All too often when the topic of backing up a firm’s data is broached, the discussion quickly devolves into a highly technical exchange focusing on backup hardware and software implementation. While these conversations as to how to implement a backup plan are important and necessary, I’ve found that the cart sometimes gets ahead of the horse when it comes to backups. First, you have to have a plan; only then can you implement it. So, here I’ll try to focus on the planning phase, which everyone can relate to no matter what level of technical expertise.
Quite simply, a backup plan is a form of self-insurance. It is a risk management and avoidance mechanism. It’s the process of making an electronic copy of your firm’s work product "in case" something should happen to the original.
None of these ideas will be really new or revolutionary, but the high rate of backup failure and data loss that I continue to see in the workplace means that there are still firms with inadequate backup plans that need to be revised. So, take a six-minute increment of nonbillable administrative time to review your own firm’s recovery plan, and see if there aren’t some ways to improve upon it.
A New Twist on an Old Concept
Law firms have been copying and safekeeping their work product and client secrets for centuries. In the earliest days of our profession, law firm data meant handwritten documents. Lawyers either wrote their own, or hired scriveners to write them out for them. Scriveners also wrote out any additional copies of a document. The advent of the typewriter ushered in the ability to use carbon paper to create the additional copies at the same time the original was being reduced to paper. However, it was the introduction of the photocopier that really began what has become the entrenched industry custom of redundantly duplicating volumes of work product. Photocopying made reproducing work product easy and cheap. So, why not make a few extra copies while we’re at the machine, just "in case?"
With the advent of computer use, law firms now have to determine how they will safeguard their digital information. This includes not only the traditional documents, but also new forms of information that are now received and stored exclusively in electronic format such as e-mail correspondence, accounting data, and calendaring information. All of this information needs to be digitally copied in some way so as to preserve it. In order to do this effectively, it is imperative that the data be copied from the place where it is originally stored, and placed on a separate piece of media.
Understanding Risks to Your Data
It isn’t a question of if you will lose data, only a question of when you will lose it, and what you will lose. And the first questions that will be asked when it happens are: When was the last backup? Where is it?
If insurance is a process of risk avoidance, and backups offer the equivalent of data insurance, then it is important to understand both the risks that your data is subject to and methods of avoiding those risks. Electronic data is subject to a wide variety of risks, some shared by traditional paper copies, but others unique to the medium. It is important to provide for all of these risks when designing a backup plan.
I advocate a two-pronged approach. On the one hand, you need to have a plan to recover from any kind of catastrophic, or total, loss of information. The second approach is to protect isolated elements of data from data loss. This can dramatically decrease the amount of time it takes to get the data restored and functioning. A good plan will cover both bases.
The proverbial hard drive "crash" is the first idea that most users think about when developing data backup plan. That’s fine, because hard drives are in fact machined parts. They will eventually fail like any other mechanical device. Other risks that are unique to electronic data include data corruption, accidental loss by the actions of users, or malevolent attack by outside sources such as viruses. These losses may be total and catastrophic or, more commonly, affect only some of your electronic data while leaving other elements intact.
Data is also subject to nonmechanical threats such as fire, flood, physical damage, or theft. In my experience, theft of the entire computer is a risk that is frequently underappreciated, and yet the most likely to happen. I’ve had more clients lose data due to theft of their computers than from failure of a hard drive. All too often, this has also been a situation where there was either no backup system at all, an existing backup system that was not working properly, or where the only form of backup involved copying information to a central "server." Well, if the server is stolen, so is the backup that was stored on it, including the backup tape that was still in it!
Frequency and Redundancy
How often should you backup? The answer is how much are you willing to lose? If you suffered a data loss today, how much of your work would you be able to recapture? For catastrophic backups I suggest a frequency schedule that includes: a daily backup, along with separate and distinct monthly backups, and a year-end backup. The daily backups need to be made separately for each day, and not overwrite each other until the following week. I’ve seen firms that only have one or two tapes/disks that they just keep overwriting every night. Well, it’s better than nothing, but it won’t get you too far if you don’t notice the problem for a couple of days. You will essentially have overwritten the "good" data with the bad.
In addition to catastrophic backups, you should make backups of your firm’s databases on a periodic basis. These separate periodic backups have really saved a firm’s bacon on more than one occasion. In these situations, the staff had made some additional database backups and stored them to Zip® drive, CD-ROM, or even locally on their hard drive, and we were able to restore from there. These separate copies are especially beneficial when they are made from within the software application that is designed to read it.
Making these types of separate backups allows you to spread the risk of backup failure, the digital equivalent of not putting all of your backup eggs in one basket. All too often a firm will dismiss the utility of making these additional backups with comments like, "Oh, we have a tape backup on our server—we don’t need to make any additional backups." Well, if one copy is good, wouldn’t five copies, stored on different media or in different locations, be even better? Why limit your options? Backup jobs themselves can, and do, fail for a variety of reasons, so lay away a few more backup eggs, just "in case." And then put them in all sorts of baskets: Zip® drives, CDRWs, tape, removable hard drives, NSAs, online backup repositories, e-mail yourself a copy, USB storage drives, etc., etc.
Casting a Broad Net
Don’t forget about data that isn’t stored on the server or central drive. The tendency is to store documents and major databases centrally on a single drive, and run the backups on that data. This is all sound theory, but don’t forget about items that are NOT stored there. For example, documents that are stored to a user's default "My Documents" folder, or e-mails, are typically stored locally on the workstation’s hard drive. If you’re only backing up the server, you won’t be preserving these items. One of my clients learned this the hard way when he suffered data loss on his workstation, and lost all of his e-mails from his son, a Navy fighter pilot during the Gulf War.
Ultimately, your firm is responsible for protecting its own information. This responsibility is subsumed in your ethical responsibility to safeguard your client’s secrets, and cannot be delegated to your IT professional without adequate supervision. Therefore, it is imperative that you have a firm understanding of where this information is, and how your firm is going to protect it, "just in case."
Nancy Duhon, Esq., is the owner of Duhon Technology Solutions, LLC. She has provided consulting advice for over 10 years to law firms using Timeslips®, Amicus Attorney®, and PCLaw®. She can be contacted by phone at 404-325-9779, or via e-mail at firstname.lastname@example.org.