It is an understatement to say that a lot of information exchanges hands in the legal process. Electronic evidence just piles up during the e-discovery process for lawsuits and regulatory investigations. Lawyers preserve and gather facts and information from clients. Opposing counsel and government regulators also demand that the parties share information with them throughout the e-discovery process. Imagine the volume of information that is gathered, duplicated and shared during legal proceedings for a large corporation over say a 5 year period. It is astronomical. Many law firms and corporations house 10s of terabytes (a unit of information equal to one million million) of information in their e-discovery infrastructure. After cases end, much of this sensitive data sits around in various storage buckets, creating risks for unauthorized access and non-compliance with policies and privacy regulations.

|

Hoarding Not Good in Cyber-threat Environment

So what happens to all of this legal information once a case is closed? And where is it all stored? How secure is it, and who has access to it? This is where the lawyer genetic disposition to hoard and keep all the information in legal matters comes into play. Many lawyers want to keep everything because they fear they will be asked for it at a later time by a judge, regulator or client. Yet, courts regularly uphold destruction of information done consistently under a reasonable records retention program. Records retention programs establish how organizations manage the lifecycle of their information assets, including destroying information that has been retained for the period of time required to meet legal and business mandates. At law firms, partners have fallen into the habit of keeping client data for years so clients have to come to them if the information is needed in a new matter, which the firm would like to handle. Yet, surely a trusted advisor relationship is a better form of business development.

The hoarding impulse is understandable given the risk management charter that dominates lawyer thinking. But there are new information breach risks to balance in the cyber-threat and privacy laden regulatory environment lawyers operate in today. Legal information is sensitive by definition – it's the last information you want made public. Litigation information frequently includes personal information like phone numbers, credit card numbers or health information that is all subject to regulatory protection. Sony, JPMorgan Chase, and Target — the list of big business hit by hackers goes on and on. Client data can also be at risk in the coffers of ill-prepared law firms storing their data with inadequate security. These days' cyber criminals demand ransom money to unlock data they have taken captive. Bad actors hack information to gain an advantage in business dealings. And government regulators impose financial penalties for not taking proper care of personal under the bewildering the myriad of global data protection laws. Given the risks hackers and privacy regulations pose for businesses, it's time to get serious about applying basic information governance to legacy information stockpiles.