Practice tips: Off-site data storage and security issues

by Dave Bilinsky, Practice Management Advisor

With the increasing emphasis on digital information in a law office and the “paperless” office becoming a reality, the need for reliable data backups is one of the issues facing lawyers and law firms. There are many methods of backup in use — tapes, CD-ROMs, DVDs, RAID arrays, external hard drives and the like. One method that is receiving increasing attention is online backup to a third-party host. This article examines potential issues that are unique to electronic storage via the Internet.

While the Law Society recommends using reputable third-party storage companies for paper files, I am uncomfortable advising lawyers to place their confidential electronic data in the hands of third-party providers, for a number of reasons.

Lawyers have a professional obligation to guard their clients’ confidences and confidential information. Confidential data ending up in the hands of unauthorized persons has implications for identity theft and fraud on the client. We have steadfastly advised lawyers who have suffered a theft of a computer containing client information that they should inform their clients that a possible loss of confidentiality has occurred and advise their clients to take appropriate steps in the circumstances. No lawyer wishes to have to notify clients that their confidential information may be in the hands of others.

Third-party, off-site providers of data storage and backup services do not share the professional obligation with regard to confidential information that lawyers are required to maintain. While third-party contractors face a breach of contract claim where the damages may be limited by contract, the damage to the lawyer’s reputation may be many times greater. A breach of this obligation has implications with regard to a lawyer’s professional record. A firm using an online backup service places more than just its data in the hands of this provider. Furthermore, unlike paper records, electronic data can be copied quickly and transmitted half a world away in the blink of an eye to a jurisdiction with a very different legal system.

A third-party, off-site data backup provider could become bankrupt, have a receiver appointed, or have its landlord seize its assets for unpaid rent. In these circumstances, the law firm faces not only the loss of its data, but potentially the loss of any claim of confidentiality over what is stored on the hard drives that have been seized. The prospect of a law firm going to court to try to regain possession of and to preserve confidentiality over hard drives in the hands of a third party is not a prospect that any of us would care to contemplate.

In a law office, cleaning staff and others could steal data, both in paper and electronic form. Equally, the same considerations apply to a third-party provider, except that in this case, the law firm has no control over the person or persons who have access to the computers or servers that store their data. Furthermore, as we know, hackers attack all types of websites and corporations; an online data backup service could be a magnet for those seeking confidential information. The Wall Street Journal recently reported:

Breaches of corporate computer security have reached epidemic proportions. So far this year, more than 270 organizations have lost sensitive information like customer credit-card or employee Social Security numbers — and those are just the ones that have disclosed such incidents publicly. While lost laptops and misplaced or misdirected files are partly to blame, many breaches have a more sinister culprit: the professional hacker.

If you are using an online backup service, at the very least, ensure the data is transmitted in a secure and encrypted manner to and from the third-party provider (VPN or SSL or similar protection). Furthermore, it is recommended that the data be stored on the third party’s systems in an encrypted manner, with only the law firm having the key to decrypt the data (not all backup services do this). The third-party provider should also be one that has an excellent reputation, is financially secure, maintains a high degree of physical and electronic security over its systems and whose employees have signed clear confidentiality agreements.

Lastly, the entire backup and restore system should be tested regularly to ensure the system does indeed work as it is designed to do. You do not want to suddenly realize that yes, your data is gone, since from that moment on, you’ll be cryiiiing.....
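The two recommendations above (store the data encrypted with a key only the firm holds, and test the restore regularly) can be combined in one routine. The following is an added example, not part of the original article or any provider's tooling; it assumes a POSIX shell, tar and OpenSSL 1.1.1 or later, and every function and file name in it is hypothetical.

```shell
# Added example: encrypt a backup locally before upload, then prove it restores.
# Assumptions: POSIX sh or bash, tar, find, sort, mktemp, OpenSSL 1.1.1+ (-pbkdf2).
# Caveat: "openssl enc" with CBC gives confidentiality only, no tamper detection;
# the manifest comparison below is what catches a corrupted or altered backup.

# Create a random key file that stays on the firm's own systems.
make_key() {  # $1 = key file path
  ( umask 077; openssl rand -base64 48 > "$1" )
}

# Archive a directory and encrypt it; only the .enc file goes to the provider.
encrypt_backup() {  # $1 = source dir, $2 = key file, $3 = output .enc file
  tar -C "$1" -cf - . |
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$2" -out "$3"
}

# Per-file SHA-256 manifest, sorted so two directory trees can be compared.
manifest() {  # $1 = directory
  ( cd "$1" && find . -type f -exec openssl dgst -sha256 -r {} \; | sort )
}

# Restore test: decrypt into a scratch directory and compare manifests.
# Returns 0 only if every file comes back byte-for-byte identical.
verify_restore() {  # $1 = source dir, $2 = key file, $3 = .enc file
  local scratch rc
  scratch=$(mktemp -d) || return 1
  if openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$2" -in "$3" |
       tar -C "$scratch" -xf - &&
     [ "$(manifest "$1")" = "$(manifest "$scratch")" ]; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"   # do not leave decrypted client data lying around
  return $rc
}
```

Run verify_restore against a copy downloaded from the provider, not the local .enc file, so the test covers the whole round trip.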

If you would like to discuss law firm data backup alternatives, contact Dave Bilinsky, Practice Management Advisor, or 605-605-5331.