P2P

summer23

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1502513

Page 50 of 81

efficient to impose their own internal "gold standard" on how data is handled, retained and secured by their organization than to juggle requirements jurisdiction by jurisdiction. Naturally, their gold standard meets (or may even exceed) the highest regulatory requirement, usually considered to be GDPR. Naturally too, these clients will mandate that their suppliers, including their lawyers, adopt and adhere to their gold standard, which will typically cover why data is being collected, what is being done with it, how long it can be held before destruction, and how it is destroyed.

And if further proof were needed that US firms can no longer afford to be cavalier about data, know that in a precedent-setting case, on 27 March 2023 New York's Attorney General secured a fine of USD $200k from a large New York/New England firm for a 2021 data breach that compromised the private medical records of nearly 115,000 patients, including dates of birth, social security numbers, health insurance information and medical histories. The firm's Microsoft Exchange email server was hacked. Microsoft had issued patches, but the firm did not apply them soon enough. Consequently, tens of thousands of files were stolen from the firm's systems. The breach violated state law and, because of the firm's relationship with healthcare clients, it breached HIPAA too.[5]

Nor was the firm only fined. It also had to undertake to adopt six additional information security measures mandated by the New York Attorney General. The sixth of these requires the firm to update "its data collection and retention practices, including only collecting data to the minimum extent necessary to perform legitimate business functions and permanently deleting all such data when there is no longer a reasonable business or legal purpose to retain such information."[6] The firm has also had to go through the excruciating process of notifying the 114,979 affected individuals.
Five-step plan

To confront and mitigate the risks of excess information retention and haphazard disposition, it is time for firms to act coherently and systematically. This will decrease the likelihood of falling foul of regulators, hackers and clients (in relation to OCG breaches), increase the efficiency of systems, and save money on storage costs. It may seem overwhelming, especially if you have decades' worth of different types of data, in diverse physical and electronic systems, in different practice areas, in need of different treatments and residing in different jurisdictions. But the journey of a thousand miles starts with one step. Accordingly, we recommend that firms embark on a logical, efficient and pragmatic five-step approach. These steps are:

1. Identify and build a committee
2. Understand what data you have and where it is
3. Develop a retention and disposition policy
4. Execute the policy
5. Get destruction decisions across the line

Each one is explained in greater detail below.

Lasting change

To achieve systematic and consistently successful data minimization, the bottom line is that you need buy-in and cooperation from across the firm. This requires cross-departmental engagement from key stakeholders, hence the need to convene a representative data steering committee. To get the appropriate coverage, this should include heads of departments or practice groups, the CIO, CISO, General Counsel, DPO and, of course, the Director of Information Governance. The committee is the reference point for all subsequent activity. Moreover, when committee members understand the issues and are on-
