Category: Records Management and Retention

Proper Destruction of Client Files

PA has long required that client files be disposed of in a manner which preserves confidentiality. That means shredding or burning. Many attorneys don’t like that answer when they contact me for guidance.

Now we can add Federal law to the mix. On June 1, 2005, the Federal Trade Commission published in the Federal Register [69 Fed. Reg.6901] the Disposal Rule under the Fair Credit Reporting Act FACTA

In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, this federal rule requires businesses to take appropriate measures to dispose of sensitive information held in records.

The Disposal Rule applies to:
· Consumer reporting companies
· Lenders
· Employers
· Landlords
· Government agencies
· Mortgage brokers
· Automobile dealers
· Attorneys or private investigators
· Debt collectors
· Individuals who obtain a credit report on prospective nannies, contractors, or tenants
· Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule.

What is ‘proper’ disposal?
The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

· Burn, pulverize, or shred papers so that the information cannot be read or reconstructed;

· Destroy or erase electronic files or media containing information so that the information cannot be read or reconstructed;

· Conduct due diligence and hire a document destruction contractor to dispose of material .

Due diligence could include:

o Reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;

o Obtaining information about the disposal company from several references;

o Requiring that the disposal company be certified by a recognized trade association;

o Reviewing and evaluating the disposal company’s information security policies or procedures.

My appreciation to J.R. Phelps, my counterpart at the Florida Bar Association, for passing along this information.


To return to the main page of the blog, click here. To return to the blog Index, click here.

E-Discovery Amendments to Federal Rules of Civil Procedure

I have been passing along articles as I find them to PA Bar Association members and private clients. I believe those of you who are loyal subscribers should also have access to the materials that cross my desk.

Most recently I’ve come across an article by Michael Gifford on the web site of Howard & Howard. Also, an article in PDF on the web site of Foley & Lardner.

You can read full details and always see the latest and greatest rules at the U.S. Courts Federal Rulemaking site. This site provides access to the national and local rules currently in effect in the federal courts, as well as background information on the federal rules and the rulemaking process.

You may want to check out the K&L Gates electronic discovery law Blog.

Finally (for now) you may want to check out an article written by Willow Grove, Montgomery County, PA attorney Howard J. Bashman entitled Commentary: What Do the Federal Appellate Procedure Rule Changes Mean for You? which appeared on


To return to the main page of the blog, click here. To return to the blog Index, click here.

The Client’s File

I am frequently contacted through the PBA Hot Line by attorneys who want to know what constitutes a client file. Specifically, this query occurs when they are asked by the client to release a file to another attorney. Issues such as retaining liens, charging liens, charging the client for duplicating, and what specifically constitutes the file are frequent topics of discussion. And I must say that attorneys rarely agree with what I have to say. I often wonder why they bother to call when all they really want is confirmation of what they want to do; they seem to always want to disregard anything which is not in total agreement with their way of thinking. Often I refer them on to the Ethics Hotline at the Bar Association, with the hope they will argue less and listen more to that source.

The simple fact is that the client owns their file. And that includes all the writings, including your work product, found in the file. Culling is not permissible before releasing the file. I had one attorney respond in dismay, “Oh my God, I have handwritten notes in there saying I thought the client was a nut case! Surely you can’t mean that can’t be removed from the file?” Well, technically, no it can’t.

What about if the client hasn’t paid the bill? Well, in PA you can indeed have a retaining lien against the file. But if retaining the file will cause serious prejudice against the client, you must release it. You also can’t hold onto any part of the client’s file which the client has paid for. So for example, if the client paid for a corporate kit, although that is considered part of the file, and in fact may be the part that provides you with some leverage in getting your bills paid, you cannot hold it despite other outstanding bills.

What if you’re absolutely sure that the client has every meaningful paper in the file already, because you have a copy of the transmittal letters sending them. Must you still turn over the file? Yes.

What if you’re relatively sure that the client is transferring the file to another attorney because of unhappiness with your representation, and further you are afraid it may result in a malpractice action; can you charge to make a duplicate copy of the file to retain to protect yourself? No.

If you have a hard copy of every single email and document in the file, must you turn over an electronic copy as well if it exists? Yes! Electronic records are considered a part of the file. Absent a consistent records management policy which compels and directs the firm to destroy electronic copies consistently for valid business reasons — with communication to the client so as to develop realistic expectations — the firm must turn over electronic records as well. See a recent New Hampshire Bar Association Ethics Opinion 2005-06/3 on the subject.

Law firms need to figure out what tools they will utilize to quickly identify client documents maintained on their computer system — emails, spreadsheets, PDFs, etc — and how they will in turn deliver them in an electronic format. And further, law firms need to be careful about what becomes part of the client’s file which might eventually be an embarrassment to the firm if seen by the client.


To return to the main page of the blog, click here. To return to the blog Index, click here.

EDDs Impact on Records Management Policies

Electronic Data Discovery isn’t just a topic for trial attorneys. It has a profound impact on law firm records management and retention policies. And it has an equally profound impact on your clients. If you don’t “get it” you will not adequately protect your firm. And you are definately missing opportunities to serve your clients.

What are we talking about here? We’re talking about having a well-developed and scrupulously followed policy which covers retention and destruction of both paper and electronic documents, from email to memos, financial information, correspondence, and everything in between. Sloppy habits in following a policy, documenting actions, or having no policy at all, may result in huge jury verdicts against your firm or your client.

Of course I’m referring to Zubalake I, up through the recent April, 2005 verdict of $29.3 million. I’ve lost track, was this Zubalake IV, V, or VI? Again in May, 2005, a jury awarded Coleman Holdings $1.45 billion (yes, that’s billion, not million) against Morgan Stanley, because Morgan Stanley had improperly destroyed emails.

I am still astounded at the number of law firms which do not have any records management and destruction policy in place. Not even a bad one. This is as dangerous a business practice as not backing up computer data. It is inevitable that eventually this strategy will come back to bite a firm in the metaphoric glutes.

I know you have a lot on your plate, but this piece of administration isn’t something you can / should put off any longer. Need help? It’s out there. First, take a look at some of the articles on records management on my consulting web site. In particular, start with Developing a Records Management Policy, and then read Managing the Mountain of Paper: Records Management in the Law Firm. The latter article will provide links to resources which can assist you in developing your own policy.

Of course, Pennsylvania attorneys who are PBA members can contact me on the Law Practice Management Hot Line for a specimen policy and lots of additional information, to make this task a lot less labor intensive.


To return to the main page of the blog, click here. To return to the blog Index, click here.

FTC Disposal Rule and the Impact on Computer Disposal

For many firms and businesses, the new Federal Trade Commission’s Disposal Rule 16 CFR Part 682, which went into effect June 1, 2005, slipped in under the radar screen. Prior to this Rule, clearing of a computer’s hard drive before the computer was donated, sold or discarded was ethically required by lawyers in order to safeguard client confidentiality. Now it’s required by law for all businesses, including law firms and lawyers, to take reasonable measures to dispose of sensitive information derived from credit reports and background checks so that the information cannot practicably be read or reconstructed.

The Rule applies to both digital and paper media, and requires implementing and monitoring compliance with disposal policies and procedures. So if your firm, and if your clients, do not have records management and retention policies in place, it’s likcly you and/or your clients will run afoul of this law eventually.

Comments to the Rule suggest utilizing disc wiping utilities, but also suggest physical destruction of the hard drive as a cheaper alternative.

See my previous post entitled Disposing of Unwanted Computer Equipment for additional regulations, and links to disc wiping utilities.


To return to the main page of the blog, click here. To return to the blog Index, click here.

Average Cost is $97,000 to Clean Infected PCs From Zotob Worm

Fewer businesses fell victim to the Zotob worm that struck corporate networks than previous attacks, according to an article in CNet News, but those it hit paid dearly, according to a new survey. Cybertrust, which released the results of a 700-company study Wednesday, identified that Zotob’s victims included cable news station CNN, TV network ABC, The New York Times and DaimlerChrysler.

Zotob was less widespread, in part, because it targeted only PCs running Windows 2000, an older version of the software. The worm exploited a hole in the operating system’s plug-and-play feature, and let attackers take control of infected machines while spying on users.

A full 26 percent of Zotob victims told the firm that infections occurred because they had no firewall in place. The average cost of recovering from a Zotob infection was $97,000, Cybertrust said. For 61 percent of victims, cleanup required more than 80 hours of work.

As mentioned in previous posts and cited in numerous articles in CNet News and other sources, the incentive for these attacks is no longer about young hackers exercising their nerd muscles and feeding their egos. It’s about seeking confidential information and financial gain. In fact, the article points out that the two men arrested in Turkey for allegedly unleashing Zotob and other worms are thought to be part of a credit card fraud ring.

It’s unbelievable to me, given what we know about today’s computing environment, that major corporations could have computers exposed with no firewall protection. Don’t let this happen at your firm. You have an obligation under the Rules of Professional Conduct to safeguard confidential client information.

In fact, I recently came across an Opinion which specifically spelled out “reasonable” steps to take to safeguard electronic information. (See State Bar of Arizona Opinion 05-04 [July 2005].) Among the reasonable steps suggested are use of anti-virus, firewall, and anti-spyware software, as well as regular back-up, use of passwords, and encryption. I will add that the back-up should be stored off-site.


To return to the main page of the blog, click here. To return to the blog Index, click here.

How Conversant Are You in Technology Issues?

A article just appearing in the ABA Journal E-Report reports that the Judicial Conference of the United States, the administrative policy arm of the federal courts, adopted new e-discovery rules at a meeting of the Judicial Conference on Sept. 20th. The rules will govern discovery of electronic communications, including e-mails and digitally stored documents.

The rules must still be approved by the U.S. Supreme Court, though this is considered a formality. Then, if Congress does not disapprove them, they are expected to take effect by Dec. 1, 2006.

One of the very first articles I wrote in early March, 1999 for the Pennsylvania Bar Association was entitled Hop On Board or Get Off the Tracks. In early January, 2005 I wrote another article entitled Are You E-Ready for Your E-Future? Here are a few relevant words from 1999:

The next decade and beyond may be painful for many of the attorneys who are of the baby boom generation or older. By and large, these are the practitioners who have not yet embraced technology as an integral part of their practice strategy. As a result, they are becoming woefully unprepared to compete with their peers. . . . Get on board by getting up to speed, get off the tracks and be quickly bypassed by your peers, or become road kill – it’s your choice.

In 2005 I continued the dialog as follows:

For most of you out there, you didn’t learn e-Filing until the bankruptcy (and select other) courts made you. I talk almost every week with at least one attorney who still has no computer anywhere in the office, or refuses to use email and the internet because it is “too dangerous.”

E-Discovery, for example, impacts not only those of you who have a litigation practice, but also each and every one of your client’s records management policies, particularly with respect to electronic records management. What do you know about this? These “e” products and services are not just tools for you to use. They are impacting your clients in very
real ways, and you may be missing the boat in recognizing new opportunities to counsel them. But if you don’t understand these tools and services, and use them, you won’t realize their potential impact on your clients

What I wrote in 1999 is just as valid and timely today; maybe more so. Many firms—with no correlation to size of the firm—have become extremely adept at using these tools. Their success has inspired and accelerated their desire to use and try more tools. So the gap will widen further. As more of your peers move forward using technology tools, those of you who resist will become further behind. Less able to compete. A dinosaur awaiting extinction. . . .Don’t wait until your very existence is threatened. Don’t wait until the courts or clients force you to embrace technology, and then react. Be proactive.

Now, almost a year after my most recent writing on this subject, yet more of you will be forced to come into the 21st century—some of you will be dragged kicking and screaming all the way—by building an awareness of the impact and use of technology in today’s business environment. “These rules represent another reminder to practitioners that one either needs to feel conversant on electronic issues oneself, or you better get somebody to help you,” says Phoenix lawyer Patricia Lee Refo, a former chair of the ABA Litigation Section.

Need help getting up to speed? Well, start by actually touching your mouse. 🙂 Get professional training so you can use the software you already have. For help specifically in the electronic discovery area, see my post on that topic.


To return to the main page of the blog, click here. To return to the blog Index, click here.

Electronic Discovery A to Z

Peg Duncan, Director, Business Opportunities and Emerging Technologies, Information Management Branch, Federal Department of Justice has created a list of readings on Electronic Discovery which is a supplement to the September 2005 issue of LAWPRO Magazine.

This is the most comprehensive resource I have seen to date. Just about anything you would want to know about E-Discovery can be found on this list. Even specimen request forms in PDF format are included. Links are provided to every single resource referenced. It is available here.


To return to the main page of the blog, click here. To return to the blog Index, click here.

Safeguarding Client Information

Just yesterday I received a copy of Formal Opinion 05-04 (July 2005) of the State Bar of Arizona concerning an attorney’s obligations to safeguard electronic client information, from hacking and viruses, and for recovery purposes. It’s a fascinating read. There’s nothing in there which surprised me by any means, other than the fact that a state has put in writing that reasonable care includes the use of currently-updated virus protection software, firewall and spyware software, as well as back-up performed on a regular basis, and stored off-site. (Click here to read a relevant article.)

If nothing else, Hurricane Katrina has caused law firms across the nation to focus again on their Disaster Recovery Plans, and specifically on how effective their back-up strategy is. When a disaster of this magnitude hits, having a back-up off-site at your home just doesn’t do it. Many firms suffered loss of both office and home locations, and therefore found themselves with no back-up at all.

A cry for help arrived on the listserv for me and my fellow law practice managers across the state asking what a firm can and should do when it has no information left whatsoever. Just imagine not knowing who your clients are, how to contact them, what deadlines and appointments are coming up. Don’t even think about collecting on open bills or paying outstanding bills. These firms have literally nothing. They are starting from scratch. And the question is where do they start when there is not even a scrap of paper left.

I have always been a big proponent of Application Service Providers (“ASPs”) for a variety of reasons; disaster prevention and recovery being very high on the list. I have also been a big proponent of on-line back-up as an additional safety measure. They’re offered by companies which are just another type of ASP delivering a focused application. There are many reputable players to select from. (Click here to read an article on ASP’s.)

If you need some assistance getting started, you might find this article helpful, as well as the others linked to in this post. Then contact your state bar’s law practice management advisor for further assistance if you’re not sure how to proceed.

The important thing to remember is you shouldn’t wait until a disaster hits your firm or region before dusting off your Disaster Recovery Plan, or even creating one. Do it now. While the magnitude of this disaster reminds you regularly on the evening news what can happen if you don’t.


To return to the main page of the blog, click here. To return to the blog Index, click here.

WordPress Themes