Guide to Business Continuity for Legal Services: 8 Things Attorneys Must Consider
The cloud has made these processes faster, cheaper and easier to manage.
But what if something happens to all that valuable data? What if it’s encrypted by ransomware, destroyed in a fire or accidentally deleted?
Even if only a small portion of a single client’s files is wiped out, it would be a costly nightmare for any legal services company.
Now more than ever before, law firms need to take business continuity planning seriously if they want to avert a disaster.
1) Disasters happen all the time.
It’s not just the legal world.
Businesses in every industry are exposed to the risks of disaster. And some sectors are more vulnerable than others. Like any company, law firms need to be prepared for a wide range of events, such as:
· Natural disasters, including hurricanes, tornados, flooding, etc.
· Fire and subsequent water damage from firefighting efforts
· Cyberattacks, including ransomware, data theft, viruses, etc.
· Social engineering attacks, such as email phishing scams
· Data loss from hardware failure, application bugs, accidental deletion and other causes
· Extended work stoppage threats from terrorist attacks, transportation disruptions, etc.
These disasters are especially damaging for small businesses. The U.S. government estimates that roughly 40% of small firms never reopen their doors following a weather-related disaster—and that’s only one category of risk.
2) The evidence is everywhere.
In 2017, an attorney at a small law firm in Providence, Rhode Island, did something that he does every day: he opened an email attachment.
Except, this time, things went bad.
Opening the attachment unleashed a nasty ransomware infection that would derail the firm for months, costing it hundreds of thousands of dollars.
Within minutes, the infection knocked the firm’s network offline and froze its documents. The firm’s 10 attorneys and staff “were rendered essentially unproductive” – unable to access critical case files, emails or other data for three months.
The firm—Moses Afonso Ryan Ltd.—scrambled to pay the $25,000 ransom, but it didn’t work. The decryption keys were bogus. Eventually, the firm managed to contact the perpetrators and obtain keys that successfully restored most of the data—for an additional ransom payment.
But the real damage was already done. Three months of downtime cost the firm $700,000 in billings and led to a lawsuit with the firm’s insurers.
While most ransomware attacks on law firms go unreported, experts say attacks are now commonplace and lawyers aren’t taking them seriously enough.
3) Disaster recovery planning is essential.
Understandably, most attorneys are focused on their day-to-day work, rather than the firm’s vulnerability to unknown disasters. This is especially true for smaller practices, which don’t have the resources to hire somebody full-time to handle their law firm’s business continuity management and disaster recovery planning.
Still, this is critical work that needs to be done.
Every law firm should have a disaster recovery plan (DRP) that outlines the firm’s strategies for preventing and responding to disasters.
Two critical components of a law firm’s DRP:
· Risk assessment: Most attorneys will be well versed in the area of risk exposure – but not necessarily when it comes to their firm’s own exposure to disasters. Every firm must take the time to assess the specific disaster scenarios that could disrupt its operations.
· Impact analysis: Firms must prioritize their risks by analyzing how each of those disaster scenarios will negatively affect the firm. How long could operations be disrupted? How long would recovery take? At what cost? Specific calculations are needed here in order for law firms to gauge where to focus their DR planning.
4) Data is more valuable than ever.
It’s not just the physical offices and the paperwork that need to be safeguarded. It’s the data.
Today’s attorneys digitize virtually everything – and that’s a good thing. It enables them to access files from anywhere, improving productivity and collaboration with staff, while also reducing overhead. But that digitization comes with added risk. If something happens to the data, the loss can be devastating, not just for an individual case, but for the entire firm.
Even with paper backups, a single data-loss event can cost law firms tens of thousands of dollars. And if the loss causes extended downtime (as did the ransomware attack on the Providence law firm), those costs can skyrocket to anywhere from $10,000 to over $5 million, depending on the size of the firm.
5) Data loss can be a liability.
What if a loss of data has a negative effect on a client’s case? Could the firm be liable?
What if the loss exposes the firm to scrutiny or litigation from regulators or civil liberties groups?
In a 2011 report from the American Bar Association (ABA), entitled “Surviving a Disaster: A Lawyer’s Guide to Disaster Planning,” Stephen N. Zack writes:
“While the Model Rules of Professional Conduct do not specifically address this obligation [for business continuity in law firms], a small body of post-Katrina literature suggests that failure on the part of a lawyer to prepare for disasters could lead to violations of these rules, or even expose the lawyer to civil liability for failure to protect property and interests.”
5) Backups need to be faster, more frequent and more resilient.
Most legal services firms today are using some form of backup software to protect their data – but often not the right kind.
The days of nightly or weekly backups are long gone—they’re simply too risky. Even if you’re backing up data overnight, if the backup fails or the data is infected with ransomware just before the backup is performed, then you’ll lose an entire day’s worth of data. For most firms today, that loss would be catastrophic.
Attorneys need to be backing up their data constantly—as often as every hour or even every few minutes—without putting a strain on server resources.
But also, those backups need to be dependable. Older backup technologies are notorious for failure during the recovery process, due to instabilities within traditional incremental backup chains.
Firms need to reevaluate their systems to ensure backups can be quickly recovered without problem.
6) Cloud storage apps don’t cut it.
The proliferation of cloud-based file storage applications has led many law firms to believe that these apps are all they need for backup.
But the reality is, they’re not really intended for data backup at all. They’re primarily for file storage and sharing.
· Services like Google’s G Suite and Microsoft Office 365 can indeed make your firm more productive and efficient. But they won’t protect your files from common data loss events, including ransomware and accidental deletion.
· Additionally, if your entire IT infrastructure (computers, servers, apps, operating systems, network configurations, etc.) is locked up with ransomware, then your cloud apps probably won’t be very useful.
Attorneys need a dedicated data backup solution that protects their entire law firm IT infrastructure, so they can rapidly restore operations after a disruption.
7) Recovery needs to be instant. Virtualization makes it possible.
Imagine that 95% of your data has been lost in a fire.
Even if a backup survived, it could take days or even weeks to completely recover all your files, not to mention the critical applications that your law firm uses.
Most law firms simply can’t afford that kind of disruption.
For today’s legal services organizations, data recovery needs to be instant. And with backup virtualization, it is.
Backup virtualization on BC/DR systems like the Datto SIRIS allows you to regain access to your data within seconds. Even if your on-site infrastructure is destroyed, you can boot a backup in the cloud, enabling you to access all your data and your applications, virtually, on another device.
This is the kind of business continuity that today’s law firms must strive for if they want to avoid a catastrophe.
8) Set aggressive business continuity objectives. Reevaluate constantly.
Law firms need to approach business continuity with aggressive objectives for restoring operations after a disaster. And that’s only possible if an advanced data backup solution has been deployed.
For example, consider how quickly the firm needs to recover before a disaster causes unsustainable damage. 12 hours? 1 day? 1 week? Use the calculations from your impact analysis, as outlined above, to create this goal, which is otherwise known as your Recovery Time Objective (RTO). Then, use that objective as a guide to choosing a backup system that can meet those recovery needs.
The same goes for your Recovery Point Objective (RPO), which dictates a maximum age for your latest backup. So for example, an aggressive 15-minute RPO would ensure that you never lose more than 15 minutes of data when you need to restore a backup.
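To make the RPO concrete, and to show why the failed backup described earlier widens the exposure, here is an added example (not from the original article or from any backup vendor) that checks a backup job log against an RPO. The log format, sample entries and function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample job log (timestamp, status); not from any real backup product.
SAMPLE_LOG = """\
2024-03-04T09:00:00 OK
2024-03-04T09:15:00 OK
2024-03-04T09:30:00 FAILED
2024-03-04T09:45:00 FAILED
2024-03-04T10:00:00 OK
2024-03-04T10:15:00 OK
"""

def successful_backups(log_text):
    """Return sorted timestamps of jobs that completed successfully."""
    times = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, status = line.split()
        if status == "OK":  # failed jobs do not create a restore point
            times.append(datetime.fromisoformat(stamp))
    return sorted(times)

def exposure_windows(log_text, as_of):
    """Pair each restore point with the next one; the last pairs with `as_of`."""
    points = successful_backups(log_text)
    return [(s, e, e - s) for s, e in zip(points, points[1:] + [as_of])]

def rpo_violations(log_text, rpo, as_of):
    """Windows in which the newest restore point was older than the RPO."""
    windows = exposure_windows(log_text, as_of)
    if not windows:
        return [(None, as_of, None)]  # no restore point exists at all
    return [w for w in windows if w[2] > rpo]

def worst_case_loss(log_text, as_of):
    """Largest amount of work a restore could have lost, or None if no backups."""
    windows = exposure_windows(log_text, as_of)
    return max(w[2] for w in windows) if windows else None

if __name__ == "__main__":
    now = datetime(2024, 3, 4, 10, 20)
    for start, end, gap in rpo_violations(SAMPLE_LOG, timedelta(minutes=15), now):
        print(f"RPO exceeded: {start} -> {end} ({gap})")
```

Two consecutive failed jobs turn a 15-minute schedule into a 45-minute exposure window, which is why the check counts only successful jobs and also measures the time since the last one.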
Finally, it’s important to keep in mind that a law firm’s business continuity needs will evolve over time. The firm may need more data storage, greater protection from malware, off-site backup redundancy and so on. This is why it’s important to reevaluate your disaster recovery planning throughout the year and make sure that your IT deployments remain in line with your objectives.