“The State of Information Governance and the Disconnect Between Policy and Reality” —
- “Law firms are playing a game of catch up as the sheer volume of data, both in hard copy and electronic form, they routinely handle continues to skyrocket exponentially. To further complicate matters, most of this data is sensitive and/or confidential, driving the emergence of firms adopting robust information governance (IG) policies/strategies. Chief legal officers rank key components of a comprehensive IG program, such as cybersecurity, regulatory compliance, and data privacy as the most important issues they face year over year, according to the 2023 ACC CLO Survey.”
- “Implementing an information governance policy in a law firm involves navigating a myriad of complexities, including:
  - Diverse Data Sources: Law firms handle diverse data types, including legal documents, client records, emails, and multimedia files, each with unique governance requirements.
  - Regulatory Compliance: Law firms must comply with an array of regulations such as GDPR, CCPA, HIPAA, and legal industry-specific guidelines, adding layers of complexity to IG implementation.
  - Client Confidentiality: Preserving client confidentiality is paramount for law firms, necessitating robust data protection measures and access controls.
  - Legacy Systems: Law firms often grapple with legacy systems and disparate data repositories, making data discovery and management challenging.
  - Collaboration Requirements: Legal professionals collaborate extensively, requiring seamless data sharing while ensuring data security and compliance.”
- “However, while most firms now recognize the importance of having an IG policy in place, there’s an industry-wide gap between policy and implementation—and that’s exactly what we found in the Mattern 2024 Information Governance (IG) Report with survey results from 50 law firms, ranging in size from 21 to 3,000 attorneys.”
- “The report takes a deep dive into the practices and policies law firms have related to information governance and provides a representative industry-wide benchmark for firm self-assessment, in the context of answering the question: What are our peer firms doing in this area?”
- “The responses show that despite a growing heightened awareness and steady momentum in recent years toward the development and implementation of IG policies across law firms of all sizes, there is still plenty of work to be done to achieve defensible IG programs, and the road to that goal is not without its fair share of challenges.”
- “Enforcement/compliance is clearly the biggest challenge, at firms of all sizes. Overall, only 4% of all respondent firms reported strict compliance with their IG policies (9% of large firms and 0% of small firms), with nearly half the respondent firms reporting ‘substantial non-compliance.’”
- “These staggering compliance marks are evidence that having an IG policy and/or an in-house position dedicated to records/IG, while undoubtedly a step in the right direction, just scratches the surface. Although mandating strict adherence to any/all IG policies/procedures may seem like an easy fix, taking a step back reveals the lack of enforcement/compliance is far more complex than that and is driven by other IG related variables.”
- “Policy exceptions are a threshold concern. Over 30% of firms, both large and small, reported an endemic culture of granting exceptions to their IG policies/processes. Exceptions inherently introduce the proverbial slippery slope, but a closer look reveals it is even more problematic, with inconsistency across why exceptions are being granted, by whom, for how long, and at what frequency those exceptions are being reviewed for merit.”
- “Data organization is a common challenge as well. Twenty-seven percent of firms indicated they have no formal structure in place for network share drive content. A lack of meaningful folder taxonomy perpetuates poor IG practices, insomuch that information cannot be associated with specific clients or matters for the application of appropriate retention schedules and/or ethical walls. Remediating information in network shares is a daunting task exacerbating the issue and associated risks.”
- “Additionally, independent of how well a firm’s data is structured, there is the constant struggle regarding retention. Retention is relevant to a wide array of data repositories.”
- “Further complicating matters, a significant percentage of firms, both large and small (56%), indicated they currently have no strategy in place for limiting data sprawl. Responses regarding what to keep and for how long differed greatly, but a common theme did emerge. The most common retention schedule currently adopted by firms, of any size, regardless of the type of record it is or where it is stored, is unlimited. They have no retention schedule in place.”
“ChatGPT’s hallucinations draw EU privacy complaint” —
- “ChatGPT’s ‘hallucinating’ and making up of information breaches European Union privacy rules, according to a complaint filed by privacy group noyb to the Austrian data protection authority.”
- “Noyb, a Vienna-based non-profit founded by activist Max Schrems, said its complaint was triggered by ChatGPT’s failure to supply Schrems’ correct birthday, making a wild guess instead. The chatbot doesn’t tell users that it doesn’t have the correct data to answer a request.”
- “A person’s date of birth is personal data under the GDPR which sets various requirements for how personal data should be handled.”
- “Noyb claims that the chatbot’s behavior violates the General Data Protection Regulation (GDPR) on privacy, the accuracy of information as well as the right to correct inaccurate information. It also argues that the AI firm refused to correct or delete wrong answers, and won’t disclose any information about the data processed, its sources or recipients.”
- “‘It’s clear that companies are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals,’ said Maartje de Graaf, noyb’s data protection lawyer. ‘If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around,’ she said.”
- “The New York Times previously reported that ‘chatbots invent information at least 3 percent of the time — and as high as 27 percent.’”
- “Noyb is now asking the Austrian authority to investigate OpenAI to check on the accuracy of the personal data it handles to fuel its large language models. They also ask the authority to ensure that the company complies with the complainant’s request to access their own personal data.”
- “Violating the EU’s GDPR can lead to a penalty of up to 4 percent of a company’s global revenue.”