The need for records management policies
The Panama Papers and Paradise Papers cyberattacks against law firms. The issues of data harvesting emerging from the Cambridge Analytica scandal. The volume of reported data breaches. Cyberattacks and data breaches are becoming harder to avoid as ever larger quantities of information are stored electronically. In addition, GDPR has introduced requirements to notify the relevant supervisory authorities and individuals who may be adversely impacted much more promptly (within 72 hours of becoming aware).
As a result, there is a greater need for stronger controls around data security, both within your organisation and for companies holding your data. A robust records management policy forms an integral part of your company’s ability to understand what information is available, where it is and in what format it is being held. Most importantly, it sets a clear framework on how that data is handled, managed and stored.
You may have agreements in place with your external partners on how they manage and handle your data and, historically, companies may have relied on these without much further investigation.
However, if you have ever been involved in handling the fallout of a data breach by one of your suppliers, you will appreciate the pressures of trying to assess the potential risk and exposure the breach might have on your company. All of this must be done within very tight timescales if you need to notify the authorities and individuals concerned.
Using legal spend management software to improve data security
One tool which can help (both with an immediate investigation and with any future risk assessments) but is often overlooked for this purpose is a legal spend management system (like BusyLamp). Integrated legal spend and matter management software can provide a wealth of information to help legal operations understand and manage the data that the law firms are holding for you and can support you in building a records inventory.
Legal spend management tools can provide clarity on:
- Which external law firms are being used,
- What type of work outside counsel are undertaking, and
- Who at the law firms has worked on the matter and therefore had access to your data.
For an immediate investigation, knowing what data has been shared with your law firm is vitally important. Access to the matter details in your legal spend management system will provide you with a good starting point to gather information. Basic information will include the name of the law firm and the person(s) in your firm who may be working on the matter(s). It will also provide a contact point at the law firm. Finally, based on the type of work being carried out, you will have a rough idea of the type of documents that might have been shared with the firm.
If you are looking to assess the risks of sharing your data both now and in the future, legal spend management software will provide details of the number of times your company has used the firm. With this, you can assess the risks and controls that are in place with all of your outside counsel and carry out any appropriate system security assessments. You can also more easily check that the law firms have implemented, and are complying with, your own records management and records retention policies.
The amount and sensitivity of the data that is sent to your law firms is often determined by the type of work that is being undertaken and most companies will generally share similar types of data for specific categories of work with their external partners. As an example, for an employment issue, details about the employee and the grievance will be shared with the external counsel. Using the information in a legal spend management system about the types of work being undertaken by the law firms will help you to not only assess the risks and controls that each law firm has in place to protect your data, but also to consider the best and most appropriate ways to transfer your data. Furthermore, it can help you build your records inventories.
Finally, as law firms record the time that a timekeeper spends working on a matter, invoice data captured by e-billing software will allow you to see who at the firm has had access to your information.
Knowing and understanding the type and volume of data that your company has shared with your law firms will help you a) respond to and manage any data breach or data loss, and b) understand the potential risks that your data is exposed to. This knowledge will in turn help you assess whether you are using the best legal technology for sharing your data and whether the processes you have in place to transfer your data are appropriate.
Iain MacDonald, Independent Legal Operations Consultant