Increased news coverage and public awareness of data collection and data breaches has led to increased discussions within the legal profession about data management and data retention practices; however, the attorney’s responsibilities regarding proper data handling are nothing new.
Data is the organization's currency and protection of that data is one of the most basic organizational's duties. To fulfill this basic – yet broad – duty, the importance of information governance becomes self-evident:
In the past, handling data has been lax. Locking the filing cabinets and doors - perhaps adding a "Privileged and Confidential" stamp on some files - was "high security." To the extent written guidelines discussed document handling or security, these were put in a drawer, under the mistaken belief that someone else was in charge or that "of course, everything is safe here." True, those were simpler times, when a client's documents may be put in boxes, locked in a file cabinet. Even with the initial advent of computers and email, things didn't initially change that much
Such attitudes belong to a by-gone era and continuing to treat information governance as anything less than a critical business function is living in a fantasy land that will imperil your client's interests and could expose your firm to malpractice claims and civil suits. In this modern age, the competent attorneys and organizations need to follow at a bare minimum the following set of rules - on both their client's data as well as that they consider their own.
Due to the special nature of the attorney-client relationship, attorneys are faced with a variety of obligations arising from various sources. The Rules of Professional Conduct, laws regarding fiduciary duties, judicial orders (e.g., protective orders), contractual agreements, and internal firm policies and procedures, all impose obligations on a organization's management of data.
Data mapping requires an in-depth analysis of the sources and types of information an organization handles, the various places that information resides, the life-cycle of the information, and the ways data is sent out of the firm or inside the firm promulgating, and hiding, in various silos. The process of data mapping:
*Duplicative data can be replicated to multiple places and can be sent outside of a firm with little effort.
*In theory data mapping is a simple task, but with data capable of being stored in multiple locations and the ability of users to attach any file to an email outside the firm, the map can get messy due to a lack of appropriate governance practices.
*Additionally, with modern technology, data can be maintained in unexpected and hard-to identify locations. For instance, most organizations now use Voice-over-Internet-Protocol for their phone networks, which means voicemails are recorded not to a reusable tape but to an electronic server - sometimes being auto forwarded to the users’ emails; without identifying that server and determining any back-up procedures or retention policies in place, it may be impossible to say how long voicemails could remain retrievable.
*Data becomes outdated, but outdated data doesn't disappear
*Versioning drafts of documents or data sets are hugely important (recovering from mistake in a later version or to reutilize a stricken clause in a different document)
*Multiple versions in an unstructured environment (outside a DMS), can lead to wasted time integrating changes from multiple reviewers, using the wrong version, or lost work.
*Depending on IT competency/security, the various tools individual firm employees are using might not be known to the people creating the data map.
As law libraries across the country epitomize, having all the information amassed in one place doesn't do a lot of good without an efficient means of finding the few pieces of data when you need them. For most organizations, this means implementing a Document Management System and corresponding policies to centralize, categorize, and index (i.e., make searchable) all the documents in a firm.
It is important to note that while the best method of applying each rule - and some of the benefits/risks may vary depending on a firm's size and the type of practice - each rule is applicable and will benefit everyone in your organization.
1 https://www.moundcotton.com/newsletters/summer-2018/a-brave-new-world-cybersecurity-and-the-potential-for-legal-malpractice-claims/ - Refers to case Millard v. Doran, No. 153262/2016 (Sup. Ct. N.Y. Cty.).