Why Your Law Firm Needs a Data Retention and Protection Policy
For any law firm, consistent access to critical documents and data is always a major concern. To this end, many firms have established a strong data protection policy (DPP) that defines how firms will store, transmit, and eventually dispose of their important files.
In this article, we’ll cover the basics of what a data protection policy is, some of the compliance requirements law firms need to meet when handling sensitive data, and some tips for creating a strong DPP.
What Is a Data Protection Policy?
A data protection policy is a formal document used by an organization to standardize how members of that organization will store, transmit, use, monitor, manage, and eventually dispose of protected data. In law firms, “protected data” could include, but not necessarily be limited to, items such as:
- The firm’s financial data
- Client financial data
- Case documents
- Client documents (like wills, power of attorney docs, etc.)
- Other personally identifiable information (PII) of clients, like names, addresses, and social security numbers that may be on file
In short, if it could be considered a “sensitive” file, then it should be included in your firm’s data protection policy. For law firms, which by necessity handle extremely sensitive information and must comply with discovery and disclosure rules for cases, losing documents and data can be an enormous issue.
Law Firm Compliance Requirements
What kind of protections do law firms need to take? This can be a tough question to answer, as data security standards for businesses vary from one state to another. While legal degrees require years of dedicated study, cybersecurity isn’t typically a required course. As noted by Cybersecurity Guide, a resource that lists cybersecurity programs available in each state, “As the minimum requirement for practicing law, law school J.D. curriculum does not usually include courses specific to cybersecurity law.”
Even in pre-law preparation, there isn’t an emphasis on cybersecurity. The American Bar Association (ABA) states that “You may choose to major in subjects that are considered to be traditional preparation for law schools, such as history, English, philosophy, political science, economics or business, or you may focus your undergraduate studies in areas as diverse as art, music, science and mathematics, computer science, engineering, nursing or education.”
The ABA doesn’t really emphasize any specific type of course to prepare students for law school, and law schools don’t necessarily teach cybersecurity—though there are some schools that do offer cybersecurity law courses that may teach some of the basics for those who wish to specialize. For example, if a student were to go beyond their Doctor of Jurisprudence degree to pursue a Master of Laws degree (LL.M.), they could specialize in cybersecurity law and would likely take cybersecurity-related courses to give them the mastery of cybersecurity concepts needed to parse cybersecurity-related issues.
However, there are some applicable standards and broad legal requirements for businesses of all types that can also apply to law firms. One example would be New York’s General Business (GBS) Chapter 20, Article 39-F Section 899-BB, which requires businesses to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.” To help you prepare your own law firm’s data protection policy, here are a few basic requirements that any DPP document should cover:
Data Storage
How will the law firm store the data it needs to operate as a legal practice? How will sensitive client data-at-rest (i.e., in storage) be protected from illicit access and accidental exposure?
Common data storage security measures that could be considered reasonable may include:
- Implementing a network firewall to prevent outside access to law firm data storage media
- Using data encryption on stored data to make the information unreadable to unauthorized users who don’t have the encryption key
- Installing antivirus/antimalware and monitoring solutions such as security information and event management (SIEM) tools to guard against malware intrusions
- Incorporating a remote data backup solution to prevent the loss of critical files in case of a disastrous event (power loss, damage to storage media, ransomware attacks, etc.)
Data Transmission
How does the law firm handle moving data from storage to another location, such as a lawyer’s laptop or to a client? Who has access to sensitive information and how are identities verified before any data is transmitted?
Data being transmitted is at risk of being intercepted or even being sent to the wrong party. So, a data protection plan should include:
- Measures to verify the identities of anyone accessing protected information
- Solutions to prevent the interception of transmitted data (such as VPNs with encryption for data-in-flight)
- Guidelines for verifying that any outgoing communications are only being sent to the correct parties
Data Compromise Response
If a data breach occurs, how will your firm respond to it and notify any affected parties? New York’s SHIELD Act specifically requires businesses to disclose any breaches “in the most expedient time possible and without unreasonable delay, consistent with the general needs of law enforcement.”
So, it’s important to have a solution for monitoring data breaches that can determine what data was compromised. This way, your firm can accurately target notifications to the affected clients.
Additionally, it’s important to have an incident response plan that details roles and responsibilities for the whole of the law firm—including who to report to (such as your network security vendor), what each person should do to help contain the breach, and how to use any data breach remediation tools that may be available.
Benefits of Having a Data Retention Policy in Place
Establishing a data retention policy—and following through with setting up the IT assets and resources needed to follow it—can have several positive impacts for a law firm. Some of these potential benefits include:
- Providing Some Protection Against Malpractice Lawsuits. Unfortunately, legal malpractice suits are a fact of life for any law firm—regardless of how successful and scrupulously correct their actions are. Some sources, like CNA’s Tips to Assist in Avoiding a Malpractice Claim, state that “the likelihood of a private practice attorney being sued for malpractice in a given year runs between 4 and 17 percent.” Having complete records of work performed for a client—including all case documentation, billable work hour records, and other data—can be critical in successfully defending a malpractice case.
- Compliance with New York State Bar Ethical Requirements. The New York State Bar Association (NYSBA) states that: “With certain important exceptions, a lawyer has no ethical duty to retain closed client files… for an indefinite period.” However, “a lawyer has an ethical duty to retain for seven years certain books and records concerning an attorney-client relationship, and any documents otherwise required by law to maintain.” In short, outside of a few types of documents that have an intrinsic value (such as wills or deeds), law firms don’t have to keep records indefinitely, but they do need to maintain them for at least seven years after the end of the attorney-client relationship. Having a data retention policy in place can help ensure that these ethical standards are met consistently across the entirety of the practice.
- Providing Protection Against Data Loss Incidents. Having data backup and business continuity/disaster recovery solutions in place as part of a data retention policy can help to protect the firm against data loss incidents caused by cybercrime, human error, acts of nature, and other disastrous circumstances. This goes beyond protecting legal documentation needed for cases—it can also protect important billing information, payroll information, and other data needed to keep the firm’s business operations running smoothly.
These are a few of the potential benefits of having a robust data retention policy and the resources needed to make it a reality.
Data Retention Best Practices
When creating a data retention policy, it’s important to follow a few basic “best practices” to help ensure that the policy is able to comprehensively cover all of the data files that the practice needs to preserve for both client work and internal business operations.
Some common best practices include:
- Communicating Data Retention Policy Standards to All Members of the Firm. If a company has a data retention policy, but nobody knows what’s in it, does it really help? The short answer is “not really.” To help ensure that the guidelines in your policy are followed, it’s important to communicate them to everyone in the firm—from the partner lawyers, to the paralegals and even front-office staff who might come into contact with mundane documents when processing potential clients. When everyone knows what’s expected of them under the policy, your firm will have a much easier time enforcing the guidelines in it. Your firm may also benefit from creating a formal document detailing your data retention policy, its requirements for each role within the firm, tools available for following the policy, and any consequences for breaches of the retention policy.
- Use a Data Retention Policy Template. It can help to follow a set format for your data retention policy. The NYSBA has a template example of a data retention policy document that law firms can easily adapt to their needs. While it doesn’t cover every potential application and requirement for every type of legal practice in NYC, it helps by creating a baseline that you can expand upon as needed!
- Comprehensive Data Destruction Solutions. When data files are no longer needed, it’s important to dispose of them in a way that prevents their recovery by any third party who could potentially use them for malicious activity. So, acquiring a comprehensive IT asset disposition (ITAD) solution can be an important part of legal document management. While paper files can be shredded, pulped, or burned beyond any reasonable risk of reassembly, it can be surprisingly difficult to erase data from a computer’s hard drive. When a file is “deleted” from a hard drive, that doesn’t necessarily mean the information is gone. Instead, the computer simply marks the section of the drive that held the file as free, and the original bytes remain there until new data happens to be written over them. So, to protect that data from being accessed, it’s necessary to ensure that the data on the disk is actually overwritten with random data—or to physically destroy the hard drive completely to prevent data recovery.
- Secure Remote Access Solutions. Here’s a scenario to think about: A lawyer is arguing a case before the court, and while preparing their documentation, they realize that an important file is missing from their laptop that they need when making their presentation. How can you ensure that they can get this file without having to delay proceedings (possibly irritating the court officers) or making do without (potentially compromising their case)? One solution would be to allow the attorney in question remote access to a database with important case files and data so they could download it to their laptop using the courtroom’s Wi-Fi network. However, when allowing access to sensitive files remotely, it’s important to prevent unauthorized access. This is where secure remote access solutions can help.
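The data destruction practice above, as an added illustration that is not part of the original article or any vendor’s product: a small Python routine that overwrites a file in place with random bytes and forces each pass to disk before unlinking it, with the caveat a practitioner should know, namely that on SSDs and copy-on-write or journaling filesystems the rewritten blocks may not be the blocks that held the original data, which is why the article also lists physical destruction. The file name and contents are a constructed sample.

```python
import os
import secrets
import tempfile

def overwrite_in_place(path: str, passes: int = 3, chunk_size: int = 1 << 20) -> int:
    """Overwrite every byte of the file with random data, forcing each pass
    to disk. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the blocks out of the page cache
    return size

def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, truncate to zero (so the old length is not kept in the
    metadata), then unlink. Caveat: on SSDs and copy-on-write or journaling
    filesystems the new writes may land on other physical blocks, so this
    is best effort; physical destruction is the only certain disposal there."""
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    os.remove(path)
    return size

def demo() -> dict:
    """Constructed sample: a small client document in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "client_will.txt")
        original = b"LAST WILL AND TESTAMENT (constructed sample text)\n" * 64
        with open(path, "wb") as fh:
            fh.write(original)
        per_pass = overwrite_in_place(path, passes=2)
        with open(path, "rb") as fh:
            after_overwrite = fh.read()  # random bytes, same length as before
        secure_delete(path)
        return {
            "original_len": len(original),
            "bytes_per_pass": per_pass,
            "content_changed": after_overwrite != original and len(after_overwrite) == len(original),
            "file_gone": not os.path.exists(path),
        }
```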
5 Tips for Developing a Data Protection Policy for Your Legal Practice
What can you do to make your data protection policy as strong as possible for your law firm? Here are a few tips to get you started:
1. Start by Examining Existing Data Security Standards
Before creating your data protection policy document, take some time to investigate existing data security standards to get an idea for the specific kinds of protections and policies your firm will need.
Some good examples of where to start include:
- The Payment Card Industry Data Security Standard (PCI DSS). Governed by the PCI Security Standards Council (PCI SSC), this data security standard provides a specific overview of how to protect payment card information and cardholder data. Law firms can apply many of the standards listed by the PCI SSC to the protection of their clients’ financial information and other personally identifiable information.
- The European Union’s General Data Protection Regulation (GDPR). This EU law protects the data privacy of EU citizens and is applicable to any organization that collects and processes the personal data of EU citizens. The specific guidelines of GDPR can be useful for helping your firm establish data access controls that make providing clients with necessary information easier.
- The Health Insurance Portability and Accountability Act (HIPAA). While specific to the healthcare industry, the guidelines of HIPAA can be useful for establishing what a “reasonable” measure to protect data privacy and accessibility is.
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework. The NIST cybersecurity framework establishes a clear set of standards for developing organizational understanding of cybersecurity management, protecting data, detecting security incidents, responding to said incidents, and recovering from breaches. The framework also separates organizational cybersecurity management into four distinct tiers (partial implementation, risk informed, repeatable processes, and adaptive cybersecurity management) and defines each one to make it easier to see where there may be room to improve your law firm’s data protection.
These are just a few of the different data security standards that you could examine. There are many others out there that you may find helpful for creating a data protection policy.
2. Don’t Forget About Data Security in the Cloud
Remote data backups and other cloud-based solutions can be invaluable for law firms by providing easy access to software and services that would be cost-prohibitive or impractical to handle with IT assets owned by the firm. However, not all cloud solution vendors have strong cybersecurity measures in place to protect your firm’s data.
When contracting with a vendor for cloud-based services, it’s important to verify what kind of cybersecurity measures they use to prevent illicit access to your firm’s data and to avoid data loss events on their end.
3. Take an Inventory of Your IT Assets and Data
Before implementing a data security plan of any kind, it’s important to know what needs protecting. To this end, it is vital to conduct a thorough audit of your IT assets and data when setting up your security policy documents.
Without a complete audit of your data and IT assets, there may be items missing from your data protection policy—leaving them unaccounted for and more vulnerable than other assets.
4. Define Clear Roles and Responsibilities for Every Member of the Firm
Everyone from the partners in the firm to the paralegals, front office staff, and even the summer associates should have some idea of what they need to do to protect firm and client data.
So, it’s important to define clear roles and responsibilities for every member of the firm in your DPP documentation (and make sure they are communicated clearly). For example, everyone should know what kind of data they’re allowed to access, what to do if they suspect a data breach, and how to verify identities when sending replies to emails requesting protected information (to avoid potential phishing scams).
5. Review Local Legislation for Business Cybersecurity Requirements
Data security and privacy requirements may vary from one jurisdiction to the next. So, it’s important to check your firm’s local legislation for any laws pertaining to cybersecurity requirements.
Searching the local legislator’s website for key terms like data security, cybersecurity, data breach notification, and information security can be a good start. Additionally, you could contact local regulatory bodies directly to ask for information about your jurisdiction’s specific requirements.
These are just a few tips that you could follow when creating a data protection policy for your law firm. If you need help managing IT or cybersecurity for your law firm, reach out to Converged Technology Group for information and support!
Start Building a Data Retention Strategy Now!
Does your law firm need help setting up the tech required to make a top-notch data retention policy? Converged Technology Group is here to help! Our IT support for legal firms is designed to address all of your legal IT needs so you can focus on growing your practice instead of fiddling with your IT platform!
Reach out to us today to get started!