October 26, 2017
Law firms manage a lot of confidential and private information – and that makes secure document shredding a critical part of their information security policy.
But while it is a good business practice to destroy client information when it is no longer needed, it’s also the law. Whether documents are paper or digital, it is important to understand all the legalities around collection, storage, and destruction.
The challenge in this sector is all the different rules that must be followed for specific document types and jurisdictions.
The information security laws and standards that apply to law firms include the Sarbanes-Oxley Act, the U.S. Patriot Act, Payment Card Industry (PCI) Security Standards, and the Identity Theft Penalty Enhancement Act.
There are also state and professional regulations as well as compliance mandates requiring companies to provide notification if a breach of personal information occurs.
Clients may have specific retention requirements too.
Here are the different types of documents that law firms collect that contain personally identifiable records and must be protected throughout their lifetime.
Case files: Case files contain a range of documents including client and witness depositions, discovery documents, correspondence, and police reports. Whether or not you can securely dispose of a case file depends on whether documents may be needed in the future. Wills and real estate transactions are examples of documents that should not be destroyed.
Financial information: How long organizations keep client credit reports, company data, and other financial records can depend on the jurisdiction. It’s important to know what you’re required to keep and for how long. Check regulations in your state and the industry. Check also if it is acceptable to scan documents into PDFs to satisfy storage requirements.
Legal information: Law firms often have a lot of old legal reference materials in storage. But firms may be able to purge files. The deciding factor is whether outdated legal materials may still be relevant to cases. Research case law collections of legal materials in other legal libraries. If your firm can access them, securely destroy old legal materials.
HR records: The law firm’s own HR department will have files on employees that contain private information such as performance evaluations, salary levels, and private reports. Documentation about hiring, evaluating and discharging employees should be retained for a period of time.
Keeping paper and digital information organized, accurate and secure is the key – and a comprehensive document management process will help. Track every stage of the information cycle from generation and storage to the document destruction process.
For secure destruction, partner with a trustworthy document destruction company that has a secure chain of custody, including locked security consoles, security-trained professionals, and powerful industrial-grade shredding and destruction machines for paper, hard drives, and e-media, and that, for record keeping, issues a Certificate of Destruction after every shred.
Since up to 25% of information breaches are caused by employee error or negligence, it’s a good idea to embed policies including a Clean Desk Policy and a Shred-it All Policy that stipulates all documents are destroyed when no longer needed.