A Guide to Creating a Law Firm Disaster Recovery Plan

Written by

From the global pandemic to California’s wildfires to hurricanes in Florida, this year has shown us that the unexpected can—and, unfortunately, does—happen. 

While no one expects you to predict or prevent the unpredictable, you should be prepared for how your law firm will respond. How you react and adapt to disastrous events can mean the difference between resuming work with relative business continuity—or leaving your clients stranded or in the worst scenario, closing your business. Being unprepared for emergencies can also leave your firm’s staff, clients, and data vulnerable and at risk.

Law firms need a clearly defined law firm disaster recovery plan now, so that they can get back to work as quickly as possible (and with as little loss of data, time, and business as possible) after an unexpected event.

In this post, we’ll cover the essentials of disaster recovery strategy and planning for law firms. We’ll outline what a disaster recovery plan should include, and how to create and maintain it. In addition, we’ll review the ethical obligations to consider when creating a law firm disaster recovery plan, and discuss essential technology and tools you can start using now. These tools will be fundamental to keeping your firm running should a worst-case scenario occur.

Ethical obligations when creating a law firm disaster recovery plan

An effective law firm disaster recovery plan is about more than just the potential business disruption. As with any aspect of running a law firm, you must also consider and research the ethical rules of creating a disaster plan. Taking the time to research the exact ethical obligations that apply to your firm is important, as they will vary depending on your location and state. Those ethical obligations should then shape the procedures that your firm implements for disasters. 

The act of preparing for potential disaster—both by having a disaster recovery plan and by using available technology to safeguard client data—can help ensure your firm can meet its ethical obligations should the unexpected occur. 

The American Bar Association offers guidance with this formal opinion on ethical obligations related to disasters. While you should review this in detail along with researching your area’s specific obligations, (note that many states have not adopted the ABA model rules for this topic), the overarching takeaway is that “The Rules of Professional Conduct apply to lawyers affected by disasters.” 

As the ABA reminds us, “Lawyers have an ethical obligation to implement reasonable measures to safeguard property and funds they hold for clients or third parties, prepare for business interruption, and keep clients informed about how to contact the lawyers (or their successor counsel).”

Highlights from ABA’s model rules

Highlights include a firm’s responsibility to: 

  • Communicate with clients after a disaster: As ABA Model Rule 1.4 (communication) states, lawyers are required to “take reasonable steps to communicate with clients after a disaster.” You should have a plan in advance for how you will be able to access client contact and information, as well as a strategy for physically reaching out (for example, via phone or email).
  • Store client files electronically with a reputable software provider: ABA Model Rule 1.1 (competence) touches on the need for lawyers to “develop sufficient competence in technology to meet their obligations under the Rules after a disaster.” Take the time to learn and implement a system for storing client files securely, electronically, with a reputable provider before a disaster strikes.
  • Ensure access to funds in trust: According to ABA Model Rule 1.15 (safekeeping property), lawyers must “protect trust accounts, documents, and property the lawyer is holding for clients or third parties.”

What are the features of an effective law firm disaster recovery plan?

Your law firm disaster recovery plan needs to cover certain essential topics. Have a clear set of priorities is also key. Specifically, an effective law firm disaster recovery plan must consider—and have a documented plan for how to account for—the following factors (in order of priority):

  • Safety
  • Staff
  • Systems
  • Services
  • Suppliers
  • Business resumption

Once the above factors are accounted for, you can move forward towards resuming business. 

Steps to creating a law firm disaster recovery plan

10 steps for marketing your law firm

The first step to preparing your law firm for disaster is to assemble a law firm disaster recovery plan. With this plan, the goal is to recover your law firm and clients’ data.

Brainstorm, draft, and document your plan for the following points, and then revisit the plan at least once every year to revise as necessary.

  • Identify the scope of the situation. Brainstorm likely issues for your area (for example, do you live in a hurricane-prone region?).
  • Appoint emergency contacts. We also recommend educating team members on personally preparing for disaster by having personal emergency kits that hold 72 hours worth of essential supplies.
  • Get a disaster recovery team together. Identify specific people at your firm.
  • Determine roles and responsibilities. Ensure that everyone knows their roles in advance.
  • Restore technology functionality. You should know how long it may take to get your technology back in service if there is any interruption. 
  • Data and backups. Have a system in place—with backups—to protect and recover firm and client data. 
  • Do testing and maintenance. Ensure any hardware, software, or other technology your firm uses is well-maintained. 

Steps to creating a law firm disaster response plan

You also need to build a detailed law firm disaster response plan. When creating your law firm disaster response plan, the goal is to be able to jump into action as quickly as possible when needed. Here’s how:

Step 1: Conduct an inventory. 

You should always know exactly what your firm has on hand so that anyone following your plan knows what needs to be recovered or replaced. Your inventory should account for:

  • Software. Make a list of any software your firm uses. How many licenses do you have? Do you need to have passwords or other ways to access it?
  • Hardware: How many computers, servers, or other pieces of physical hardware does your firm have—and where are they located? 
  • Client files. Should a disaster occur, have an inventory of all client files in your firm’s possession so that they can be recovered. 
  • Location. Note the locations of everything. For example, are files stored in the cloud, or a physical location? 

Step 2: Do a risk assessment. 

Account for:

  • Each type of asset in your inventory. Include everything from firm hardware to client files.
  • Possible risks to those assets. Consider natural disasters, hardware failures, service provider failures, or human error.
  • The likelihood of each risk. 
  • The impact of each risk. What would happen to each item if that risk should occur? For example, if the asset was paper client files and the risk was an office fire, the impact would be high and devastating. 
  • Ways to mitigate the risk. Are there ways to mitigate future risks? For example, moving paper files to a secure cloud-based server now could greatly reduce the impact of a fire to a physical office location in the previous example.

Step 3: Identify critical services, systems, and data. 

Graphic shows symbols representing digital security

Group each of the types of information, systems, and services at your law firm into the following categories. This allows you to prioritize should a disaster occur. 

  • Critical: For example, any important client data that is located on a single server or has no backup is of critical importance. 
  • Medium: Data or systems that are important to clients or the outcome of a case, but that could be recovered (for example, a file with a backup).
  • Low: Items in the low category can be easily replaced, or are backed up in multiple places and easily recoverable.

Step 4: Define your recovery objectives. 

Determine how long you could reasonably be without each service or application accounted for in your plan after a disaster. For each, determine your:

  • Recovery Time Objective (RTO): The acceptable amount of time any of your data and systems could be unavailable. 
  • Recovery Point Objective (RPO): The acceptable amount of data your firm can afford to lose. 

Step 5: Identify supporting tools. 

Identify any tools, techniques, and procedures that support your recovery objectives.

  • Data backup: Do you backup your data? How often? Where is it located (is the backup site located in the same region as the primary site)? Assess your current situation, and make note of any gaps that could be an issue. In this case, consider ways to mitigate the risk, such as using a cloud-based data storage system.
  • Automation: Could you use automation technology to remove or reduce human error to help protect your firm in case of disaster?
  • Outsourcing: Can you outsource any critical functions (like data-hosting backups) to mitigate risk in case of a physical disaster?
  • Planning for recovery: Make a list of the tangible steps to take to recover specific assets and data. We recommend having copies of insurance policies so that clients can open claims as early as possible. 

Step 6: Assign responsible individuals. 

Checklist

Should a disaster occur, people should know in advance what their responsibilities are

  • Identify members of your response team and assign roles and responsibilities: Ensure each person is aware of their specific responsibilities. For example, who would declare a disaster and start your disaster plan? Who would be responsible for client communication? 
  • Service providers: Identify any service providers to be contacted (for example, if your firm would need professional data restoration help, who you would contact? Who on your team would contact them?). 
  • Create a contingency plan. Always have a backup plan for if an assigned individual is unavailable in an emergency. 

Step 7: Review SLAs (service level agreements) with vendors. 

For every contract that you have (for example, with SAAS providers, insurance companies, landlords), have a defined service level agreement that includes details on what would happen—and how long it would take—to move forward after a disaster. 

Step 8: Determine how to handle sensitive information. 

Document a plan for handling essential records (like employment records, financials, and client files) in terms of confidentiality, security, and integrity following a disaster. Considerations could include:

  • Hard copy and soft copy documentation: What is the procedure for transferring hard copies of files to another person?
  • Secure communication: Who can access files, and how? 
  • Tracking requests to access: What would be the next steps if a client wants to switch attorneys during a disaster response?

Step 9: Create a communication plan. 

Document a plan for communication in case of disaster, including:

  • How? Detail the specific means of communication your team members will use.
  • When? How and when will your firm communicate with essential personnel, service providers, and clients?
  • Who? Who will be responsible for each type of communication? We recommend planning multiple methods of communication, as you can’t rely on any one method during a disaster. For example, phone networks can drop during hurricanes, but text messaging may remain available despite experiencing significant delays.

Step 10: Document the plan. 

Write it all down. This reduces guesswork and speeds up the resumption of business when disaster strikes. Be sure to:

  • Create a centralized document. We recommend having multiple copies. Store a copy in the cloud for remote accessibility. Also, have a local copy on a phone, laptop, or printed out in case of major disasters like earthquakes and hurricanes, where telecommunications will fail.
  • Share it. Familiarize the whole team with the plan. 

Step 11: Test the plan—annually. 

Test your plan, and test it often. Testing helps ensure that everyone at your firm knows what to do, and also helps account for normal business factors like staff turnover or moving offices.

How will you test your plan? Consider:

  • Types of tests: Will you do a walkthrough, simulation testing, full interruption testing, or parallel testing?
  • What works (and doesn’t): So you can adjust the plan and train staff accordingly.

Step 12: Review and update the plan annually. 

Consider:

  • The results of your last test. 
  • Any changes to your setup or location. 
  • Any changes to your team. 
  • New software or service providers.

Essentials for when the unexpected strikes

The ability to be agile with your business—that is, having the tools and technology to safely and securely conduct firm business from wherever you are—can be the difference-maker for your firm’s survival when disasters occur. The following essentials can help.

Essential tools for resuming business

  • Hardware/laptop: You’ll need access to an up-to-date computer (or any machine if you’re using cloud-based software).
  • High-speed internet: High-speed internet when working remotely after a disaster is essential.
  • Phone, smartphone, or other mobile devices. Smartphones and mobile devices can be used to conduct business remotely, but you’ll still need a phone to call clients and service providers. 
  • Call forwarding and virtual receptionists: Tools like call forwarding or a virtual receptionist service like Ruby can help keep calls answered and clients cared for. 
  • Scanner: Essential for handling hard copies of documents and making hard copies more accessible to team members and/or clients.

Essential software and services

Secure, cloud-based software and legal technology can help provide much-needed peace of mind in the face of disaster and uncertainty. In fact, according to the 2020 Legal Trends Report, “legal professionals rank technology as a high priority to their firm’s success”—now and in the future.

  • Clio: Clio’s cloud-based practice management software lets you work from anywhere, while keeping your files and work secure in the cloud. Clio Grow’s legal client relationship management software, for example, streamlines, personalizes, and automates client intake—making client intake easier for you and potential clients following a disaster. Clio Manage makes it easier for you and your firm to do billable work in the cloud—so you can manage cases and clients effectively from anywhere.
  • Microsoft 365 (with Teams): Microsoft Teams lets you create the communication flow of an office environment, without being in the office. This means that you and your team can work productively—without clogging everyone’s email inbox with the discussion you would have otherwise had in person.
  • Video conferencing software: Help keep your team together, conduct meetings, and have face-time with clients by using video conferencing software like Zoom.
  • e-Signature tools: Not all documents require wet signatures. For those that don’t, using e-signature tools like ZorroSign, DocuSign, or HelloSign streamlines signatures when it’s harder to meet with people. Clio Grow also enables lawyers and clients to use e-signature in documents.
  • Secure client portal: Maintaining security is critical in the wake of an unexpected event, and using a secure client portal makes document management and access simpler and more secure. 
  • Credit card processing and payment plans: The 2020 Legal Trends Report found that the majority of consumers (65%) prefer to pay using electronically—via methods like credit and debit cards, or Clio Payments and Apple Pay. After a disaster, your clients may have a harder time making payments in traditional ways—and secure online payments are easier, faster, and safer for you and your clients.
  • Email campaign software: Should a disaster occur, email campaign software lets you automate messages to your client base and vendors, and easily send communications to appropriate lists, tailored to specific groups. Software like Clio Grow lets you create and send automated-yet-personalized emails to your clients. 

Use this guide to be prepared as possible for the unexpected

While we always hope for the best, the fact is that the unexpected happens—like natural disasters, global pandemics, or floods at your office. How you react to those events can set your firm apart and make it possible for you to help clients who may also be experiencing a disaster.

While you can’t predict the unforeseen, you can be as prepared as possible by creating a law firm disaster recovery plan. An effective plan doesn’t have to be complicated, but it must be thorough, up-to-date, and meet the ethical obligations of your area. By setting up, testing, and reviewing your firm’s disaster recovery plan, you’ll be ready to act when the unexpected strikes.

Categorized in: Business

How should law firms adapt to COVID-19?

We surveyed over a thousand lawyers and legal clients - and reviewed case volumes from tens of thousands of law firms - to discover tips for adapting to COVID-19.

Get the Guide