Is Your Firm’s Data Backup Strategy Leaving You Exposed To a Data Breach?

Posted in Law Firms On January 26, 2018

In my last blog, I talked about ensuring that your law firm has an effective data backup strategy in readiness for GDPR.

Being in control of your firm’s data backup strategy is important for two reasons. The first, and most obvious, is that sometimes the unforeseen happens and you need to retrieve data from backup. The reasons vary from minor day-to-day issues, such as a staff member accidentally deleting a file, through to major incidents that affect the whole firm, such as a ransomware attack, a server failure, or a fire, flood or other disaster.

The second reason is wider data protection and client confidentiality: your backup data can itself be a source of a data breach, and that is what I want to explore in a bit more detail in today’s blog.

Many firms are now in a situation where copies of their data are distributed across many devices, with email frequently replicated to smartphones and copies of files on laptops, tablets or home PCs to facilitate remote working.

The problem with widely distributed data is that it is difficult to control and back up, and unless there is a central strategy with clearly defined controls, the onus for backup falls on individual members of staff. With the best will in the world this does not work well: staff within your law firm are not IT experts (nor should you expect them to be), so they may either not back up data at all, or carry out backups by rote without fully understanding what they are doing or whether it is appropriate.

In some cases I have seen staff who think they are doing the right thing by making a backup but, through inexperience rather than malicious intent, end up doing quite the opposite; for example by backing up to an insecure location, or to a location they do not realise is outside the UK. This is very easily done now that so many providers bundle automatic cloud-based backup services that users do not always realise are enabled.

Those of you who read my blog Where is your law firm’s confidential data may recall the recent case of an unnamed barrister who was fined by the ICO (the data protection supervisory body in the UK) after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, were uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. The documents were visible to an internet search engine, and the breach only came to light when a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. This demonstrates just how easy it is to inadvertently make data web facing and cause a data breach.

Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (Article 32), it is very important to put in place policies and controls around data backup that not only ensure you always have a backup copy of your data that you can access in a disaster, but also minimise the risk of a data breach from the backups themselves.

With the imminent arrival of GDPR, at Stonegate IT we are currently working with law firms to install highly secure and effective data backup systems, which ensure that all data is backed up centrally to a secure onsite vault that is not web facing and is therefore kept within the four walls of your practice. For further protection against a large-scale disaster at your premises, an offsite copy of the data can be made over a private encrypted link to offsite storage in a UK data centre, a highly secure solution that Stonegate can set up on your behalf.

All backup processes are monitored and managed by our specialist data security team to ensure they are working, complete and restorable. This takes the responsibility, and the worry, around effective and secure data backup out of the hands of individual solicitors and support staff, leaving your practice assured that your data is protected by an effective backup and that your backup strategy is not leaving you vulnerable to a data breach.
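To make the three checks above concrete (is the backup complete, is it restorable, and is the backup copy itself exposed), here is a small added example in Python. It is not Stonegate IT's tooling and is not taken from the original post; the manifest format, the "vault" directory layout, the owner-only permission rule and the sample matter files are all assumptions constructed for the illustration. The hash comparison is a proxy for a restore test (a real restore exercise would actually restore and open the files), and the permission check covers only filesystem exposure, not whether the location is reachable from the internet.

```python
# Added example (not Stonegate IT's own tooling): verify that a backup set is
# complete, restorable (hash matches the manifest) and not world-readable.
# Manifest format, directory layout and sample files are constructed assumptions.
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Any of these bits set means users outside the owner's group can touch the file.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large matter bundles are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source_dir: Path, manifest_path: Path) -> dict:
    """Record relative path -> SHA-256 for every file under source_dir."""
    manifest = {
        str(p.relative_to(source_dir)): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def copy_to_vault(source_dir: Path, backup_dir: Path) -> None:
    """Copy files into the vault, forcing owner-only permissions on each copy."""
    for p in source_dir.rglob("*"):
        if p.is_file():
            dest = backup_dir / p.relative_to(source_dir)
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(p, dest)
            os.chmod(dest, 0o600)


def verify_backup(backup_dir: Path, manifest_path: Path) -> dict:
    """Return the files that are missing, corrupt (hash mismatch) or readable
    by 'other' users. All three lists empty means complete, restorable and
    not exposed at the filesystem level."""
    manifest = json.loads(manifest_path.read_text())
    result = {"missing": [], "corrupt": [], "exposed": []}
    for rel, digest in manifest.items():
        p = backup_dir / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        if sha256_file(p) != digest:
            result["corrupt"].append(rel)
        if p.stat().st_mode & WORLD_BITS:
            result["exposed"].append(rel)
    return result


def demo() -> tuple:
    """Build a constructed sample matter folder, back it up and verify it,
    then break the backup in three different ways and verify it again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, vault = Path(tmp) / "matters", Path(tmp) / "vault"
        (src / "smith_v_jones").mkdir(parents=True)
        (src / "smith_v_jones" / "witness.docx").write_bytes(b"statement of A. Smith")
        (src / "smith_v_jones" / "bundle.pdf").write_bytes(b"trial bundle")
        (src / "conveyancing.xlsx").write_bytes(b"client ledger")
        manifest = Path(tmp) / "manifest.json"
        write_manifest(src, manifest)
        copy_to_vault(src, vault)
        clean = verify_backup(vault, manifest)

        (vault / "smith_v_jones" / "bundle.pdf").unlink()              # incomplete
        (vault / "conveyancing.xlsx").write_bytes(b"client ledgerX")   # corrupt
        os.chmod(vault / "smith_v_jones" / "witness.docx", 0o644)      # exposed
        broken = verify_backup(vault, manifest)
    return clean, broken


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup :", before)
    print("damaged backup:", after)
```

Run it as a script to see the clean result followed by the three failures; in practice the manifest would be written at backup time and `verify_backup` run on a schedule against the vault, with any non-empty list raising an alert.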

If this article has raised questions or concerns over your firm’s data backup strategy and you would like more information on ways that Stonegate IT can help to mitigate the risks, please do not hesitate to contact me on 020 3761 3520 or email smohr@stonegate-it.co.uk, and I will be happy to chat through the issues and discuss ways we can help.