Last week’s post explored why law firms need data security policies. Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.
What does a records retention schedule have to do with data security? Simply this – keeping data without a legal or business reason exacerbates data security exposures.
Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose. This unnecessary data multiplies the number of those whose confidential or protected information is compromised, and can also have exponential impact once breached, passing a tipping point on lasting reputational damage or on the economic viability of claims against the firm.
It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.
But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right? Actually, far too few firms do.
Only 60% of the law firms responding to the 2017 ABA Legal Technology Survey have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule. As you might expect, firm size has an impact on whether the firm has a retention schedule in place:
- 29% of solo practitioners;
- 32% of firms of 2-9 lawyers;
- 40% of 10-49 lawyer firms;
- 52% of 50-99 lawyer firms; and
- 76% of 100-499 lawyer firms.
Law firms without a records retention schedule conceivably could dispose of some records prematurely. But it’s far more likely that firms without a retention schedule will retain records indefinitely, far beyond any mandated or prudent retention period. The result? A firm buried under a mountain of unnecessary information, with increased storage costs for hardcopy records, increased IT expense for storing unnecessary data on premises or in the Cloud, sluggish or overwhelmed computer systems, challenges in accomplishing system data backup, unnecessarily complicated data migrations for system upgrades, day-to-day difficulty in finding needed information … and beyond all of that, heightened data security exposures for confidential client information and employee personal data.
Some lawyers may believe that their clients expect the firm to be the permanent repository for any and all records of past representations. Odds are that (1) this has never actually been discussed with the client, and (2) many, if not most, clients have no such wish. As with most challenges in defining the attorney/client relationship, engagement letters are an ideal vehicle for clarifying expectations on retention of client records.
But regardless, there’s really no sensible reason for a law firm not to have a records retention schedule, with a records management policy to help implement and enforce it. And if a law firm needs yet another compelling reason to establish and follow a records retention schedule, then look no further than the firm’s data security.