The COVID-19 pandemic has turned the word "unprecedented" into a popular term used amongst households and organizations. Many lawyers are familiar with this term as it is widely used throughout the legal industry. But if there is anything that the past year has taught us, it is that no one is truly protected from an "unprecedented" event striking, and you should prepare at all costs.
There is a stark difference between the firm that takes a proactive approach to maintaining its infrastructure, security and disaster recovery plan and the firm that believes it can cope on its own when something goes wrong. How you react and adapt to adverse events can mean the difference between resuming operations calmly with a business continuity plan in place or leaving your clients in the dark. An unprepared firm puts its lawyers, staff, clients, and valuable data at risk.
Legal Ethics in a Digital World
Maintaining a highly secure network that prevents breaches, whether malicious or accidental, is a must. The Canadian Bar Association and the CBA Ethics and Professional Responsibility Committee ask specific questions that every law firm should consider when building its security and disaster recovery plan, such as:
- Is your data backed up?
- Do you use encryption where appropriate?
- Is there an incident response plan in place in your firm?
- Are you using firewalls and intrusion detection software appropriately?
- Is your use of public cloud computing resources interfering with client confidentiality?
The complete guidelines are available from the Canadian Bar Association.
Preparing for a potential disaster can safeguard your law firm and client data while supporting your ethical obligations.
Steps to Creating an Effective Disaster Recovery Plan
An effective strategy is an ongoing process and requires multiple stakeholders within the firm to consider your resources, such as your systems, services, suppliers, lawyers, clients, and staff safety, as well as your communications plan. The overall aim is to create a plan to recover your firm's data, support lawyers and staff, and protect your clients' data at all costs.
Step 1: Conduct a Risk Assessment
The risk assessment should include a complete inventory of your firm's hardware and client files. Consider how that hardware and those files would be affected if a natural disaster or cyberattack occurred, and rate each risk's impact on a scale of "low to high." Consider what would happen if several client files were destroyed or if an employee made a clerical error: what is the impact on the firm and your stakeholders?
Most importantly, consider the ways you can mitigate each risk, for example by moving files, applications, and other vital documents to a secure cloud-based server. Doing so would significantly reduce the impact of an incident affecting your on-premises storage, along with the costs of replacing files and servers and repairing damage to your brand and reputation.
Step 2: Define Your Recovery Time and Objectives
Depending on the size and pace of your day-to-day business, you should determine how long your firm can operate without being "online." Consider how your firm would react if it could not access specific research files or attend to a time-sensitive matter.
- The Recovery Time Objective (RTO) is the duration of time, and the service level, within which a business process must be restored after a disaster to avoid unacceptable consequences associated with a break in continuity.
- The Recovery Point Objective (RPO) is the age of files that must be recovered from backup storage for normal operations to resume if a computer, system, or network goes down because of a hardware, program, or communications failure. For example, if the RPO is one hour, backups must be made at least once per hour.
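The RPO and RTO figures only mean something if the backup schedule actually honours them. The following check, added here as an example and not part of the original article, takes a constructed backup log and a simulated incident and reports the data-loss window, whether the schedule as run ever exceeded the RPO (the "at least once per hour" rule above), and whether a measured restore fits the RTO; all timestamps, durations and objective values are assumed sample data.

```python
"""RPO/RTO compliance check over a constructed backup log (added example)."""
from datetime import datetime, timedelta

# Objectives chosen in the firm's plan (assumed values for this example).
RPO = timedelta(hours=1)
RTO = timedelta(hours=4)

# Constructed backup log: times at which each backup finished successfully.
BACKUP_LOG = [
    datetime(2021, 3, 15, 8, 0),
    datetime(2021, 3, 15, 9, 0),
    datetime(2021, 3, 15, 10, 0),
    datetime(2021, 3, 15, 12, 30),  # the 11:00 run was skipped (constructed)
]

# Simulated incident and measured restore time (constructed values).
INCIDENT_AT = datetime(2021, 3, 15, 12, 0)
RESTORE_DURATION = timedelta(hours=3)


def max_backup_gap(log):
    """Largest interval between consecutive backups: the worst-case data loss
    the schedule really delivers, regardless of the RPO written in the plan."""
    times = sorted(log)
    return max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))


def data_loss_window(log, incident_at):
    """Age of the newest backup taken before the incident, i.e. what is lost."""
    usable = [t for t in log if t <= incident_at]
    if not usable:
        return None  # no backup predates the incident: nothing to restore from
    return incident_at - max(usable)


def assess(log, incident_at, restore_duration, rpo=RPO, rto=RTO):
    """Summarise RPO/RTO compliance for one simulated incident."""
    loss = data_loss_window(log, incident_at)
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,      # this incident
        "schedule_rpo_met": max_backup_gap(log) <= rpo,   # schedule as run
        "rto_met": restore_duration <= rto,
    }


if __name__ == "__main__":
    print(assess(BACKUP_LOG, INCIDENT_AT, RESTORE_DURATION))
```

With the sample log the incident at 12:00 loses two hours of work against a one-hour RPO, and the skipped 11:00 run is what the schedule check flags.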
Step 3: Find Tools That Will Help You Succeed
To have an effective disaster recovery plan, you need to identify tools, resources, and procedures that support your objectives. Often this requires external support, such as a cloud provider. Consider how often you need to back up your data, where those backups are stored, and how your current backup plan measures up against your objectives.
As legal technology progresses, automation has come into play. Consider whether you can use automation to reduce human error and increase productivity across your team and the firm.
Cloud platforms and managed security providers (MSPs) have invested in the tools and technology to support your business while reducing your costs.
Step 4: Identify a Service Provider and Review SLAs (Service Level Agreements)
If a disaster were to occur, your firm should be able to reach someone as soon as possible to ensure that your data becomes accessible again as quickly as possible. Many large cloud providers do not assign a dedicated account manager to your business, so much of the responsibility for managing recovery lies with your own organization.
Identify a service provider with a quick response time who will be able to help you in an emergency.
Review the service level agreement with your vendor carefully, as this is where the vendor commits to what happens in an emergency, how quickly it will respond, and how long it will take to recover your data after a disaster.
Step 5: Document and Share Your Plan
Be Proactive and Plan Ahead
With the digital world accelerating faster than ever, it is integral to safeguard your firm from internal and external threats such as human error, malicious attacks, or even natural disasters or a global pandemic. How your firm responds to such matters will determine your future. It is in everyone's best interest to safeguard the firm and clients with a disaster recovery plan.
"To achieve great things, two things are needed; a plan, and not quite enough time." - Leonard Bernstein.