In a world where data volumes are increasing exponentially, it’s surprising that a large proportion of law firms don’t even have a policy to manage data retention and disposition. The problem may be that firms haven’t grasped the dangers of excess data, and therefore why they should take data minimisation seriously. To help bring firms some clarity, these are the top ten reasons why law firms need to destroy much more of the data they hold.
- Excess data makes your firm a bigger target for cybercriminals. In particular, ransomware attacks have been identified as an “increasing threat to lawyers and law firms of all sizes.” Given that in 2021 cybercriminals earned more than Japan, it’s clearly time to take the threat of cyberattack very seriously.
- Data minimisation is part of ISO/IEC 27001 certification. As the international information security management standard becomes more popular, firms wanting to achieve certification must show third-party auditors they’re meeting data retention requirements.
- Outside Counsel Guidelines are increasingly likely to put limits on how long client data is held. Rising cybercrime is targeting client data held by law firms, so OCGs are increasingly likely to cover how and for how long client data is kept by the firm. To maintain OCG compliance, client data must be destroyed or returned as mandated.
- The move to a cloud-based DMS will be much simpler with data minimisation in place. Firms contemplating the move to a cloud-based DMS should reduce the quantity of data to reduce the duration, fees and ongoing costs of the transition.
- New and existing privacy regulations place strict limits on how long PII data can be held. For compliance with GDPR when handling EU citizens’ data, and compliance with UK, Californian, Brazilian, and upcoming Canadian data privacy legislation, firms must continually purge Personally Identifiable Information (PII) or risk a compliance breach and being sued by a data subject.
- Demonstrably strong data governance is a pitch-winning card to play. Firms that can demonstrate they’re keeping information governance and data retention and disposition under close control will more likely win the confidence of prospective clients.
- Firms and lawyers are required to take care of client information as part of their professional obligations. Lawyers and firms must adhere to rules of professional conduct, such as those of the SRA in the UK, in relation to how client assets, including data, are handled.
- The cost of electronic data storage is skyrocketing. The costs of electronic data storage are doubling every four years. So it makes business sense to reduce the volume of extraneous data. Plus, IT budgets aren’t keeping up so other important areas of IT provision are under strain.
- Excess data impacts the efficiency of law firm systems. Time is money, so can you afford to be running sluggish systems that are clogged with excess data? Plus waiting for a lagging computer can cause lawyers unnecessary stress, eroding their well-being and job satisfaction.
- Data minimisation can give your firm a competitive advantage. Even with all the compelling reasons why data minimisation is a good idea, still only 53% of respondents to the ABA’s 2021 cybersecurity survey said their firm had a data retention policy, while a recent LegalRM poll suggests only 26% of firms with policies are implementing them. The majority of firms are exposing themselves to unnecessary costs and risks by not minimising data. The firms that do better on data minimisation will be more resilient, more attractive to clients and more efficiently run.
In summary, the most compelling reason why firms should opt for a data minimisation strategy is because the costs of not doing so can be very high. They can include lost productivity, and excess storage costs. They can take the form of a loss of reputation after a cyberattack; or a significant regulatory fine; or the cost of losing a client because OCGs weren’t honored. Firms have it in their power to avoid these risks, exposure and penalties. In the second blog in this series, we’ll cover how firms should go about putting a data minimisation strategy in place.
To find out more about how to instigate a data and data policy review join us for our upcoming webinar. We will discuss the advantages of a data minimisation strategy, and in particular focus on why this strategy is of particular importance to a CIO, or the IT budget holder within a firm.
Chris Giles is CEO at LegalRM, which creates market-leading software, services and solutions for records, risk and compliance management and serves some of the world’s largest law firms as well as blue chip organisations from other industry sectors.
In 2021, cybercrime is estimated to have generated USD$6 trillion; Japan earned USD$4.9 trillion. See: https://news.cybersixgill.com/chinese-russian-cyber-threats/