Make sure your firm has, and adheres to, an appropriate data retention policy.
In its code of conduct, the American Bar Association (ABA) has published general guidelines on how long attorneys should hold documents (see Model Rule 1.15, 1.16 (d) and DR 2-110 (A)(2)). Unlike most businesses, which typically retain documents for seven to 10 years, law firms have complex retention policies because of their fiduciary duty to store, manage and maintain certain types of documents, such as wills and living trusts, for specific periods of time.
The duties can also vary according to the type of law practiced and the jurisdiction where the firm operates. Above and beyond the ABA rules, for example, each state has model rules on which records to retain and for how long.
An important part of data security is carefully monitoring when documents and email may be deleted, because hackers can’t steal data that your firm no longer has. Deleting data on schedule also limits the information that may be subject to a discovery motion. Retaining information beyond what’s required can create additional risks for your firm.
Your retention policy should also follow best practices about data storage. Sensitive data should never be transferred onto thumb drives, which someone can easily drop in their pocket and walk out the door. Nor should it be kept on the hard drives of attorneys’ individual PCs. Rather, sensitive data should be stored only on secure servers at the firm or your vendor.