A paralegal leaves your firm. She returns her laptop. Someone wipes it with the built-in factory reset, lists it on eBay for $200, and moves on. Six months later, a buyer recovers client files from that drive using free software. That scenario isn’t theoretical - it’s how data breaches happen at small law firms every day.
The Problem: Devices Come and Go. Client Data Stays Behind.
Most small law firms have invested real energy in software security - password managers, antivirus, maybe even multi-factor authentication (MFA). That’s good. But the physical lifecycle of the devices running that software rarely gets the same attention.
Think about every device that touches client data at your firm: laptops, tablets, smartphones, external hard drives, even printers with onboard storage. Now think about what happens when those devices reach the end of their useful life. Is there a written process for decommissioning them? Does someone verify that data has been destroyed - not just deleted - before the device leaves the building? Can your firm produce documentation proving it?
For most small firms, the honest answer is no.
The problem gets worse when you factor in bring-your-own-device (BYOD) arrangements. A senior associate uses her personal MacBook for three years. She stores client documents in a local folder, logs into firm email, maybe even downloads deposition files. When she leaves - voluntarily or not - your firm has no technical ability to wipe that device. The data stays on her machine indefinitely, and you have no record it was ever there.
This isn’t a software problem. It’s a lifecycle problem. And it starts at procurement, not disposal.
Why This Matters for Law Firms
Attorneys have some of the most clearly articulated data security obligations in any profession. American Bar Association (ABA) Model Rule 1.6 requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Every state bar has adopted a version of this rule.
“Reasonable efforts” isn’t a vague standard - state bar ethics opinions have interpreted it to include basic security practices like encryption, access controls, and secure data destruction. The California State Bar has been explicit: competence under Business and Professions Code Section 6068 now includes technological competence.
If a retired device surfaces with unencrypted client files and results in a bar complaint, “we did a factory reset” is not a defense. Bars have imposed discipline for exactly this kind of negligence.
There’s also civil exposure to consider. If your firm handles matters involving health information, you may have obligations under the Health Insurance Portability and Accountability Act (HIPAA). If you work with financial data, the Gramm-Leach-Bliley Act (GLBA) may apply. California’s Consumer Privacy Act (CCPA) adds another layer. These carry real fines and reputational damage that small firms simply can’t absorb.
Here’s the question worth sitting with: if a regulatory investigator asked you today to produce documentation showing how your firm handles device disposal, what would you hand them?
How to Build a Law Firm Device Lifecycle Policy
A proper device lifecycle policy has four stages. None of them are optional.
1. Procurement Standards
Define what devices are approved for firm use before someone shows up with a personal Chromebook and starts accessing your document management system. Your procurement standard should specify operating system requirements, minimum hardware specs, and whether personal devices are permitted at all - and under what conditions.
If you allow BYOD, your policy needs to require mobile device management (MDM) enrollment as a condition of access. MDM software lets your IT team enforce encryption, remotely wipe devices, and maintain an inventory of what’s connected to your systems. Without it, you’re extending trust with no controls.
2. Configuration Baselines
Every firm device should be configured to the same security baseline before it’s handed to a user. That means full-disk encryption enabled from day one - FileVault on Macs, BitLocker on Windows machines. It means automatic screen lock, endpoint protection software, and MFA configured for all firm accounts.
Why does day-one encryption matter so much? Because encryption at rest only protects data if it was active when the data was written. If a device spent two years unencrypted and someone enables encryption on the last day before decommissioning, the files already on that drive may not be fully protected. Retroactive assumptions about encryption are dangerous. Don’t make them.
3. Refresh Schedules
Devices get old. Old devices get insecure. Establish a replacement cycle - typically three to five years for laptops - so you’re not running attorneys on machines that no longer receive security patches. Patch support windows for operating systems are finite, and running unsupported software is a compliance exposure, not just a performance annoyance.
4. Certified Data Destruction and Documentation
This is the step most firms skip entirely, and it’s the one that creates breach liability.
When a device is retired, the data must be destroyed - not deleted, not reformatted, destroyed. For solid-state drives (SSDs), NIST Special Publication 800-88 recommends cryptographic erasure or physical destruction, because traditional overwriting techniques don’t work reliably on SSDs. For spinning hard drives, overwriting tools like DBAN can be effective, but physical shredding is the gold standard.
Use a vendor that provides a Certificate of Destruction with the device serial number, destruction method, and date. Keep those certificates. They’re your evidence of due diligence if a data incident is ever investigated.
Maintain a device inventory log from the moment a device enters the firm to the moment it’s destroyed. Serial number, assigned user, data types stored, and disposition method. A simple spreadsheet works. The habit is what matters.
What to Look for in an IT Partner
Not every IT provider understands legal industry obligations. When you’re evaluating a managed IT services provider for device lifecycle support, ask these specific questions:
- Do you maintain a device inventory on our behalf, and how is it updated?
- What’s your process for decommissioning retired devices - do you provide Certificates of Destruction?
- Can you deploy and manage MDM for both firm-issued and personal devices?
- Are your configuration baselines aligned with NIST or Center for Internet Security (CIS) benchmarks?
- Have you worked with law firms before, and do you understand ABA and California bar security obligations?
A provider who can answer those questions specifically - not generically - is worth talking to further. A provider who pivots to “we handle everything, don’t worry” is telling you something important about how they work.
The Bottom Line
Small law firms spend years building client trust. A single retired laptop sold without proper data destruction can undo that in an afternoon. A device lifecycle policy isn’t a luxury for large firms with dedicated IT departments - it’s a basic competence requirement that your bar association, your clients, and basic common sense all expect. Start with procurement standards, lock down BYOD, and never let a device leave without a Certificate of Destruction.
Frequently Asked Questions
What does “secure data destruction” actually mean for a law firm’s old laptops?
Secure data destruction means making data unrecoverable by any technically feasible method - not just deleted or reformatted. For solid-state drives, NIST SP 800-88 recommends cryptographic erasure (using the drive’s built-in encryption key to render data inaccessible) or physical destruction. For traditional hard drives, multi-pass overwriting software or physical shredding are both acceptable. A Certificate of Destruction from a qualified vendor documents that the process was completed.
Is factory resetting a device before donating it enough to protect client data?
No. A standard factory reset removes the operating system and user-visible files, but it doesn’t overwrite the underlying data on the drive. Free data recovery tools can restore files from a factory-reset device in minutes. For any device that ever held client information, you need a dedicated data destruction process - not a reset.
What should a BYOD policy for a small law firm actually include?
At minimum, a BYOD policy should require MDM enrollment as a condition of accessing any firm system, mandate full-disk encryption on personal devices, specify which applications and storage locations may be used for client data, and grant the firm the right to remotely wipe firm-related data if the device is lost, stolen, or the employee departs. The policy should be signed by every employee and reviewed annually.
How long should a law firm keep records of device disposal?
There’s no single universal requirement, but most security frameworks and legal industry guidance recommend retaining device disposition records for a minimum of five to seven years. California’s CCPA and bar ethics rules both contemplate the ability to demonstrate reasonable security practices after the fact. Keeping Certificates of Destruction tied to your device inventory log gives you exactly that documentation trail.
If you’re working through law firm device security policy challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area - we know your world.