Law Firm Compliance

Florida Law Firm Data Mapping: What Recommendation 25-1 Requires and How to Do It

Makita Tunsill, JM
Juris Master — Cybersecurity, Privacy & Technology Risk Management | First Step Technology LLC
Published: July 4, 2026
11 min read

The data mapping survey is the second deliverable required by Florida Bar Recommendation 25-1, alongside the cybersecurity maturity assessment, with both due by March 2027. In over a decade of advisory work in cybersecurity and risk management, the data mapping process is consistently the one that produces the most surprises for law firms. Most firms think they know what data they have. The data map reveals they are holding significantly more — in more places, with less control — than they realized.

What a Law Firm Data Mapping Survey Is

A data mapping survey is a documented inventory of what client and organizational data a law firm holds, where that data lives, who has access to it, how it is protected, how long it is retained, and how it is ultimately disposed of. The goal is to make the firm's data landscape visible so it can be managed, protected, and governed in a way that meets both ethical and legal obligations.

The term data mapping comes from the practice of literally mapping data as it flows through an organization — where it enters, where it sits, where it goes, and where it ends. For a law firm, that flow involves intake forms, email communications, document uploads to practice management software, file transfers to clients and courts, cloud storage, third-party tools, and eventually disposition after a matter closes.

The survey is not a technical scan. It does not involve any software running against the firm's systems. It is a structured documentation exercise that requires thoughtful input from firm leadership, the IT contact or MSP, and the attorneys who handle different matter types.

Why Law Firms Need This Specifically

Law firms occupy a unique position in the data landscape. They receive, create, and hold some of the most sensitive personal, financial, health, and commercial information that exists. A client in a personal injury matter shares medical records, accident reports, employment history, and financial disclosures. A client in a family law matter shares income information, tax returns, asset details, and custody-related communications about children. A client in a healthcare regulatory matter shares PHI that the law firm is now handling as a business associate under HIPAA.

That information sits in the firm's systems alongside every other client's data, protected by whatever security controls the firm happens to have in place. Without a data map, the firm does not have a complete picture of what it is responsible for protecting — or what it would need to disclose if a breach occurred.

FIPA and the data map connection: Florida's Information Protection Act requires breach notification to affected individuals within 30 days when personal information is compromised. Personal information under FIPA includes names combined with Social Security numbers, financial account numbers, medical records, and other sensitive categories. A law firm that suffers a breach and has not completed a data map may not know which clients' personal information was in the compromised system, making compliant notification difficult or impossible within the statutory deadline.

What the Data Map Must Document

A complete law firm data mapping survey documents six categories of information for each data type the firm holds:

  1. Data type and sensitivity classification: What category of data is it — personal identifiers, financial records, health information, legal work product, authentication credentials? How sensitive is it and what legal or ethical obligations attach to it?
  2. Storage location and system: Where does this data live — practice management software, cloud file storage, email system, local server, physical files, portable devices? Who operates that system?
  3. Access controls: Who can access this data? What authentication is required? Are access permissions role-based or is access broadly granted?
  4. Retention period: How long does the firm keep this data? Is there a written retention schedule? Is it enforced consistently?
  5. Disposal method: When data reaches the end of its retention period, how is it destroyed? Is there a documented and auditable process for digital and physical data destruction?
  6. Vendor involvement: Which third-party technology providers have access to this data? Under what contractual terms? Do those contracts include breach notification requirements?

The Data Categories Most Law Firms Discover

When conducting data mapping sessions with law firms, certain data categories consistently appear — and certain locations consistently surprise firm leadership. The table below reflects what a typical small to mid-size Florida general practice firm holds:

Data CategoryCommon LocationsRisk LevelFrequent Gap Found
Client PII
(name, SSN, DOB, address)
Practice management, intake forms, email attachmentsHighStored indefinitely, disposal process undefined
Client Financial RecordsEmail, cloud drives, accounting softwareHighNo retention schedule, multiple unsecured copies exist
Health InformationPI and family law matter files, emailHighHIPAA Business Associate obligations unrealized
Active Matter FilesPractice management, shared drives, emailHighAccess not restricted to assigned attorneys and staff
Closed Matter FilesLocal server, external drives, archivesMediumNo retention schedule, stored indefinitely
Authentication CredentialsBrowsers, sticky notes, shared spreadsheetsHighShared passwords, no password manager in use
Client CommunicationsEmail, text messages, client portalHighUnencrypted email used for sensitive document exchange
Employee HR RecordsHR software, email, paper filesMediumAccess not restricted to authorized personnel
Financial and Billing RecordsAccounting software, practice management, emailMediumThird-party billing vendor access not documented
Third-Party DataVarious, often untrackedMediumData received from opposing counsel or courts not inventoried

Shadow IT: The Data Location Most Firms Miss

Shadow IT refers to technology tools and applications that firm employees use without formal approval from firm management or IT. In a law firm context, this typically includes personal Gmail or Dropbox accounts used to send or store client documents, consumer-grade messaging apps used to communicate with clients, AI writing and drafting tools that process client information, and video conferencing tools not approved by the firm's IT policy.

Shadow IT creates data locations that do not appear on any approved system inventory and are not subject to the firm's security controls. Client data that flows through an attorney's personal Gmail account exists outside the firm's backup and access control framework. Client documents stored in a personal Dropbox are not subject to the firm's retention schedule or disposal procedures.

A thorough data mapping process includes a shadow IT discovery component. The question is not whether attorneys and staff are using unapproved tools — they almost universally are — but which tools, what data is flowing through them, and what the firm's documented response is.

How the Data Mapping Process Works

01

Preparation

The advisor reviews any existing system inventory, vendor contract list, and organizational chart provided during the information gathering phase of the maturity assessment. This establishes a starting framework for the mapping session.

02

Facilitated Working Session

The data map is built in a working session with the managing partner and administrator, not through a form the firm fills out independently. The facilitated approach surfaces data the firm does not realize it has because the right questions prompt recollection. A typical session runs 90 to 120 minutes.

03

Vendor and System Cross-Reference

Each data category is cross-referenced against the firm's vendor and system list to identify which providers have access to which data types and whether those relationships are governed by appropriate contractual protections.

04

Shadow IT Review

A structured conversation identifies tools being used outside the approved system list. Each identified shadow IT instance is documented with what data it processes and what the firm's intended response is.

05

Gap Identification

The completed map is reviewed for gaps: data categories without defined retention periods, systems without documented access controls, disposal processes that do not meet NIST 800-88 standards, and vendor relationships without appropriate data protection agreements.

06

Documentation and Report

The completed data map is documented in a format that can be maintained and updated as the firm's systems evolve. The data map summary becomes a section of the overall maturity assessment report and a standalone compliance document the firm retains.

The Connection Between the Data Map and FIPA

Florida's Information Protection Act, Section 501.171 of the Florida Statutes, requires any covered entity that owns or licenses personal information of Florida residents to take reasonable measures to protect that information. When a breach of personal information occurs, the covered entity must notify affected individuals within 30 days.

Personal information under FIPA includes an individual's first name or first initial and last name in combination with any of the following: Social Security number, driver's license number, financial account numbers with access credentials, medical history or health insurance information, email addresses with passwords, and a number of other sensitive categories.

Law firms handle FIPA-covered personal information in virtually every matter type. Without a data map, when a breach occurs, the firm faces the challenge of reconstructing what personal information was in the breached system and whose information it was — under a 30-day notification clock. With a current data map, the firm knows immediately what categories of data were potentially compromised and can identify the affected clients.

The data map and ABA Rule 1.6: ABA Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent unauthorized disclosure of client information. Making reasonable efforts requires knowing what client information exists and where. A firm that has never documented its data holdings cannot credibly claim it has made reasonable efforts to protect information it does not know it has. The data map is the foundation of a Rule 1.6 compliance posture.

Maintaining the Data Map After Initial Completion

A data map is a living document. Every time the firm adds a new software tool, onboards a new vendor, changes its document management system, expands to a new practice area, or changes its data storage approach, the map should be updated. Annual review of the data map is a reasonable maintenance schedule, aligned with the annual review requirement for the incident response plan.

The initial completion of the data map satisfies the Recommendation 25-1 requirement. Maintaining it as a current document demonstrates an ongoing commitment to data governance that strengthens the firm's position with insurers, corporate clients, and the Bar over time.

Complete Your Law Firm Data Mapping Survey

First Step Technology LLC facilitates law firm data mapping surveys as part of the Recommendation 25-1 compliance engagement. The facilitated working session approach takes 90 minutes of firm time and produces a documented data map that satisfies the Bar requirement and supports FIPA compliance.

Schedule Your Data Mapping Session
Disclaimer: This article is published by ComplianceFirst.io, a compliance intelligence publication of First Step Technology LLC. It is provided for informational purposes only and does not constitute legal advice. First Step Technology LLC is not a law firm. Questions regarding your specific obligations under the Florida Rules of Professional Conduct or FIPA should be directed to qualified legal counsel or the Florida Bar Ethics Hotline at 1-800-235-8619.