A big mistake a lot of law firms are making now is that they’re not paying as much attention as they should to getting rid of data. We know that invariably lawyers want to hold on to everything forever. But in today’s climate that’s just not wise, for several reasons.
The first drawback of holding too much data is simply the cost of storage. In recent years this has been skyrocketing as firms move from on-prem “owned” DMS solutions to cloud-based subscription models with their significant operating costs. Whether it’s physical or electronic, this is an overhead that firms should keep an eye on. A second area of concern with excess data is the penalty it imposes on efficiency. Searching for the right document and not quickly finding it among all the chaff can be a serious drag on productivity, as can having to recreate documents that can’t be found. It’s also likely there’s a negative knock-on impact on client service levels.
The attack surface
There’s also the problem that excess data storage increases the attack surface for cybercriminals at a time when cybercrime is rising, and law firms are a recognised target. This is evidenced by the fact that 90 of the UK’s top 100 law firms are so concerned about the impact of cyberattacks that it’s the top threat they identified to their future growth ambitions. So why exacerbate the exposure by holding on to excess data?
Finally, law firms should be careful about the compliance risks they run by retaining excess data. In particular, most firms will retain some Personally Identifiable Information (PII) in the form of dates of birth, addresses, social security numbers and banking information, in anything from property deeds to due diligence on directors acquired while doing M&A work.
Under Europe-wide GDPR legislation, it’s an offence to keep PII longer than necessary for the purpose for which the data was originally acquired. A breach of GDPR in the UK recently resulted in a leading criminal law firm being fined nearly 3.25% of their annual income. Plus there’s an increasing body of GDPR-like legislation emerging in North America: Canada already has CASL, and in the US a slew of states has already signed state data privacy legislation into law.
All told, there are many unwelcome hazards associated with excess data retention and one clear answer for firms. They must now get on top of these issues by creating and executing robust data retention and disposition policies, which is what we’ll cover in the next blog.
To find out more, watch our webinar ‘Retain, or destroy (data)? That is the question!’, where we deliberate the growing pressure on firms to manage data retention and disposition efficiently and compliantly.