The Hidden Risks of Hoarding ROT

To borrow a phrase from Shakespeare, something is rotten in law firms – and that something is ROT: redundant, obsolete, and trivial data.

Law firms today are sitting on heaps of matter and client files, drafts, emails, research, and physical evidence that no longer serve a legal or business purpose but continue to occupy space across DMS platforms, shared drives, email archives, and, in the case of physical records, office rooms and offsite storage. This accumulation doesn’t just inflate storage costs: it expands the firm’s attack surface at a moment when cybercriminals increasingly view law firms as high-value targets. 

The move to cloud storage over the past decade has only made the problem worse. The days when the hard drives in the on-prem file server would run out of free space – forcing users to delete at least some of their files – have given way to a seemingly limitless expanse of cloud storage, which only encourages lawyers and staff to keep everything “just in case.” But that “limitless” storage is an illusion, and firms can end up paying a princely sum every month for terabytes of material that should have been defensibly disposed of years ago. Addressing this challenge demands a cultural shift within firms and a governance framework that treats data lifecycle management as a core component of risk mitigation.

Why lawyers hold on to everything

ROT doesn’t accumulate because lawyers are careless. It accumulates because the incentives in legal practice reward retention rather than deletion.  When a matter closes, lawyers often leave behind a trail of drafts, research, correspondence, and templates. Even when the work is complete, the instinct is to keep everything “just in case”. In a profession built on precedent, the logic is perfectly sound: a document that has served a useful purpose today might still be helpful in a future matter. 

But when every lawyer in a firm follows the same instinct, the cumulative effect becomes enormous. ROT begins to masquerade as institutional knowledge, even though much of it is outdated or duplicative. And when that clutter contains personal data, privileged information, or regulated content, it becomes a compliance minefield – not to mention a cybersecurity risk. These risks are not theoretical. The Panama Papers leak – one of the most consequential data breaches in modern history – was made possible because a law firm held onto sensitive documents far longer than necessary. ROT isn’t just a nuisance – it’s a systemic vulnerability. And the longer outdated content lingers unchecked, the more blind spots it creates, making it harder for firms to understand their actual exposure.

Policy meets practice 

To get ahead of the problem, firms need retention and disposition policies that are clear, defensible, and aligned with regulatory obligations. These policies must define what constitutes a record of enduring value, how long different categories of documents must be retained, and when information becomes redundant or obsolete. They also need to specify how and when it should be disposed of. 

The compliance department must be the key party involved in developing these policies, and it should take its cues from the directives in force where the firm does business. In the United States, efforts will follow state-level directives such as the California Consumer Privacy Act, whereas in regions like EMEA, mandates such as the EU GDPR hold sway. At the same time, policies must also take client requirements and outside counsel guidelines into consideration.

Once the policies are defined, the compliance team should work closely with the information governance team to map them onto the data and systems the firm actually has in place – in other words, ensuring that the policies are clear, well defined, and put into practice rather than left as aspirational guidelines.

Make compliance a two-way conversation

Policies enable firms to wrap their arms around the problem ROT represents. But policies alone rarely change behavior – especially the underlying behavior that leads to ROT in the first place.  Lawyers need to understand why the retention and disposition rules enforced by the firm exist and how they protect the firm and its clients. Without that context, even the most carefully drafted retention schedule becomes background noise. 

This is where the education piece comes into play: explaining the security risks of ROT and how non-compliance with retention policies can create serious liabilities for the firm. There should also be guidance on what kind of “alerts” end users should expect – for example, letting them know that they will receive advance notification six weeks before disposition of content within a matter takes place.

The dialogue with end users shouldn’t stop at that initial education and awareness piece. The compliance and governance teams should engage with users regularly to inform them of changes to policies (driven by new or existing regulations), providing transparency and clarity and avoiding ambiguity.

Cutting through the backlog 

Establishing clearly defined policies and putting them in place for all new content is a solid start, but that doesn’t automatically take care of the existing piles of obsolete content within the firm.  This highlights a practical challenge around tackling ROT: it’s not realistic to ask an associate to sift through years of accumulated files manually. The sheer volume of data and the fear of deleting something important can lead to high stress levels. 

Fortunately, this is where technology is rapidly evolving to meaningfully change the equation. AI capabilities in the DMS are approaching a stage where they can analyze stored content, generate a detailed audit of content the firm actually holds, and classify content by type.  

For instance, they can help identify documents that are older than a defined threshold, classify them accordingly, and distinguish between materials that require long-term retention – such as wills, which may need to be preserved for nearly a century – and those that do not. They can also surface documents containing personal data that should have been deleted long ago under the EU GDPR, FINRA, or other US state-level regulatory directives that impose strict limits on how long data can be retained.

This process of analysis and identification can also cover large files that have been provided as part of a case. These can include high-definition images, medical imaging data, or massive CAD files in a case involving faulty construction. If no longer needed, these files can be disposed of – freeing up a significant amount of valuable storage space for the firm. This level of automated classification is critical for cutting ROT down to size. Without it, firms will feel overwhelmed and risk non-compliance repercussions.
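The following is an added example (not code from the article or from any DMS vendor) that ties together three points made above: a retention schedule that assigns retention periods by document category, the six-week advance notice to users before disposition, and automated triage that flags records past their retention period, records holding personal data, and large files. The categories, retention periods, the two-year cap for personal data, the 500 MB "large file" threshold, and the inventory records are all constructed assumptions for illustration, not any firm's actual policy or data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention schedule (constructed for this example, not any
# firm's real policy): category -> years retained after the matter closes.
# None means "retain indefinitely", e.g. wills, which may need to be kept
# for nearly a century.
RETENTION_YEARS = {
    "will": None,
    "closing_binder": 10,
    "correspondence": 7,
    "research_memo": 3,
    "draft": 1,
}
# Records containing personal data are capped at a shorter period (assumed
# value standing in for whatever the applicable privacy regulation requires).
PERSONAL_DATA_MAX_YEARS = 2
LARGE_FILE_BYTES = 500 * 1024 * 1024   # assumed threshold for "large file" review
NOTICE_PERIOD = timedelta(weeks=6)     # advance notice before disposition


@dataclass
class Record:
    doc_id: str
    category: str
    matter_closed: Optional[date]      # None = matter still open
    size_bytes: int = 0
    has_personal_data: bool = False


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition_due(rec: Record) -> Optional[date]:
    """Date from which the record is eligible for disposition, or None if it
    must be retained (open matter or indefinite-retention category)."""
    if rec.matter_closed is None:
        return None
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return None
    if rec.has_personal_data:
        years = min(years, PERSONAL_DATA_MAX_YEARS)
    return add_years(rec.matter_closed, years)


def triage(rec: Record, today: date) -> dict:
    """Classify one record as retain / retain_until / dispose_pending_notice,
    compute notice and disposition dates, and flag large files and personal data."""
    flags = []
    if rec.size_bytes >= LARGE_FILE_BYTES:
        flags.append("large_file")
    if rec.has_personal_data:
        flags.append("personal_data")
    result = {"doc_id": rec.doc_id, "flags": flags, "notice_date": None, "disposition_date": None}

    due = disposition_due(rec)
    if due is None:
        result["status"] = "retain"
        result["reason"] = "open_matter" if rec.matter_closed is None else "indefinite_retention"
    elif due <= today:
        # Overdue: notify the matter team now, dispose once the notice period lapses.
        result.update(status="dispose_pending_notice", reason="retention_expired",
                      notice_date=today, disposition_date=today + NOTICE_PERIOD)
    else:
        # Not yet due: disposition at the due date, notice six weeks before it.
        result.update(status="retain_until", reason="within_retention",
                      notice_date=due - NOTICE_PERIOD, disposition_date=due)
    return result


def summarize(records, today: date) -> dict:
    """Roll up triage: count per status and bytes reclaimable once overdue
    records are disposed of."""
    results = [triage(r, today) for r in records]
    counts = {}
    for res in results:
        counts[res["status"]] = counts.get(res["status"], 0) + 1
    reclaimable = sum(r.size_bytes for r, res in zip(records, results)
                      if res["status"] == "dispose_pending_notice")
    return {"counts": counts, "reclaimable_bytes": reclaimable, "results": results}


# Constructed inventory standing in for a DMS export; matter numbers and
# sizes are made up for illustration.
TODAY = date(2025, 6, 1)
INVENTORY = [
    Record("M1001/001", "will", date(2010, 3, 15)),
    Record("M1001/002", "draft", date(2010, 3, 15), size_bytes=120_000),
    Record("M2044/017", "correspondence", date(2016, 9, 30), has_personal_data=True),
    Record("M2044/018", "closing_binder", date(2016, 9, 30), size_bytes=900 * 1024 * 1024),
    Record("M3120/004", "research_memo", date(2024, 1, 10)),
    Record("M4001/001", "draft", None, size_bytes=2 * 1024 ** 3),
]

if __name__ == "__main__":
    report = summarize(INVENTORY, TODAY)
    for res in report["results"]:
        print(f"{res['doc_id']:<10} {res['status']:<24} notice={res['notice_date']} "
              f"dispose={res['disposition_date']} flags={res['flags']}")
    print("counts:", report["counts"], "reclaimable bytes:", report["reclaimable_bytes"])
```

Two design points worth noting: disposition is never automatic for an open matter or an indefinite-retention category regardless of age, and an overdue record is not deleted on discovery but scheduled six weeks out so the matter team receives the advance notice the policy promises. Personal data takes the shorter of its own cap and the category period, which is how a privacy-driven limit overrides a longer business-retention period.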

Keep ROT from becoming a structural risk

ROT will always accumulate in a law firm. The nature of legal work – matter-based, compliance-driven, and documentation-heavy – makes it inevitable. But it doesn’t have to become a structural risk. Firms that treat data lifecycle management as a strategic priority can reduce exposure, control costs, and strengthen their cybersecurity posture.

Clear retention rules, consistent communication, and intelligent automation form the backbone of that effort. The goal isn’t to eliminate ROT – it’s to keep it from becoming the next avoidable breach, regulatory failure, or reputational crisis. Done well, it’s the difference between a firm weighed down by its data and one that is faster, lighter, and positioned to operate with far less risk.