Law firms are entrusted with some of the most sensitive information imaginable. From client communications and financial records to litigation documents and confidential business information, attorneys have an ethical and professional obligation to protect the data in their care - an obligation codified under ABA Model Rule 1.6(c), which requires lawyers to make reasonable efforts to prevent unauthorized access to or disclosure of client information.
While most firms invest heavily in cybersecurity, such as firewalls, encryption, and secure networks, many overlook a critical vulnerability: the disposal of outdated electronic devices.
Computers, servers, hard drives, copiers, and other office equipment can contain years of confidential information. If these devices are not properly destroyed or sanitized before disposal, law firms may unknowingly expose themselves - and their clients - to significant risks.
The Hidden Threat in Retired Technology
Many legal professionals assume that deleting files or reformatting a hard drive removes sensitive information. Unfortunately, that’s often not the case.
On traditional hard drives, the “delete” function typically removes only the file’s index entry - a pointer that tells the operating system where the data lives. The data itself remains on the drive until it is physically overwritten. Similarly, a standard quick format rewrites only the file system’s table of contents, leaving underlying data intact and accessible with widely available recovery tools. Even a full format, depending on the operating system version, may not fully eliminate recoverable remnants.
Note: Solid-state drives (SSDs) with TRIM enabled behave differently. In this case, deleted data may be purged at the hardware level within seconds. However, TRIM is not universal across all SSD configurations, and recovery specialists can sometimes access data from SSDs under specific conditions. For any device containing privileged client information, certified physical destruction remains the most defensible standard.
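The following simulation is an added example written for this article, not code from the original page or from any vendor it mentions. It models a small disk image with a directory ("index") region in front of a data region, so the three behaviours described above can be observed directly: deleting a file only drops its directory entry, a quick format only clears the directory region, and only an overwrite of every byte (loosely analogous to a NIST SP 800-88 "Clear" of a magnetic drive) leaves nothing for a raw-byte scan to carve out. The file names, the privileged memo text and the disk layout are all constructed for the demonstration.

```python
"""Toy disk image: why 'delete' and 'quick format' leave data recoverable."""
from typing import Optional

DISK_SIZE = 4096   # bytes in the whole simulated drive
DIR_SIZE = 256     # bytes reserved for the directory ("index") at the start


class ToyDisk:
    """A 4 KiB in-memory 'drive': directory region followed by a data region."""

    def __init__(self) -> None:
        self.image = bytearray(DISK_SIZE)
        self.next_free = DIR_SIZE          # first unused byte in the data region

    # --- directory (index) handling: name -> (offset, length) ---------------
    def _entries(self) -> dict:
        raw = bytes(self.image[:DIR_SIZE]).rstrip(b"\0").decode()
        return {n: (int(o), int(l))
                for n, o, l in (e.split(":") for e in raw.split(";") if e)}

    def _store_entries(self, entries: dict) -> None:
        raw = ";".join(f"{n}:{o}:{l}" for n, (o, l) in entries.items()).encode()
        if len(raw) > DIR_SIZE:
            raise ValueError("directory full")
        self.image[:DIR_SIZE] = raw.ljust(DIR_SIZE, b"\0")

    # --- operations a user, an OS, or a disposal tool would perform ---------
    def write_file(self, name: str, data: bytes) -> None:
        if self.next_free + len(data) > DISK_SIZE:
            raise ValueError("disk full")
        off = self.next_free
        self.image[off:off + len(data)] = data
        self.next_free += len(data)
        entries = self._entries()
        entries[name] = (off, len(data))
        self._store_entries(entries)

    def read_file(self, name: str) -> Optional[bytes]:
        entry = self._entries().get(name)
        if entry is None:
            return None                     # "file not found", as the OS would say
        off, ln = entry
        return bytes(self.image[off:off + ln])

    def delete_file(self, name: str) -> None:
        """'Delete' as most operating systems do it: drop the index entry only."""
        entries = self._entries()
        del entries[name]
        self._store_entries(entries)

    def quick_format(self) -> None:
        """Quick format: wipe the directory region, leave the data region alone."""
        self.image[:DIR_SIZE] = b"\0" * DIR_SIZE
        self.next_free = DIR_SIZE

    def sanitize(self, pattern: bytes = b"\0") -> None:
        """Overwrite every byte of the image; only this removes the data itself."""
        self.image[:] = (pattern * (DISK_SIZE // len(pattern) + 1))[:DISK_SIZE]
        self.next_free = DIR_SIZE

    # --- what a recovery tool does: ignore the directory, scan raw bytes -----
    def carve(self, needle: bytes) -> bool:
        return bytes(self.image).find(needle) != -1


def demo() -> dict:
    """Walk one privileged memo through write, delete, quick format, sanitize."""
    disk = ToyDisk()
    secret = b"PRIVILEGED: settlement floor is $2.4M"   # constructed sample content
    disk.write_file("memo.txt", secret)
    results = {"carved_after_write": disk.carve(secret)}
    disk.delete_file("memo.txt")
    results["readable_after_delete"] = disk.read_file("memo.txt") is not None
    results["carved_after_delete"] = disk.carve(secret)
    disk.quick_format()
    results["carved_after_quick_format"] = disk.carve(secret)
    disk.sanitize()
    results["carved_after_sanitize"] = disk.carve(secret)
    return results


if __name__ == "__main__":
    for step, found in demo().items():
        print(f"{step:28s} {found}")
```

Running the script shows the memo is no longer readable through the directory after deletion, yet a raw scan still finds it after both the delete and the quick format; only the full overwrite makes the scan come back empty. A real drive adds slack space, journals and wear-levelling on SSDs, which is why the article recommends certified destruction rather than ad-hoc overwriting for privileged material.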
Devices that commonly contain confidential client information include:
• Desktop computers
• Laptops
• Servers
• External hard drives
• Backup tapes
• Multifunction printers and copiers
• Smartphones and tablets
• Network storage devices
For law firms, every retired device represents a potential source of exposure if not handled securely.
Why Law Firms Are Attractive Targets
The numbers are stark. The average cost of a data breach for professional services firms, including law firms, reached $5.08 million in 2024, a more than 10% year-over-year increase and 14% above the cross-industry average, according to IBM’s 2024 Cost of a Data Breach Report. Law firm breaches hit record highs in 2024, with 21 incidents documented in just the first five months of that year alone.
A recent survey by Arctic Wolf and Above the Law found that 39% of law firms reported experiencing a security breach in the prior year, and among those that did, 56% lost confidential client data. Ransomware incidents against law firms nearly doubled year-over-year, according to BakerHostetler’s 2026 Data Security Incident Response Report.
Cybercriminals target law firms because they possess highly valuable data, including:
• Client financial records
• Intellectual property
• Corporate transactions
• Real estate documents
• Litigation strategies
• Personal identifying information (PII)
• Employment records
Unlike large corporations that may have dedicated security departments, smaller and mid-sized law firms sometimes operate with limited IT resources. Only 34% of firms report having an incident response plan in place, according to the ABA’s 2023 Legal Technology Survey Report, making proper data management throughout the equipment lifecycle even more critical.
Ethical and Professional Responsibilities
The duty to protect client information does not end when a matter closes or a device is retired. Under ABA Model Rule 1.6(c), attorneys must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of client information - an obligation the ABA has extended explicitly to end-of-life hardware disposal. ABA Formal Opinion 477R provides additional guidance on technology safeguards, including obligations when decommissioning devices that stored privileged materials.
It’s worth noting that ABA Model Rule 1.6 does not scale to firm size. A three-attorney general practice firm retiring a single laptop faces the same ethical obligations as a firm managing hundreds of annual device retirements.
Improper disposal of devices can jeopardize:
• Attorney-client privilege
• Confidentiality obligations under Rule 1.6
• Professional responsibility requirements
• Client trust and firm reputation
Even if a breach results from a device discarded years earlier, the consequences can still be significant. The 2024 Wacks Law Group case, in which a six-attorney firm’s ransomware attack led to a class-action lawsuit partly because of a five-month delay in notifying victims, is a cautionary example of how smaller firms face identical exposure to their larger counterparts.
Common Disposal Mistakes Law Firms Make
Assuming Deletion Equals Destruction
Deleting files removes the file’s reference in the operating system’s index, but the underlying data typically remains on the drive until it is overwritten. On traditional HDDs, this data can remain recoverable for an extended period using off-the-shelf recovery software.
Forgetting About Copiers and Printers
Many modern copiers and multifunction devices contain internal hard drives that store scanned documents, emails, and print jobs - sometimes for the entire life of the device. These are frequently overlooked when retiring office equipment.
Stockpiling Old Equipment
It’s common for firms to store retired devices in closets or storage rooms with the intention of dealing with them “later.” These forgotten devices accumulate silently as security liabilities, holding years of client data without any chain-of-custody accountability.
Using Unverified Disposal Methods
Discarding devices through general recycling programs or office cleanouts may not provide the level of security required for confidential legal information. A high-profile cautionary example: Morgan Stanley paid over $155 million in fines and settlements after hard drives containing sensitive client information ended up on an auction site - not due to hacking, but due to failure to dispose of old devices securely.
How Secure Data Destruction Protects Law Firms
Professional data destruction services ensure that sensitive information is permanently destroyed before devices leave the firm’s control. Common secure destruction methods include:
Physical Hard Drive Destruction
Hard drives and solid-state drives are physically shredded, rendering data unrecoverable. For devices storing privileged communications or active litigation files, physical shredding is generally the preferred standard.
Certified Data Sanitization
For devices intended for reuse or resale, data wiping procedures that follow NIST SP 800-88 Rev. 1 can securely remove information while preserving asset value. Note that a standard factory reset does not meet NIST SP 800-88 sanitization standards or bar compliance requirements.
Documented Chain of Custody
Secure providers maintain accountability throughout the collection, transportation, and destruction process.
Certificates of Destruction
Documentation confirms that specific devices were destroyed according to recognized standards. For bar compliance purposes, insist on serialized certificates listing each device’s serial number, make, model, destruction method, and technician ID - not batch certificates covering a date range.
The Importance of Onsite Data Destruction
Many law firms prefer onsite data destruction because the storage media never leaves the office intact. Benefits include:
• Immediate, witnessed verification of destruction
• Reduced chain-of-custody concerns
• Enhanced client confidence
• Greater control over sensitive assets
For firms handling particularly sensitive matters, such as M&A transactions, active litigation, or matters subject to litigation holds, onsite destruction provides an added layer of assurance and documentation.
Responsible Electronics Recycling Matters Too
Once data has been securely destroyed, the remaining equipment should be recycled responsibly. Proper electronics recycling:
• Keeps hazardous materials out of landfills
• Supports environmental sustainability
• Recovers valuable materials for reuse
• Demonstrates responsible corporate stewardship
A qualified electronics recycling partner can provide both certified secure data destruction and environmentally responsible recycling services under a single chain of custody.
Best Practices for Law Firms
To reduce risk, law firms should establish a formal device retirement process that includes:
Inventory Management
Maintain records of all devices being removed from service, including serial numbers and the date of decommissioning.
Litigation Hold Review
Before any device is disposed of, confirm it is not subject to an active or anticipated litigation hold. Under FRCP Rule 37(e), destroying electronically stored information that should have been preserved can result in sanctions, adverse inference instructions, or evidence preclusion.
Scheduled Cleanouts
Avoid allowing outdated equipment to accumulate over time. Establish a regular device retirement cycle aligned with equipment refresh schedules.
Employee Training
Ensure attorneys, paralegals, and administrative staff understand proper disposal procedures and the risks associated with retired devices - including remote work laptops and mobile devices, which are among the fastest-growing categories of unmanaged end-of-life assets.
Partnering with Qualified Providers
Work with data destruction and electronics recycling companies that understand the documentation requirements of legal professionals.
Maintaining Documentation
Retain serialized Certificates of Destruction and disposal records for a minimum of seven years, or longer as required by applicable bar rules, for future reference and compliance purposes.
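The retirement process described above, together with the certificate requirements from the "Certificates of Destruction" section, can be encoded as a small register so that no device is released for destruction without an inventory record and a litigation-hold check, and no disposal record is closed without a serialized certificate. The code below is an added example written for this article; it is not software from the original page or from any provider. The device serials, makes, models, dates and technician ID are constructed, and the assumption that litigation holds are tracked per device serial number is a simplification of how a firm's matter-management system would actually tie holds to custodians and matters.

```python
"""Device retirement register: inventory, litigation-hold gate, serialized certificates."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Fields a serialized Certificate of Destruction must carry (per the article).
REQUIRED_CERT_FIELDS = ("serial_number", "make", "model",
                        "destruction_method", "technician_id", "destroyed_on")
RETENTION_YEARS = 7   # minimum retention period for disposal records


@dataclass
class Device:
    serial_number: str
    make: str
    model: str
    decommissioned_on: date
    certificate: Optional[dict] = None


@dataclass
class RetirementRegister:
    devices: dict = field(default_factory=dict)   # serial -> Device
    holds: set = field(default_factory=set)       # serials under litigation hold (assumed model)

    def decommission(self, serial: str, make: str, model: str, on: date) -> None:
        """Inventory step: nothing leaves service without a serial and a date."""
        self.devices[serial] = Device(serial, make, model, on)

    def place_hold(self, serial: str) -> None:
        self.holds.add(serial)

    def release_hold(self, serial: str) -> None:
        self.holds.discard(serial)

    def approve_destruction(self, serial: str):
        """Litigation-hold gate: returns (approved, reason)."""
        if serial not in self.devices:
            return False, "not in decommission inventory"
        if serial in self.holds:
            return False, "subject to litigation hold (FRCP 37(e) exposure)"
        return True, "approved"

    def record_certificate(self, serial: str, cert: dict) -> list:
        """Accept only a serialized certificate; returns the list of problems found."""
        problems = []
        if "date_range" in cert:
            problems.append("batch certificate covering a date range is not acceptable")
        for f in REQUIRED_CERT_FIELDS:
            if f not in cert:
                problems.append(f"missing field: {f}")
        dev = self.devices.get(serial)
        if dev is None:
            problems.append("device not in inventory")
        elif cert.get("serial_number") not in (None, serial):
            problems.append("certificate serial does not match device")
        if not problems:
            dev.certificate = dict(cert)
        return problems

    def retain_until(self, serial: str) -> date:
        """Earliest date the destruction record may be discarded."""
        d = self.devices[serial].certificate["destroyed_on"]
        try:
            return d.replace(year=d.year + RETENTION_YEARS)
        except ValueError:                 # 29 Feb landing in a non-leap year
            return d.replace(year=d.year + RETENTION_YEARS, day=28)

    def outstanding(self) -> list:
        """Decommissioned devices with no certificate: the 'closet' problem."""
        return sorted(s for s, d in self.devices.items() if d.certificate is None)


def demo() -> dict:
    reg = RetirementRegister()
    reg.decommission("LT-1001", "Lenovo", "T14", date(2025, 3, 3))      # constructed
    reg.decommission("CP-2002", "Canon", "iR-ADV", date(2025, 3, 3))    # constructed
    reg.place_hold("CP-2002")               # copier holds scans for an active matter
    laptop_ok, _ = reg.approve_destruction("LT-1001")
    copier_ok, why = reg.approve_destruction("CP-2002")
    batch = {"date_range": "2025-03-01/2025-03-31", "destruction_method": "shred"}
    batch_problems = reg.record_certificate("LT-1001", batch)
    good = {"serial_number": "LT-1001", "make": "Lenovo", "model": "T14",
            "destruction_method": "shred", "technician_id": "TECH-07",
            "destroyed_on": date(2025, 3, 10)}
    good_problems = reg.record_certificate("LT-1001", good)
    return {"laptop_ok": laptop_ok, "copier_ok": copier_ok, "copier_reason": why,
            "batch_problems": batch_problems, "good_problems": good_problems,
            "retain_until": reg.retain_until("LT-1001").isoformat(),
            "outstanding": reg.outstanding()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the run above the laptop is approved, the copier is blocked while its hold stands, the batch certificate is rejected with six problems (the date range plus five missing serialized fields), the proper certificate is accepted, the record's retention runs to 10 March 2032, and the copier remains on the outstanding list until its own certificate arrives.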
Clearly, data security doesn’t end when a device is retired.
For law firms, protecting client confidentiality extends beyond cybersecurity measures and into the physical handling and disposal of electronic equipment. An old hard drive, copier, or server can contain years of sensitive information - and the average cost of a breach, at $5.08 million, dwarfs the investment in proper disposal by orders of magnitude.
By implementing secure data destruction practices and working with a trusted, certified electronics recycling partner, law firms can protect their clients, maintain their professional obligations under ABA Model Rule 1.6, and reduce the risk of costly data breaches.
When it comes to confidential legal information, secure device disposal isn’t simply a best practice - it’s an essential component of responsible client service and bar compliance.