Tish is absolutely on point here:
A healthy data posture includes a documented and current information map that says what you have, where it’s stored, and who has access to it. Beyond an information map, you need to be able to collect, search, understand, and protect those data assets that are critical to the operation of your organization. It includes understanding and complying with the relevant rules and regulations that govern your particular industry.
It is not surprising to me any more, but it is still unsettling, how many organizations, including law firms, have no idea what data they have or where it is. That’s not being s responsible steward of what may be other people’s private information.
You can’t protect what you don’t know you have.