All law firms have records – a lot of them. But it’s only recently that they’ve started to become seriously problematic, for a host of reasons, which is why firms now need help with systematic information retention and disposition.
By far and away the biggest concern for law firms is the increased risk of cyberattack. Given the highly sensitive and confidential nature of the information held, there’s the very real danger that excess data and supported legacy systems attracts cybercrime. Ransomware attacks have been identified as an “increasing threat to lawyers and law firms of all sizes”. Plus cybercriminals may perceive law firms as having weaker security defences compared to other industries , making them the target of attacks.
Compliance and Regulatory Issues
Meanwhile excess content can complicate compliance with data protection and privacy regulations, specifically GDPR. You’ll know of the criminal law firm fined £98,000 by the ICO after a major data breach of an archived server. This was in part due to the firm’s: “failure to adhere to or to justify departure from its retention practices”.
As well, excess data increases the complexity of complying wit Outside Council Guidelines, which are becoming more prescriptive about how long client data is held.
Storage and Cost
And don’t forget the extra cost of storing and managing excess data, which requires either adequate infrastructure, including servers and backup systems, or cloud storage, the cost of which is substantial and rising. The costs of electronic data storage are doubling every four years.
Once seen as not a priority for many law firms, this has become a significant driver for law firms, as they move to Office 365 and cloud based document management systems.
Another emerging issue is that many firms have an aging IT infrastructure. These can harbour forgotten data-laden servers. A firm we know found a redundant business intake and conflict resolution system that was superseded by a newer version more than ten years ago, but never taken down. The system was unsupported, so ripe for hacking.
There’s also the problem of shadow IT. This is when data lurks in IT systems that are beyond the boundary of the firm’s provisioned and sanctioned infrastructure. Think of work done on home computers and emails exchanged using personal email addresses, especially during the pandemic.
Data held in these hidden corners can come back to bite you in the form of a security or compliance breach.
To mitigate all these risks and costs, law firms need to systematically prune excess data via effective information governance practices. This can be a big job and if you don’t know where to begin, we recommend a logical five-step approach that institutes and implements a robust and comprehensive solution. The five steps are:
- Identify and build a committee
- Understand what data you have and where it is
- Develop a retention and disposition policy
- Execute the policy
- Get destruction decisions across the line.
How to execute the five steps will be explained in greater detail in part two of this series, and was the subject of our ILTA Masterclass: Rome wasn’t built in a day. To watch the session on demand, click here.
Chris Giles is CEO at Legal RM, which creates market-leading software, services and solutions for records, risk and compliance management and serves some of the worlds largest law firms as well as blue chip organisations from other industry sectors.