Data Back-ups and Due Care
Let’s talk about safeguarding client files and how advancements in technology are changing what due care means.
First off, let’s not be unreasonable, we, as lawyers, don’t have an obligation to incorporate every single emerging technology into our practices. That’d be overwhelming, and likely wouldn’t be financially beneficial to anyone – certainly not our clients. However, no matter how much a Luddite we dream of being (Smash the Typewriters!), not only do we have a duty to maintain a certain level of competency in relevant technologies, but, more importantly, advancements in technology tend to change the standards of care related to our ethical obligations.
Safeguarding Client Files
Once upon a time, we merely worried about the safekeeping of client files in a specific, known, physical location. And even then, we only needed to take reasonable precautions. Not everything had to be fire-proof or water-proof. Today, however, we live in a land were digitization of paper-based information is commonplace and inexpensive and the concept of an “original document” is more malleable. What is “reasonable under the circumstances” is changing. When all we need is a scanner, Adobe Acrobat, and sufficient memory to back-up our client data in multiple locations, it starts to look pretty reasonable to do just that.
Now, I’m not saying that attorneys suddenly have a specific duty to digitize their files and cast them off to far flung data-centers if they don’t want to (it’s just the only workable way that I have found). But I am saying that since that option is so common, and can be done so safely, in order to be acting within the appropriate standard of care, one needs to do something equivalent. Maybe an attorney wants to keep physical copies of each file in a secondary off-site location that’s updated every day. Or maybe he or she wants to . . . well, that’s pretty much the other option. And, although I find it ridiculous, it would probably be a sufficient safeguard of client files – an expensive safeguard, but sufficient none-the-less.
Don’t get me wrong, I’m not arguing that you have an ethical obligation to go paperless at this time. I understand the tendency to want physical copies of your client files on location and in your hands. And I understand that many lawyers’ operational systems rely on the maintenance of physical files. I do, however, think it’s faster, more efficient, better for the environment, and allows you to practice more remotely. But hey, you do you. And, frankly, once everything is scanned for data back-up purposes, why not go paperless?
But even without going fully paperless in our practices, we have an obligation to back-up client files (and possibly other relevant data) in order to safeguard them. And currently, at least in Tennessee, we have an obligation to keep them for a minimum of five years (I can see this changing as it becomes easier to keep files for a longer period).
The simplest way to do this is by scanning our files and then copying them to another computer (or server) located somewhere separate from the office. That way when (yes, “when”) disaster destroys our local files, it is highly likely that our scanned back-up files were not affected by the same problem. We would simply retrieve our files from the back-up location and go on as if nothing had happened (obviously it’s a bit more technical than that, but that’s the basic idea).
All of this, obviously, is easier said than done. But, it is also necessary in order for us to maintain our ethical standards. So why are we slow to implement this technology?
In my experience, lawyers shy away from bringing new technology into their practices for two very valid reasons: 1) organizational inertia, and 2) due caution. It takes effort and understanding to set up our operations with multiple fail-safes, and it takes time and experience to feel comfortable with those processes. Changing them overnight is not an option. And changing them without having a good grasp of what safeguards need to be in place in our new processes is foolish.
I don’t expect this article to make you completely comfortable with the digitization and back-up process. But it’s a place to start. In the near future, we’ll bring in subject matter experts to talk about these issues in more detail, but for now, let’s talk about some of our valid fears in implementing this process.
There are three broad concerns in the implementation of a data back-up system:
- the security of our client files,
- the operational efficiency of backing up those files, and
- the effectiveness and speed of the retrieval processes.
Obviously, we can’t just copy our client files anywhere and everywhere and put them out there for the whole world to see. Although we’d probably never lose them, we wouldn’t really be keeping the files safe, would we? Additionally, we can’t simply create a system that’s so burdensome and unworkable that we’d struggle to make money while charging our clients reasonable fees. What good is helping our clients today if we won’t be around tomorrow? And, lastly, if we can’t retrieve the data, what was all the effort for?
While, there are obviously more specific concerns in implementation than the three broad ones above, including what sort of scanner to use, and choice of appropriate software, those questions are outside the scope of this article and are generally very user specific.
Security of your data takes two forms:
- Restricting access to the data by unauthorized users, and
- Protecting the substance of the data if a user breach occurs (i.e. encrypting the data).
And it exists in two places:
- At rest (on your computer or server), and
- In transit (travelling along the infrastructure).
Which means that we should restrict access to and encrypt our data when it is sitting quietly on our server or computer, and we should restrict access to it and encrypt it when it is moving between two locations.
These are the ideas you need to keep in mind when deciding on a back-up service provider. Is the information protected as it is travelling to the provider, and is it protected while it sits there on their servers? Remember the Equifax breach? (Yeah, I’m not letting that one go) One of the most egregious problems there, was that the information, which was accessible by unauthorized users, was sitting there in plain text, just waiting to be read.
Obviously, the level of encryption and the specifics on unauthorized access are a concern. We’ll have more on that later.
But who has the time to think about this every night?
I remember when we used to back up our data to CD-ROMs every night. Someone would have to sit there and transfer all of the data to the CD-ROM drive, and then wait there until it was copied and properly written.
I guess you could still do it that way (although you likely wouldn’t be using a CD), but there is no reason to waste that kind of time. Just like Ronco Rotisserie chicken, you should just set it and forget it.
Whether you are creating daily back-ups to an on-location external hard-drive, or managing synchronization between your local server and your remote back-up location, you should be able to automate the process so you can be backing up in real-time, yet no one needs to take any action to make that happen.
If you don’t know how to do this, or you are unsure as to whether you are doing it right, ask your provider for help. Properly automating this process is important. You should take the time to do it right. It will save you time and money in the end.
Here’s the part that people forget about. Backing up your information won’t help you at all unless you can access that backup in a timely manner. Furthermore, finding out that you made a mistake in the set-up is not very helpful AFTER your local data is corrupt.
Instill and enforce retrieval protocol.
At least once-a-month, you should be running dry-runs to check on the status of your backed-up data, and you confirm that:
- it is not corrupt,
- you have all the data you need for your organization, and
- you are able to actually access that data in a timely manner.
Talk to your back-up service provider about this, but my suggestion is that you designate a specific person to be responsible for these dry-runs, and they should cultivate a relationship with all of the necessary players in your retrieval process.
We, as attorneys, do not need to incorporate every single advancement in technology into our practices in order to run efficiently and securely. However, as we are forced by our ethical obligations to change our operations, we should be wary of getting caught reacting to necessary changes instead of planning for them. It is time to plan to go completely digital in your practice. Backing up your client files is a good place to start.