I’ve been thinking this way for awhile now, glad to see the legal industry starting to take a good look at it:
Our teams have led extensive data breach response work, and time and again have encountered vastness of old and unnecessary data, including files with highly detailed personally identifiable information (PII), that continues to live on corporate email stores and computers. In many cases, legal teams are simply unaware that this data exists, and then are left scrambling to deal with the repercussions when a breach, privacy law violation, or litigation event occurs.
If you don’t even know what data you have, or where it’s located, how do you protect it? Simply put, you can’t. The more “stuff” you have laying around, the more likely it is to be breached either by outside forces, accidentally leaked from the inside, or be in violation of privacy laws around the world. Ignorance of the law is one thing, ignorance of what is laying around your own technology infrastructure is yet another way for organizations to get caught with their proverbial pants down.
Be smarter than that.