I had an interesting discussion recently with Peter Baumann. Peter is the CEO and founder of data privacy and governance software provider ActiveNav. According to its website, ActiveNav, founded in 2008, helps “privacy and compliance teams quickly identify, inventory and map sensitive data.”
Peter’s present goal is to develop solutions that address what he calls the “elephant in the room .”That is businesses having and maintaining too much unstructured that they really shouldn’t.
According to the Company, ActiveNav is on a crusade “of achieving Zero Dark Data™ across all types of repositories.” In Peter’s world, Zero Dark Data means unstructured data) and he wants to eradicate as much of it as he can. Pretty lofty long term goal.
80% of data in most business organizations is unstructured and all but ignored
In the meantime, Peter is passionate about the need to wipe out unstructured data that’s not necessary. He says 80% of data in most business organizations is unstructured and all but ignored. That’s because it’s hard to find. It’s hard to know who has it. And it’s hard to determine what needs to be retained.
Peter agrees that unstructured data is a particular problem for law firms. in the first place, too many law firms have no retention policy for themselves or have one that’s way too long. Despite this, lawyers frequently advise clients to develop sound retention policies tied to actual needs. And clients are advised that those policies be rigorously enforced.
But too few law firms, says Peter, follow their own advice. The unstructured data problem is further compounded by the fact that most lawyers are pack rats. They never want to throw things away: I might need that ten year old file someday, and we need to keep it! (Someday typically never comes; even if it does, the file either can’t be found or the advice and information contained in it are outdated).
And since lawyers’ time is critical–especially billable time–most lawyers don’t want to spend it reviewing, sorting, and disposing of unnecessary unstructured data. In addition, as Peter charitably put it, “law firms are not always on the forefront of tech .” Put all this together, and you have a perfect storm of risk for law firms if their systems are breached.
Law firms rely on end-users to find, label, and deal with unstructured data. And it just doesn’t work,
Peter also notes that most law firms and, for that matter, businesses rely on end-users to find, label, and deal with unstructured data. And it just doesn’t work, especially for lawyers. What’s needed are tools that can automate the entire process. These are the kind of tools ActiuvNave endeavors to provide. Tools that help remove the burden of remediation of unstructured data from the end-use with tech tools. What’s needed, Peter says, is an “easy button.”
So what’s the so what for law firms? Why should they care about unstructured data? After all, they say most of the material is confidential. It is not likely ever to be discoverable, so finding and deciding whether to keep it is not that critical.
Not so, says Peter. The most significant danger to law firms is being hacked, and their security breached. Law firm files are full of sensitive and private information. A breach means all this data– such as PII, intellectual property, financial, and other sensitive information–could be publically revealed. Revealing this information would be devastating to a firm’s reputation and business, not to mention the clients’ business. As I often remind lawyers when I give talks on cybersecurity, do you really want to have to call your client and tell them the information with which the law firm was entrusted is now publically available? Remember the Panama papers scandal?
And make no mistake, a breach not only triggers notice requirements for the firm, but it may also require the client to give notice. A breach also brings significant privacy litigation and regulatory issues into play. These issues are not only embarrassing, they create liablity for all involved. And make no mistake. The bad guys certainly know all about the unstructured data in law firms, where to find it, and its value.
Also don’t forget that even if a breach occurs and the sensitive material is not revealed right off the bat, the bad guys may demand ransomware. Ransomware leads to significant financial exposure and ramifications and ethical dilemmas for a firm. Do you pay the ransom? What duties do you owe your client to pay and notify? These are dilemmas that most managing partners would just as soon not face.
There’s another risk in today’s environment for firms that don’t put in place controls and safeguards to deal with unstructured data. More and more clients are demanding that the firm has certain cybersecurity protections in place as a condition of hiring a law firm. Firms may not get hired if those protections are not present and demonstrable.
No one has or will take the time to figure out what data is there, whether it might be helpful in the future, and then classify it so it can be found
Beyond the liability and breach issue, there is another problem with law firms’ unstructured data. If the data is not labeled or classified in a way it can be found, it’s really useless for all practical purposes. There is no need to retain data that can’t be found and used. Most law firms, for example, recognize the need to have active past efforts files so that previous work can be found and resued. Today, those files are digital, and their data is mainly unstructured.
But no one has or will take the time to figure out what data is there, whether it might be helpful in the future, and then classify it so it can be found. Since the past work can’t be easily found and used, in the end, the client ends up paying more for something to be recreated. So a tool that automates this entire process (which ActiveNav claims to have) would be invaluable.
So there are many good reasons, says Peter, for law firms to get with the rest of the world and start dealing with their unstructured data. Automation can help, but at the end of the day, firm management needs to be educated about the problem and commit to deal with it.