The importance of backing up law firms’ data cannot be overstated. Law firms have always been extremely reliant on their data. In the past, though, firms’ most important data was in physical form. Cabinets full of client files meant that as difficult as it might have been to find a particular bit of information, that information was available absent fire, flood, or theft. With the advent of the information age, however, most of law firms’ critical data is now saved in the ones and zeros of their computer systems. While undoubtedly convenient and easier to copy, this data can be lost in an instant, destroying a firm in the time it takes to register the error message on one’s screen.
Fortunately, data is also relatively easy to protect; many options are available to a firm wanting to back up its data. However, this also means that formulating a plan to protect one’s data can be daunting; it is difficult to know how and where to start. The uniqueness of every firm’s needs means that it is impossible to create a template that would suit everyone. However, let’s start with understanding how backups work and the types of backup options available to protect law firm data.
Backups 101: Types of Backups
The IT field has a dizzying array of acronyms and esoteric technical terms it bandies about when discussing data backups. Despite this, the vast majority of backup solutions fall into one of three general categories: offline backups, snapshots, and fault tolerance.
Chad D. Post, Temple 2017, is a Wisconsin attorney currently working in Washington, D.C. He previously worked as a system information technology engineer and cybersecurity expert in conflict zones around the world for various Department of Defense contracting companies. He is also interested in veteran’s law, privacy law, cyberlaw, and quixotic tilting at windmills.
Offline Backups. Offline backups are static copies taken of data at a particular point in time. For example, an offline backup taken of an attorney’s laptop on the first of the month would reflect the contents of that laptop as of the first of the month. Any changes made to the data on the laptop after the first of the month would not be available in the offline backup.
The primary advantage to using off-line backups is that they’re protected against later changes to or interference with the data. For example, if a law firm is victimized by ransomware, data in an offline backup can be used to restore the law firm’s data, albeit only to the point at which the last offline backup was created. Additionally, offline backups can be used to recover deleted data, though data that is both created and deleted between offline backups will be lost. While offline backup strategies vary somewhat, an article by the late Ross Kodner does an excellent job of explaining how one might go about crafting an offline backup schedule.1
Snapshots. Snapshots create backup copies of data at regular intervals, saving the copies to an accessible location so the firm can retrieve the data as necessary. When data is changed or deleted, the firm can go back to a previous version of that data to retrieve a previous copy. Most snapshot solutions have multiple versions of a particular piece of data, too. What this means is that if there have been multiple changes to the data, a law firm can retrieve a version that is a few iterations old.
Snapshots are great for recovering data that has been accidentally deleted or changed, but they’re hardly a full solution, for three reasons:
Most snapshot solutions remove old copies of data as they need space to save new copies, limiting how far back one can go.
Snapshots stored on the same hard drive as the data are lost if the hard drive fails.
Any malware or ransomware that affects the data is likely to affect the other snapshots as well, rendering them useless or unavailable.
Fault Tolerance. Technically, fault tolerance is not a backup solution but a means of protecting data from loss by having duplicate copies of all data in at least two places. “Places,” though, is a flexible term. Some fault-tolerant backup solutions may represent identical copies on a single system that reside on separate hard drives, while other solutions may take advantage of geographically dispersed systems that mirror each other’s data from afar. Fault-tolerant solutions are primarily meant to protect against data loss if a particular piece of hardware fails. When geographically dispersed, fault-tolerant solutions can also protect a firm against natural disasters.
The near instantaneous replication of data means that a loss of one side of the fault-tolerant set would not leave the firm without data because a perfect copy of that data would still exist on the other side of that set. However, this strength is also, in certain scenarios, a disadvantage. Deleting files also happens instantaneously, so a deletion on half of the set would also result in a deletion on the other half. Additionally, any malware or ransomware present on the fault-tolerant backup solution would be copied to the entire set, making fault tolerance a poor choice for recovery in these scenarios.
Planning a Backup Solution
A good backup solution must examine the data to be protected, determine how important it is to the organization or individual owner, and apply an appropriate backup solution for each set of data. This means that a good backup solution must be tailored. The following high-level questions are one example of how a firm might go about gathering the information necessary to craft a well-designed backup strategy.
Which data must be protected? Before a law firm can begin to plan its backup solution, it must know what it needs to protect. Protecting client data obviously is crucial, but the firm should also make note of other types of data it uses in its day-to-day operations, such as email messages, financial information, and administrative records.
How important is each data set? After identifying its data, the firm should decide how important each type of data it has is by examining how difficult it would be for the firm to recover if the data were lost. Would the firm be able to function if the data were lost? If so, what liability might the firm be subject to if it could not recover the data? Answering these questions helps a firm decide how much time and money to spend on protecting that data.
How often does the data set change? Some data changes relatively often (for example, active client files and financial ledgers), whereas other data rarely, if ever, changes (for example, old client files and lease information). Data that changes often requires more frequent backups, and archival or static data can be archived less often.
How quickly would the firm need to restore the data set? Law firms should evaluate how often they need to access certain collections of data in their day-to-day operations because the data needed most often should be backed up using solutions that allow rapid recovery. Data that is needed less often, while still important, may be backed up in ways that do not require near immediate recovery.
Are there laws on retention, encryption, and storage that must be considered? In designing a backup solution, law firms should be aware of the laws that apply to that data. Data retention standards will necessarily frame a firm’s backup solution, because any solution implemented will have to take into account how long particular types of data must be retained.
Does the firm self-manage or outsource backups? There are two primary ways to handle backing up data. Either a firm manages its own backups or it pays someone else to manage the backups. Choosing whether to self-manage or outsource does not have to be all or nothing, though. For example, a firm may want to have client-file backups managed by an external company with liability insurance, while it may choose to back up individual computers itself.
Should the firm use local backups or cloud backups? The short answer is “it depends.”2 The cloud, in essence, is a collection of someone else’s computer systems, which customers use to store their data in an arguably secure and protected medium. Although cloud backups absolutely have their place, I caution law firms against relying on cloud backups as their only backup solution for critical files.
With some exceptions,3 cloud storage providers generally have the ability to access the information stored on their servers. Additionally, law firms that store their critical files with a cloud provider must trust that access to those files will not be lost. If a cloud provider decides that a law firm violated its terms of service, the provider goes out of business, or the provider is shut down by the government,4 the firm’s data might be lost. As such, cloud-based backup solutions should be seen as one facet of a good backup strategy.
Backups: Tips of the Trade
I regret that there is no one-size-fits-all solution that can be applied across the board. There are, however, some general principles that might make planning and managing your backup strategy easier.
1) Important files should be centralized. Small firms often make the mistake of storing their important data on individual workstations. While undoubtedly convenient, doing so is a terrible idea from the perspective of data protection. Storing data on a workstation means, as a rule, that the data will be lost if the workstation itself is compromised. While it is possible to create a backup solution that encompasses individual workstations, it is easier by far to manage backups if those files are stored in one location … backed up, of course, following best practices.
2) You don’t have to back up everything. Look, I get it. Some guy writes an article telling you that if you lose your data, your law firm is doomed and you want to make sure that you back up everything. The reality is that your firm probably has sets of data that, if lost, you would not lose sleep over. While determining which data you don’t need to save is best left to your judgment, doing so will allow you to avoid unnecessary expense and complication.
3) Trust no single provider completely, including yourself. A good backup strategy is diverse in both the types of backups and the providers used to create those backups. Using one provider might be convenient, but a catastrophic failure on the provider’s side might undermine an entire backup solution. Or a customer might find itself at odds with its provider, resulting in backups held hostage while customer and provider attempt to craft a solution.
4) Yes, back up email, too. Just about everyone is using web-based email solutions these days. These services are undoubtedly convenient, but they are not free of risks. Imagine, for instance, that a hacker gets into your business account and deletes all email messages.5 If you lack a backup copy, you’re not likely to be able to recover the email messages.
Implementing a well-crafted backup strategy might be the difference between a law firm’s success and failure. While the technical details of their implementation may best be left to the IT professionals, understanding the principles behind backups, the different backup types, and how to approach classification of a firm’s data allows the firm to communicate its needs and expectations effectively. Doing so ensures that the solutions ultimately selected will offer the protection necessary to ensure many years of successful practice.
If you have questions about backup solutions or would like more information on the more technical side of the process, feel free to contact me; my inbox is always open. You are welcome to email me at my properly backed up email account at email@example.com.
Meet Our Contributors
How has your career surprised you?
My career has been full of interesting detours and side quests, so I suppose that the most surprising thing about my career is that it remains viable despite what some might frame as a concerted effort (on my part) to make the sum total of my experience too strange to explain on a resumé.
I work in two distinct fields, move to new places more often than most people seem to vacation, and have now taken two extended leaves of absence from my work life to pursue degrees. I’m grateful that there are those out there who see my rather eclectic collection of experience, talents, and history and believe it to be a net positive!
Chad D. Post, Washington, D.C.
Become a contributor! Are you working on an interesting case? Have a practice tip to share? There are several ways to contribute to Wisconsin Lawyer. To discuss a topic idea, contact Managing Editor Karlé Lester at (800) 444-9404, ext. 6127, or email firstname.lastname@example.org. Check out our writing and submission guidelines.
1 See Ross Kodner, Saving Your Practice: Backup That Works, Wis. Law., April 2009.
2 For more on cloud storage and cloud backups.
3 See Chad D. Post, End to End Encryption: Is It Right For You?, Wis. Law., June 2020.
4 See Sebastian Anthony, Megaupload’s Demise: What Happens to Your Files When a Cloud Service Dies?, ExtremeTech (Jan. 20, 2012).
5 Or imagine that you’re the author and you are overly aggressive with the delete key when clearing your inbox. Sorry, editor! [Editor: It’s okay, author. My “sent” box is backed up, too.]