Law firms, by nature, create and curate a significant volume of unstructured data containing highly sensitive information pertaining to clients, matters, and employees. It isn’t a surprise to learn that the targeting of law firms by bad actors has seen a significant uptick. In the past decade, 80 of the 100 biggest law firms (by revenue) have been hacked, according to cybersecurity firm Mandiant.
With the complex federal and state laws regulating the collection, use, processing, and disclosure of sensitive data such as personal information identifiers (PII), payment card information (PCI), and personal health information (PHI), law firms are struggling to properly identify, classify and remediate sensitive data in adherence to their data protection policies and commitments to client data processing and storage standards.
If firms fall short of these standards, they are no longer compliant with the rules of professional responsibility and can be open to fines, sanctions, and lawsuits.
Data Organization vs Optimization
Firm information and records management teams have been tasked with the organization, management, and retention of client matters within the firm. This is a significant undertaking, particularly as new client matters are created daily both through organic growth and through the onboarding of new firm lawyers and the matters they bring with them.
Some firms have repositories which are very well organized by client matter ID (or similar), containing all relevant matter data, whilst others are improperly organized with data stored in incorrect repositories and may even contain matters that have reached the end of life according to firm retention and disposition policies. Even within the most well-organized firm, there is often an abundance of ROT (redundant, obsolete, trivial) data as well as firm work product which should be stored within the firm’s DMS (document management system) and associated with the correct client matter. Both scenarios can lead to inefficiencies and missed billable opportunities, yet firms don’t have the time or resources to manually reconcile and remediate data.
Like many organizations, firms often have well-defined retention policies, i.e. ten (10) years from matter close date, yet difficulty in accurately identifying data associated with a closed matter and executing the appropriate remediation, including deletion or delivery of client matter data back to the client, can lead to continued storage, backup and management of data that is no longer relevant to the firm and can pose a risk if accessed inappropriately or as part of a data breach.
Law firms, leveraging Enterprise Insights’ metadata scan, gain immediate visibility across various data sources containing client matters as well as operational data. The interactive dashboards take the firm’s data from organization to optimization through evidence-based decision making and the ability to take action on aged, ROT, and risk data.
When ready, the firm can also use the Enterprise Insights results to define and support their strategy for the ingest and content level analysis within Comply360. Comply360 can identify firm data that is not currently assigned to specific users, clients, or client matters. Through the ingest, analysis and classification process, Comply360 is also able to identify client matter data that may have been saved to various data sources. We’ve found through past engagements that there are often exact copies of files saved within multiple repositories; the deduplication-by-location capabilities within Comply360 will provide storage optimization and cost savings as well as efficiency when searching for files.
Comply360 can scan the firm’s DMS, compare the results with the identified client matter, identify data that is missing from the DMS, and execute a process to move those files from the network or cloud storage location(s) to the DMS. This provides the firm with confidence that the DMS has all relevant client matter files. The accuracy and precision of data identification and classification also enables the segmentation of client matter data into actionable classes by location, matter ID, and/or project code, increasing efficiency, optimization, and reconciliation with the firm’s DMS and/or other data management tools.
In addition to the identification of client matters, the Comply360 risk models identify other sensitive data (PII, PCI, PHI, Financial), properly classifying it for the process engine to then take action (tag, secure, move/migrate, delete). The platform’s ability to apply policy in bulk through automation and/or manual examination via the CDMHub ensures continuous governance and compliance and provides the firm with defensible data management practices while mitigating risk.
Through the deployment of the Classify360 platform, law firms can trust that the sensitive information pertaining to their clients, matters, and their employees is properly identified, classified, and managed in accordance with their policies for data governance and compliance. Get started today to better understand, handle, and protect your valuable unstructured data.