The data mapping survey is the second deliverable required by Florida Bar Recommendation 25-1, alongside the cybersecurity maturity assessment, with both due by March 2027. In over a decade of advisory work in cybersecurity and risk management, the data mapping process is consistently the one that produces the most surprises for law firms. Most firms think they know what data they have. The data map reveals they are holding significantly more — in more places, with less control — than they realized.
A data mapping survey is a documented inventory of what client and organizational data a law firm holds, where that data lives, who has access to it, how it is protected, how long it is retained, and how it is ultimately disposed of. The goal is to make the firm's data landscape visible so it can be managed, protected, and governed in a way that meets both ethical and legal obligations.
The term data mapping comes from the practice of literally mapping data as it flows through an organization — where it enters, where it sits, where it goes, and where it ends. For a law firm, that flow involves intake forms, email communications, document uploads to practice management software, file transfers to clients and courts, cloud storage, third-party tools, and eventually disposition after a matter closes.
The survey is not a technical scan. It does not involve any software running against the firm's systems. It is a structured documentation exercise that requires thoughtful input from firm leadership, the IT contact or MSP, and the attorneys who handle different matter types.
Law firms occupy a unique position in the data landscape. They receive, create, and hold some of the most sensitive personal, financial, health, and commercial information that exists. A client in a personal injury matter shares medical records, accident reports, employment history, and financial disclosures. A client in a family law matter shares income information, tax returns, asset details, and custody-related communications about children. A client in a healthcare regulatory matter shares PHI that the law firm is now handling as a business associate under HIPAA.
That information sits in the firm's systems alongside every other client's data, protected by whatever security controls the firm happens to have in place. Without a data map, the firm does not have a complete picture of what it is responsible for protecting — or what it would need to disclose if a breach occurred.
FIPA and the data map connection: Florida's Information Protection Act requires breach notification to affected individuals within 30 days when personal information is compromised. Personal information under FIPA includes names combined with Social Security numbers, financial account numbers, medical records, and other sensitive categories. A law firm that suffers a breach and has not completed a data map may not know which clients' personal information was in the compromised system, making compliant notification difficult or impossible within the statutory deadline.
A complete law firm data mapping survey documents six categories of information for each data type the firm holds:
When conducting data mapping sessions with law firms, certain data categories consistently appear — and certain locations consistently surprise firm leadership. The table below reflects what a typical small to mid-size Florida general practice firm holds:
| Data Category | Common Locations | Risk Level | Frequent Gap Found |
|---|---|---|---|
| Client PII (name, SSN, DOB, address) | Practice management, intake forms, email attachments | High | Stored indefinitely, disposal process undefined |
| Client Financial Records | Email, cloud drives, accounting software | High | No retention schedule, multiple unsecured copies exist |
| Health Information | PI and family law matter files, email | High | HIPAA Business Associate obligations unrealized |
| Active Matter Files | Practice management, shared drives, email | High | Access not restricted to assigned attorneys and staff |
| Closed Matter Files | Local server, external drives, archives | Medium | No retention schedule, stored indefinitely |
| Authentication Credentials | Browsers, sticky notes, shared spreadsheets | High | Shared passwords, no password manager in use |
| Client Communications | Email, text messages, client portal | High | Unencrypted email used for sensitive document exchange |
| Employee HR Records | HR software, email, paper files | Medium | Access not restricted to authorized personnel |
| Financial and Billing Records | Accounting software, practice management, email | Medium | Third-party billing vendor access not documented |
| Third-Party Data | Various, often untracked | Medium | Data received from opposing counsel or courts not inventoried |
Shadow IT refers to technology tools and applications that firm employees use without formal approval from firm management or IT. In a law firm context, this typically includes personal Gmail or Dropbox accounts used to send or store client documents, consumer-grade messaging apps used to communicate with clients, AI writing and drafting tools that process client information, and video conferencing tools not approved by the firm's IT policy.
Shadow IT creates data locations that do not appear on any approved system inventory and are not subject to the firm's security controls. Client data that flows through an attorney's personal Gmail account exists outside the firm's backup and access control framework. Client documents stored in a personal Dropbox are not subject to the firm's retention schedule or disposal procedures.
A thorough data mapping process includes a shadow IT discovery component. The question is not whether attorneys and staff are using unapproved tools — they almost universally are — but which tools, what data is flowing through them, and what the firm's documented response is.
The advisor reviews any existing system inventory, vendor contract list, and organizational chart provided during the information gathering phase of the maturity assessment. This establishes a starting framework for the mapping session.
The data map is built in a working session with the managing partner and administrator, not through a form the firm fills out independently. The facilitated approach surfaces data the firm does not realize it has because the right questions prompt recollection. A typical session runs 90 to 120 minutes.
Each data category is cross-referenced against the firm's vendor and system list to identify which providers have access to which data types and whether those relationships are governed by appropriate contractual protections.
A structured conversation identifies tools being used outside the approved system list. Each identified shadow IT instance is documented with what data it processes and what the firm's intended response is.
The completed map is reviewed for gaps: data categories without defined retention periods, systems without documented access controls, disposal processes that do not meet NIST 800-88 standards, and vendor relationships without appropriate data protection agreements.
The completed data map is documented in a format that can be maintained and updated as the firm's systems evolve. The data map summary becomes a section of the overall maturity assessment report and a standalone compliance document the firm retains.
Florida's Information Protection Act, Section 501.171 of the Florida Statutes, requires any covered entity that owns or licenses personal information of Florida residents to take reasonable measures to protect that information. When a breach of personal information occurs, the covered entity must notify affected individuals within 30 days.
Personal information under FIPA includes an individual's first name or first initial and last name in combination with any of the following: Social Security number, driver's license number, financial account numbers with access credentials, medical history or health insurance information, email addresses with passwords, and a number of other sensitive categories.
Law firms handle FIPA-covered personal information in virtually every matter type. Without a data map, when a breach occurs, the firm faces the challenge of reconstructing what personal information was in the breached system and whose information it was — under a 30-day notification clock. With a current data map, the firm knows immediately what categories of data were potentially compromised and can identify the affected clients.
The data map and ABA Rule 1.6: ABA Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent unauthorized disclosure of client information. Making reasonable efforts requires knowing what client information exists and where. A firm that has never documented its data holdings cannot credibly claim it has made reasonable efforts to protect information it does not know it has. The data map is the foundation of a Rule 1.6 compliance posture.
A data map is a living document. Every time the firm adds a new software tool, onboards a new vendor, changes its document management system, expands to a new practice area, or changes its data storage approach, the map should be updated. Annual review of the data map is a reasonable maintenance schedule, aligned with the annual review requirement for the incident response plan.
The initial completion of the data map satisfies the Recommendation 25-1 requirement. Maintaining it as a current document demonstrates an ongoing commitment to data governance that strengthens the firm's position with insurers, corporate clients, and the Bar over time.
First Step Technology LLC facilitates law firm data mapping surveys as part of the Recommendation 25-1 compliance engagement. The facilitated working session approach takes 90 minutes of firm time and produces a documented data map that satisfies the Bar requirement and supports FIPA compliance.
Schedule Your Data Mapping Session