10 REASONS WHY CIOs NEED TO ENGAGE WITH DATA MINIMIZATION

By Denise Prior posted 02-23-2023 05:30

  

In a world where data volumes are increasing exponentially, it’s surprising that nearly half of US law firms don’t even have a policy to manage data retention and disposition. The problem may be that firms haven’t grasped the dangers of excess data, and therefore why they should take data minimization seriously. To help bring firms some clarity, these are the top ten reasons why CIOs need to destroy much more of the data they hold.

1. Excess data makes your firm a bigger target for cybercriminals. In particular, ransomware attacks have been identified as an “increasing threat to attorneys and law firms of all sizes.”[1] Given that in 2021 cybercriminals earned more than Japan, it’s clearly time to take the threat of cyberattack very seriously.[2]

2. Data minimization is part of ISO/IEC 27001 certification. As the international information security management standard becomes more popular, firms wanting to achieve certification must show third-party auditors they’re meeting data retention requirements.

3. Outside Counsel Guidelines are increasingly likely to put limits on how long client data is held. Rising cybercrime is targeting client data held by law firms, so OCGs are increasingly likely to cover how and for how long client data is kept by the firm. To maintain OCG compliance, client data must be destroyed or returned as mandated.

4. The move to a cloud-based DMS will be much simpler with data minimization in place. Firms contemplating the move to a cloud-based DMS should reduce the quantity of data to reduce the duration, fees and ongoing costs of the transition.

5. New and existing privacy regulations place strict limits on how long PII data can be held. For compliance with GDPR when handling EU citizens’ data, and compliance with UK, Californian, Brazilian, and upcoming Canadian data privacy legislation, firms must continually purge Personally Identifiable Information (PII) or risk a compliance breach and being sued by a data subject.

6. Demonstrably strong data governance is a pitch-winning card to play. Firms that can demonstrate they’re keeping information governance and data retention and disposition under close control are more likely to win the confidence of prospective clients.

7. Firms and lawyers are required to take care of client information as part of their professional obligations. Lawyers and firms must adhere to rules of professional conduct such as those of their State Bar and of the SRA in the UK, in relation to how client assets, including data, are handled.

8. The cost of electronic data storage is skyrocketing. The costs of electronic data storage are doubling every four years.[3] So it makes business sense to reduce the volume of extraneous data. Plus, IT budgets aren’t keeping up, so other important areas of IT provision are under strain.

9. Excess data impacts the efficiency of law firm systems. Time is money, so can you afford to be running sluggish systems that are clogged with excess data? Plus, waiting for a lagging computer can cause lawyers unnecessary stress, eroding their well-being and job satisfaction.

10. Data minimization can give your firm a competitive advantage. Even with all the compelling reasons why data minimization is a good idea, still only 53% of respondents to the ABA’s 2021 cybersecurity survey[4] said their firm had a data retention policy, while a recent LegalRM poll suggests only 26% of firms with policies are implementing them. The majority of firms are exposing themselves to unnecessary costs and risks by not minimizing data. The firms that do better on data minimization will be more resilient, more attractive to clients and more efficiently run.

In summary, the most compelling reason why firms should opt for a data minimization strategy is that the costs of not doing so can be very high. They can include lost productivity and excess storage costs. They can take the form of a loss of reputation after a cyberattack, a significant regulatory fine, or the cost of losing a client because OCGs weren’t honored. Firms have it in their power to avoid these risks, exposure and penalties. In the second blog in this series, we’ll cover how firms should go about putting a data minimization strategy in place.

To find out more about how to instigate a data and data policy review, join us for our upcoming webinar. We will discuss the advantages of a data minimization strategy, and in particular focus on why this strategy is of particular importance to a CIO, or the IT budget holder within a firm. To register, click here.


[1] https://www.americanbar.org/groups/law_practice/publications/techreport/2021/cybersecurity/

[2] In 2021, cybercrime is estimated to have generated USD$6 trillion; Japan earned USD$4.9 trillion. See: https://news.cybersixgill.com/chinese-russian-cyber-threats/

[3] https://www.lightedge.com/blog/the-data-explosion-and-hidden-data-storage-costs-in-the-cloud-could-object-storage-be-the-answer/

[4] https://www.americanbar.org/groups/law_practice/publications/techreport/2021/cybersecurity/
