Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1480787
69 I L T A N E T . O R G H ow well is your firm coping with the growing pressures to manage data retention and disposition cost effectively and compliantly? In this article, Chris Giles and Kandace Donovan explore the issues in more depth, point out the dangers, and suggest what best practice in data lifecycle management can look like. Something that comes up a lot when we talk to law firms is that they don't have problems any more with data retention and disposition. COVID gave them the chance to digitally transform processes and scan their existing paper records. Scanning has vastly reduced the volume of physical records storage. Therefore, the firm's storage costs are now much more manageable. The problem has gone away. Or has it? We believe it's a mistake to assume that all the firm's issues around data retention and disposition can be resolved by scanning. It's certainly the case that in the last few years the costs of physical storage have become uncomfortably high. Some big London law firms, for instance, are reportedly spending around £1m on storage annually. But the bad news for firms that have scanned their documents is that the costs of electronic storage are also creeping up. In particular, as firms look to transition from on- premise servers to cloud-based document management systems, they're finding that electronic data storage costs can also be prohibitively high. In particular it can cost firms a lot of money just to move from a maintenance model to a cloud-based subscription. This should increasingly propel firms to try to reduce their cost base by reducing the amount of data held. As well, this inconvenient truth about storage costs crashes hard up against the fact that – traditionally, at least – lawyers are believed to be very much in favor of keeping everything forever. Ironically this stems from their supposedly risk-averse natures. The irony lies in the fact that, as we'll see, increasingly there's actually as much risk, if not more, attached to keeping data as there is to getting rid of it. So, this article is about why firms need to adopt a more organized, balanced and long-term approach to data retention and disposition, why that's so hard, and how to get it done. The drivers of destruction We've already covered cost as a major reason why law firms ought to be rationalizing the amount of data they keep. Firms of every size, in every country and location, are facing mounting storage bills. But there are also other costs that can result from a lack of systematic data retention and disposition. For one thing, when your excess storage is electronic, there's a heightened risk that the firm will be the victim of a cyberattack – simply because the attack surface is larger. And be in no doubt that the costs of a data breach can be considerable when they include lost productivity, ransomware payments (often more than one per breach), regulatory fines and the costs of hiring specialist data security experts so it doesn't happen again. Not to mention the reputational damage. You might also argue that a data breach is more about data security than data management. But tell that to Tuckers Solicitors LLP, a UK criminal law firm with around 150 lawyers that was the subject of a ransomware attack in 2020. The attack led to the content of 60 court bundles – including medical files, witness and victim statements, and names and addresses – being published on the dark web. 1 The UK regulator (the Information Commissioners Office) decided that Tuckers was liable for a fine because it had been negligent in implementing the appropriate technical and organizational measures, rendering