How should a law firm handle client files and PII when a matter closes or a client requests their file back?
When a legal matter closes or a client asks for their file back, a law firm faces two parallel obligations: deliver the client’s property promptly and continue protecting the personal information the file contains. Handling both well comes down to a defensible, repeatable process rather than ad hoc decisions.
Clarify ownership and what is returned
A client file typically belongs to the client, and most professional-conduct rules require firms to surrender it on request. Before releasing anything, confirm the requester’s identity and authority. Distinguish the client’s materials (correspondence, executed documents, evidence, work product the client paid for) from the firm’s internal administrative records, such as billing and conflict-check data, which the firm generally retains. Document what was returned, to whom, and when.
Apply a retention schedule, not “keep everything”
Closing a matter is the trigger to apply your retention schedule, not a reason to ignore it. Set retention periods based on legal, regulatory, malpractice-limitation, and business needs, and start the clock from a defined event (usually matter closure). A schedule prevents both premature destruction of records you may still need and the indefinite hoarding of sensitive data, which only increases risk and storage cost.
Watch for legal holds. If any litigation, audit, or investigation is reasonably anticipated, suspend disposition for the affected records until the hold lifts.
Protect PII in transit and at rest
Files often contain Social Security numbers, financial data, health information, and other PII. Treat that information as a risk to be managed across its full life cycle, consistent with recognized privacy and records frameworks.
- Return or transfer files through secure channels (encrypted media, encrypted transfer, or tracked delivery), never unsecured email.
- Limit access to authorized staff and keep a transfer log.
- Redact third-party PII that is not the requesting client’s to receive.
- Keep a verifiable copy of what you delivered if you may need to evidence the transfer later.
Dispose securely when retention ends
When the retention period expires and no hold applies, destroy records using methods appropriate to the medium: cross-cut shredding for paper and certified, verifiable wiping or destruction for digital media. Record the destruction (what, when, method, authorization) so disposal is defensible.
For broader guidance, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- ISO 15489-1 Records management — ISO
How to cite this page
APA
RM University Editorial. (2026). How should a law firm handle client files and PII when a matter closes or a client requests their file back?. Records Management University. https://www.recordsmgmt.org/questions/how-law-firm-handle-client-files-pii-when-matter-closes/
MLA
RM University Editorial. "How should a law firm handle client files and PII when a matter closes or a client requests their file back?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-law-firm-handle-client-files-pii-when-matter-closes/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?