The uninitiated may be tempted to view data minimisation as a bit of a housekeeping exercise, and not something that should concern the most senior individuals in the firm. However, Chris Giles respectfully disagrees. In this, the first of two articles on data minimisation, he explains why it deserves C-suite attention and a firmwide policy implementation.
Data is everywhere, it’s ubiquitous, and frankly it’s getting out of hand. Around 2.5 quintillion bytes of data are now being generated every day.
In common with all other businesses, law firms must get to grips with data minimisation to contain fast-rising data storage costs. But in addition, mistakes with data have the potential to bring a law firm to its knees, which is why it deserves to be treated as a strategic priority.
Reputation precedes you
From a risk-based perspective, the biggest exposure is in relation to cyberattack. This is a particular threat for law firms because cybercriminals now include you on a shortlist of prime targets. The ABA’s cybersecurity report in 2021 observed that ransomware, in particular, is: “an increasing threat to lawyers and law firms of all sizes”. Microsoft revealed that state-sponsored Chinese hackers have been targeting “US-based universities, defense contractors, law firms and infectious disease researchers”. A lack of systematic data minimisation increases your attractiveness to such criminals because you present a larger, juicier target.
Moreover, cyberattack can be your biggest nightmare. It incurs lost productivity and may entail ransom demands. You’ll likely need to pay cybercrime expert fees, and potentially regulatory and professional fines. But that’s not all.
A New York based entertainment law firm suffered an attack in 2020 when hackers demanded a ransom payment of USD$42 million to prevent the release of confidential information about the firm’s world-famous clients. News outlets subsequently reported that the firm eventually paid out USD$365k. And there’s the rub. The firm wasn’t able to keep its name out of the media and preserve its reputation. High-profile personalities likely won’t be beating a path to their door for some time.
Regulation is proliferating
Law firms with excess data also run an increased risk of regulatory breach. This is heightened by the recent proliferation in data privacy regulation. Taking a cue from the EU’s General Data Protection Regulation (GDPR), which came into force in 2018, data privacy regulation has subsequently been introduced in Brazil and California, and other US states are following suit. The new Canadian Privacy Bill C-27 is due to be enacted this year.
A common denominator of privacy regulation is the requirement that personally identifiable information (PII) is only held for a limited period, meaning to maintain compliance firms need to continually purge their PII data. It’s not widely grasped that GDPR applies to the data of EU citizens held by organisations in any jurisdiction: you don’t have to be an EU-based firm to fall foul of it. And the penalty for breaching GDPR is stiff: firms can be fined up to 4% of global annual revenue or €20m (c.USD$21.5m), whichever is higher.
In 2020, the archive servers of a leading UK criminal law firm were hacked with stolen data including medical files, witness statements and victim and witness names and addresses.
The firm was subsequently fined 3.25% of its annual revenue for breaching GDPR. The regulator made specific mention of poor records keeping and noted that the breach included failing to comply with Article 5(1)(e), which states: “Personal Data shall be[...] kept […] for no longer than is necessary for the purposes for which the personal data are processed”. Better control of data minimisation would have saved this firm a lot of pain.
Client confidence must be maintained
This incident must also have shattered clients’ confidence in the firm’s ability to safeguard their data. Clearly firms need to earn that trust in the first place. Thereafter they must also maintain the ability to comply with client Outside Counsel Guidelines (“OCG”). Given the prevalence of cyberattack, these increasingly mandate how and for how long client data is held. Firms also need to maintain compliance with professional standards in relation to how client data is handled.
It all calls for firms to have firm-wide information governance policies, systems, controls and processes. These are the foundations of a successful, systematic data minimisation and risk mitigation strategy that has the power to make the firm more resilient, to improve efficiency and to yield stronger cost control and competitiveness. But such a strategy will only be instituted and executed with the requisite scope and rigor if individuals at the most senior levels of the firm, including the CIO, CISO, COO, and General Counsel, get involved.
For more on how to instigate a data policy review join our upcoming webinar. We’ll discuss the advantages of a data minimisation strategy, and in particular focus on why this strategy is of particular importance to a CIO, or the IT budget holder within a firm. To register, click here.
Copyright © 2023 Legal IT Professionals. All Rights Reserved.