May 2023 | Article
Conquering Information Governance: Where do you start?
Law firms are now waking up to the fact that they should be tackling data retention and disposition much more systematically than they are. But they’re also beset with trepidation over where and how to start what can seem like a gargantuan task. In this article, Chris Giles outlines the issues and recommends five basic steps for conquering data retention and disposition.
They shouldn’t be, but a lot of the law firms we speak to about data retention and disposition are struggling to tackle the issue head on. It feels like an overwhelmingly large task: data is everywhere in the firm, no one knows where to start, and no one takes ownership, because the problem seems too complex, too unwieldy and too formless. Yet today’s law firms must get on top of their growing mountains of data, because without intervention those mountains will only keep growing.
Moreover, until recently, data retention and disposition has been the ignorable second cousin in the information governance family. There has long been a clear understanding of the need for data security and storage provisioning, and for all the facets of data management that contribute to fee earning and system efficiency, but tackling the firm’s inexorably rising data volumes has seemed like a wearisome chore with no clear reward. That is no longer the case. The time has come for firms to tackle their excess data.
Not real clouds
What are the dangers? As data keeps multiplying it creates more cost and more risk for the firm. As to cost, as firms move document management systems and Office 365 workloads (Microsoft Teams, SharePoint, etc.) into cloud-based storage, the spend on cloud infrastructure is becoming significant. Global spend on cloud infrastructure was estimated at US$48 billion in 2020 and US$178 billion in 2021.[1] Revenue from the storage segment of the data center market is forecast to grow by around US$11.6 billion between 2023 and 2027, an increase of more than 24%.[2] The firm pays its share of that. Less data costs less to store.
Hack attack
As to risk, the least of your worries is that systems bloated with excess data perform less efficiently, impacting firm productivity. A more pressing risk is your increased exposure to attackers: the more data you hold, the juicier a target you present, and the larger the blast radius when a breach does happen. Data you have already disposed of cannot be stolen.
Plus, these days attackers are known to target law firms because you are low-hanging fruit: lucrative, generally still playing catch-up after the shift to remote working, and much less well defended than healthcare or financial services. Depending on your area of law and your clients, your data may also present an irresistible target to hacktivists or even state-sponsored actors.
Another risk as you accumulate and retain data is that you may breach your clients’ increasingly prescriptive outside counsel guidelines. OCGs have become noticeably more concerned with data retention and disposition schedules recently, because clients have also noticed that law firms tend to get hacked.
Regulation inflation
Likewise, as data ages it creates more risk for the firm, because old data risks breaching regulatory requirements. By this we don’t just mean GDPR, which applies to the personal data of people in the EU regardless of where the firm processing it is located, but also the growing body of US state privacy legislation, to date including California, Colorado, Iowa, Utah, Virginia and Connecticut, as well as Canada’s Bill C-27.[3]
In addition, on 27 March 2023 New York’s Attorney General secured a US$200,000 fine from a New York/New England based firm for a data breach that compromised the private medical records of nearly 115,000 patients. The firm’s Microsoft Exchange email server was compromised. Microsoft had issued patches, but the firm did not apply them in time. The breach violated the SHIELD Act,[4] and because of the firm’s relationship with healthcare clients it breached HIPAA too.[5] As well as the fine, the New York Attorney General required the firm to update “its data collection and retention practices … permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information.”[6] Note the two lessons here: the unpatched server let the attackers in, but the volume of retained patient data is what made the breach so large. The message is: “Don’t keep data any longer than you need to, because it increases your risk.”
Institutional memory
The other issue with older data is that you may not know you have it. We are at the point where some firms have IT systems that are over 20 years old. We know of one firm that found a live business intake and conflicts system that had been superseded by a newer version more than 10 years earlier. The old system was kept for audit purposes and then forgotten. It was full of personally identifiable and other highly sensitive information, and because it was unsupported and unpatched it was an easy target. Had the firm not stumbled on it, it would have gone on presenting a substantial, yet hidden, risk.
Likewise, there is shadow IT, which arises when individual lawyers do work outside the firm’s sanctioned and provisioned IT infrastructure. You may therefore have parts of a matter record in systems outside the firm, in a lawyer’s personal email from when they worked from home during the pandemic in 2020, or in a physical folder in their home office.
Breaches can be expensive, embarrassing… and terminal. In April 2023 a 150-year-old listed London law firm went into administration, mainly because it never recovered from a large ransomware attack in March 2022.[7] That is why you should be worried about your historical data.
One step at a time
To avoid following in their painful footsteps, the time has come to get a serious grip on data retention and disposition. To restate: this will decrease the likelihood of falling foul of regulators, attackers and clients (in relation to OCG breaches), increase the efficiency of systems, and save money on storage costs.
It may seem daunting when there are decades of data in physical storage as well as electronic systems, when different types of data in different practice areas need to be treated differently, and when the rules on data retention vary across jurisdictions. But the journey of a thousand miles starts with one step. We therefore recommend that firms get started on a logical, efficient and pragmatic five-step approach. These steps are:
- Develop a data retention and disposition policy;
- Understand what data you have;
- Draw up a retention schedule;
- Execute the policy; and
- Get destruction decisions across the line.
This approach will be explained in greater detail in part two of this series and during our ILTA Masterclass, “Rome wasn’t built in a day”, where we will discuss the five steps that will help you conquer your firm’s data.
[1] https://www.statista.com/topics/3150/data-storage/#topicOverview
[2] https://www.statista.com/forecasts/1251266/worldwide-storage-revenue
[3] https://iapp.org/media/pdf/resource_center/State_Comp_Privacy_Law_Chart.pdf
[4] https://bracewell.com/insights/new-yorks-deadline-comply-new-data-privacy-law-fast-approaching
[5] Health Insurance Portability and Accountability Act of 1996, a US federal law protecting sensitive patient health information from disclosure.
[6] https://legaltechnology.com/2023/03/27/heidell-pittoni-fined-200k-by-new-york-ag-for-2021-data-breach/
[7] https://www.standard.co.uk/business/law-firm-ince-group-administration-bust-b1073675.html