Business Continuity and Disaster Recovery for Law Firms
Attorneys are trained to see what others don’t see and to protect their clients from unforeseen disasters. However, this foresight and protection must extend beyond legal representation. A firm must understand the importance of protecting its clients’ data. With ransomware and numerous data breaches making headlines every day, a well-thought-out Business Continuity and Disaster Recovery (BCDR) Plan can set your firm apart.
Disasters affecting your firm’s data protection and business continuity are always knocking at the door. For all businesses, but especially for law firms, which rely heavily on data, the loss or inaccessibility of that data can cause serious monetary and reputational damage to a firm and its clients. In fact, it has been estimated that each hour of downtime can cost a firm $60,000 in billable opportunities. What makes this scarier is that attacks, such as ransomware, can start with an attorney simply clicking on the wrong link while doing research on the internet. The right tools can detect most of these, but well-trained employees can help reduce these incursions.
In today’s digital age, the ever-growing amounts of data, reliance on remote operations such as email, case management software, and billing, and stricter data compliance requirements have created an enormous need for better storage, backup, and disaster recovery solutions. This need has been exacerbated by the fact that a firm’s business operations can be easily disrupted by cyber-attacks, natural disasters or something as simple as employee negligence. More importantly, law firms are extremely vulnerable because they deal with very sensitive client data.
The good news is that a BCDR plan, along with the proper tools, practice and training, can help a firm to secure its data and stay up and running no matter what comes its way. Such a plan can go a long way in helping a firm to protect its data from being stolen, lost or erased, and to make that data available and accessible anywhere, anytime, and from any device. Furthermore, a good BCDR plan must be backed by the right technology. But even more important than the right technology is the proper training of people to test and execute the plan. Any investment in good technology will be all for naught if a good plan is not designed and executed by well-trained employees. Last, but not least, a proper BCDR plan will also help firms to meet compliance and ethical requirements.
Any good BCDR plan should include the following:
1. Select a team and assign responsibilities. Create a team with determined roles and responsibilities. This team should have a clear set of priorities to follow in order to get the firm’s technology up and running, have a data backup and recovery system in place, and frequently test and maintain that technology. This process should include getting through a disaster, assessing damages (both via physical and remote access), contacting clients, and resuming business.
2. Accountability. The plan must account for security, staff, systems, services, supplies, and business continuance.
3. Inventory. An inventory should be conducted to know what the firm has on hand, including software, hardware, client files, location of files and data, and service level agreements with technology solutions providers. Something as simple as having an information management service ship your physical documents for an ongoing case can go a long way in your firm’s business continuity.
4. Risk Assessment and Analysis. The team should conduct a risk assessment to identify critical services, systems and data, define the firm’s recovery objectives, and identify tools, techniques and procedures that support those recovery objectives. Any weaknesses found should be addressed as soon as possible. In addition, the team should be able to answer questions such as: What are the contingency plans when dealing with ongoing cases? Are we willing to relocate those critical resources? If those resources are relocated temporarily, will they be able to continue to do the day-to-day tasks?
5. Data Protection Technologies. Data protection technologies in the backend, such as SAN/NAS snapshots and backup technology, can help protect your firm and minimize data loss, cyber-attacks and downtime. They work in conjunction with your frontend technologies such as antivirus scanning, malware scanning, and intrusion protection systems. In the event of a system failure, ransomware attack or natural disaster, the safety of your clients’ data, case files and all of the firm’s data is at risk. However, a comprehensive and dependable backup system can minimize loss and ensure that your firm stays up and running and that you will be able to fully restore your data without any losses in the event one of the above occurs. Once the right tools are deployed, the team begins its process of frequent snapshots and backups to minimize the loss of new data.
6. Determine how to handle sensitive information. The team must create procedures on how to handle sensitive information such as clients’ personal, private information, employee data, financial records and sensitive business data.
7. Stay Current. Review and update this plan every year. Keep the systems updated and maintained. Hackers attack software that is vulnerable. Not patching your systems, especially if they are hosted with a cloud provider on the internet, allows hackers to attack your cloud infrastructure. For example, a popular NAS manufacturer allowed hackers to find a vulnerability allowing them to encrypt customers’ data in the cloud because of an unpatched cloud application that copied data from the local site to the cloud. Systems that are exposed to the internet have to be updated and patched frequently. Make sure you have tests done on these systems. For those in the cloud, although you are not managing the infrastructure, the protection of your data is still up to you and the organization, not the cloud provider. In fact, if you review your provider contract carefully you will realize that you are responsible for the protection of the data. Therefore, make sure you are using your cloud provider’s snapshots and backing up your cloud data.
Although there is never a foolproof method of preventing or protecting your firm from unexpected disasters, taking the time and making the investment to implement a data-backup and disaster-avoidance plan will ultimately save your firm money, increase customer satisfaction and loyalty, and assure your firm is meeting all of its compliance and ethical obligations. With that being said, putting this plan and team together, as well as selecting and deploying the right tools, seems like a daunting task. But it does not have to be. The dedicated team of technologists at Pro Logic Systems can help your firm to design a plan that’s right for you and guide you on this journey. If you would like to learn about how we can help, feel free to reach out to Pro Logic Systems at firstname.lastname@example.org to speak with our engineers and industry experts.
Written by: Yohan Gomez & Amiel Lee Yee