Are You Playing Russian Roulette with Your Law Firm's Data

You're Going to Lose

August 20, 2018 by Margo Maggio, Vice President of Strategic Practices

With a recent downgrade to the 2018 hurricane season, many law firms up and down the East Coast are breathing a little easier. However, some are mistakenly taking their foot off the proverbial DR/BC (disaster recovery/business continuity) preparation pedal. Not all law firms are based on the East Coast, nor are they all concerned about a hurricane, but all firms should at a bare minimum have a basic understanding of disaster recovery and have a proven plan in place should a worst-case scenario occur.

Whether it is a natural disaster, a data breach, a disruption to your supply chain, or even an unplanned IT or utility outage, the firm has to keep running. This is where solid business continuity planning comes into play. However, we still have challenges, as a lot of firms across the U.S. treat business continuity and disaster recovery as interchangeable. There is a key difference: disaster recovery is a core component of any business continuity plan.

A business continuity plan provides a framework for how operations can continue to function effectively after an incident or disaster causes your firm a dramatic loss of resources. The Business Continuity Institute states that an effective BC plan typically involves:

  • Identify potential risks proactively
  • Determine risks and how they will affect operations
  • Implement stopgaps and procedures for combating those risks
  • Test those procedures to ensure their effectiveness
  • Review and audit the process to make sure it’s kept current

Disaster recovery is simply a combination of procedures and policies that aid in the continuation of vital services to the firm. Critical to this planning is level-setting your firm’s expectations based on your business requirements. Those are communicated via your recovery point objective (RPO) and your recovery time objective (RTO).

[Figure: Recovery Objectives Spectrum]

RTO is the target you determine for how long it takes to recover your systems and firm activity after the disaster or incident occurs. You leverage this to reverse engineer what plans or preparations you need to execute, as well as the relative budget for the continuity of your firm’s systems. If your firm can wait for long periods for systems to be restored, the budget can be relatively low. Real-time access to data after an outage takes substantially more effort, planning and time, as you would imagine.

RPO refers to your firm’s acceptance level for data loss. RPO addresses the time between data backups and the data that could be lost between your firm’s scheduled backups. If the culture of your firm can handle rewriting a document that was lost between backups, then you can set your RPO with longer gaps. This becomes a key question for key members of the firm: how long can your attorneys survive between backups, and how much data can feasibly be lost? These are very important metrics that need to be decided when planning for the inevitable.

In addition to tolerance levels, your firm also needs to understand data recovery strategies and determine which solution is best for your firm. Do you back up to tape, disk, or drive, or store your backup in the cloud? Many firms are choosing a combination of cloud backup with other solutions for additional security, which gives them the ability to restore systems without a physical location. There are several options to choose from, but it’s important to note that cloud backup is definitely rising in popularity and becoming a standard in the legal industry.

This is all solid terminology for any firm to be cognizant of, and I would also recommend the following steps for your business continuity planning:

  • Business Impact Analysis
  • Define BC plan scope
  • Identify key business areas within each Practice
  • Identify and prioritize critical functions
  • Determine dependencies between the business functions
  • Determine acceptable downtime for each critical function
  • Create a plan to maintain operations
  • Train, Test & Re-evaluate the plan regularly

With solid preparation and planning you should be able to retain the systems you need, when you need them, and quickly get back to the practice of law following a disaster – natural or man-made.