Law firms manage a lot of confidential and private information – and that makes secure document shredding a critical part of their information security policy. Whether documents are paper or digital, it is important to understand all the legalities around collection, storage, and destruction.
The challenge in this industry is the number of different rules that must be followed for specific document types and jurisdictions. The information security laws and standards that apply to law firms include the Sarbanes-Oxley Act, the US Patriot Act, PCI Security Standards, and the Identity Theft Penalty Enhancement Act. In addition, there are state and professional regulations to follow, as well as mandates that require companies to provide notification in the case of a personal information breach. Clients may have specific retention requirements as well, depending on the industry.
Here are 4 different types of documents that law firms collect that contain personally identifiable records and must be protected throughout their lifetime.
Case files: Case files contain a range of documents including client and witness depositions, discovery documents, correspondence, and police reports. Whether or not you can securely dispose of a case file depends on whether documents may be needed in the future. Wills and real estate transactions are examples of documents that should not be destroyed.
Financial information: How long organizations keep client credit reports, company data, and other financial records can depend on the jurisdiction. It’s important to know what you’re required to keep and for how long. Check regulations in your state and the industry. Check also if it is acceptable to scan documents into PDFs to satisfy storage requirements.
Legal information: Law firms often have a lot of old legal reference materials in storage, and they may be able to purge these files. The deciding factor is whether outdated legal materials may still be relevant to cases. Research the case law collections and legal materials available in other legal libraries. If your firm can access them, securely destroy old legal materials.
HR records: The law firm’s own HR department will have files on employees that contain private information such as performance evaluations, salary levels, and private reports. Documentation about hiring, evaluating and discharging employees should be retained for a period of time that follows all laws and company policies.
Keeping paper and digital information organized, accurate and secure is essential, and a comprehensive document management process will help. For secure storage and eventual destruction, partner with a trustworthy document management company that has a secure chain of custody, including locked security consoles, 24-hour monitored warehouses, quality customer service, security-trained professionals, and powerful industrial-grade shredding and destruction machines for paper, hard drives and e-media. For record keeping, a Certificate of Destruction should be issued after every shred.
Since up to 25% of information breaches are caused by employee error or negligence, it’s also a good idea to enforce policies including a Clean Desk Policy and a shredding policy that stipulates all documents are destroyed when no longer needed.