“By 2010, we as a species were creating more data per day than we did from the beginning of time until 2003.”
-Bruce Schneier
The amount of electronic data a modern law firm produces is overwhelming… and working with firm leadership to enforce retention compliance for those files can be just as large of an ‘opportunity’. The data challenge tends to be proportional for most firms - doubly so in Intellectual Property [IP] practices where significant quantities of customer IP data may be archived. The truth is that all this data is like risk; either you manage it, or it manages you.
The fact is that failing to destroy records that you should subjects your firm to significant risk. The obvious risk is that you may not be properly managing sensitive data that could be compromised in a breach. Often this data presents risks which your partners or executives may have already put behind them because that case is ‘over’, so they have checked it off their mental to-do list and moved on to the next issue. Secondly, this data is a simple, tangible, and easily audited item. Passing audits is hard enough without leaving low-hanging fruit sitting on every desktop and in every hard drive. However, one of the most sensible drivers to keep good data retention is also one of the simplest - lack of efficiency. Every extra digital file or piece of paper you have is one more piece of ‘noise’ to sort through when you are looking for something you need. If nothing else, think about it in terms of dollars: those bits of data are taking up hard drive storage or physical space in your office that you are paying for. Therefore, if you do not need the data you are throwing away money while increasing your risk.
The basic problem for data retention is much like eating the proverbial elephant – where do you start? One of the most fundamental and critical controls for the management of your firm’s data (both electronic and physical) is policy. As a directive control, policy sets the organization’s expectations for how this data is handled by establishing appropriate controls and accountability for execution of tasks. A simple Google search will return hundreds of articles and templates for your own data retention policy. However, we find that several critical components are often missing in most data retention policies. Make sure your policy addresses the following areas:
- Explicitly covering all types of digital records
Many firms focus on the digital age problems – hard drives, network shares, and databases. However, electronic data can also have a variety of physical storage media that must also be managed (e.g., Universal Serial Bus (USB) devices, CD/DVDs, etc.) It is not uncommon to find ‘old tech’ storage – from 5 ¼” floppy drives to microfilm – sitting abandoned in old desk drawers but storing potentially sensitive data.
Likewise, we should track and manage data that we allow to ‘live’ outside of the firm. This includes everything from recovery backups, cloud storage, and data sent to co-counsels. At the end of the day, it is YOUR firm’s and YOUR customer’s data, so YOU must manage it.
Finding and managing our data where it is ‘supposed to be’ (databases, network shares, etc.) is relatively easy because it is centralized and expected. However, even firms which do a great job of eliminating old floppy disks tend to miss one of the riskiest (and most common) locations for sensitive data – SPREADSHEETS. Historically there have been numerous data breaches which resulted from one misplaced or unmanaged Excel file. Users tend to save these in convenient places – like on the desktop – and may or may not delete the file when finished. If your firm does not do whole-disk encryption, you need to utilize tools to locate these files and get them under control.
Yes Virginia; paper records are also in-scope for data retention. However, we tend to find that data management at older firms is akin to watching a high-end episode of Hoarders; decades upon decades of full filing cabinets, storage boxes stuffed with manila folders & case briefs often stored in closets, old offices, and basements. We recommend that you have every member of your firm cull paper records office-wide annually for data that should have already been disposed. Given that most data in a law firm is confidential by definition, most firms would also be well served by having locked shred bins available for document destruction instead of open trashcans.
We do not just have to worry about the paper we discard, we must also ensure that policies provide guidance on how to dispose of digital assets. When you decommission a firm-owned computer, cell phone, or tablet you must either destroy the disk drive (shred, drill through, or crush) or erase the data (preferably using a DoD 5220.22-M wipe method using at least seven random patterns of 0s and 1s). While many organizations have cradle-to-grave management for laptops and desktops, most fail to check for non-standard digital storage (e.g., copier HDDs, Multi-Function Device (MFD) printers, smart devices, etc.) Your firm should also wipe portable media devices between use; accidentally allowing attorney B to see something from attorney A’s case is a quick and often overlooked way to destroy ethical walls.
According to SANS, metadata is “Data that defines or describes another piece of data”. Metadata can be found most everywhere: in emails, Word documents, even in photographs. However, we find that firms rarely manage metadata which could reveal sensitive data they may not have intended to divulge. These digital files can contain information about who created a file, when or where it was created, when or if it was modified, and a shocking trove of other potentially sensitive data. Eric Christensen of Kraft Kennedy published a rather good article about the dangers of metadata which can be found on the firm’s website at https://www.kraftkennedy.com/whats-hiding-documents-dangers-metadata/.
Sometimes your data retention policies must also specify that some data should be retained in special cases. For example, if you have a security incident you may have statutory or regulatory requirements to keep that data indefinitely. Of course, any data currently under legal hold will also have its own unique retention requirements. There are some other types of data that you must be careful about deleting. Take for example the Sarah Palin email hack in 2008 when she was a vice-presidential candidate. Her personal Yahoo! account was comprimised by University of Tennessee student David Kernell. Mr. Kernell admitted to deleting his browsing history from his computer out of panic, eventually leading to a conviction including ‘obstruction of justice’ among his other counts.
- Roles and responsibilities
In many policies, organizations will have a phrase like, “once the laptop is returned the company will delete data from the drive…” but who is ‘the company’? In practice, tasks that are not explicitly assigned to a team or title are generally assumed to be the ever-present “someone else’s” responsibility. To fix this, every policy and procedure must clearly define roles and every subsequent “must” or “shall” requirement should be clearly assigned to one of those roles. So, if our earlier example were changed to read “once the laptop is returned Information Technology will delete data from the drive…” there is a clear accountability for the task.
In conclusion, data retention policies can be tricky but is not impossible; as Seth Moulton once said, “good policy is grounded in a robust set of facts and data.” While there are several considerations to be accounted for in a digitally connected workplace, a little forethought can do much to help govern how your firm manages its data and how (or whether) that data should be retained. By carefully evaluating your firm’s needs you can help protect its data and avoid the penalties and problems that could otherwise result from the explosion of data in the 21st century law firm.
#InformationGovernanceorCompliance#Retention