Why bad data backup could put Legal Eagles in the dock

29 Feb 2020

A recent survey of UK legal professionals by Legal Week Intelligence found that more than two-thirds of respondents felt their firm provided them with some of the right technology to do their jobs effectively, but that there was “room for improvement.”

When you consider that search terms like “solicitors data protection breach” and “data protection breach solicitors” top the Google charts, it becomes pretty obvious where at least some of those technology improvements are urgently needed.

Law firms lost some £11 million to data hacks last year, and, to add insult to injury, recent research shows that only about 50% of UK law firms regularly back their data up.

One fire, one flood, one dead server or disk, one ransomware attack – without the right backup technology, to paraphrase the ad, “Bang – and the data’s gone!”

Data backup: the damning evidence

As we explored in a previous post, the Law Society strictly requires its members to create and keep records documenting all their “data backup, archiving and deletion routines” – a difficult task to comply with if you don’t have any backup, archiving and deletion routines!

Plus, the reality is that, of the half of law firms that do back up data, the majority of them rely on outdated and outmoded backup technologies.

It’s difficult to come by precise UK data on this point, but comparable research from the American Bar Association recently found that the most frequently reported forms of backup in law firms include clumsy, non-secure, vulnerable and sometimes wholly unsuitable physical media such as external hard drives, tape, CDs and DVDs, and even USB sticks.

But surely some backup is better than no backup at all, right?

“Some backup” - is there a case to plead?

The Solicitors Regulation Authority clearly states that law firms should have a data backup strategy that follows the National Cyber Security Centre’s ‘3-2-1’ rule - three copies of all important data, on at least two separate devices, with one copy held offsite.

That’s considerably more than “some”.
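As an added illustration (not part of the original article, and not a tool from any regulator), here is a small audit that applies the 3-2-1 rule to a backup inventory. The inventory is constructed for this example: each entry records which data set a copy protects, the device it lives on, and whether it is held offsite. It assumes the primary working copy counts as one of the three, which is the usual reading of the rule.

```python
"""Audit a backup inventory against the NCSC-style 3-2-1 rule.

3 copies of each important data set, on at least 2 separate devices,
with at least 1 copy offsite. Constructed example; the inventory below
is hypothetical and the primary live copy is counted as one of the three.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    dataset: str   # name of the data set this copy protects
    device: str    # identifier of the device or medium holding it
    offsite: bool  # True if the copy is stored away from the office


def check_321(copies):
    """Return {rule: passed} for the copies of a single data set."""
    return {
        "three_copies": len(copies) >= 3,
        "two_devices": len({c.device for c in copies}) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def audit(inventory):
    """Group copies by data set and evaluate each one separately."""
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy.dataset].append(copy)
    return {name: check_321(copies) for name, copies in by_dataset.items()}


def failing_datasets(inventory):
    """Sorted names of data sets that break at least one of the three rules."""
    return sorted(
        name for name, result in audit(inventory).items()
        if not all(result.values())
    )


# Constructed sample inventory for a hypothetical small firm.
SAMPLE_INVENTORY = [
    # client matter files: live copy, local external drive, offsite cloud copy
    Copy("client_matters", "office-fileserver", offsite=False),
    Copy("client_matters", "external-hdd-01", offsite=False),
    Copy("client_matters", "uk-cloud-backup", offsite=True),
    # finance ledger: live copy plus one USB stick kept in the same office
    Copy("finance_ledger", "office-fileserver", offsite=False),
    Copy("finance_ledger", "usb-stick-01", offsite=False),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_INVENTORY).items():
        status = "OK" if all(result.values()) else "FAIL"
        print(f"{name}: {status} {result}")
    print("non-compliant:", failing_datasets(SAMPLE_INVENTORY))
```

In the sample, the client matter files satisfy all three rules while the finance ledger fails on copy count and offsite storage, which is exactly the “some backup” position the article describes. The device check is only as honest as the identifiers fed to it: two partitions of the same disk labelled as different devices would pass, so the inventory should name physical media, not logical volumes.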

The offsite copy can, of course, be a cloud-based backup. But the rash of free cloud backup services, predominantly US-based, that have found favour in the UK simply because they involve minimal-to-no financial outlay carries a cruel irony: they could easily turn law firms into law-breakers, since the US data centres behind them typically do not comply with the UK Data Protection Act and the parallel EU GDPR legislation.

Imagine if you were a solicitor – or, worse still, a specialist data protection solicitor – and you had to explain to the Information Commissioner how your cheap, non-GDPR-compliant USA backup got hacked and let clients’ personal data out onto the internet.

That would be a courtroom appearance like no other in your career…

“We thought it couldn’t happen to us, Your Honour…”

Legal technology specialist Adriana Limares has commented on this topic that “Lawyers get complacent. They think, ‘Nobody’s going to come after me.’ But that’s not how things work.”

It’s not. For a start, it doesn’t necessarily take anybody “coming after you” to compromise data. Simple user error can wipe out swathes of it, and accidental deletion of this kind makes up a significant part of the up to 44% of all instances of data loss.

Without warning, disk or hardware failure can take a machine down and the data with it, whilst fire or flood can wreck an office and everything in it – including, of course, any data stored there.

But yes, a ransomware attacker can of course instantly and utterly paralyse access to data – and, in perhaps the harshest paradox of all, the wrong choice of backup will then cause a damaging delay, possibly even days long, between retrieving the backed-up data and restoring it into the system so that it is usable again.

Little wonder, then, that a study carried out by the British Chambers of Commerce found that 93% of businesses that suffer extended data loss file for bankruptcy within one year – and 50% immediately.

Buy cheap, plead guilty

What law firms urgently need to consider is this: backup is not a tickbox exercise to be executed at minimal cost. It is critical cover that, for £100 to £200 a month, can save a business and a reputation, and avoid multiple lawsuits!

Would law firms do without their professional indemnity insurance because it didn’t come for free? Would law firms do without their public liability insurance because it didn’t come for free? And would law firms simply do without any of it because ‘it’ll never happen to me?’

With 60% of UK law firms experiencing a cyber breach, according to research from PricewaterhouseCoopers reported in 2019, solicitors and law firms should consider how they would explain to a judge that effective and secure data backup either wasn’t worth doing or wasn’t worth paying for.

We rest our case.