
Why law firms must conquer their data mountain - Part 1

Chris Giles

A common theme when we talk to law firms about information retention and disposition is that people know it ought to be done, but they lack information and urgency as to exactly why and they don’t know where to start. Here Chris Giles sets out the growing risks firms face when excess data isn’t dealt with and suggests the five steps they can take to tackle the issue once and for all.

Here’s an alarming fact about data. When UK private sector IT leaders were surveyed in April 2023, they concluded that more than two-fifths (41%) of the content they’re storing is being kept for no reason, at a cost of £3.7bn each year. Flushing that kind of cash down the drain is bad. In a climate crisis with soaring energy costs, it’s even worse. 

And alas, there’s no reason to believe that law firms are any better at data retention and disposition than anyone else – and some reason to think you might be worse. A 2021 American Bar Association cybersecurity survey found that only just over half (53%) of respondents even had a policy to manage data retention. This suggests that when it comes to information governance, law firms have a lot of room for improvement.


Meanwhile, firms are increasingly moving into cloud-based data storage for things like Office 365, document management systems and time and billing systems. Plus, storage costs are soaring. In December 2022, a survey of 500 UK tech leaders found that their data storage and management costs had risen 30% in the preceding 12 months.

The first big reason to get rid of information you don’t need is that it’s costing the firm way too much. An associated cost is the negative impact on system efficiency, which can be an unnecessary drag on your productivity. Yet another good reason to get rid of excess data. 


Yet slow systems are the least of your worries in comparison with a cyberattack, which is a very real danger for law firms. As far back as 2018 the National Cyber Security Centre identified the extent to which law firms were a particular target for cybercriminals. Last year the SRA noted that the move to remote working and more dependence on IT only increases your exposure. This risk is further heightened when you hold excess data and present a fatter and juicier target to determined and professional criminals. 

Another risk is that as you accumulate and retain information you may breach your clients’ increasingly prescriptive outside counsel guidelines. OCGs have become noticeably more concerned with data retention and disposition recently because clients have also noticed that law firms can be hacked. Sadly, this was all too clearly illustrated by the news that the 150-year-old Ince Group – once the UK’s largest listed law firm – went into administration in April 2023, a year after it was subject to a major ransomware attack from which it never recovered.

Regulatory compliance

Yet another data danger is that what you’re storing “times out” of compliance. You’ll recall that in 2022 a leading UK criminal law firm was heavily fined by the ICO for breaching the Data Protection Act. Attackers breached an archive server and went on to publish court bundles on the dark web that included medical files, witness statements, and names and addresses of witnesses and victims. 

The firm did have a data retention and disposition policy but had overlooked this particular server. The ICO found the firm was storing court bundles after the seven-year retention period had elapsed. The firm has suffered a grave reputational and financial hit that could have been avoided had its data retention policy been thoroughly and systematically enforced. 

Get a plan 

To avoid following in their footsteps, firms should take hold of data retention and disposition, make plans, and then conscientiously enforce them. Of course, this can seem like a daunting prospect, especially when there are decades of content to deal with, it’s widely dispersed across many physical and electronic systems, and different practice areas need different treatment. But there’s no alternative if the firm is to gain control of grave data risks.

To that end, we believe the answer is to adopt a methodical and pragmatic five-step approach which looks like this: 

  1. Identify and build a committee
  2. Understand what data you have and where it is
  3. Develop a retention and disposition policy
  4. Execute the policy 
  5. Get destruction decisions across the line 

How to execute the five steps will be explained in greater detail in part two of this series and was the subject of our ILTA Masterclass: Rome wasn’t built in a day, which is available to watch on demand.

Chris Giles is CEO at LegalRM, which creates market-leading software, services and solutions for records, risk and compliance management and serves some of the world’s largest law firms as well as blue chip organizations from other industry sectors.

Copyright © 2023 Legal IT Professionals. All Rights Reserved.
