File Retention Is a Cybersecurity Issue

I wonder sometimes if lawyers think file retention and document management policies and procedures are old-fashioned practice management notions that lawyers don’t really need to worry about anymore, especially in paperless offices where electronic storage is cheap. Out of sight is out of mind. It is certainly a policy and procedure that gets put off in favor of more urgent demands. Some law offices have continued the tradition of many small firm practitioners of simply keeping everything under the sun for the life of the firm and not worrying about it until the very end.

That’s definitely an old-fashioned way of dealing with the issue, and it doesn’t address the cybersecurity risk and data privacy issues raised by unrestricted retention. As a cybersecurity expert said recently, “If you don’t have it, they can’t hack, encrypt, ransom or plunder it.” The General Data Protection Regulation (GDPR), effective in the EU in May 2018 and arguably applicable to any firm marketing to and/or serving clients in the EU, as well as various new and old U.S. state laws with similar data privacy requirements, lend weight to that argument. The rule of thumb, in the most general sense, is to keep only what you need, only for as long as you need it, and get rid of it securely as soon as you don’t need it. (This is, of course, a wild oversimplification of data privacy rules and the GDPR, covering only one aspect of them, and not to be taken as the only obligations those rules impose.)

The question then becomes: how can a law firm reduce risk and comply with these many rules, as well as the ethical obligation to protect client confidences? It can implement and improve its document retention policy. A healthy firm file retention policy and file-closing procedure commonly looks something like this:

  • We keep IOLTA records for five years because applicable Rules of Professional Conduct require it. (Check state rules because they vary, but many states require retaining IOLTA records for five or seven years).
  • For client files, we have set retention periods for certain types of cases or clients. We keep most types of files for seven years. For minor clients, we keep the file until the client reaches the age of majority plus three years, to account for statutes of limitations. We have a “weird file exception” that applies when the managing partner decides a case or client is concerning and needs to be kept longer.
  • After a client gets a result, we notify the client of the result in a letter, reminding them of future actions they will want or need to take, and that we are closing their file. We return all originals to clients. We give clients a copy of the file when requested.
  • We cull the file of duplicates and anything that isn’t part of the file. (The policy should enumerate the typical things that need to be retained, and those that do not, after a file is closed.)
  • We shred or permanently delete private information we culled.
  • If the firm keeps paper, we store the paper file in X locked cabinet(s) in Y order (for example, by file number or alphabetically by client’s last name).
  • If the firm is paperless or less-paper, we scan the file, review the scan for accuracy, and shred the paper version only once the scan is verified. An important part of the policy is determining where the electronic version is kept, so that it stays backed up and uncorrupted but also secure and inaccessible to hackers. Some firms store it on systems unconnected to the internet. Others store it in the cloud after careful vetting and ongoing monitoring of the cloud vendor.
  • On the destruction date, we review the file one more time, then we shred or permanently delete the file. Review of a file before destruction should be supervised by lawyers, but shredding old files is a good job for a temporary worker or summer intern.
  • We wipe clean all laptops, scanners, printers, and other devices on which data can be stored before we dispose of them.
  • We notify clients of our data retention policy at the beginning and end of representation. Our notification includes information about how to get a copy of their file and how we store electronic data and keep it secure.

Give your policy (or non-policy) a checkup, using these generalized parameters along with your own state ethics rules and data privacy rules. Finish with the ever-important question: “Is the policy being followed?” The best policy in the world is for naught if it isn’t applied. Then get to work honing and “shredding,” both physically and electronically. #ShredOldFiles!

About the Author

Charity Anastasio is a practice management advisor for the American Immigration Lawyers Association. Charity is in leadership at the ABA Law Practice Division and spoke at the ABA TECHSHOW 2019 (and will again in 2020). Find her on Twitter @charityanas.