This is it. 2020 is almost over and we look forward to 2021 with hope that it will bring a return to normalcy rather than magnify the crazy year we have just had! The New Year is a time of new beginnings, creating resolutions, and enjoying the chance for a fresh start. What are your cybersecurity resolutions for 2021?
Although it can be a controversial topic, have you considered destroying your files?
I will admit it, I am a packrat when it comes to my personal files – I recently discovered a file folder with paystubs from part-time jobs while I was a teenager.
Often the easiest course of action is to do nothing. Destroying files requires time and effort. But you should still do it!
A significant factor is the cost of responding to a data breach, often measured as cost per record. In its 2020 Cost of a Data Breach Report, IBM Security reported that the average cost per record was $146, rising to $162 per record if the breach was caused by a malicious attack. Put quite simply, the more files you have – whether paper or electronic – the more you will spend if there is a breach.
But beyond the cost in the event of a data breach, what value is held in those files? Assuming there is value in them, how long would it take you to locate that information? What is the value of your time and that of your employees as compared to the value of information in the file? And how much are you spending in storage space and security measures for those old physical and electronic files?
Much digital ink has been spilled over the past two decades on the topic of employee time spent searching for information, kicked off by an IDC study in 2001. Those studies have found that somewhere between 30 minutes and 2 ½ hours per day are spent searching. It stands to reason that the less information you store, the less time will be spent searching, saving time and money for your firm.
Of course we cannot destroy files right away. NC ethics opinion RPC 209 instructs attorneys to retain files for 6 years unless the client consents to an earlier destruction time. Rule 1.15-3 designates a similar period for financial records. We have also written on the topic previously and even have a toolkit available to help you. Even with an earlier destruction time allowed, it is likely prudent to retain files until at least any applicable statutes of repose have run. And there is some information – such as basic identifying information – that you probably should retain longer to ensure you can complete a meaningful conflict of interest check in the future.
Finally, many modern approaches to privacy such as the California Consumer Privacy Act and the European Union’s General Data Protection Regulation require data to be destroyed when it is no longer required for the purpose for which it was originally collected and once legally required retention periods have elapsed. This is an over-simplification of those regulations, but the trend remains that modern privacy laws increasingly place an emphasis on destroying data rather than retaining it.
So as the clock creeps closer to 11:59:59pm this December 31st, consider a resolution to begin thinking of data retention not as a minimum time to keep files, but rather as their expiration date calling for their destruction absent a compelling reason to keep them longer. We may just find that we save time, save money, and have a happier and less cluttered law firm life!
Thank you for joining me on this journey we began in April. I hope this series has helped you identify steps you can start taking to protect yourself and the practice you have worked so hard to build!
About the Author
Patrick is the Vice President of Enterprise and Operational Risk Management at Lawyers Mutual as well as filling the roles of Corporate Secretary and Director of Information Security. He is an NCSB board certified specialist in Privacy & Information Security Law and has been designated a Fellow of Information Privacy and a Privacy Law Specialist by the IAPP. He is always happy to talk about his collection of tinfoil hats or to discuss risk management advice and resources that you may find helpful - you may reach him at 800.662.8843 or firstname.lastname@example.org.