so you really know where to start.” She said that being a good listener is an underrated key skill. “If I’m taking a position where I’m coming in and telling you what medicine to take because it’s good for you, I might get some resistance to that,” she explained.
This means that all proper IG plans should include both two-way communication and a proper information program around the firm’s information governance goals. Karen Allen, Information Governance Manager at Wiley Rein, called this the “user education” portion. “I try to avoid the word training because when you say training, people run and hide,” Allen said, adding that this education around proper IG etiquette should be baked into every interaction. “It’s not one and done, [or] a once-a-year type of thing.”
In fact, law firm IG professionals should think outside the box about ways to get this training across, she explained. In one conversation, she noted, she brought actual Legos into the office to illustrate a point about how cloud architecture works.
Sterbakov also added that the firm’s internal calendar has become her friend. “I can see, oh the Philadelphia L&E group is meeting on March 3. So, I can go to the practice group leader and say, can I grab five minutes of that meeting?”
Technology and obligations
Panel moderator Michele Gossmeyer, Global Director, Information Governance, Risk and Compliance at Dentons, noted that law firms can’t lead with technology — it’s people and processes that need to drive technology’s use. That said, the panel agreed that the technology is an important component to making sure an IG program runs smoothly.
That’s why one of her most crucial relationships within the firm is with its IT team, Allen said, citing an example from her previous firm of building a dashboard with the IT staff to identify where data lived on employees’ computers. The dashboard allowed her to identify potential governance problems, such as: “I have a senior partner who has 40 gigs on my documents on their desktop and 12 documents in the DMS.”
That visibility was only possible with the technology and collaborative efforts with IT, Allen said. “They know where a lot of the stuff is, even if they don’t know why it’s important to us.”
Isaacs agreed, saying that she even brought IT into her IG education efforts, adding that “now we’ve got a nice cross-section of training.”
Data maps and visibility into data usage that technology provides can provide ammo in tough conversations with leadership, Sterbakov of Morgan Lewis said, citing, for example, that it’s “not just this one guy [putting things on C-drive] but 50% of the firm is doing this.” She added that people “always think they’re a unique situation” to get away with non-compliance but explaining the importance of compliance with “this is what we’re telling our clients and our insurer” can help get them back on track.
Indeed, the panelists pointed to data compliance requirements within outside counsel guidelines (OCGs) as a periodic burden, but also as a potential weapon for enforcing IG policies. James Merrifield, Director of Information Governance & Business Intake at Robinson & Cole, touts OCGs as a way to drive buy-in, “because now it’s not just important to the firm, but to the client.”
Sterbakov noted she reads every OCG that comes into the firm “and they’re getting more and more sophisticated what they’re asking to do. [And] if we accept those outside counsel guidelines, we’re telling them we’re doing that.”
Sound overwhelming? It certainly can be, especially as data governance technology is still continuing to evolve. But Merrifield said his key to satisfying disparate IG requirements within OCGs is to start small, perhaps by taking the firm’s largest 20 clients and certifying those requirements are satisfied first before building out.
Indeed, taking the next step in IG can potentially difficult, especially for those firms without ample technology or staffing resources. But Wiley’s Allen — herself the sole person fully responsible for IG within her firm — said data and records professionals shouldn’t be afraid to ask for help. “I have tentacles everywhere else that can help me get done what I need to get done,” she said. “Even as a party of one, that doesn’t mean you can’t staff your program.”