Last week’s post explored why law firms need data security policies.  Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.

What does a records retention schedule have to do with data security?  Simply this – keeping data without a legal or business reason exacerbates data security exposures.

Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose.  This unnecessary data multiplies the number of people whose confidential or protected information is compromised.  Once breached, it can also have exponential impact, pushing the firm past a tipping point on lasting reputational damage or on the economic viability of claims against the firm.

It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.

But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right?  Actually, far too few firms do.

Only 60% of the law firms responding to the 2017 ABA Legal Technology Survey have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.  As you might expect, firm size has an impact on whether the firm has a retention schedule in place:

  • 29% of solo practitioners;
  • 32% of firms of 2-9 lawyers;
  • 40% of 10-49 lawyer firms;
  • 52% of 50-99 lawyer firms; and
  • 76% of 100-499 lawyer firms.

Law firms without a records retention schedule conceivably could dispose of some records prematurely.  But it’s far more likely that firms without a retention schedule will retain records indefinitely, far beyond any mandated or prudent retention period.  The result?  A firm buried under a mountain of unnecessary information, with increased storage costs for hardcopy records, increased IT expense for storing unnecessary data on premises or in the Cloud, sluggish or overwhelmed computer systems, challenges in accomplishing system data backup, unnecessarily complicated data migrations for system upgrades, day-to-day difficulty in finding needed information … and beyond all of that, heightened data security exposures for confidential client information and employee personal data.

Some lawyers may believe that their clients expect the firm to be the permanent repository for any and all records of past representations.  Odds are that (1) this has never actually been discussed with the client, and (2) many, if not most, clients have no such wish.  As with most challenges in defining the attorney/client relationship, engagement letters are an ideal vehicle for clarifying expectations on retention of client records.

But regardless, there’s really no sensible reason for a law firm not to have a records retention schedule, with a records management policy to help implement and enforce it.  And if a law firm needs yet another compelling reason to establish and follow a records retention schedule, then look no further than the firm’s data security.

Peter Sloan
