How to Secure Your Paperless Office


4-Step Computer Security Upgrade

Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.

There is more to a paperless office than just scanning everything and accessing your documents when you’re at home, on vacation, or in court. Even if your office is not paperless, you are certainly storing data and documents on computers. But do you know where all that data is being backed up? Is it being backed up at all?

Lots of lawyers have had crash courses in data loss after recent disasters, from 9/11 to hurricanes Katrina and Sandy. Many other lawyers have had smaller lessons after losing a hard drive or accidentally overwriting a critical file. Data loss happens all the time, to everyone who isn’t backing up their data. The only way to prevent data loss is a solid backup strategy, and that means redundant backup.

The ideal way to back up what’s important to you is to ensure that you have copies saved both on- and off-site, and both in the cloud and in physical locations.

If you are already paperless and your documents are stored in the cloud, your data is much safer than those of an attorney who still has an office full of Redwelds, legal pads, and an assistant who transcribes Word documents for “safe-keeping” on an office server. However, even though services like Dropbox are great for file-sharing with colleagues or syncing your files across your computers, file sync is not backup. And while you can set up backup on your computer to recover quickly from brief interruptions like power outages or server crashes, this won’t save you if your building burns down.

Being redundant may not be a good thing with respect to lawyering, but it’s a great thing when it comes to your computers, and off-site backup is the key to a good, redundant backup system.

The difference between redundancy and backup

“Redundancy” is storing information in more than one place. Many offices have redundant systems that involve storing data within devices that have at least two internal drives. Redundancy alone is not backup; it is a fail-safe measure in the event of failure of the storage device’s initial internal drive. This means that if one drive fails, another will immediately kick in and preserve any data contained within. It’s just like when you double-bag your groceries — if one bag seems flimsy for what you’ve purchased, you might place the whole thing inside another bag so that if it breaks, there’s a second layer of protection before your eggs crack all over the sidewalk.

However, redundancy alone does not preserve your data. It saves you in the event of a minor technological glitch, but not from physical disaster like fire or flood. “Backup,” on the other hand, is the practice of keeping of data in multiple places so that if something happens to one (or more) copy, you have additional copies. In theory, if you email yourself a document via Gmail, you’re creating a backup. One exists on your hard-drive, and one exists on Google’s servers. But that’s not ideal for a general backup system, for reasons that should be obvious. The ideal way to back up what’s important to you is to ensure that you have copies saved both on- and off-site, and both in the cloud and in physical locations.

Data backup options

Cloud backup: You might already be backing up your data in the cloud. If you are using Dropbox, Google Drive or another syncing application, you are effectively syncing your documents to the cloud (and your other computers) in real time. As long as the Internet is safe, so is your data.

The downside is that if your Internet isn’t lightning-fast, both uploading and downloading can take a long time. Also, if there is a disaster that leaves you without Internet connectivity, there’s no way for you to access any of your documents. And since your data is being handled by a third party, you might not be entirely comfortable when it comes to your highly-sensitive, confidential documents.

Local backup: This includes flash drives, external hard drives and media like CDs or DVDs. These devices are starting to have more and more available space, but there are still limitations. Also, they are only as good as the security of the holder. In other words, if you or an employee lose a flash drive or a CD (which is easy to do), then not only is the data lost, but it also can be viewed by whomever finds it. Of course, if you just need in-office data storage, backing up on CDs or external hard drives is fine. However, there’s no protection in the event of a natural (or other) disaster that affects your physical office.

Network backup: Generally, this refers to a network-attached server (NAS) that keeps copies of data on the network, itself. Sometimes, this can be synced to cloud storage, but it will not going to save your data in the event of a physical event at your office.

Best practices for backing up sensitive data

Local backup and network backup are useful and important, but your data may not be secure without a remote backup server.

A remote backup server can store your data and keep it recoverable in case of a local data loss. For example, if your physical office is in San Francisco, you might have your backup server in North Carolina. This remote backup server would store a copy of every piece of information in your infrastructure on a schedule that does not overload your computer or network; daily, every 48 hours, or whatever you choose.

On the back end, you might have a local repository where you clone your backup job, and then send a backup snapshot over a wide-area network to your remote backup server. This way, you are actually replicating your files so that if there’s a catastrophic data loss, they are still sitting happily on the remote server and are ready for you to easily replicate in a usable way. This is probably the best way to mitigate the risks of daily data protection.

Regardless of whether your firm is mid-sized or a solo practice, you must back up every day because — as the conventional wisdom suggests — it’s not a matter of if you eventually have a system failure, but when. So, what happens if you have a crash? You could have to spend days buying a new computer; researching, purchasing and installing software; entering program data; configuring accounts for email and program settings; loading all of your previously stored data and hoping that all of your earlier versions of documents are compatible with the new system. This process requires not only manpower, but expertise. Especially as a solo practitioner, this could take close to a week of time that you’re not prepared to spend in that manner. It’s been estimated that for each day of down-time, your firm could incur a cost of $1,500 per attorney, which does not include tech support and malpractice or liability issues that could arise.

Is my data lost, or simply unavailable? What’s a data spill?

“Data loss” refers to information that has been destroyed by failures of storage, transmission or processing. If you’re suffering from “data unavailability,” your information might just be temporarily inaccessible because of a network outage.

A “data spill” is when lost data is acquired by a third party who is not authorized to view it. This most commonly happens when an employee loses a laptop computer, flash drive, or other portable data storage device (which could even be an iPad or smartphone). The costs associated with these losses can be high, which is why you should encrypt any data that leaves your office. In the event of a data loss or spill, you might have to continue without the data, although you might be able to recreate it. Worst, you might have compromised a client’s confidential information, if the data has fallen into the wrong hands. If you are storing your data in the cloud, use a system wherein your data is encrypted both in transit and during storage.

If you’re choosing to store data on a flash drive (also known as a jump drive or thumb drive), it should be encrypted because those tiny drives can be physically lost so easily. However, while this saves you from a data breach, it doesn’t prevent actual physical data loss. If you’re using one of these micro-drives as backup, be sure that it’s not the only place where you’re storing the most current version of your data.

Practical security considerations with respect to passwords

Passwords should be strong. They should contain at least 12 characters. Don’t use the same password office-wide. If someone is able to crack your password, don’t give them a free ticket to everything in your files. Have multiple passwords. Yes, it can be mentally exhausting to keep track of all of your passwords, especially when you likely have plenty for both work and personal accounts. Apps like SplashID are encrypted for password protection and will store and protect not only passwords but credit card numbers and other most sensitive data. Whatever you do, never have a file on your computer entitled “Passwords”. Unless it’s an airtight decoy, this is never a good idea! In a January, 2012 issue of Law Practice Magazine, the American Bar Association indicated that the most common place where attorneys keep passwords is on sticky notes under their keyboards or in their top right-hand drawers. If you must keep a password or encryption key on a piece of paper, be sure that it’s hidden in a spot that’s highly unlikely to be discovered.

One final item about passwords: Don’t keep defaults. Regardless of whether it’s your router, operating system or any other hard- or software, the default passwords for software and hardware are well-known entities. Like any password, don’t use easily guessable codes like your office phone number, for example.

Easy action items with respect to backing up your valuable data

Cloud backup is inexpensive and allows for your files to be easily located anywhere that you have Internet access. It’s probably the most goof-proof and convenient, but know the risks.

Use office computers as extra backup devices in addition to your backups in external hard drives, flash drives, CDs and so on. Just make sure the backups are password-protected so no one can accidentally work on them as originals and destroy work. This is especially important for small offices where there is a single computer, or if there is one computer that stores data while all other computers are used as workstations.

You can maintain an indefinite number of external hard drives. They’re relatively inexpensive and tend to be stable. Work them into your backup repertoire and maintain them both on- and off-site. If you’re a solo practitioner and you don’t want or need remote server backup, you can transfer files from your office computer to an external hard drive in your home (provided it’s not in the same physical location) via the cloud. Or, you could transfer data by flash drive. Just be sure to work the transfer into your daily routine in order to maintain it as reliable backup.

A crash could also cause lose software, especially if you are using old versions of various applications, it could be difficult to restore data stored within. If you can’t keep a duplicate CD or other version of the actual software, keep an off-site file with the software specifications, version and receipts for purchase. Depending on the circumstances, this information could help you avoid having to re-purchase older software.

Cloud backup is inexpensive and allows for your files to be easily located anywhere that you have Internet access. It’s probably the most goof-proof and convenient, but know the risks. You want to ensure that the data is secure and that the online storage company is reliable and trustworthy. Also, ensure that whatever cloud you’re using has its own backup plan. This should probably not be your only backup method, but it’s excellent as one of them.

Always be testing

Finally, test, test, test! To make sure that your backup is functioning properly in the event of a disaster, be sure to periodically retrieve your files from your remote server and make sure that they are readable. Remember, your backup files are just as valuable as your active data. This means that whatever precautions you’re taking to ensure the security of your active files should be taken (and then some) on your backup files. Hopefully, the worst-case scenario will never happen to your files. But if it does, at least some of the aggravation can be alleviated if you’re confident that your data is securely and properly backed up in a way that it can be accessed any time from anywhere.



Get Lawyerist in Your Inbox, Daily

Current Articles
Current Lab Discussions
  • Nobel,

    All of your points are outstanding examples that illustrate how important it is to secure all clients’ confidential information. That is the main reason our firm uses SpiderOak for both secure, encrypted back up and syncing, as well as strong encryption for our individual computers.

    Unlike many other back up or syncing services in “the cloud”, like DropBox, SpiderOak does NOT have the keys or any password to your data stored with them. The downside is that if you lose your password, you cannot retrieve your data. The upside is that no one who does not have your password, which includes SpiderOak itself, can see your clients’ unencrypted data.

    So, even if SpiderOak is served with a FISA warrant, all they could provide would be the encrypted data, which I presume they would do. I realize that if the federal government wants to devote its significant cryptography resources, it might be able to unencrypt that data, but I do not know of any other, stronger way to ensure my clients’ data is secure.

    The critical concerns you raise in your article are also the reason all of our office’s computers, including all laptops, are also, themselves, encrypted. So, when a laptop gets stolen, no one without the (very strong) password gets to see our clients’ information.

    It has taken some effort to come up with and implement this two-step solution, but we sleep better, knowing that our security system is robust.

    Thanks again.

    Inez de Ondarza Simmons
    North Carolina Business and Real Estate Litigation Attorney

    • Noble McIntyre

      Inez- Thanks for the comment! Those are all good points, and I’ll have to check out SpiderOak.

    • Encrypting laptops is essential. As for SpiderOak, we’ve discussed it a bit in the LAB (here, for example). While it sounds secure, some aren’t satisfied with its performance. I think SpiderOak hasn’t been tested. Dropbox may not be perfect, but it has handled its security breaches pretty well, in my opinion.