5 Things Your Law Firm’s Data Retention Policy Needs
For any organization, consistent access to critical documents and data is always a major concern. For law firms, the ability to access legal documents and maintain them for as long as their clients and the court system need them is paramount to success.
Let’s go over the basics of data retention policies for law firms—what they are, how they can help your firm, some best practices to follow, and what the most important data retention requirements are for law firms in the New York area.
What Is a Data Retention Policy?
A data retention policy is your organization’s guiding document for explaining how data should be classified and stored, how long it should be kept, and even when and how it should be destroyed/disposed of when it is no longer needed.
It combines data storage and retrieval, data security, and IT asset disposition (ITAD) measures as necessary to comply with state, federal, and industry regulations and to protect the interests of your business. Law firms by necessity often handle extremely sensitive information and must comply with discovery and disclosure rules for cases, so losing documents and data can be an enormous issue for any legal practice.
Benefits of Having a Data Retention Policy in Place
Establishing a data retention policy—and following through with setting up the IT assets and resources needed to follow it—can have several positive impacts for a law firm. Some of these potential benefits include:
- Providing Some Protection Against Malpractice Lawsuits. Unfortunately, legal malpractice suits are a fact of life for any law firm—regardless of how successful and scrupulously correct its actions are. Some sources, like CNA’s Tips to Assist in Avoiding a Malpractice Claim, state that “the likelihood of a private practice attorney being sued for malpractice in a given year runs between 4 and 17 percent.” Having complete records of work performed for a client—including all case documentation, billable work hour records, and other data—can be critical in successfully defending a malpractice case.
- Compliance with New York State Bar Ethical Requirements. The New York State Bar Association (NYSBA) states that: “With certain important exceptions, a lawyer has no ethical duty to retain closed client files… for an indefinite period.” However, “a lawyer has an ethical duty to retain for seven years certain books and records concerning an attorney-client relationship, and any documents otherwise required by law to maintain.” In short, outside of a few types of documents that have an intrinsic value (such as wills or deeds), law firms don’t have to keep records indefinitely, but they do need to maintain them for at least seven years after the end of the attorney-client relationship. Having a data retention policy in place can help ensure that these ethical standards are met consistently across the entirety of the practice.
- Providing Protection Against Data Loss Incidents. Having data backup and business continuity/disaster recovery solutions in place as part of a data retention policy can help to protect the firm against data loss incidents caused by cybercrime, human error, acts of nature, and other disastrous circumstances. This goes beyond protecting legal documentation needed for cases—it can also protect important billing information, payroll information, and other data needed to keep the firm’s business operations running smoothly.
These are a few of the potential benefits of having a robust data retention policy and the resources needed to make it a reality.
Data Retention Best Practices
When creating a data retention policy, it’s important to follow a few basic “best practices” to help ensure that the policy is able to comprehensively cover all of the data files that the practice needs to preserve for both client work and internal business operations.
Some common best practices include:
- Classifying All Data Held by the Firm. Different types of documents and data will have varying retention requirements. For example, documents with intrinsic value need to be preserved indefinitely by the law firm to meet ethical and legal compliance requirements. On the other hand, documents that lack intrinsic value need only be preserved for a set period (seven years in New York per the NYSBA ethical opinion cited earlier). Accurately classifying all data processed and stored by the firm is critical for establishing the correct data retention period for each file. Additionally, it’s important to sort data by its level of confidentiality—public, internal, restricted, etc.—so you can apply the appropriate data security protections.
- Periodically Reviewing the Retention Policy. As data retention standards (and the available tools to enact your policy) change, it may prove necessary to reexamine your firm’s data retention policy and make adjustments as needed. For example, if a ruling sets a precedent that demonstrates a particular type of document would have intrinsic value, then the way that kind of document is handled in the future would change. Or, a new platform, technology, or vendor may come along that can provide a better solution for managing your electronic document storage and disposition. In that case, modifying your policy to include that solution could help you improve your data retention.
- Communicating Data Retention Policy Standards to All Members of the Firm. If a company has a data retention policy, but nobody knows what’s in it, does it really help? The short answer is “not really.” To help ensure that the guidelines in your policy are followed, it’s important to communicate them to everyone in the firm—from the partner lawyers, to the paralegals and even front-office staff who might come into contact with mundane documents when processing potential clients. When everyone knows what’s expected of them under the policy, your firm will have a much easier time of enforcing the guidelines in it. Your firm may also benefit from creating a formal document detailing your data retention policy, its requirements for each role within the firm, tools available for following the policy, and any consequences for breaches of the retention policy.
- Using a Data Retention Policy Template. It can help to follow a set format for your data retention policy. The NYSBA has a template example of a data retention policy document that law firms can easily adapt to their needs. While it doesn’t cover every potential application and requirement for every type of legal practice in NYC, it helps by creating a baseline that you can expand upon as needed!
5 Things Your Law Firm’s Data Retention Policy Needs
So, now that we’ve covered a few best practices for implementing a data retention policy, what do you need to make your own firm’s policy effective? Here are a few things that any legal practice will need to ensure the efficacy of their data retention policy:
1. A Remote Data Backup Solution
One of the most important things a law firm can do to prevent the loss of important data and documents is to establish a remote data backup solution as soon as possible. With copies of all important files stored in a location separate from the law firm’s primary data center, it is possible to recover files that would otherwise be lost to a catastrophic event.
For example, say that a new paralegal accidentally hits the wrong button on his computer workstation and deletes an entire client case file. If there is no backup of that data, then it will all be lost—potentially leading to the need to request a continuance from the court to get the time needed to reassemble all of the documents and data lost.
With a remote data backup, your team could simply redownload the files from the remote server and continue operations as normal.
2. Strong Cybersecurity Measures
In a perfect world, your firm wouldn’t need to be on guard against cybercriminals, but there are many who would be interested in stealing or compromising the sensitive information your firm maintains. Whether the motive is profit, interference with a particular case, or just for the cybercriminal’s own amusement doesn’t matter. Regardless of the motive, it’s imperative to take all reasonable precautions to protect the integrity and confidentiality of your firm’s data.
Security measures such as data encryption, role-based access to sensitive data, and multi-factor authentication (MFA) can help to protect your firm’s data from illicit access by a malicious actor.
3. A Plan of Action to Cover Data Loss Events
If the worst happens and an important file that needed to be preserved is lost or compromised, what’s the plan of action to address the issue? A data retention policy should have a section detailing what any given member of the law firm should do in case of a data loss or data breach event.
This can help to prevent confusion later on by giving each person a roadmap explaining their role and responsibility in a data retention-related emergency. This includes creating a consistent method for notifying clients of data loss events (including the routine destruction of obsolescent data files so the client can personally retain them if they so desire).
4. Comprehensive Data Destruction Solutions
When data files are no longer needed, it’s important to dispose of them in a way that prevents their recovery by any third party who could potentially use them for malicious activity. So, acquiring a comprehensive IT asset disposition (ITAD) solution can be an important part of legal document management.
While paper files could be shredded, pulped, or burned beyond any reasonable risk of reassembly, it can be surprisingly difficult to extirpate data from a hard drive on a computer. When a file is “deleted” from a hard drive, that doesn’t necessarily mean the information is gone. Instead, the computer simply frees up whatever section of the hard drive was being used to store that data to be written over by new data.
So, to protect that data from being accessed, it’s necessary to ensure that the data on the disk is actually overwritten with junk data, or to physically destroy the hard drive completely to prevent data recovery.
5. Secure Remote Access Solutions
Here’s a scenario to think about: A lawyer is arguing a case before the court, and while preparing their documentation, they realize that an important file is missing from their laptop that they need when making their presentation. How can you ensure that they can get this file without having to delay proceedings (possibly irritating the court officers) or making do without (potentially compromising their case)?
One solution would be to allow the attorney in question remote access to a database with important case files and data so they could download it to their laptop using the courtroom’s Wi-Fi network. However, when allowing access to sensitive files remotely, it’s important to prevent unauthorized access. This is where secure remote access solutions can help.
Start Building a Data Retention Strategy Now!
Does your law firm need help setting up the tech required to make a top-notch data retention policy? Converged Technology Group is here to help! Our IT support for legal firms is designed to address all of your legal IT needs so you can focus on growing your practice instead of fiddling with your IT platform!
Reach out to us today to get started!