Securing Records — The Critical Need for Robust Security and Reliable Backup Systems

An essential aspect of any legal practice is maintaining accurate records.  However, this component of practice exposes law firms to significant risks.  Law firms manage highly sensitive information, including client briefings and cases, legal strategies, and operational data.  This article highlights the importance of implementing a robust record-keeping system, incorporating reliable backup solutions to mitigate risks including data loss, destruction, corruption, unauthorised access, and misuse of stolen information.

What is a Robust Record-Keeping System?

A robust record-keeping system is designed to protect records and data from various threats, including natural disasters, human breaches and error, and system failures.  It involves vigorous measures to secure confidential and sensitive information while ensuring immediate access and retrieval, and integrity, even in adverse circumstances.  However, no security system, no matter how robust, is infallible.  That said, some measures can mitigate destruction and loss.  The following case studies highlight the need for a robust record-keeping system. 

Case Scenario 1 | Theft of Office Computers

A small law firm, focusing on civil litigation, experienced an office break-in, during which several computers and laptops were stolen.  These devices contained all client files, as the firm did not maintain physical records or backup systems.  The loss of records was permanent and irreparable, resulting in:

• Missed court deadlines,
• Substantial costs to replace the stolen office equipment,
• Significant expended time and financial losses due to efforts to reconstitute records,
• Concerns regarding potential misuse of client information, including identity theft and lawsuits, and
• Strained relationships with aggrieved clients worried about the possible misuse of their personal information.

Case Scenario 2 | Destruction from a Flash Flood

A small law firm focusing on conveyancing faced a severe flash flood that destroyed:

• Physical client files;
• Original transactional documents, such as sale and purchase agreements and documents of title, stored in filing cabinets; and
• Onsite computers and laptops which contained all client files and firm documents.

Although the law firm had an onsite backup server, it was also destroyed in the flood.  The law firm also did not sync data on the backup server to any offsite or cloud-based storage solutions.  The aftermath included:

• Significant costs to replace the destroyed office equipment;
• Substantial expenses to reconstruct records, borne by the law firm; and
• Unhappy relationships with dissatisfied clients.

Case Scenario 3 | Car Smash-and-Grab Incident

A lawyer parked their car on a busy business district street while getting a quick dinner.  The lawyer left their laptop bag, containing their work laptop, in the car’s front passenger seat in plain sight.  During dinner, a thief smashed the car window, grabbed the laptop bag, and fled the scene.  The stolen laptop contained time-sensitive working documents and client communications regarding a significant corporate transaction.  The theft resulted in:

• Missed tight deadlines;
• Costs to replace the stolen laptop;
• Concerns regarding unauthorised access misuse of sensitive information stored on the laptop, including acquisition pricing and related strategies; and
• Heated exchanges with an aggrieved client, who was also concerned about potential misuse and missed deadlines set by regulatory bodies.  The client intimated intentions to sue.

Lessons Learned and Key Takeaways

The case studies highlight the importance of vigorously securing records and implementing reliable, multi-layered backup systems.  Key takeaways include:

1. Diversified Record-Keeping Security Measures

• Law firms should implement diversified security measures and avoid reliance on a single storage solution by utilising an integration of secure physical storage (eg fire and flood-proof safes and cabinets), onsite servers, and encrypted offsite storage (eg cloud-based solutions). 
• In Case Scenarios 1 and 2, a recovery of lost data could have been possible, had the law firms maintained an offsite backup system.   
• Law firms should regularly update backup systems to ensure consistency and congruency between primary and backup storage records.    

2. Contingency Plans

• Law firms should develop and implement contingency plans to facilitate a quick restoration of records in the event of natural disasters, human breaches or error, or system failures. 
• In Case Scenario 2, the destruction of crucial transactional documents could have been mitigated if the files had been stored in secure physical storage, such as flood-resistant safes or cabinets. 
• In Case Scenario 3, the threat and occurrence of unauthorised access and misuse of data could have been mitigated if tracking software or remote wipe features had been enabled on the stolen laptop.

3. Document Handling Protocols and Policies

• Law firms should adopt comprehensive protocols and policies on security risk recognition and mitigation. 
• In Case Scenario 3, the lawyer failed to practice basic preventative security measures, which could have could mitigated the theft by adhering to protocols on handling sensitive documents.  

While no security system is entirely failsafe, implementing a streamlined combination of different systems can significantly reduce the risks of data destruction and loss while preserving client confidentiality.  Lawyers are encouraged to explore and implement these systems to support business continuity and safeguard their operational resilience.