Best Practices for Secure Document Storage

Legal Document Storage Explained

Understanding legal document storage is imperative for organizations that work extensively with sensitive and private client information. The longevity, or "long arm", of legal records law refers to the fact that certain records must be kept until after a case's statute of limitations or other legal expiration date has passed. Failure to do so may theoretically lead to a subsequent lawsuit. For this reason, among others, it is essential that these documents be securely stored and protected.
Not all legal documents require long-term storage, however; only those that are legal office originals must be protected from loss, damage or theft. Copies of applications, supporting documents, evidence, transcriptions and other information do not need the same level of protection. Many legal documents must be kept by statute for many years. Original testaments should be stored in fire- and theft-proof containers and transferred to a secure but easily accessible storage location once final distribution has occurred. All documents maintained in trust, such as certificates of deposit or insurance policies, should be stored in a vault. Records that you do retain in a secure storage facility should be properly indexed for quick identification to lower retrieval charges.

Choosing the Right Storage Method

Consider the following storage options:
Physical Filing Systems
First, you can consider maintaining a physical filing system. A filing system can help you to keep your documents in the correct order. Many people still prefer paper over digital, as paper records do not suffer from server or data crashes. Furthermore, a printed document is not susceptible to hackers or malware.
The downside, however, is that maintaining a physical filing system can be time-consuming. In the event of a fire or flood, physical files are also vulnerable to damage, and large amounts of storage space may be needed to keep potentially hundreds of boxes of files.
Off-site Storage
A second option would be to put paper files in an off-site storage facility. Off-site storage facilities are often climate controlled to prevent damage to the documents. These facilities typically have high security systems to prevent unauthorized access, as well.
Some providers even offer shredding services to assist with the disposal of old files that are no longer needed. This option also allows you to minimize the number of records you keep on the premises, freeing that space for other important tasks.
Digital Storage
Digital storage options include desktop backup, external hard drives and cloud storage. The cloud is a popular choice among many companies for data storage. Cloud storage has its benefits, such as being both accessible and secure. Some cloud storage options can automatically back up your data to prevent loss.
However, the downside to cloud storage is the lack of privacy. Information uploaded to the cloud, once deleted, cannot be retrieved. Additionally, many of these cloud options do not come with insurance in case of loss, theft or damage.
Digital Documents
A fourth option is maintaining digital records. You can digitize physical files by using a scanner, then uploading the document to your computer. Digitizing documents can save money on office supplies, storage costs and even utilities. This process also saves time, as information is more easily accessible.
Not to mention, digitized documents cannot be spilled on, misplaced or damaged by natural disasters. Digital storage is also environmentally friendly, as 8.9 billion trees are cut down every single year for paper purposes.
When choosing the right storage solution for your firm, consider which options work best for you.

Security Protocols for Document Storage

The security of legal documents extends beyond backup; it gives firms peace of mind that the data contained within will be kept private and only accessed by authorized personnel. Consider physical, digital, and environmental security when storing documents. Together these help ensure compliance and avoid costly security breaches.
Cybersecurity
Document security is only as strong as its weakest link. If your firm’s information security practices are poor, your secured documents will be vulnerable to cyberattacks. Here are some key security measures:
Access control ensures that only those with the appropriate permissions can access data when they need it. Security procedures focus on the steps to verify a person’s identity, which includes:
A firm should restrict document access not only by employee title, but also by the document type itself. Access to private client records should be restricted to those employees who absolutely need to view them, such as the case manager and partner. Storing data in a digital format, which has an access control measure embedded, adds another layer of protection. Passwords, two-factor authentication, and financial transactions should have additional layers of security measures.
Environment
Physical environmental controls maintain your documents’ safety by protecting them from natural disasters and security breaches. Firms should consider storing all legal documents in a secure facility that is fortified with:
Continuous, automated data backups, along with firm-wide data security training, are essential for organizational safety.

Legal Requirements for Document Storage

A range of regulations require the secure storage of sensitive legal documents. First and foremost is the UK GDPR, which came into force as part of the data protection law framework on 1st January 2018. According to the ICO, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Beyond the general requirements for the proper storage and management of data, there are also a number of industry-specific regulations such as the (UK) Financial Services and Markets Act 2000 (Regulated Activities) Order 2001, which obliges businesses regulated by the FSA to maintain anti-money laundering records for at least five years. Similar regulations apply to businesses in the financial services sector regulated by the FCA.
To ensure compliance with regulatory requirements for the storage and management of legal documents, businesses should keep the following best practices in mind:
• Use a trusted cloud storage provider. Make sure that all data is encrypted both before and after upload. Tier 1 cloud data centres are the safest option.
• Maintain a secure password policy. Your password policy should include a minimum password length and periodic password changes. As a matter of principle, a 16-character minimum password length is considered to be effective. This presents no burden to users because almost all modern applications accept the longest key lengths without additional validation. Passwords should also be changed every 90 days, and login attempts should be limited to 3 to 5 tries before a system lockout is triggered. Users who reach their limit should have to wait 20-30 minutes before trying again.
• Encrypt data before you upload it to your cloud solution. This will not only make it impossible for any employee (or hacker) to access the document, it will also provide the data with a digital fingerprint, making it easy to locate and confirm the document’s authenticity. It is especially important to remember to encrypt documents if they contain sensitive information regarding third parties (such as confidential personal information), and/or otherwise fall within your local laws’ definition of "personal data".
• Make a backup copy of your data, and store it on an enclosed server. You should also destroy all backup copies of your data after you reach the end of your data retention period (and in accordance with your privacy notice). With superseded printouts, you should destroy copies once you have stored the data in a digital format and backed up the data properly.
• Store backup copies on an offline server. Unless there are reasons not to, all backup copies should be properly arranged. Ideally, backup copies should be stored on a server that is not networked (i.e. discretely labelled) and on a remote physical computer.
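
The length, rotation and lockout rules from the password-policy item above, expressed as code. This is an added example, not from the original article: the `Account` class and the function names are hypothetical, and the 5-attempt limit and 20-minute wait are values chosen from within the article's stated ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 16                    # article: 16-character minimum
MAX_AGE = timedelta(days=90)       # article: change every 90 days
MAX_ATTEMPTS = 5                   # article: 3 to 5 tries (assumed: upper bound)
LOCKOUT = timedelta(minutes=20)    # article: 20-30 minute wait (assumed: lower bound)


@dataclass
class Account:
    """Hypothetical per-user state; a real system keeps this server-side."""
    password_set_at: datetime
    failures: int = 0
    locked_until: Optional[datetime] = None


def password_acceptable(candidate: str) -> bool:
    """Enforce the minimum length when a password is set or changed."""
    return len(candidate) >= MIN_LENGTH


def attempt_login(acct: Account, password_ok: bool, now: datetime) -> str:
    """Return 'locked', 'denied', 'expired' or 'ok' for one login attempt."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            # Checked before the password result, so a locked account
            # gives no feedback on whether a guess was correct.
            return "locked"
        acct.locked_until, acct.failures = None, 0   # wait served, reset counter
    if not password_ok:
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = now + LOCKOUT
            return "locked"
        return "denied"
    acct.failures = 0
    if now - acct.password_set_at > MAX_AGE:
        return "expired"           # correct password, but rotation is overdue
    return "ok"
```

The lockout check runs before the password result is considered, so even a correct password is refused until the wait has elapsed.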

Retention and Destruction of Documents

One of the essential components of a document security system is a client’s document retention and disposal policy. Having a well-defined policy in place removes subjectivity and establishes certainty when making decisions about a particular document or piece of data.
I have repeatedly recommended that clients keep documents for a minimum of 5 years after a matter ends, but not all clients agree with this policy. And, in fact, court rules of a number of foreign countries require clients to keep documents for significant periods beyond 5 years. So, unless a client’s policy is different than 5 years, each client should be asked if it agrees with a 5-year retention policy. In my experience, most clients (90%+) do. But, the nature of the document will often dictate how long it is retained. Thus, as part of the implementation of the policy, clients should also designate which handling processes are required for various document types.
Firms must strike the right balance between maintaining a secure system that protects its documents for the appropriate period of time and ensuring that the system does not unnecessarily burden the firm. With careful planning, there should be little, if any, burden on the firm of maintaining a document retention and disposal policy.
Once established, the policy requires staff to manage the cleanup of files and materials without exception. Adhering to this requirement takes buy-in from both staff and management. This does not mean management dictates the terms, but rather, both management and staff discuss and define the role the policy will play in protecting both client and firm information.

Utilizing Technology for Document Storage

With the increasing demands placed on law firms, small and large alike, technology has become indispensable not only to streamline legal workflows but also as a best practice to increase returns on firm investments. For this reason, leveraging technology can be a great benefit, fundamentally changing the way you do business.
Take, for example, the case of a law firm that manages and stores work product for hundreds of clients. Even with the best of processes or policies in place, the physical documentation required to implement those policies is cumbersome and time-consuming. Consider an investigation firm collecting documents for evidence purposes; they often find themselves associating a unique document identifier to images, paperwork, or other physical documents. By associating identifiers with key metadata fields, content can be leveraged to directly manage and search for relevant data instead of relying on an intermediary. In this way, this intermediary can then revert to its intended purpose, supporting the needs of the law firm and its clients by maintaining the work product it has been assigned.
The result? Increased efficiency through the reduction of administrative time, organizational streamlining by reducing complication in procedures, and quicker accessibility to relevant data. The overall efficiency gains can add up quickly, especially for smaller firms that usually have fewer resources than larger firms. Technology helps level the playing field and improves the bottom line. Optimizing workflows and processes with technology shows law firms a return on their investment that helps both clients and the firms themselves.
