With almost all legal and accountancy firms having gone fully digital, it’s safe to say that this most critical asset sits almost entirely on their IT systems. Of course, this has real benefits for business efficiency and flexible working, but most firms do not have a good understanding of where their different types of data sit (although many don’t realise it).

The problems created by digitisation of data

To understand the problem, let’s draw an analogy with old-fashioned paper filing. Your documents will have been kept in labelled files, in locked cabinets, and only certain people would have had access. This is largely replicated in the digital era with file system folders and permissions – so far so good.

However, consider more sensitive documents – those relating to highly sensitive cases or perhaps documents relating to staff remuneration.  If you were to access these in the paper days, you would have followed some strict procedures – like not removing the document from a secure room, not taking copies or sending them by normal post or fax. This was often obvious due to the physical security procedures around the filing and people would then know how to handle the document. Would the same be the case for digital data?

Compounding the issue is that in the digital world the same data will often sit in multiple locations – for example it could be stored in a case management system, a copy downloaded to a shared folder and then a copy sent via email – so one document could easily be in three locations, possibly more. Most firms have little idea where copies of data sit, nor any way of tracking them.

Why unclassified data is a hidden risk to your firm and why AI has just made it worse

Imagine a document relating to a sensitive legal case or perhaps a spreadsheet relating to a client’s payroll. A member of staff, working from home at short notice, needs to print it for an urgent client meeting. To get it printed they email it to their personal email address. Reading this, it may seem obvious that this is unacceptable, but a member of staff working outside the office with a Word document that looks like any other may have lost the context that would make it obvious to them. This is a common issue that many firms are not aware is happening.

With generative AI on the rise in the workplace, the risks around lack of context on data are magnified exponentially. AI agents have none of the context around your data that even a junior employee will have. If an agent has access to data, then that data is fair game for it to process should it need to in order to follow its instructions. This raises the challenge of AI-generated content containing references to confidential or sensitive data and being distributed to people who should not be viewing it.

What are firms doing about this?

The reality is that in SME professional services firms, properly managing and accurately classifying data is often viewed as an administrative task rather than a strategic one. With most firms experiencing time and resource pressures, it is not prioritised, as billing time and meeting client deadlines take up most capacity.

In fact, creating a simple data classification framework is relatively straightforward, and most businesses will have the technical tools to implement controls to enforce it, both in their Microsoft software and their case management systems.

Check out our article on how to create a data classification framework to learn more.