The Purge!

By Rebecca Sattin posted 12-21-2023 11:03


Please enjoy this blog authored by Rebecca Sattin, Senior Director, Partner Success, NetDocuments. 

Setting Up for Success in 2024: Strategies for Managing Data for Departing Users
In this blog post, the author will discuss ideas on how firms may consider implementing strategies that purge departed user data and secure management approval to do so.

Having a sound information governance policy is a necessity for any business, and particularly law firms as they are responsible for keeping client data safe and secure. Data retention policies help manage this risk and the cost of storing data indefinitely. What should firms do and how should they handle data once a user departs an organization? 
Firms with mature information governance policies may already have outlined how these occurrences should be handled; however, many firms lack such policies and procedures, which may open a firm up to risk.
While each firm is unique and has its own nuances that should be considered, here are some ideas to help your firm start thinking about its internal approach, policies, and strategy as it relates to removing departed user data. 

Understanding Where User Data is Located
The first consideration is ensuring that client data is captured and organized, so retention policies can be applied. Therefore, the first thing to consider reviewing before crafting a data offboarding process is the location of the data within the firm. To do this, firms should always maintain a thorough and accurate data map.
Let’s start by identifying where user-related data is stored. 
Firms that have a document management system (DMS) are at an advantage, and likely already have data organized to varying degrees. They may have cabinets in place that are designated for work product and client communications, or cabinets for administrative and personal workspaces. This allows client data to remain in place and be subject to retention policies associated with the close of that client’s matters. Personal workspace data can be easily examined to ensure it is not client related. 
Email systems or email management can be a bit more challenging when a user is departing. In the absence of a DMS, firms can consider policies that ensure users separate email messages into folders organized by matter, so client data can be easily identified and retained. Firms may consider including guidelines on naming conventions, to ensure consistency across the firm and reduce confusion once an employee has departed. Should the firm have a DMS, include policies specifying that all client communication be stored therein. 
Increasing in popularity is Microsoft Teams. Because Microsoft Teams (and their underlying SharePoint sites) can contain important conversations, having a clear policy is key to handling a departing user’s data and an important part of a firm’s information governance strategy. As with any technology, without proper oversight it can quickly become the Wild West, so having a matter-centric strategy for Teams creation can be helpful. Depending on a firm’s DMS, documents may remain in the DMS but be visible within Teams or be checked out to a Teams channel. If a departing user created Teams or was the manager of some Teams, ownership or management changes may be necessary to ensure that someone else takes over that role.
If your firm has a litigation practice, eDiscovery data will be present. Having a well-defined strategy is helpful, especially as it typically involves client-owned data versus work product. The volume of data may be quite large and have additional security requirements. Ideally, a purpose-built eDiscovery platform is the place for such data, but at times a copy of it will still be stored on a firm’s system. Having a centralized location defined and set up using a least-privilege model, such that only those who require access to the data for each client actually have access, is a best practice even if it is just a file share. Should such data also be stored in the DMS, it should be set up with a least-privilege model and marked read-only.
Firms with users who are accessing OneDrive and network file shares likely have data that is only accessible by the individual who is departing. A policy should outline the organization and classification of data in these locations as well as what information is appropriate to be stored there.
When it comes to devices like PCs, laptops, and mobile devices, policies may specify that any data of import be stored either in the DMS or in another shared location. This way, devices can be re-imaged and repurposed once an employee departs without having to review their contents. Mobile devices, especially when owned by users rather than the firm, can quickly become tricky, and for that reason firms may utilize mobile device management tools like Microsoft’s Intune, which enable firms to segregate and wipe solely the firm’s content from the device, leaving personal content intact. Firms should consider their mobile device policy around the storage of client data and which communications are appropriate to be held on mobile devices.

Creating Policies (and Enforcing Them!)
As your firm starts to draft its information governance policies, ensuring support from leadership is key. Involve different practice areas and roles in the discussion to ensure all needs are being met. There are risks involved when firms fail to adopt strong policies, including the costs of data storage, the risk of a breach of unnecessarily retained data and the required breach notifications that accompany such situations, and even the large amount of non-billable time that would be required to identify client data before beginning the offboarding process.
Strong policies will benefit the firm by mitigating risk in situations that don’t involve departing users. I have heard of law firms that did not organize their email messages in any way, and instead users had Inboxes with over 500,000 items in them. In one instance, one of these lawyers was served with a third-party subpoena, requiring the individual to produce some of his email data. The firm’s partners were aghast when they realized how much non-billable time would be involved in complying with the request. Strong policies and oversight keep these types of situations from occurring.
Once leadership is on board, strong and consistent communication throughout the firm is key to ensure compliance. The ABA Model Rules discuss an attorney’s duty to supervise, which involves ensuring that those communications explain why these policies are important, so that every person at the firm understands the need to follow them. Who will deliver messages about updates to the policies, how the policies will be enforced, and the consequences for not following them are all important points to consider including in your rollout.
Change is rarely a one-time conversation. Having check-ins throughout the year as part of your planned strategy will help ensure policy changes are successful.

Creating Procedures Based on Policies
Policies should communicate whose responsibility it is to determine retention of user data and include procedures triggered by notice of a departing employee. As an example, upon receiving notice of a user’s departure, a memo could be sent to that user’s superior. If the departing user was a partner, the memo could be sent to the head of the practice group or managing partner. That memo could outline what is to happen to that user’s data, in what time frame, and describe what pre-destruction review procedures should be completed.
Procedures should also include the time frame available for review of user data. A good rule of thumb is to allow 90 days for the review of user mailboxes and personal workspaces before deleting them. The person to whom the memo is sent would have the responsibility for alerting IT should an extension be required. Initially, the email mailbox could be set up with an out-of-office message alerting senders that the person is no longer with the firm but that the mailbox is being monitored. With this approach, someone should be assigned to review and handle any inbound messages.
If litigation holds are present for certain documents, matters or authors, this needs to be taken into account as well. Some document management systems have built-in capabilities to implement litigation holds. For those that do not have this capability natively, there are third-party products that can be purchased for this purpose. Since the 2010 version, Microsoft Exchange has had a litigation hold feature built into it for handling emails, but steps should be taken to ensure no data is deleted.

Success from the Start: Onboarding New Users

Policies should be shared at the start of onboarding so appropriate expectations can be upheld from day one. It is also wise to document all equipment and access provided to the new hire, while providing training about how to properly store data. Ensure all new users sign off on policies indicating they will adhere to them. 
Oversight and continual support ensure partners are adhering to the firm’s policies. Using a least-privilege model, users should only be provided with access to what they need, understanding that many firms still have a fairly open DMS security model.

In Conclusion

Years ago, all client-related information would be stored in a paper file. With the advent of paperless electronic data, the DMS is the de facto client file. As such, firms should stress the importance of maintaining the client file just as they did in the days of paper files. The file, after all, belongs to the client and it is the responsibility of the firm to maintain it and ensure that it is a complete and accurate record of the firm’s representation of the client.
By being proactive with creating and enforcing policies throughout the firm you can reduce risk, set expectations for all employees, and have a clear path forward if a user is to leave your firm. This helps streamline workflows, keep costs to a minimum, and keep operations moving with minimal interruption or risk.