Risk Update

IG and Records Risk — Data Retention Policy Management, Matter Mobility, Client File Transfers, and Information Governance

“Implementing Law Firm Data Retention Policies Is Getting Harder” —

  • “In recent years, firms’ ability to securely store data has turned into a multi-front battle. As many firms now face tighter budgets, coupled with bigger threats of breaches, proliferating data privacy laws and growing regulators’ scrutiny, putting in place thorough data retention policies is becoming vital.”
  • “But while more firms are dedicating the resources needed to draft these policies, the road to actual implementation is still a long way away, with experts noting that many are just beginning to embark on it.”
  • “‘A lot of very complicated things are going on within a law firm, just by the nature of the client base that they have and the nature of litigation being between a day or two to five or six years of potential information,’ said Dave Ruel, head of product at Hanzo. He added, ‘I think it’s just difficult for them to put any kind of retention policy in place and try to adhere to that because it would almost be matter by matter.'”
  • “In fact, the road to implementation can be long and bumpy for many reasons. For many firms, getting the buy-in from an organization’s stakeholders, as well as the budget and resources to undertake the data mapping process, is often intimidating.”
  • “Of course, the burden of setting up thorough retention policies isn’t falling evenly on all the firms or organizations. ‘A smaller to a midsized law firm that retains data in maybe a client communication portal, a secure cloud archive and a complex system is going to have a much easier time creating a data map and data retention policy than, say, a corporation that has order histories, credit card processing, customer service reports, their internal files, their HR files,’ Miller noted.”
  • “And those firms and organizations that span across countries—and their respective, sometimes conflicting, data privacy laws—face additional headaches.”
  • “‘When you’re a multinational, you also have to deal with different retention policies,’ Ruel noted, adding ‘you can’t do a one-size-fits-all retention policy for many companies. It just doesn’t work.'”

“Streamlining your firm’s handling of matter mobility” —

  • “But how do you ensure that offboarding and onboarding are performed as efficiently and compliantly as possible? The answer is that firms should develop policies, systems, processes and procedures for both.”
  • “The first rule of offboarding, which should be enshrined in policy, is that the firm does not take action until it receives proper notification from the client of its intention to move.”
  • “Thereafter, the first process is to make sure the client does not owe the firm money. You must then gather all the client’s records and data, which might be held in a number of places and formats. Senior members of the firm must then review the materials for transfer.”
  • “The key tasks are removing anything commercially sensitive, as well as anything that might embarrass the firm – like derogatory remarks and bad language. You will also need to copy anything that could be needed to defend a potential future action against the firm by the departing client.”
  • “The firm needs rules and processes around who, at what level, makes these decisions and enacts them. And records must be kept of all the decisions and actions taken.”
  • “Thereafter, firms receiving data have an equal need of policies and processes. They should ensure that anything received is held in an interim location before ingestion into the firm’s systems, so that conflict and regulatory checks can happen.”
  • “To optimise the efficiency of all this activity, firms should institute the right governance measures, procedures and controls, and embrace all the available opportunities for automation.”