AI in 2024: Should We Still Be “Moving Fast and Breaking Things”?
Editor
Where are things headed with AI in the coming year? What trends should legal IT professionals be awa(...)
Document and Email Technology Predictions for 2024
Dave Wilson
As trusted advisors to law firms around the globe, we're often asked about the latest trends in lega(...)
Data disposition is becoming an increasingly hot topic for law firms, both because the volume of data keeps growing, and because the risk of breaching GDPR by retaining excess data continues to rise, as Chris Giles explains in part 1 of the data disposition series.
Among the many consequences of the global pandemic, one was that it drove many law firms to embrace digital transformation. And in the course of enabling remote working, many introduced cloud-based systems and took the opportunity to scan existing paper records. This has led firms to believe that, to the necessary degree, they’ve “taken care of” their records. But is that entirely true?
I’d argue that even though many paper records have been digitised, now is not the time for firms to be complacent about data and records. You should continue to ensure you’re managing information governance with appropriate controls on retention and destruction, because when holding onto excess data in whatever format, several pitfalls remain.
The costs of storage
The obvious first problem with keeping excess data is that it’s expensive. The costs of physical storage are well understood. But now the costs of electronic storage are emerging and it’s becoming clear that there’s a price on every excess gigabyte. This is especially apparent when firms transition to cloud-based document management systems, and it’s something that firms should control rather than accept.
Privacy regulation
The next problem with excess data is that there’s a growing body of data privacy regulation and legislation for firms to negotiate. They’re impacted because virtually all firms will hold some Personally Identifiable Information (or PII) including dates of birth, addresses, social security numbers and banking information in anything from property deeds to the due diligence done on directors in the commission of M&A work.
In Europe, people are widely familiar with the various national incarnations of the EU’s General Data Protection Regulation (GDPR). In North America, Canada has its Anti-Spam Legislation (CASL), while in the US, a tapestry of state data privacy legislation is emerging, making it all the harder for firms – or anyone else – to stay compliant.
The issue in relation to data retention is that most of this legislation includes requirements that data is retained for no longer than necessary for the purpose for which it was acquired. It means that if firms hold on to PII for too long they risk compliance breaches, which in the case of GDPR can cost up to 4 per cent of a company’s annual global revenues or 20 million euros (c. US$22.3 million), whichever is the bigger amount. 1
Cyberattack
A third problem with carrying excess electronic data is that you’re increasing the attack surface and thereby making cyberattack more likely. We already know that law firms are considered rich pickings for cyber criminals because of the quality of your data. Also, post-pandemic, incidents of cyberattack are increasing. Nor should the impacts be underestimated. They can include anything from a temporary business disruption to major systems failure and shut down. To that you can add the costs of paying a ransom or ransoms to retrieve data, the reputational impacts, and the costs of remediation, such as hiring data security specialists. Not to mention potential regulatory fines.
Doing business
The final problem with excess data is that it impedes the efficiency of the firm. Time is money, and excess time is expended searching when there’s more data held than there needs to be. There’s also a cost when things can’t be found or found quickly enough. Firms can incur the costs of replacing things they can’t locate or, in a worst-case scenario, can be fined for failing to produce documents requested by a court quickly enough.2 There’s also a real danger that poor records and data management has a knock-on impact on client service levels, client confidence and even client retention.
What is the conclusion? That firms will benefit if they commit some effort to rationalising the volume of data they hold. This means creating a retention and destruction policy that everyone signs up to, and locating all the firm’s data, doubtless in a range of media and places. Firms must then produce and enact a retention and disposition schedule that keeps track of what needs to be returned to clients or destroyed, and when. Firms are also well advised to use specialist software to help them manage data retention and disposition, so that they can control data costs and risks much more cost-effectively.
To find out more join us for our ILTA Masterclass ‘Retain, or destroy (data)? That is the question!’, where we will deliberate the growing pressure on firms to manage data retention and disposition efficiently and compliantly. Click here to register.
Copyright © 2023 Legal IT Professionals. All Rights Reserved.
We offer organizers of legal IT seminars, events and conferences a unique marketing and promotion opportunity. Legal IT Professionals has been selected official media partner for many events.
