Over the last few years, many law firms have been on the defensive, and we’re not talking about the courtroom. Legal departments and law firms process many types of sensitive information, including patent disputes, employment contracts, medical records, bank information and even government secrets, making them an enticing target for hackers looking to steal and monetize information. Between 2016 and 2017, every firm assessed by LogicForce was targeted by hackers and 40% of those breached weren’t even aware it happened.
The legal community is charged with the difficult task of protecting its client or business information, and loss or breach of data often leads to reputation damage and can greatly impact an organization’s bottom line. In the American Bar Association’s 2017 TechReport, 38% of respondents said they lost billable hours, and 34% paid consulting fees for repair after a breach. Additionally, 15% had files that were lost or destroyed, and 23% had to replace hardware/software.
These statistics make it increasingly clear that law firms and legal departments within an organization must evaluate and improve their current information governance (IG) policies, practices and enforcement efforts to avoid the consequences of a breach. This includes developing a policy on how to manage the retention of information within their firm, as well as policies on email and internet use, remote access, social media and personal technology use.
An information governance policy will not look the same for every organization and should be appropriately scaled to fit the size and needs of the firm it is created for. Even small and solo law firms should spend time developing a security program that addresses not just the information they hold, but also the people handling that information and the technology used. The program’s procedures must also be followed in practice to ensure information is stored securely.
Unfortunately, while many organizations recognize the need to establish these standards, many are falling short when implementing them. LogicForce’s recent report showed that 95% of firms were not compliant with their data governance and cybersecurity policies. What’s worse—100% of those firms were not compliant with the policy standards of their clients. Often, lack of communication, insufficient training and outdated practices and policies are the culprits.
How can legal professionals safeguard their clients’ information while keeping up with increasing regulations, more information and greater risk? Below are some tips to ensure your firm is up to the challenge.
1. Team up.
Information governance is not a job for just one person. It requires buy-in from members across the organization. Establishing a team of representatives from each department ensures your IG policy covers all the types of information your organization creates, as well as the tools and systems that are used.
2. Understand the risks of the information your organization holds.
What are the potential consequences should the information your organization holds be lost or exposed? Assess the risks for all information types and make sure leadership and team members are aware of risks associated with breaches caused by internal and external sources or by general negligence.
3. Develop an IG policy tailored to your organization.
When creating your IG policy, start by focusing on the most sensitive information. This may include HR records, client files or top-secret business documents. Make sure to address areas where governance may currently be weaker, such as email, social media, shared drives or bring-your-own-device (BYOD) hardware like phones and tablets.
4. Define and automate retention periods.
A retention schedule sets guidelines for how long information should be kept to ensure compliance and determines when a document can be discarded. Retention will vary depending on information type. There should be procedures in place for regular destruction and for what to do in case of an audit or legal hold.
With a digital document management system, legal professionals can automate retention schedules to save valuable time and money. A digital solution should automatically classify information as it is created, and send notifications when information is incomplete or ready for destruction.