Human error is the biggest known cause of data breaches across all business sectors, according to research. Accidental loss, misplacement and damage of documents can have catastrophic results for the legal profession, so secure data storage is essential.
The Information Commissioner's Office (ICO) found that the legal sector was responsible for 8% of the 3,263 data incidents reported in the last quarter of 2018-19.
Aside from 'other non-cyber' incidents, the most common cause of a data breach was data posted or faxed to the incorrect recipient, accounting for 16% of cases. Next was data emailed to the incorrect recipient, at 12%.
Sarah Coates-Madden, Dispute Resolution Solicitor at Bhayani Law said: "Confidentiality is one of the key duties that solicitors owe to their clients. It is bigger than GDPR and has been around for much longer."
"In my experience, most solicitors take this very seriously, as not only does it affect their clients, it affects their own professional reputation and credibility, and that of their firm."
What are the consequences of data breaches?
Losing sensitive records puts law firms at risk of breaching GDPR - the latest data protection regulations - and receiving a fine of up to 20 million Euros (£17.7 million) or 4% of turnover.
Sarah added: "The documents might contain very personal medical information or financial information that the client doesn't want disclosed to others.
"The documents might be commercially sensitive and could fall into the wrong hands, causing damage to the client's business."
Lost files could also compromise court cases if the client needed the records to prove their position.
Sarah: "The firms I've worked for have always treated confidentiality as a priority and have become increasingly stringent about training and policies on, say, the careful use of email and the practice of taking files out of the office, to reduce the likelihood of accidental breaches."
"I think the most important thing is that firms learn from mistakes and put measures in place to prevent the same thing happening again."
What documents do law firms need to store?
To comply with GDPR requirements, law firms should keep any client records in a secure storage environment. Firms must get their client's consent before storing the files. They should also inform clients about how long the documents will be stored for and what will happen to them once the time requirement has expired.
Client documents can include, but are not limited to:
- copies of documents provided by the client to prove their identity
- correspondence between the client and the solicitor
- correspondence between the solicitor and the opposition/experts/agents/barristers/the court or tribunal
- any relevant deeds
- leases (either copies or originals)
- any documentary evidence that might be relevant such as the client's photographs, letters and emails (electronic or hard copies)
Sarah continued: "Law firms will usually have client care letters or 'terms of business' documents which explain that their data will be stored by the firm. Firms should not be keeping personal data longer than needed and should periodically review and erase it."
How should documents be stored?
Without an organised system in place, it's easy for files to be mishandled. Heaps of paper take up office space and make finding the records difficult and time-consuming.
Sarah added: "Despite most firms having clear policies and procedures about the use of client's information and give staff training, accidents unfortunately happen."
Although storing files online is convenient, there are certain drawbacks to only keeping digital versions of court documents.
"In court proceedings, an original document will always be preferred as evidence over a copy or scanned version." said Sarah.
"In an ideal world, from the court's point of view, a physical copy of everything should be kept. There are also practical issues of being able to retrieve them in the future if technology changes or fails."
However, if you have limited space for what physical copies you can store, Sarah suggests prioritising:
- house deeds (where a property is still unregistered)
- other agreements
- original scale plans
- other documents with original signatures
Companies choosing to keep sensitive data online need the correct software and up-to-date technology to avoid falling victim to cyber-crime.
Jonathan Richardson, managing director at secure archiving specialist Russell Richardson said: "Law firms storing files online need to be aware of the different fraudulent methods that they could be susceptible to. Any staff with access to the documents must also have data security training."
Research from 2017 found that 43% of law firms were moving to a cloud provider, but 44% had experienced an attempted cyber-attack over the year.
Jonathan continued: "Storing records in a secure archiving facility might be more suitable for firms without the required time or knowledge on how to protect online files from cyber-crime."
Archiving facilities constantly monitor records using CCTV and limit access to security-checked staff members only.
"An off-site storage facility can increase productivity because it allows the solicitors to focus on client services and any other usual duties, instead of following a time-consuming document management method." Jonathan said.
Documents can easily be retrieved from a storage facility and for enhanced security, a scanning system logs when they are moved or retrieved by staff.
How long should documents be stored?
Firms have a range of time requirements to consider when managing records.
Sarah said: "The standard limitation period in most cases is six years but some files may need to be kept longer. For example, it may be better for a file for the purchase of land to be kept for 12 years, because the limitation period for some claims in relation to land is 12 years."
Any original records provided by clients such as passports and other identification documents should be returned to them as soon as possible.
"Some types of matters might have more claims likely to arise outside of the usual six years. For example, in connection with a possible personal injury claim by a minor (minors have up to three years from turning 18 to bring a claim)." Sarah continued.
Until the limitation period has passed under the Limitation Act 1980 for clients to make a claim against the firm for negligence or breach of contract, all relevant files should be kept.
The Money Laundering Regulations, mortgage lender requirements and any other exceptional circumstances may warrant keeping files longer than usual.
Sarah said: "I can't think of anything we would dispose of immediately after use unless we had undertaken, as part of a settlement or other agreement, to destroy a document or item."
"And if we had perhaps inadvertently been sent something by another party in error and they asked us to destroy it."
Once the files have been preserved for the required amount of time, they must be destroyed effectively.
Jonathan added: "Documents can't just be thrown away. They must be shredded so that they are unrecognisable. Otherwise, the law firm could become victim to 'dumpster diving', where criminals search through bins for valuable information."
Law firms have a big responsibility to protect their client's data as well as the company from litigation and fines. Creating a secure storage process protects sensitive documents from human error, theft and online fraud. Using an off-site archiving service also clears space, allowing businesses to operate more efficiently.