How To Start Drafting an Electronic Document Retention Policy
I suspect more than a few law firms, particularly in the solo/small firm space, have yet to take the necessary time to draft and write up a well-thought-out Electronic Document Retention and Destruction policy. It really is an easy task to overlook, if for no other reason than the low cost of digital storage space that makes it so easy to view that automatic backup process as the de facto plan by default. However, a de facto plan of “keeping everything forever” has consequences. Here are just a few that immediately come to mind:
In contrast to the paper world, it’s too easy to copy, forward, and download e-documents, which makes document control ever harder as e-document storage grows in size. Lawyers are to prevent unauthorized access to information relating to the representation of a client, which means the more digital data you keep, the more you stand to lose should a cyber breach ever occur. Potential conflict problems can arise as a result of maintaining and thus having access to confidential information on all past clients. And finally, as the sheer volume of any long-term digital storage space continues to grow over the years, finding and retrieving specific e-documents becomes ever more cumbersome.
If you count yourself a member of the group that could benefit from moving away from a de facto keep everything plan, I offer the following considerations as part of the process of drafting an electronic document retention policy. You will need to:
- Identify the types of data and e-documents you receive, use, and store and then determine what you want to keep long-term and what you don’t. Think about all aspects of your business to include payroll, bank accounts, client files, email accounts, employment records, etc.
- Establish retention schedules for each type of document or data set.
- Standardize file naming and storage protocols and define long-term storage formats keeping in mind that you will need to be able to access the data years down the road and have the ability to provide client data to any client who asks in a useable format for them.
- Follow statutes or rules regarding required record retention for various types of records such as employment records, trust account records, or business records.
- Involve a person trained in computer technology from the outset so that you know what data is being stored and where. Heaven forbid that files only stored on mobile or home-based devices get overlooked.
- Know the physical limitations of your network and equipment. For example, can your system’s memory accommodate the retention policy and the necessary applications to implement it? You may need to consider a cloud-based storage solution or invest in additional hardware.
- Make sure the policy is litigation neutral. There should be no distinction or exception in the policy as to the treatment of documents that may be helpful or damaging in some future claim.
- Identify the method by which the electronic document retention policy is to be monitored and enforced. For example, you might establish a system of random checks of a limited number of computers and mobile devices in order to monitor attorney and staff compliance.
- Include provisions for updating procedures when you upgrade hardware or purchase additional technologies (e.g. purchasing tablets for the first time).
- Establish procedures that are forward-looking and include provisions that focus on business continuity planning given that power outages, cybercrime, floods, and fires happen.
- Address when and how data is to be destroyed when retention periods have been reached or when updating servers, computers, mobile devices, and the like.
- Establish procedures that include a provision for excluding from destruction documents that are relevant or may be potentially relevant to claims, accidents, complaints, or other events that could lead to litigation in the future.
- Establish a closed client file folder so all closed digital files can be stored in one location by destruction date.
- Establish a backup process for all active and closed digital files.
- Ensure that all firm members and staff know about the policy and understand it. Make certain all are aware of the legal ramifications of destroying or overwriting information if the firm is ever involved in or has notice of a lawsuit, audit, or investigation. Most importantly, include a provision that ensures that appropriate staff and attorneys are properly and timely notified of any notice of claim, investigation, audit, or lawsuit in order to avoid spoliation or accidental destruction of electronic evidence.
- And finally, keep records that document the design, development, implementation, and enforcement of the policy.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 550 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.