Technology Circuit

How to Build a Resilient Law Firm Document Retention Policy


As a law firm, you collect an inordinate number of documents. From case files to consent forms, agreements, bills, and deeds, the average law firm sits on a mountain of sensitive, private files. So, how do you store, secure, and delete those files appropriately? Chances are, your firm has a blend of document types. You may still have a few dusty old boxes stuffed with paper files in manila folders, and you almost certainly have a wealth of digital files trapped in various technologies in your increasingly-important legal tech stack. This can make developing a robust retention policy tricky.

Where do you begin?

Unfortunately, document retention policies aren’t necessarily clear-cut. Between the Canadian Bar Association, client needs, and regulatory bodies, trying to pin down an accurate retention policy can be confusing, time-consuming, and resource-drenching. Don’t worry. By aligning with IT experts, a comprehensive retention policy that keeps your files safe, secure, and free from regulatory wrath is within reach.

Understanding Document Retention in a Law Firm Context

You need a document retention policy. Document retention strategies safeguard against malpractice cases and discovery rules and help you attract privacy-savvy clients (92% of Canadians worry about their data privacy) in a competitive legal landscape. In addition, the regulatory atmosphere surrounding data retention is growing at a rapid rate—with over 115 data privacy omnibus bills enacted to-date.

There is no single, unified source that dictates how long legal documents must be retained. Section 23 of The Law Society of Upper Canada’s Bylaws states that you must retain certain financial documents (e.g., general account receipts, fees books, copies of tenant withdrawals, book of duplicate cash receipts, etc.) for a period of no less than 6 years. Other financial documents (e.g., client trust ledgers, property records, monthly trust comparisons, etc.) must be kept for a period of no less than 10 years. In addition, the Income Tax Act requires records and books to be kept for at least 6 years past the taxation year of said records. Already, things are getting tricky. There’s diversity in document retention guidelines based on document type and differing regulatory guidelines. Keep in mind this is only for financial documents.

For this post, we won’t dive into every unique local, provincial, and federal guideline surrounding document retention in Canada. It’s an exhaustive list. But, it’s important to note that document retention isn’t solely valuable for regulatory purposes. Establishing a document retention policy helps you navigate the Mergers & Acquisitions (M&A) landscape, avoid security breaches, and provide clients with a minimal-risk approach to practicing law.

The CBA suggests that privacy class actions are intensifying in Canada, with many notable rulings since 2012.

So, how do you build a comprehensive document retention policy? And how do you keep your files secure in an ecosystem where 9 in 10 Canadian lawyers are desperate for increased cybersecurity resilience?

Creating a Document Retention Strategy

Let’s cut to the chase: you cannot build a resilient document retention policy without digital solutions.

Storing critical case files in discrete, off-site “hidden” locations isn’t going to cut it. Not only does this process cost a significant amount of money, but it doesn’t account for all of your digital files, which are likely close to overtaking your physical documents.

Document retention strategies require intense collaboration with IT experts. For small and mid-market firms, that IT support may be outsourced. For massive firms, there is likely a blend of on-site and outsourced IT that should be brought together under one common banner. As a baseline, your document retention strategy should involve a cloud storage solution with world-class security safeguards and around-the-clock security monitoring. The average cost of a data breach in Canada is over $4.5 million, so security should be front-of-mind and baked into your document retention policy from square one.

You also need well-defined document definitions and standards that align with local, regional, and federal law. Typically, this involves deeply-rooted policies and litigation hold policies that ensure documents are retained based on document type, nature, and sensitivity. It’s important to note that document retention strategies should be long-term solutions. There’s a good (almost certain) chance that you will upgrade systems and migrate data before certain documents hit their end-of-life phase. After all, 10 years is an extremely long time in today’s digital landscape.

Finally, you should develop a well-rounded document deletion program that ensures the right documents are deleted at the right time. This part is the trickiest. The litigation landscape surrounding document deletion is intense, and any deletion policies that are improperly architected can swiftly result in serious financial consequences.

The Tricky “Deletion” Problem

How do you know when to delete documents? In many industries, the answer to this question is straight-forward. In law, it’s tricky. There are hundreds of converging regulatory guidelines and laws surrounding document deletion in the legal space, and there are plenty of nuances that go outside of regulatory boundaries. As an example, criminal firms may want to hold onto documents for the entire life of their client. Shredding files that could potentially help in a habeas corpus petition could leave you vulnerable. So, there’s a layer of firm-specific nuance that you need to apply to any document deletion policy.

Again, we highly recommend that you work with your IT partner to discuss the details of your deletion policy. They can help you understand the costs, consequences, and benefits to document deletion on a granular level. We also recommend discussing the methods of deletion with your providers. Many firms start with digitization and then move to automated deletion policies built into their cloud or software solutions. This process requires digitization, so it’s an IT-centric process.

Vertex: An IT Partner You Can Trust To Build a Resilient Document Retention Policy

At Vertex, we help small and mid-market law firms manage their IT landscape. From fully-managed IT to cloud solutions and customized deliveries, we bridge digital solutions to firm needs. Here’s the simple truth: document retention policies require a convergence of legal expertise and IT experience. Contact us to learn how we can help you build an industry-leading retention policy.