Some things, despite huge technological advances, never really change. When it comes to storing records, the rows of filing cabinets may be disappearing as attorneys go digital, but law firms still keep a lot of stuff. The largest players buy space by the petabyte: That's 1,048,576 gigabytes. Many law firms, it seems, are pack rats.
The days of keeping every document forever are fading. One driver is price. Even as the cost for a gigabyte of storage fell from about $1,000 in 1994 to 3 cents in 2014, the total amount companies spent storing digital information continued to climb (doubling between 2000 and 2010 alone) because they are storing so much more now. And, to make matters worse, the amount of data created is on pace to double every two years.
The second driver may be more frightening: It no longer works to throw every scrap of data a law firm receives into a local database and assume it's secure. Keeping files forever can increase risks for both firms and their clients, and in 2011 the FBI began meeting with top law firms to discuss the problem of computer security. "Attackers figured out it's a 'target-rich environment,' " says Serge Jorgensen, founder and CTO for the cybersecurity consultancy The Sylint Group, headquartered in Florida. "If I [as a hacker] want to know about intellectual property, instead of breaking into any company with an R&D division, I will go to its IP lawyers. And, chances are they'll have less protection, with old data and new data commingled throughout the system."
In many cases, experts say, it's in a firm's best interest to store less data - and store what it does keep smarter. But first the firm must overhaul the way it manages data. And though the records management and IT staffers at firms likely have ideas about how to handle information, experts say practicing attorneys often get in the way.
"Lawyers tend to be really siloed," says Jorgensen. "If I were to set up a process for a law firm, any AmLaw 100 - or even any law firm above a partner or two - what you run into is that every partner does something different. They manage their data on their own."
The key is to get all attorneys in a firm on the same page, so they manage their files in a consistent way, says Jorgensen. He and other experts agree that law firms generally lag behind other industries when it comes to "information governance," the new field concerned with managing all of an enterprise's data and documents. (See "Ruling Your Information" in last month's Tech for an introduction to information governance.)
By leaving loads of information connected to local computers and easily accessible to attorneys, firms are putting data within easy reach of hackers. They also may be violating ethics and confidentiality rules.
Taming the Beast
Limiting what data professionals call the "life cycle" of records is crucial, says Charlene Wacenske, the San Francisco-
based firmwide records manager at Morrison & Foerster. Eventually, despite protests from senior partners, some records should be deleted. "It is changing, the pack-rat thing," Wacenske says. "Everyone gets it. Everyone understands the need for good hygiene around destruction, and returning things back to the clients. The last thing you want is the client destroying [a document], but [then] whoever is suing them comes to you, because you didn't destroy it."
The best way to safeguard data from prying eyes is instituting a records retention-and-destruction plan. This can be challenging for law firms because many of the records they hoard are "unstructured data." Unstructured data, for those of us who don't sling zeroes and ones for a living, is everything that's not in the fields or columns of a database. That includes individual PDFs, word-processing documents, images, videos, and much of the daily business of firms. It also includes the types of files that people tend to forget can include important information, like emails and instant messages. "Practically everything we have of note is in some sort of unstructured data," says Hoyt Kesterson, senior security architect at the consulting firm Terra Verde in Scottsdale, Arizona. A strong case-management tool is a good place to start, notes Jorgensen, though it doesn't solve the larger storage and security problem.
Once firms have catalogued their unstructured data, attorneys and IT professionals should judge whether records from specific cases or clients are confidential or sensitive and, most important, whether cases fall under any regulatory schemes such as HIPAA (Health Insurance Portability and Accountability Act (Pub. L. No. 104-191)) or HITECH (Health Information Technology for Economic and Clinical Health Act (Pub. L. No. 111-5)). Services such as Web-based RulesMapper can help ensure that retention policies match the various legal requirements of all the different jurisdictions. Case-management software often has built-in features to help in classification, tagging all emails or documents with a matching case ID.
The Road to Deletion
Once you've determined whether there are any legal reasons to safely maintain a document, and you've talked to clients about any needs they may have, it's time to figure out how long the data should be kept.
"Oftentimes, rather than talking about deletion - because that gets lawyers all fired up - I talk about moving into an archive," says Jorgensen. Moving documents to an offline archive that is disconnected from attorneys' computers may be a bit annoying, as lawyers will no longer have instant access to the records, but it will be significantly safer, Jorgensen says. Some records-management companies, like Iron Mountain, will take care of the entire process and move data to off-site facilities with perks such as on-demand scanning and file retrieval.
Records managers also can easily track how often archived documents have been accessed (if ever). After a document has been sitting around for several years, Jorgensen often recommends to attorneys: "If you still don't look at this for another year after that, maybe we'll slide it out." Then he places it on tape, an even more secure medium. After no one looks at it for another year or two, he'll destroy it - with the permission of the firm and client.
David Ferry writes from San Francisco about the law, social issues, and technology.