John Kunzler
Managing Director, Risk and Error Management, Marsh UK
Victoria Prescott
Senior Vice President, Risk and Error Management, Marsh UK
Storing and transferring both paper and digital data and records can present risks to law firms if not managed properly.
The transition from hard copy files to electronic records is a significant step for law firms, one that can enhance efficiency and accessibility and ensure compliance with legal and regulatory requirements. Below are key considerations to keep in mind during this process, particularly regarding file retention and server considerations.
1. Regulatory requirements
Firms should appreciate the minimum regulatory requirements; for example, anti-money laundering (AML) requirements prescribe periods for record retention:
Your responsibilities under money laundering supervision - GOV.UK (www.gov.uk)
2. File retention periods
Under the Latent Damage Act, liability can extend beyond the standard six years to a maximum of 15 years. Some claims may arise within this timeframe, and it is prudent to retain relevant documents. You can consider different retention policies dependent on practice area, as some areas run a greater risk of claims arising outside the normal six-year primary limitation period.
Special cases: For files involving minors or trusts, longer retention periods may be warranted. Similarly, liability under a deed is typically 12 years, making a 15-year retention period for such files reasonable. Also, there may, theoretically, be a risk of extended limitation periods under the Building Safety Act 2022 (15 to 30 years, depending on when the cause of action arose). Claims under the Civil Liability (Contribution) Act 1978 may be possible against clients, or even the firm, for up to two years after a judgment on historic matters, although it is unlikely that a direct claim would be made, and there might be challenges.
Industry standards: While HMRC suggests a standard limitation of six years plus one (total of seven years), some law firms opt for longer retention periods, such as 16 years, to cover different limitation arguments. The Law Society provides guidance on specific practice areas, for example, its guidance on file management when closing:
File closure management | The Law Society
3. Original documents
Original documents must be treated with utmost care and consideration. Unless explicitly stated otherwise in the retainer agreement or agreed upon with the client, it is essential that original documents are returned to the client. Additionally, it is important to obtain confirmation of receipt from the client, ensuring there is a clear and comprehensive record of all items returned.
4. Data minimisation and justification
Minimum necessary data: Only retain personal data that is essential for the firm’s operations. This aligns with data protection principles and reduces the risk of unnecessary exposure.
5. Security considerations
Data security standards: The security measures applied to retained data must meet or exceed the standards of current systems. Legacy data stored on outdated servers or software may be vulnerable to breaches.
Access control: Ensure that retained data is kept offline from other systems and is not accessible to current users without proper authorisation. Implement a formal process for access requests, requiring appropriate sign-off.
Learning from incidents: The case of Tuckers, which faced a fine due to a data breach involving legacy data, underscores the importance of robust security measures. The Information Commissioner’s Office (ICO) highlighted the firm’s failure to implement basic security protocols, including multi-factor authentication (MFA), patch management, and encryption of personal data, which are all part of the 12 key cyber controls.
6. Costs of storage
Initial setup costs: Assess the costs associated with acquiring the necessary hardware and software for electronic storage, including servers, cloud storage solutions, and document management systems. Factor in the costs of scanning hard copy documents and converting them into electronic formats.
Ongoing storage costs: Evaluate the costs associated with different storage options. Cloud storage may offer scalability and flexibility, but ongoing subscription fees can accumulate. On-premises storage may require significant upfront investment, but could lead to lower long-term costs. Consider the costs of maintaining and upgrading storage systems, including software updates and technical support.
Data management costs: Implementing a document management system (DMS) can streamline file retrieval and management, but may involve licensing fees and training costs for staff. Ensure that robust backup solutions are in place to protect against data loss, which may involve additional costs for backup software or cloud services.
Compliance and security costs: Allocate budget for compliance-related expenses, such as audits, legal consultations, and training on data protection regulations. Invest in security solutions to protect stored data, including encryption and intrusion detection systems.
Scalability and future costs: Plan for future growth and the potential increase in storage needs. Choose scalable solutions that can accommodate expanding data without incurring excessive costs. Regularly review storage costs and usage to identify opportunities for optimisation.
7. Implementation of best practices
Regular audits: Conduct regular audits of data retention and security practices to ensure compliance with legal requirements and industry standards.
Training and awareness: Provide training for staff on data protection, retention policies, and security measures to foster a culture of compliance and vigilance.
If you have questions about data and records storage and transfer, please contact your Marsh representative.
Nam Qureshi, Vice President, UK FINPRO, Marsh
MARSH
3rd Floor, 45 Church Street, Birmingham, B3 2RT
T: +44 (0) 121 626 7909
M: +44 (0) 7825 100 997