Cyber risk: Is your data retention policy helping or hurting?

By Mark Lanterman

This past June, several U.S. law enforcement agencies were the victims of a large-scale data breach resulting in 296 GB of data being stolen. The National Fusion Center Association stated that “dates of the files in the leak actually span nearly 24 years—from August 1996 through June 19, 2020.” The statement went on to say that personally identifying information was leaked along with other types of files.[1] The incident was an act of hacktivism and purportedly sought to reveal internal government workings to the public, including details relating to its COVID-19 response.

This incident reveals a critical piece of cybersecurity strategy that sometimes gets overlooked—the value of data retention policies. A data retention policy outlines what types of data are actively being stored, how long that data should be stored, and how it should be destroyed or relocated at the end of that time. Part of the severity of this attack stems from the fact that these agencies were retaining so much old data—data that should have been periodically audited and reviewed. While data is a critical asset, retaining only what is absolutely necessary limits what a breach can expose.

Within the legal community, attorneys are held to a high standard when it comes to protecting client data. And one size does not fit all: It’s complicated knowing when it is appropriate to discard old client files, especially given ethical requirements and the possibility you’ll need certain case files in the future. Depending on the jurisdiction, retention policies—and the length of time attorneys are required to hold on to files—may vary. Furthermore, different types of cases and circumstances require different approaches to file retention. A records retention schedule may spark fears that files will be deleted or discarded before it’s appropriate to do so. But law firms are also likely to run the risk of holding on to more information than necessary, and for an indefinite period of time.

Creating a legally sound records retention and destruction policy better protects clients from having their information compromised. Essentially, the less data a law firm houses on its servers (or in its storerooms, in the case of paper copies), the better able it is to manage and secure that data. Communicating the records retention policy to clients helps to protect against prematurely deleting client information. The File Retention booklet distributed by Minnesota Lawyers Mutual recommends that a letter notifying the client be sent prior to the file’s scheduled deletion or destruction date: “The letter should tell the client they are welcome to pick up their file, in its entirety, before a certain date and that failure to do so will result in the file being destroyed. It is also a good practice to include a ‘consent to destroy’ form.”[2] This measure provides an added layer of caution in executing a firm’s data retention policy while still working to minimize the amount of data that a firm retains on behalf of its clients.

It should also be noted that the digital destruction of files is more complex than pressing the ‘delete’ button. Best practices should be followed in forensically destroying data, and any files that are deleted should be recorded for future reference. 
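The two points above, that files past their retention date should be destroyed rather than merely deleted and that every destruction should be recorded, can be put into one small tool. The following script is an added example and not part of the original column or of any product it mentions. It assumes a flat directory of client files, measures retention from each file's last-modified time, treats a sibling marker file named `<name>.hold` as "consent to destroy not yet received" (the constructed stand-in for the consent form the column describes), writes a JSON-lines destruction log with the file's path, size, SHA-256 and timestamps, and then overwrites and unlinks the file. The seven-year retention period and the sample files are constructed values for the demonstration.

```python
"""Retention sweep with a destruction record (added example, not from the column).

Assumptions (constructed for this example): files live in one directory,
retention is counted from last-modified time, and a sibling file named
<name>.hold means the client has not yet returned a consent-to-destroy form,
so the file is skipped.
"""
import hashlib
import json
import os
import tempfile
import time
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import List, Optional

RETENTION_DAYS = 7 * 365  # constructed policy value; the real period depends on jurisdiction


@dataclass
class DestructionRecord:
    path: str
    size_bytes: int
    sha256: str
    last_modified: str  # ISO-8601, UTC
    destroyed_at: str   # ISO-8601, UTC


def _iso(ts: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def sha256_file(path: Path) -> str:
    """Hash the content before destruction so the record can later prove what was removed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_on_hold(path: Path) -> bool:
    return path.with_name(path.name + ".hold").exists()


def find_expired(root: Path, retention_days: int, now: Optional[float] = None) -> List[Path]:
    """Return files whose last-modified time is older than the retention period and that are not on hold."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    expired = []
    for p in sorted(root.iterdir()):
        if not p.is_file() or p.suffix == ".hold":
            continue
        if p.stat().st_mtime < cutoff and not is_on_hold(p):
            expired.append(p)
    return expired


def destroy_file(path: Path) -> None:
    """Overwrite in place, fsync, then unlink.

    The overwrite only helps where the filesystem rewrites blocks in place (a
    spinning disk with ext4, say). On SSDs, copy-on-write filesystems, snapshots
    and cloud storage the old blocks may survive, and destruction means
    crypto-erase or destroying the key or media; the record below still applies.
    """
    remaining = path.stat().st_size
    with path.open("r+b") as f:
        while remaining:
            n = min(remaining, 1 << 16)
            f.write(os.urandom(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    path.unlink()


def destroy_with_record(paths: List[Path], log_path: Path, now: Optional[float] = None) -> List[DestructionRecord]:
    """Capture metadata, destroy, then append one JSON line per file to the destruction log."""
    records = []
    with log_path.open("a", encoding="utf-8") as log:
        for p in paths:
            st = p.stat()
            digest = sha256_file(p)  # must be computed before the content is gone
            destroy_file(p)
            rec = DestructionRecord(str(p), st.st_size, digest, _iso(st.st_mtime),
                                    _iso(time.time() if now is None else now))
            log.write(json.dumps(asdict(rec)) + "\n")
            records.append(rec)
    return records


def run_demo() -> dict:
    """Build three constructed sample files in a temp dir and run the sweep over them."""
    tmp = Path(tempfile.mkdtemp(prefix="retention-demo-"))
    now = time.time()
    ten_years_ago = now - 10 * 365 * 86400
    samples = [("closed-matter-2009.pdf", ten_years_ago),       # expired, destroyed
               ("closed-matter-2010-held.pdf", ten_years_ago),  # expired but on hold, kept
               ("active-matter.pdf", now - 30 * 86400)]         # within retention, kept
    for name, mtime in samples:
        f = tmp / name
        f.write_bytes(b"constructed sample content for " + name.encode())
        os.utime(f, (mtime, mtime))
    (tmp / "closed-matter-2010-held.pdf.hold").write_text("consent to destroy not yet received\n")
    log = tmp / "destruction-log.jsonl"
    expired = find_expired(tmp, RETENTION_DAYS, now)
    records = destroy_with_record(expired, log, now)
    return {"expired": [p.name for p in expired],
            "remaining": sorted(p.name for p in tmp.iterdir()),
            "records": [asdict(r) for r in records],
            "log_lines": log.read_text().count("\n")}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script destroys only `closed-matter-2009.pdf`; the held file and the active matter remain, and the log holds one record with the hash and size of what was removed. Keeping that log outside the directory being swept, and under the same access controls as the client files themselves, is what turns the deletion into the "recorded for future reference" step the column calls for.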

While regularly reviewing stored data and creating a record retention policy is important in mitigating the risks associated with data breaches, it remains true that firms are often required to store large amounts of data even for cases that have closed. The key steps in creating a cybersecurity culture focused on protecting client data include: access controls to sensitive data; encryption; and employee education and training about social engineering and the threats associated with the Internet of Things. Appropriate physical security measures should be enacted to best secure physical files and storerooms. While data is a critical asset in any organization, the legal community is especially tasked with safeguarding its data and managing it with the utmost care. Implementing a data retention policy is an important part of that effort. 

[1] https://thehackernews.com/2020/06/law-enforcement-data-breach.htm
[2] https://www.mlmins.com/Library/File%20Retention%20Booklet.pdf

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.