publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/503802
ILTA WHITE PAPER: APRIL 2015 WWW.ILTANET.ORG 29 ARE YOU THE WEAK LINK IN YOUR CLIENT'S IG PROGRAM? it has been destroyed if an opposing party asks for it. This consistently applied destruction under a company policy is okay; case law supports this. But, if a law firm still has a copy of the client's information, the firm's over-retention undermines the client's efforts to diligently manage and protect that data throughout the information life cycle. Poor information governance puts both the client and your firm at risk. WHY IMPLEMENT IG? An IG program should establish the process by which companies retain information, whether to comply with record-keeping statutes or to meet business needs. If the information is shown to be relevant to anticipated litigation or investigation, the company might have to preserve and possibly produce it. Otherwise, it's usually in the best interest of the company to dispose of information systematically in accordance with their written IG policies. IG programs also cover sensitive, protected, confidential information (SPCI) by specifying the storage location and access and security controls. Personally identifiable information, such as a full name and Social Security number, is classified as a high risk, which demands application of more security controls, both electronic and physical. This might be done in the client environment; however, some law firms have failed to embrace and practice such security measures. THE WEAK LINK Client-generated information often accumulates within law firm computer systems and box storage without any plan to determine what happens to that information after the case is over or the client has moved on. That can be problematic if your firm is served a third-party subpoena requiring the production of certain documents (or attendance at a hearing). For example, when I was practicing law, I needed a copy of an agreement signed both by my client and a third party. My client could not locate the agreement, and the third-party company had gone into bankruptcy. I searched bankruptcy court records, which mentioned the agreement, so I contacted the bankruptcy attorney to obtain a copy. At first, the attorney responded by invoking attorney-client privilege and then claimed it was a work product. However, neither was the case. The attorney had not drafted the agreement, and this was a signed final copy, so the document was already in circulation, eliminating it from being privileged communication or protected work product. That's where the law firm becomes the client's weakest link: If the opposing party cannot get information from the company because it was defensibly destroyed under a retention policy, they can get it from the company's law firm — current or former. RISKS TO THE FIRM Not only is information retention an issue for the client, it's an expensive oversight for the firm. The cost of storing and maintaining client information is prohibitive. A recent Gartner study revealed that 20 percent of the IT budget is consumed by storage costs, and every gigabyte of data that can be removed from a law firm's storage saves an average of $18,000. IDC estimated that enterprise data growth will average 50 percent each year through 2016. That makes the prospect of searching data for useful information even more prohibitive. The biggest reason law firms should dispose of unnecessary data is the cost of retrieval. Should your firm be required to supply data to another law firm or a court, the cost associated with recovering the data, including attorney review, is staggering — one gigabyte of data gathered through e-discovery costs $5,000 to $30,000, according to a study by the Minnesota Journal of Law, Science and Technology. Removing unnecessary information makes good business sense. HANDLING CLIENT INFORMATION Just like a business, your law firm should have a process for handling client-generated information for the short-term and at a defined end point. There are two ways to handle client information: • Follow the client's retention schedule • Release information back to the client