Data Backup Basics for Pennsylvania Lawyers
With the recent massive flooding, a hurricane, and an earthquake in Pennsylvania, lawyers may be re-evaluating data backup plans (you DO have a current data backup plan). This article provides basic information for creating backups for solo or small law firms.
Basic Backup Planning
A data backup creates a copy of the electronic files on your computer.[FN1] Backups are important (essential) to protect client files and to protect the continuity of your business operations should a disaster occur. Yes, backups take time. Yes, discipline is necessary to make sure backups are regularly run. Yes, errors will occur. But overall, regular backups are simply good practice and good business.
A basic backup plan would consist of two parts: (1) the local backup and (2) an off-site backup. Why two parts (isn’t making one backup enough?)? The two-part, optimal backup plan protects the law firm by providing quick access (the local backup) to lost data and an off-site disaster recovery option should the local site become inaccessible. Paranoia? No; reasonableness under the circumstances.
Local backups consist of two parts: (1) the backup software program and (2) the backup media.
First, the backup software manages the backup process. I have written previously on the challenges of selecting good backup software. Good backup software should at minimum:
- allow you to specify which files and directories are backed up (and save this configuration);
- encrypt the backup on-the-fly using real encryption methods; and
- work with a wide variety of backup media.
Read A Basic Computer Data Backup Option for Solo or Small-firm Attorneys: Areca Review for more information on what to look for in backup software. Areca certainly is not the only backup solution. However, lawyers should be very careful when selecting backup software—e.g., many external hard drives now include what-I-call “garbage-ware” backup programs (too basic for law office use) that might NOT be licensed for business use and some do not provide strong encryption of the backup data despite the general marketing claims (not all encryption is the same).
Backup media includes external (USB or eSATA) hard drive, DVD, CD, flash drive, or tape drive formats. Currently, external hard drives are probably the most cost-effective and efficient for the small or solo law firm. DVD and CD backups might be appropriate for longer term archiving. Larger capacity flash (thumb) drives might also be an option, but backup sets can quickly exceed today’s reasonably-priced flash drive capacities. Tape drives are still an option if standalone servers are used in the firm but are less practical if the firm primarily uses laptops or desktops. With laptops or basic desktops, attaching the tape drive becomes an issue. In a server environment, tape drives may be more practical because the tape drive can be permanently installed.
Offsite backups may be in two forms: (1) rotating a physical local backup in offsite storage or (2) cloud computing data backups. The latter, ONLY if done properly, is currently preferred.
First, traditionally, a business might buy 20 or so tapes and rotate the tapes offsite. Someone would be tasked with carrying the tape offsite and retrieving the old tape. The tape might be stored at a bank or at a secured storage repository (or sometimes just at the system administrator’s home). Similar methods, albeit perhaps with fewer drives, might apply to external hard drives. Cumbersome but workable.
Today, cloud computing based backups (storage-as-a-service or STaaS) obviate the need to coordinate the offsite storage. Rather than physically transporting drives or tapes offsite, the firm backs up its encrypted data using a secured internet connection. I strongly emphasize the specifics in the latter sentence. In lawyer-analysis-terms, cloud computing backups are an option if (1) the data is encrypted prior to backup, (2) using the lawyer’s key, and (3) transmitted securely to the remote, cloud computing service. See my prior articles Navigating the Fog of Cloud Computing: An Unofficial Supplement to The Pennsylvania Lawyer Article (summary links), Navigating the Fog of Cloud Computing, and especially Cloud Computing: Who Holds the Encryption Keys? [And Why It May Matter to Lawyers]. Major providers that pre-encrypt the data using the lawyer’s encryption key include, for example, SpiderOak, Nasuni, CommVault, and CoreVault. (Dropbox does NOT provide this type of protection as of this writing.)
Usually, the STaaS provides a backup software solution for use with their service. This software might also handle the pre-encryption tasks BEFORE uploading to the internet.[FN2]
Bringing the Plan Together—Local + Offsite
The precise backup plan varies according to firm. But, in general, a backup plan might use:
- the cloud STaaS backup for daily or hourly backups AND
- the local backup for standard weekly backups.
Using this method, there is little opportunity for data loss. The cloud backup serves two purposes: (a) protects data on a near hourly or daily basis and (b) provides an off-site disaster copy. The local backup, with media stored in a secured location on-site, likewise serves two purposes: (a) provides quick-recovery in the event of massive data loss or (b) recovery in the event of an internet outage (an internet outage may render the cloud backup temporarily useless because the cloud backup depends on the internet). See my articles entitled Avoiding Being “Bit”ten: Bandwidth Issues With Cloud Computing Backups and Cloud Nines: Understanding Accessibility Versus Availability in Cloud Computing for Lawyers for more information about recovering data from cloud backups and for information on cloud outages.
(For important information on full, differential, and incremental backup formats, see A Basic Computer Data Backup Option for Solo or Small-firm Attorneys: Areca Review. Know this information before starting a backup plan.)
Testing Backups or Oops, You Really Don’t Have a Backup
Great. You have a cloud STaaS backup setup and a local backup setup. You incorporate the backups into your weekly or monthly firm processing.
Then, a disaster happens. Cue the backup. After looking around in the backup log, the lawyer, now managing panic, asks: “but, where is that client file on the backup?” Oops. The directory was missed. No backup.
Regularly testing backups with a live recovery of missing data is an essential (not optional) part of the backup process. On a regular basis, you should try to recover a file or directory from the backups—cloud and local. Recover an item AND OPEN the item to verify that the backup works.
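A restore test can be partly automated. The following is an added example, not part of the original article or of any backup product: it compares a test restore against the live folder by SHA-256 digest and reports directories the backup never captured, missing files, and files whose contents differ. The folder and file names are constructed sample data, and the check assumes the live files have not been edited since the backup ran.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(source: Path, restored: Path) -> dict:
    src, got = manifest(source), manifest(restored)
    missing = sorted(set(src) - set(got))
    # A top-level folder with no restored files at all was never
    # selected for backup: the "directory was missed" failure.
    restored_tops = {name.split("/", 1)[0] for name in got}
    missed_dirs = sorted({n.split("/", 1)[0] for n in missing if "/" in n}
                         - restored_tops)
    altered = sorted(n for n in src.keys() & got.keys() if src[n] != got[n])
    return {"missed_dirs": missed_dirs, "missing": missing, "altered": altered}

def demo() -> dict:
    """Constructed sample: 'billing' is skipped and one file is truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "live"), Path(tmp, "restored")
        files = {"clients/smith/engagement.txt": b"engagement letter",
                 "clients/jones/will.txt": b"last will, draft 3",
                 "billing/2011-09.csv": b"matter,hours\n1001,2.5\n"}
        for name, data in files.items():
            for root in (source, restored):
                if root is restored and name.startswith("billing/"):
                    continue  # simulate a directory left out of the backup
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # Simulate a damaged restore of one file.
        (restored / "clients/jones/will.txt").write_bytes(b"last will, dra")
        return verify_restore(source, restored)

if __name__ == "__main__":
    print(demo())
```

A clean report shows only that the bytes match; it complements opening a restored item and does not replace it.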
The Paper-based Office Conundrum
Some lawyers, to seemingly obviate the electronic backup issues, may assume: “gee, with all that bother, I will just keep my [mouldering] paper files.” Think again. Data backup does not apply only to electronic files. (Read Pennsylvania Formal Opinion 2007-100 (2007)—Client Files very carefully). Thus, arguably, the job of the paper-file-based lawyer is even greater—how can one “backup” all those paper files efficiently? Fire, flood, building collapse, etc. can quickly destroy paper-based files.
Concluding Remarks: Backups Are Simply Part of Modern Law Practice
Whether you use electronic files, paper files, or a combination, regular backups are part of a modern law practice. Backups not only protect from data loss, but provide essential disaster recovery and business continuity functions. Like insurance, planning after a catastrophic event or data loss is admirable but not sufficient to address the disaster at hand. Developing a solid backup plan can help mitigate data loss and might also help you better manage your firm by helping you to think about the firm’s operations (and continuity). Already have a plan? When was the last time that you revised or checked the plan? Keeping the plan up-to-date is also essential. The take-away: plan today.
FN1—I simplify the discussion here. Technically, there is an important distinction between “backups” and disaster recovery. While I use the terms interchangeably here, generally, backups are more akin to archives—long term storage of essential information. True backups should be part of a data retention plan to avoid over or under storage of essential information. Disaster recovery, in sharp contrast, is a business continuity issue allowing for full recovery in the event of a disaster or data loss. Disaster recovery aims at returning the business to operation at a point in time and thus usually captures a snap-shot of ALL data. Using disaster recovery for backups may result in over-retention of data—leading to e-discovery issues, higher costs from storing non-essential information, etc.
FN2—More sophisticated IaaS or PaaS cloud services might allow using SFTP or other secure file transfer to effect the backup (such as Amazon EC2, Google Apps for Business, etc.). This option is probably not feasible for most firms.
19 September 2011