
Data exposure resulting from a cyber or privacy breach is a critical risk that requires rigorous and proactive management.

Law firms handle a vast amount of sensitive client information, making them prime targets for cyber-attacks. Protecting client data is paramount. An effective control in managing this risk is the deidentification or deletion of data once it is no longer required.

In February 2024, the Victoria Legal Services Board + Commissioner (VLSB+C) introduced their Minimum Cybersecurity Expectations, outlining how law firms were to retain electronic files and data beyond the minimum required period.

The impact of the Minimum Cybersecurity Expectations is that law firms should no longer hold onto client data indefinitely without adequate reason. This reflects the Australian Privacy Principles and issues raised by the Privacy Act Review.

The Australian Privacy Principles (APPs) under the Privacy Act, particularly APP 11, mandate that entities take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

When personal information is no longer needed, it must be destroyed or de-identified. The 2023 Privacy Act Review Report proposes significant changes to enhance data retention and deletion practices, aiming to foster a culture where personal information is deleted once it is no longer required.

The Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015 (Rule 14.2) allows solicitors to destroy client documents after seven years, unless there are client instructions or legal obligations to the contrary. In cases where the possibility of litigation may extend beyond the seven years, longer retention periods may be necessary.

The VLSB+C Expectations stipulate that law practices should review client files and data regularly (they recommend every two years) to determine whether it is necessary or advisable to retain the files or data beyond the minimum required period. Retaining client files indefinitely without good reason may be deemed unprofessional conduct or professional misconduct.

Create or update your data retention and deletion policy

Establish and document minimum and maximum retention periods for all types of client data and records. Clearly specify time periods in your data retention and deletion policy. For example, some files may be designated for deletion after seven years, while others may need to be kept longer than seven years, such as wills and binding financial agreements. Justify the retention duration for specific types of client data.

Implement a regular review schedule

Set up a regular review cycle, such as every two years, to assess whether retained files are still necessary. Regular reviews ensure compliance with VLSB+C Expectations and mitigate the risk of data being retained unnecessarily.

Obtain client consent and instructions

Document client instructions regarding the retention or destruction of their documents. Respect client preferences unless overriding legal obligations exist. Where possible, reduce the firm's exposure by giving a copy of the information to the client and then deleting the data. One possibility might be to return a binding child support agreement once the youngest child reaches 19 years of age.

Automated notification processes

Use software solutions that notify the firm when data reaches the end of its retention period. Automation reduces human error and assists in compliance with regulatory requirements.

Secure data disposal

Ensure data disposal methods are secure and irreversible by using digital shredding software or certified data destruction services. This is crucial for protecting against unauthorised access or data breaches. Ensure that copies or backups are also securely deleted. If you use a practice management system with online data storage capabilities, ensure that your solution provider truly deletes – and not just archives – the data when you delete it from your account.

Detailed documentation and tracking

Maintain comprehensive logs of data retention and destruction activities. Documentation should include what data was deleted, when and by whom. This provides an audit trail for compliance purposes.

Regular training and awareness

Conduct regular training sessions for staff on data retention policies, cybersecurity best practices and the importance of data privacy. Informed staff can help prevent inadvertent breaches or non-compliance.

Appoint a compliance officer

Designate a member of the firm as the data compliance officer. This individual should monitor and stay updated on changes in legal and regulatory requirements regarding data retention and destruction. Ensure policies and procedures are adjusted accordingly to maintain compliance.

Law firms should review and update their data retention and deletion policies immediately to ensure that they are compliant with the VLSB+C Minimum Cybersecurity Expectations. By embracing proactive risk management, law firms are better placed to maintain client trust, uphold legal and ethical standards, and help minimise the risk of sensitive data being exposed in the event of a data breach.

  • Review and update your policies to reflect the VLSB+C Minimum Cybersecurity Expectations and other applicable regulatory requirements.
  • Allocate a retention period to each type of client data and record the reasons for that period.
  • Establish a procedure for regular data reviews to ensure compliance and appoint a staff member to administer the process.