Data Retention

How to Implement a Thorough Data Retention Policy

The evidence shows that major players in the legal field have been surprisingly slow to commit to a comprehensive data retention policy. The American Bar Association’s 2017 Legal Technology Survey Report found that only 60% of respondents “have a policy to manage retention of information/data held by the firm.” For firms with fewer than 50 employees, the numbers are even lower: 45% for solo respondents, 57% for firms of 10-49 employees, and 53% for firms of 2-9 employees.

A substandard data retention policy is risky in any field, but especially when it comes to legal work. Firms must ensure that former employees don’t have access to data when they leave, data is organized and stored securely, and workers have consistent standards for the use of personal devices.

Here are five steps for the implementation of a thorough data retention policy:

1. Conduct a data audit.

Data oversight is one of the most important components of retention, though it can be challenging to track who is storing and interacting with content. Take stock of where data is and how this varies on a departmental basis. Data might be housed in the cloud, on-premise, and in the form of print documents. Ensure employees are held accountable for the data they produce and its proper storage.

2. Simplify data classification.

Many data classification protocols are complex and don’t always yield practical results. Rather than create many granular classifications, firms should create unilateral standards for protection. Whether the data is client-facing or financial, it should be housed on a secure platform with access controls to limit the number of end-user touchpoints.

3. Outline retention rules.

Poorly rendered “bring your own device” (BYOD) policies can make it difficult to track where data lives. As of now, only 42% of firms have taken the first step and written specific BYOD policies. If possible, prioritize retention rules that move data offline and to secure environments.

4. Implement the policy.

From transmitting sensitive data over public WiFi networks to storing unsecured data on personal devices, vulnerabilities abound. To keep clients safe and avoid a data catastrophe, businesses within the legal sector must communicate the value of a data retention policy to their employees. The policy should detail the life cycle of closed-case data. By communicating these expectations, employees are more likely to engage in compliant behavior.

5. Audit the processes.

Following the implementation of a data retention policy, conduct an annual audit. This allows time to review current processes, address systemic concerns (if any arise), and amend policies to account for organizational changes, personnel growth, etc. Audits also provide an opportunity to reward employees for compliant behavior.

These five steps can serve as a guide for companies working to implement data retention policies. Don’t fall prey to the possibility of losing track of company data and who has it. Keep clients safe and take protection seriously.

About Jeffery Lauria

Jeffery Lauria
As Vice President of Technology, Jeffery Lauria is responsible for managing iCorps' client accounts and technology partnerships. Jeffery ensures iCorps' competencies represent the most innovative technologies so that our clients are positioned for optimal efficiency and enterprise-level security. His leadership in migrating clients to Microsoft's Office 365 suite and Azure platform have contributed to iCorps' success as a top cloud partner in the Northeast. His passion for helping organizations work more productively through the use of technology is recognized and appreciated by iCorps' clients across all industries. Jeffery is a highly accomplished Information Security Executive whose experience spans over twenty years in all facets of information technology. He participates actively in the IT community focusing on cloud services, security and IT governance. Jeffery's certifications include CISSP, CGEIT, CISA, CRISC, CCISO, CCSK and MCSE.

Check Also

Referral

Your Referral Network is Broken

So, your referral network is broken. But starting to fix it is one of the best decisions you will make for your law firm.