How to ensure your firm can weather a disaster

Many law firms are not well prepared to weather a disaster, whether it’s a physical one such as a flood or fire, or a technological one such as a data breach, says Catherine Sanders Reach, director of law practice management and technology for the Chicago Bar Association.

In extreme cases, such as a terrorist attack or a hurricane, Reach says the damage done to unprepared law firms has been so great that it is impossible for them to recover and continue to operate.

It’s an attorney’s and a law firm’s ethical responsibility to ensure that the firm can continue to serve its clients, safeguard their property, represent them diligently, and maintain confidentiality in the event of a physical or technological disaster, she says. And while you might get a pass if the disaster is widespread, such as the damage caused by Hurricane Katrina, if the incident is micro, such as a flood or fire at your law office, it cannot be used as an excuse to delay a court case.

“All of these things are written into the ethics rules and are important for law firms to be able to follow. If you are in a legal administrative position, those responsibilities that are put on to the attorneys by their rules are passed over to you. You have a responsibility to maintain the firm in a way that comports with the rules that they have to follow.”

Reach says the whole point behind disaster recovery planning is to mitigate risk, whether it’s dealing with the aftermath of a broken water pipe or a data breach. If you haven’t planned a means of recovering from such disasters, your firm may never recover.

Crafting your business continuity plan

Developing a business continuity plan starts with keeping in mind the goal of protecting your clients and maintaining a consistent ability to serve them, says Reach.

To do this, you will need to gather a lot of information and put it in a safe place so that you will be armed if a disaster occurs. That information, whether it involves details on vendors, insurance, real estate, staffing, clients, or referrals, needs to be accessible, both onsite and offsite.

You must also document your firm’s people and processes.

“This is literally going through and looking at different aspects of how everybody does their jobs and trying to document how they do it,” says Reach.

Other information that needs to be documented includes:

  • Time, billing, and accounting
  • Calendar and to-do lists
  • Contacts
  • Phone calls and messages
  • Open and closed files (knowing where they are and how to find them)
  • How documents are made and where they are saved
  • Hardware and software

Where to start

Mapping data is the process of gathering and analyzing information, including emails, contacts, calendars and documents, and knowing where the information lives, who can access it, the format it is in, and how long it needs to be kept.

The process starts with using a spreadsheet or a sheet of paper to divide the information into firm information (such as human resources, taxes, payroll, IT, and insurance/property) and client information (such as matter, correspondence, client documents, memos/letters, filing, contacts, invoices, time sheets and trust accounts).

There are some tools that can help you with this task, such as:

  • Digital identity management tools that can collect and segregate information regarding who needs to be contacted in the event of a disaster.
  • Document management systems that allow emails and documents to be saved in a central repository that is backed up, searchable and accessible from remote locations.
  • Practice management software that collects time, trust accounting, links to documents, links to emails, contacts and also maintains work flow checklists in one place.
  • Checklist and project management tools.

Backing up

Reach also stresses the need for having a solid backup strategy in place for data, email, servers, disc images, mobile devices, and your website, blogs, and social media. Important paper files should be scanned and then backed up electronically and original documents should be placed in fireproof and waterproof safes.

“I’m a big fan of redundancy. The more backup, the better,” she says. “The rule that I always apply is ‘If you lost it, would you cry?'”

Reach says backups should be done daily. She also suggests conducting regular reviews of the backup log and of open files, and regularly performing test restores.

Mitigating the risks

Your business continuity plan should also include the use of documentation tools for software asset management, such as Belarc, which looks for licenses, unused licenses, licensing issues (such as people using unlicensed software), and updates and patches.

“When you look at the list of security issues these days, it’s not just about having anti-virus protection. One of the big things that comes up is keeping your software patched and updated,” she says.

If software updates have not been done, you are leaving your law firm vulnerable to data breaches. Reach says using software asset management tools such as Belarc will let you know which desktop and laptop computers have been updated.

Remember that your firm’s data lives on hard drives, thumb drives, email, cloud storage, and possibly on personally-owned resources for those who work while they travel on firm business, telecommute, and have home offices. Reach recommends you establish procedures to ensure that these systems are backed up and that you have a recovery plan in place for this data, including how it is moved into approved repositories and what happens to data when an employee departs. Your practice should also have a policy about what should and should not be maintained outside the office.

Another important consideration that Reach recommends is password management. Passwords need to be strong and unique and the use of password management tools can help ensure that everyone is well protected against hacking. These tools can also allow you to delete or change passwords in the event that an employee “goes rogue.”

How to respond to an incident

If the incident is a data breach, Reach recommends the following responses:

  • Verify that an incident has occurred
  • Maintain or restore business continuity
  • Reduce the incident impact
  • Determine how the attack was done
  • Prevent future attacks

“I’d recommend you have a consultant on speed dial,” says Reach, adding that your knee-jerk response may be to unplug the computer; however, that may not be the most useful solution. In the event of a data breach, your best first step is to contact an expert.

If the incident is a natural disaster, Reach recommends the following:

  • Human life and safety come first. If necessary, initiate your phone tree to ensure that all your personnel are safe
  • Review your disaster recovery file and implement your plan
  • Report to authorities
  • Rescue critical records and valuable property
  • Mobilize emergency response person or team
  • Make the maximum withdrawal from your ATM
  • Move to the recovery process


“Lawyers are often risk-averse for clients, but are not always aware of the risks facing their own firm,” says Reach. It’s up to the law office administrator to ensure that there is adequate insurance coverage, proper back-up procedures, and a business continuity plan in place to enable the firm to continue serving its clients, whether it experiences a data breach, a burst pipe, or a hurricane. The old adage may be cliché, but it’s true: Failing to plan is planning to fail.
