Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

LJN NewslettersNewsSections

Physical Data Security, Management and Destruction for Legal IT Professionals

By Michael Chung
October 29, 2007
Lester Schwab Katz & Dwyer, LLP ('LSK&D') is a 65-attorney insurance defense firm based in New York City. As IT director, I oversee all information systems for the firm, managing a relatively lean staff to cover our employees' needs. Our firm's management expects my team to properly manage, backup and destroy information at the appropriate times with effective methods. They are kept informed periodically, but the bulk of the responsibility falls to me and my IT staff to get the job done right.

One of our major concerns has always been the security of our clients' sensitive data. Recently, there have been stories in the news about data media getting lost or exposed, often with damaging or embarrassing consequences. Backup tapes, hard drives, CDs and other sources contain exponentially more data than a box of paper, so we have had to become very focused on how these data storage devices are tracked, stored, managed and disposed of when the time comes. Now that storage is so inexpensive, more data is sitting on a single disk or drive. New terabyte disk drives are setting a new standard for capacity ' but they also send up a huge red flag for risk. What if one terabyte hard drive was to fall into the wrong hands? Imagine the fallout and liability to which a law firm could be vulnerable.

Also, since our firm does insurance defense, we are frequently handling our clients' confidential medical records. Our main compliance consideration with these files is HIPAA (the Health Insurance Portability and Accountability Act of 1996), which requires that we keep the information for seven years to allow for recovery of data; then we need to make sure that the data is destroyed. In addition to medical information, we often have access to private information for defendants, such as Social Security numbers and personal details. In order to comply with HIPAA's 'due diligence' clause and its privacy requirements, we need to erase the data when it's no longer needed.

Read These Next
The DOJ's Corporate Enforcement Policy: One Year Later Image

The DOJ's Criminal Division issued three declinations since the issuance of the revised CEP a year ago. Review of these cases gives insight into DOJ's implementation of the new policy in practice.

Use of Deferred Prosecution Agreements In White Collar Investigations Image

This article discusses the practical and policy reasons for the use of DPAs and NPAs in white-collar criminal investigations, and considers the NDAA's new reporting provision and its relationship with other efforts to enhance transparency in DOJ decision-making.

The DOJ's New Parameters for Evaluating Corporate Compliance Programs Image

The parameters set forth in the DOJ's memorandum have implications not only for the government's evaluation of compliance programs in the context of criminal charging decisions, but also for how defense counsel structure their conference-room advocacy seeking declinations or lesser sanctions in both criminal and civil investigations.

CLE Shouldn't Be the Only Mandatory Training for Attorneys Image

Each stage of an attorney's career offers opportunities for a curriculum that addresses both the individual's and the firm's need to drive success.

A defendant in a patent infringement suit may, during discovery and prior to a <i>Markman</i> hearing, compel the plaintiff to produce claim charts, claim constructions, and element-by-element infringement analyses.