Document and File Security: Fulfilling Your Duty to Preserve

  • June 19, 2008
  • Edward Poll

The ethical duties of lawyers to their clients are paramount, and one of the most important is the responsibility to protect and preserve client property.

Chapter VIII of the Canadian Bar Association's Code of Professional Conduct, which deals with the preservation of clients' property, requires lawyers to "take the same care that a careful and prudent owner would" in safeguarding money, securities and such chattel as jewelry.

Equally important is the fact that, apart from these obvious valuables, Chapter VII defines client property to include "original documents such as wills, title deeds, minute books, licences, certificates, etc., [as well as] other papers such as clients' correspondence files, reports, invoices, etc." Such document property must be placed "in safekeeping separate and apart from the lawyer's own property" so that it can be "promptly accounted for, or delivered to, or to the order of, the client."

Know the Physical Risks

An attorney can reasonably be expected to take precautions against the likelihood of harm to client documents. But what should that entail? Take, for example, the risk of fire. If you are a lawyer in leased office space, are you or your landlord responsible for obtaining fire insurance? How about specialized coverage for earthquakes, floods and hurricanes? Is client property covered? Do you have a complete inventory of the client property you maintain? Do you know the value of the client property and files in order to effectively insure them? If you don't store client property and files offsite in a secure location, do you keep it in a locked, watertight and fireproof safe on the premises?

Every potential physical risk—from a natural disaster or terrorist attack, to a burst water pipe or an improperly wired electrical outlet—brings home the importance of file management and record security for every law firm. Make it a point to back up all computer data and store important records and documents offsite. Everything you save on the computer should be backed-up on a regular basis. This also applies to crucial paper records such as master files, time and billing records, court dates and appointments, wills, powers of attorney and corporate records.

The frequency of computer back-ups depends on how much work you produce between back-ups and how much you can afford to lose. You should store all important data and paper backups at a secure and specially designed location.

Develop a Comprehensive Plan

In most law firms, the protection and storing of paper records and electronic files are interrelated, but each involves different security and maintenance concerns. All files and data should be part of a comprehensive document management approach, which emphasizes those files and data that are most important to preserve and recover first in the event of a disaster.

For paper documents, many firms (especially larger ones) rely on outside document management and storage companies to handle archiving and security of files. This often involves the low-tech use of traditional “bankers' boxes”, but even these items should be labeled and stored according to some standardized system that is part of your document management strategy. You should store on your own database the inventory system for your file boxes, and not rely on the storage vendor. Consider moving to the use of bar codes rather than coding by hand—your storage vendor should be able to work with you to achieve this.

There are a variety of low cost technologies that allow a law office to enjoy the best of paper's advantages while reducing the record storage burden. You can, for example, image all old files and then destroy everything but original documents. Some photocopy machines allow documents to be scanned without charge if paper is not used to print the image. The scanned documents are then stored on disks that are electronically searchable. The result: storage costs are lower, documents can be found faster, security is enhanced, and the paper and paperless concepts coexist.

Electronic Security

The starting point for electronic data and file security is to really understand the technological environment in which your firm works and the way that environment is managed. The natural assumption is that technology is up to date, and that it is being properly backed up and archived. However, you need to test that assumption by asking these specific questions:

It is a given that every law firm should be backing up electronic data regularly—every day, if at all possible—and storing backup data files offsite. This site should preferably be in another city or region, to mitigate the impact of widespread disaster. It also goes without saying that you should have clear requirements for what is backed up and how often the backup procedure is done. There are, however, a variety of considerations that enter into how and by whom backup is done, in addition to concerns about how backup files are stored:

  • Do you have an accurate inventory of all the computers and software you're using? Every firm should have documentation of all installed computer programs, the computers each program is installed on, the users of each program, and the whereabouts of backup disks and instruction manuals.

  • Are you relying on proprietary, hard to replace hardware and software? If so, you may find it extremely difficult to get replacements if disaster strikes.

  • What are your service level agreements (SLAs) with your IT vendors? SLAs specify such considerations as uptime percentage, redundancy, contact points, industry best standards practices, and availability of financing for quick replacement ordering.

  • Are all your software licenses current and comprehensive? Pay careful attention to whether any licenses are site-specific (which may preclude their use at a backup recovery center), or whether there are limitations on the number of backup copies you can make. Make sure you also understand your transfer rights to a different entity (for example, a different law firm that is temporarily assisting you in restarting you practice).

  • People: Establish detailed procedures for your internal IT staff. Have multiple people trained in backup procedures and storage in case one or more key players are out sick, on vacation, or rendered incapacitated in event of a disaster. Make sure no member of your internal IT staff is taking backup files home—this can create a nightmare of security problems if a disk or laptop computer is lost or stolen.

  • Testing: You should regularly verify your backups and test your ability to restore files. Make sure the entire procedure works: physical transfer from the backup storage facility, as well as electronic transfer over the Internet. Examine data security and encryption procedures to ensure that the electronic transmittal of backup files is protected from hackers or other security breaches.

  • Storage: There are numerous practical considerations in evaluating the competency of your data storage facility beyond the requirements of their physical location:

    Make sure the storage facility is temperature and humidity controlled, and is protected against both fire and electronic contamination.

    Your data protection vendor should provide you with software that helps you to manage your storage inventory and to integrate it with the vendor's own filing system.

    Verify all performance standards of the vendor: data integrity, delivery speed, access (are they available 24/7, every day of the year?).

    Make special arrangements for rush service or other recovery considerations in the event of a disaster.

    Ensure that you can regularly visit the facility, both to make sure that it is well organized and to meet the people on whom your continuation as a firm may well depend.

Duty of Competence

Paper files and electronic files have different security challenges, but not mutually exclusive ones. This is important to remember when so many pundits assert that microfilm, digital tapes, disks, online databases and computer hard drives represent the future of information management in a law office. Hard copies of files all are or soon will be obsolete as archiving tools, according to this school of thought.

Well, paper is not dead. We seem to have more of it than ever before, and most people's emotional attachment to tactile paper will prove hard to overcome. Paper also has practical security advantages. Unlike a digital file, for example, paper cannot be imperceptibly altered.

But the real point is not whether paper or digital has the advantage for files and client records—it's that the lawyer must take all due care to preserve them. Document and file security should be conceived and carried out in the context of a comprehensive plan that addresses every aspect of technology safeguards, disaster preparedness planning, and record security. Failure to have such a plan is a failure in the overall duty to act competently in the best interests of a client. 

Edward Poll ( is a certified management consultant and coach in Los Angeles who coaches attorneys and law firms on how to deliver their services more profitably. He is the author of Attorney and Law Firm Guide to the Business of Law: Planning and Operating for Survival and Growth, 2nd ed. (ABA, 2002), Collecting Your Fee: Getting Paid from Intake to Invoice (ABA, 2003) and, most recently, Selling Your Law Practice: The Profitable Exit Strategy (LawBiz, 2005).