Having a recovery plan is indispensable for your system’s inevitable crash
Ben Sapiro well knows the meaning behind the metaphor “like closing the barn door after the horse escapes.” When lawyers call him about disaster recovery, it’s usually because something has already happened. “Very often, questions come after a business continuity issue occurred,” says the KPMG risk consulting senior manager.
This saddens Sapiro, but it doesn’t surprise him: Many businesses are a corrupted hard drive or disabled router away from losing hours, even days, of billable time.
Chuck Rothman and his colleagues at information governance and e-discovery services firm Wortzmans know the potential issues. When interviewed, the firm was reviewing its disaster recovery setup. “The ability of our firm to function is based on access to our data,” says Wortzmans’ director of e-discovery services.
If Rothman’s statement describes your firm, draft a disaster recovery plan to ensure you can mitigate the consequences.
When drafting the plan, Sapiro suggests firms map their systems. This map provides an understanding of critical busi- ness processes that rely on those systems. For instance, few law firms could function without e-mail, so they easily grasp the importance of their laptops, mail servers and Internet connections in keeping that mundane process available.
When drafting a disaster recovery plan, national account manager for Canadian Cloud Backup Alex Moffat suggests creating three scenarios: “Minor incident, major incident, and a full- fledged disaster and the response. Determine the time frame to recovery on each. Then write the disaster plan based on the three scenarios.”
Once the plan is in place, practice it. “This is by far the most important part of the plan,” Moffat says. “You will find areas where you have overlooked the importance of something you considered to be minor or non-critical.”
Disaster recovery plans must include two highly similar measures. The recovery point objective (RPO) is the most time a firm will tolerate being without its data as a result of a business continuity disruption. The recovery time objective (RTO) is the amount of time a business can last without access to data before it suffers unacceptable consequences. Both measures help define the systems to use, required response times and other important points in the plan.
Data backups, the most widely known component of disaster recovery plans, often do double duty as archives — something Rothman thinks is a bad idea. “The whole idea behind retention is that you only keep files as long as you need them, and no longer,” he explains. He recommends firms use information governance systems that automate the execution of their retention policies “so you don’t keep every last e-mail, document and so forth” on a live system “which means you don’t need to back them up.”
Since backups are iterative copies of what’s on a live system, “you create lots of duplicates,” Rothman says. “Where it becomes an issue is if you’re faced with litigation or regulatory production. You have tons of duplicates you need to sift through.”
He steers clients toward hard disk drives as backup media, saying that the technology has been proven over its four decades of existence.
Magnetic tape may still be the least expensive way to store massive amounts of data, but users must maintain working tape drives (a technology travelling the same downward path as the fax machine) if they want to continue storing backups to tape.
Rothman won’t use CDs as backups. “I have CDs that I burned 10 years ago, and I can’t read them now,” he says.
Online backup can be an attractive alternative to in-house systems. Three of the most common questions Moffat fields from lawyers about online backup concern whether data is stored in Canada, whether it travels outside of Canada en route to the data centre, and how encryption works.
Rothman explains his concerns over online backup by recounting a U.S. event. “The FBI had raided a cloud service provider because one of its clients was laundering money,” he says. “They took hard drives out of the servers and made forensic copies.
“They seized data from all the clients, not just the one. One of the other subscribers to this cloud service provider sued the FBI to get their data back, and they lost.
“I don’t know if the RCMP would have the same power here,” Rothman adds, “but if the RCMP knocked on our door and imaged the hard drives on our server, the law firm upstairs from us doesn’t have to worry about their data being taken as well. It’s a matter of control.”
Sapiro recommends accounting for “near misses” in the disaster recovery plan. For instance, lawyers may lose USB memory keys or have hard disks crash. A kind soul might return the key, and data recovery specialists might salvage a damaged hard drive. Such near misses happen, but don’t take them lightly. Near misses “indicate situations from which you one day might not be able to recover,” Sapiro warns.
Moffat suggests assigning dollar values to files and programs that will represent what it would cost if the firm lost access to them or had to recreate them. “As soon as people assign monetary value to data, they treat it as though it’s worth something,” he observes.
Just as importantly, he suggests testing the restoration of backed-up files to ensure that data is being backed up.
Sapiro agrees: “I’ve seen the documented restore procedure not be correct. I’ve seen backup media not be readable. By practicing, you learn what breaks and you put correct measures in place.”
Periodic repeat practice sessions (experts recommend at least once a year) can alert lawyers to changes required in the plan caused by such issues as changes in hardware, software and information governance policies.
Firms that don’t have the expertise to independently prepare for disaster recovery must consult professionals. “Spend the money,” Moffat says. “Don’t be penny-wise and pound-foolish.”
This article originally published in Lawyers Weekly Magazine. To view the print version, click here.