Online Storage For Lawyers?
alharaka writes "I have a relative that has been a lawyer for over two decades. In passing conversation, he revealed to me that he has a great deal of his data stored on floppies. Naturally, as an IT guy, I lost it on him, telling him that a one-dimensional storage strategy of floppies was unacceptable. If he lost those files, his clients would be enraged. Since I do not know much about online data storage for lawyers, I read a few articles I found on Google. A lot of people appear to recommend CoreVault, since a few bar associations, including Oklahoma, officially endorsed them. That is not enough for me. Do any Slashdotters have info on this topic? Do you have any companies you would recommend for online data storage specifically for lawyers? My relative is a lawyer with recognition in NJ, NY, CA, and DC; are there any rules and regulations you know of regarding such online storage he must comply with? I know IT and not law. I am aware this is not a forum for legal advice, but do any IT professionals who work for law firms know about such rules and regulations?"
I firmly believe we should store lawyers online.
As a lawyer with recognition in NJ, NY, CA, and DC, are there any rules and regulations you know of regarding such online storage he must comply with?
Ahahahahaha, you are asking Slashdot for advice on legal rules and standards to assist a lawyer?
Look, you're probably going above and beyond what a normal lawyer did back in the day: throw a piece of paper in a filing cabinet in his office. Subject to fire and theft, sure, but I doubt the law has changed enough to make that illegal. CoreVault looks good, you can also visit each of the state bar association pages you listed and find things like NY State Bar Association offering a discount at VENYU for offsite data storage which is probably as close as you'll get to an endorsement. Have you thought about calling each state bar association office and asking them what they use/recommend?
My work here is dung.
Why online storage? Why not just copy everything to a couple USB drives and then backup off-site occasionally with DVDs? It's not like we're talking about a lot of storage, they're probably just text documents mostly, right?
Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
Come to think of it, I think we should store them in *actual* true crypts... ;-)
Scan the lawyers and shred the originals. You'll be very popular.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
a few bar associations, including Oklahoma, officially endorsed them.
I see.
That is not enough for me.
uh, huh.
Do any Slashdotters have info on this topic?
*head explodes*
THL phish sticks
I'm not really clear on why he needs to use online data storage when he could just buy a computer and copy the files onto it.
How about paper? Or has that gone out of style?
So basically what we have here is a lawyer asking, by proxy, for legal advice on Slashdot. ???
1. Online storage - mm hmm, how about lawyer-client confidentiality? I mean, if GoogleArchive (or whatever) gets a subpoena, can they (be required to) surrender your whole legal strategy to the prosecution?
2. How about localized storage, a nice Dell tape array? As has been posted, these are documents - probably rather easy to move to .pdf (which I'd say would be the higher priority) and then store on a standard tape rotation.
3. If you have a vendor that's endorsed by bar associations, then you might want to rely on that. At least it's a credible defense as to why you picked it, in case your legal dept. gets sued because of a situation as described in Step #1 above.
YMMV, IANAL, etc., good luck but I'm a nobody.
I have used Mozy for several law offices, primarily because you can specify your own 256-bit AES encryption key. Not even Mozy has access to your data.
In California the bar association regulations require that a law firm takes "reasonable care" of client data. That's it. Kinda Scary.
Any professional who truly values his data should back it up to the time-proven backup media -- magnetic tapes -- and have more than one copy, and each copy stored at a different offsite location.
Now having said that, since this is a lawyer you're talking about, he might deliberately wish to have his data stored on floppies so that when that data gets lost or unrecoverable, he can argue that since he is not a data storage professional expert, that he believed as a "reasonable person" would believe, that he thought he was indeed exercising due diligence in backing up his data to some removable magnetic media for safekeeping, when he actually has secret ulterior wishes for that data to "go away". And since he is a lawyer, he can probably easily convince a contemporary judge or jury of his plausible deniability regarding the loss of that data.
I don't think lawyers are special or unique in their backup needs. I'm a consultant and this is what I advise most people to do.... Store files on the desktop, do backups with JungleDisk, and archive at some interval to DVDs. It's very cheap, and it's easy to do. If I'm going to be supporting them, I usually set up a VPS (like at mosso) and set up NFS and FTP shares. This is in addition to JungleDisk because I know not everyone will upload all of their data. I have automatic daily and weekly backups set up. For my own personal data (100GBs+), I use dual hard drives and use Grsync to keep the files up to date on both drives. One of the drives is attached via USB, and I only turn it on to do backups. This works well, but my data is less important than a lawyer's, and I'm willing to take more risk.
Then you should know how dumb it would be to put any sensitive info online. The floppies are more secure.
All my moves are coldly calculated
Mozy (owned by EMC) has some sort of deal with the ABA to give members a discount, so I would take that to be somewhat of an endorsement for use by lawyers. I'm not affiliated with them in any way -- I just know about them because their booth was across from ours at the ABA TechShow.
Questions to ask, if you're sure that online is the right approach:
Will customers have access to their data when the service provider goes out of business? If so, how much delay will be involved? ("You can have your data when we get the server back from the repo man").
There may be some standard telling lawyers to use reasonable care when handling privileged information. If there is, then by today's standards I'd personally argue that reasonable implies encrypted.
Is deleted data really deleted? Does it live on in backups? Is it like Google, where ghosts of departed data linger in the cloud?
The only thing I can tell you about bar association standards is that at one time the ABA was telling people that email was acceptable for communicating privileged information. I hope they're doing better now.
I have a relative that has been a lawyer for over two decades.
I'm sorry. Have they sought treatment?
if GoogleArchive (or whatever) gets a subpoena, can they (be required to) surrender your whole legal strategy to the prosecution?
As far as I understand it, attorney-client privilege is stronger than doctor-client privilege -- in fact, I'm not sure if there IS a stronger commitment our laws have to privacy and confidentiality.
If a lawyer is a ridiculous n00b and uploads unencrypted data about a client to an online service, my guess is that even though he was an idiot for doing such a thing, the court would still recognize that as being protected client data and would rule it inadmissible. I mean, it might show up as front page material if it leaks, but theoretically the court wouldn't take that information into consideration.
probably rather easy to move to .pdf (which I'd say would be the higher priority)
If all you have is images or hard copies of documents, then scan them to PDF, but if you have text files, I'd suggest storing both PDFs (to retain the precise markup) as well as text/wordperfect/OOo/whatever. It's difficult to do PDF editing and/or full-text searching across lots of docs (although I hear that FOSS tools to do both are getting better).
coding is life
Comment removed based on user account deletion
So long as everything is encrypted and a copy of the decryption key is kept in a secure offsite location (i.e. a USB key in a safe deposit box), what's wrong with having a backup solution that protects you from damages to your primary storage? Not having an online backup runs the risk of data loss in the event of a fire, theft or even a virus.
You do get some of this with a DVD backup, but you have to be really careful with DVDs as a reliable storage mechanism. For instance, lower quality writable DVDs can fail in as little as 2 years, even under optimal storage conditions. Higher quality writable DVDs can fail quickly too if stored improperly. Google DVD lifespan and you'll find plenty of articles on the subject.
There are secure online storage solutions like the one mentioned in the story, but they tend to charge more for privacy and security. And really the only thing you need from an online storage solution is reliability and, perhaps, point-in-time restore capabilities for when something is deleted or modified and a previous version of the file is needed. The privacy/security aspect can be handled using GPG or some other file encryption technique.
"I am aware this is not a forum for legal advice, but do any IT professionals who work for law firms know about such rules and regulations?"
I bet you can get a legal opinion for around $150/hour.
Free legal advice is usually worth what you pay for it.
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
It's not "protected communications" if you give access to 3rd parties.
That's why lawyers who use freemail such as gmail or hotmail (yes. there ARE lawyers who are cheap enough to do that) should be kicked in the head.
Apparently the bar associations and judges overseeing disciplinary hearings are no longer buying the "country bumpkin lawyer" defense. Or, at least, so said a lawyer who ought to know at a session at RSA last year (this _is_ Slashdot, so I'm too lazy to pull up the presentation from the Windows only USB stick they gave us as swag). There is starting to be a recognition that if you don't have the capacity to protect your clients' data, that you need to find somebody who does.
A lawyer can't get away with that; even "the fire/flood destroyed everything" won't work most of the time. They are supposed to have copies off site; it's part of most bar requirements and most contracts, and most lawyers sell up the fact they do this. I have been working as an IT consultant for 11 years for small and medium businesses, from the once-a-month update and RAM install to the 32-hour-a-week fully administrated network users. I have dealt with all manner of backups: tapes, hard drives, mirrored servers, online services, optical media, etc. They all have their advantages and disadvantages. For offsite backups for small clients I use online backups (moxypro) combined with monthly or yearly hard media backups: a set of archive DVDs (looking into Blu-ray for this). The online backup keeps them never more than a day out of date backup-wise. The monthly or yearly backups are for old files that they don't need to get to fast. They can be stashed in a few places for redundancy (one at home, one in the office, one in a safety deposit box, one in your car, etc.); all are encrypted. For midsized or very large amounts of data, online backups are much too pricey, all being around $1 a gig or so monthly. A cycle of tapes or hard drive backups can be done, but you run the risk of someone forgetting. Then you have to get a piece of quality backup software and a lot of hardware, and there is administration that is required. Some customers like this I have back up to a mirrored folder on one of my servers I keep in a data center; it works, it's costly, and it takes a long time to get lost data back. Anyway, my suggestion for online backup is moxypro: it's a small client, reasonable pricing, rarely down, you can control how often it backs up and how much bandwidth it uses, it runs on 2k+ and will email you if it has a problem or runs out of space. They also let you attach it to your own account but bill directly to the user, so you can track, manage, upgrade, etc., but the bill goes to them.
As for the legal aspect of it for extra security for controlled info I set a batch to run an hour before the backup starts to encrypt it all.
Mozy or Carbonite are just one solution. I like the fact that Mozy allows you to specify your own keyfile so if someone does get access to the stored data, it won't matter that much.
However, if you completely lose a machine with a hard disk failure, Mozy will take a long time to restore.
This is why you have a local backup method with some sort of backup program that has certified AES encryption. Both Symantec's Backup Exec and EMC's Retrospect both have had their encryption routines certified.
One of the better ways to back up is to put in place a machine that had a TPM chip for hardware and either Windows Server 2008 or Vista Ultimate so you can enable and use BitLocker on the boot volume and the RAID (of course, the volume recovery keys will be printed out and stored in multiple safe places). Then, install a network backup program on this machine and clients on your workstations. After setting a schedule, you pretty much can walk away. Once or twice a month, get an external hard disk, create an encrypted backup set on it, copy the data from the backup server's RAID volume to it, and then put the hard disk offsite securely. Tape is better, but for a small law firm, the price of a decent tape drive is pretty steep. As an option, you can use TrueCrypt or BitLocker on a device level as a second line of defense.
This covers almost anything that comes up. If someone steals the backup server, they would have to bypass both BitLocker's protection that covers every bit on the hard disk, as well as the backup program's encryption. If someone steals one of the external drives, without the encryption key, the data is worthless.
The reason I recommend BitLocker is that it is transparent. Once configured and the recovery keys saved off, the machine does not require any user input to start back up if it gets rebooted, but the data on it is still protected from someone trying to boot from a CD and copy it off.
I use Opengoo, an opensource suite. I don't use the online editing function, but I *DO* use the checkin/checkout/versioning of the suite. And documents, etc. can be placed in separate workspaces and tagged accordingly with only identified individuals having access to only what they need.
I have it hosted at my hosting company, which takes care of all my backup needs.
Check it out at http://www.opengoo.org./
I have a couple of similar but related questions: What kind of bike should you ride if you are a soccer coach? Also, what color pants should you wear if you dream of breaking into middle management?
My main concern would be privacy. You start putting confidential client files on the internet, and if anything goes wrong you are looking at a malpractice suit for sure.
I tried to explain that to a local lawyer who wanted to use gmail (unencrypted, of course) for his practice's e-mail. I could never get him to understand that there was anything even remotely wrong with doing what he wanted to do. So now he's doing it.
Just as scary, none of his clients seem to think that it's a problem.
This is one of those times that I just want to bang my head on a wall and scream (to myself, since no one else seems to listen), "Why does no one else get it?"
And by talking to other lawyers here, their backup strategy generally seems to consist of... hope that they never have a fire (or, in some cases, hope that they never lose a hard drive).
Half of keeping copies of important documents is being able to retrieve them later on when you need them.
You seem to understand that, which is why you are trying to convince your relative to move his data to a more reliable storage medium.
The other half is in _not_ being able to retrieve them when it is inconvenient to do so. This is why there are floods, fires, mice, lost envelopes, poorly made photocopies and, in this case, corrupt old floppy disks. And as long as you have a storage system which is just barely good enough then you can lose anything you need to and nobody will even blink.
It's all about identifying the client's needs. Give them what they really need, not just what they ask for.
Q: What do you have when you have 10 lawyers stored up to their necks in online?
The average attorney salary is ~$60k per year. And that is with $300k+/yr equity partners pulling the average up.
I was in my 1st year of law school when I found out that I was making more as an engineer (BSEE) than most lawyers were making. (Fortunately, my company was paying for school & guaranteeing me a job upon graduation that involved a pay-grade jump every year for 4 years.)
The truth is, there are just too many lawyers.
Most of them can't find a job in a "real" law firm. So, instead they have to hang-up their own shingle and become sole practitioners.
Sole practitioners usually take DUI cases or other minor disputes, often for clients that decide they're unhappy with the outcome and refuse to pay.
Sole practitioners also get to be taxed on both halves of self-employment taxes, pay their own benefits and business insurance.
Good times.
Add on top of that law school is ~$100k, which most people take out loans for.
So, if you go to law school chances are high you'll graduate with the equivalent of a mortgage and no job.
It really doesn't make financial sense to get a law degree unless you have a lucrative specialty (e.g., patent or admiralty law), go to a cheap state school (e.g., ASU), or feel a moral duty akin to the priesthood.
I would recommend Amazon S3 Jungledisk. It is the same kind of service as Mozy. I've used Mozy, and it works okay. You can generate your own key if you want, or you can use a key generated by Mozy. That means that they can decrypt your data, but I suppose that if you take the professional account, that they promise to protect your data. You can of course contact them by mail. Normally they reply in a day.
I've changed to Jungledisk because it's faster and you can use multiple computers with the same account. For one computer, Mozy is cheaper, although this may depend on the amount of data as well. But $5 or $10 per month is probably not an issue for a lawyer. With Amazon you can use your own key as well.
Extra care should be taken of the backup of the key. You should put it on several usb sticks in different places, probably in a vault. You can print it as well, making sure that you can see the difference between a 1 and l, and 0 and O, etc.
Jungledisk and Mozy are great, but what if you lose everything and you need to download 200GB? That's why I use external usb disks as well for local backup. 2.5" disks are the best because they are small and light, more durable because made for notebooks, and don't require a power adapter. Use Time Machine or another backup program. Create a truecrypt volume on the disk (probably using the same key), and copy the backup to that volume. Better use two external disks, and always keep one offsite.
Are the bowels of hell still available or is Ballmer still farting around down there?
[an error occurred while processing this sig]
vitalEsafe, Inc. provides online encrypted storage to a number of law offices and to all lawyers submitting and receiving legal documents from/to the Mississippi Chancery Courts. We provide secure storage, sharing, and transmission of documents. Many law offices do nightly backups of changed documents to our servers for complete offsite disaster recovery protection. Each account's data is encrypted with a separate key that is only available to the account's owner. We believe the encrypted sharing and sending features are unique among online storage vendors at this time.
More info at: http://www.vitalesafe.com/
Disclaimer: I'm the CTO of this service
Online?
Don't. Just don't.
Webs of trust are all well and good until you bring a lawyer in to the mix.
Remember - these are the same people that insisted that 3.14(etc) could be rounded down in our educational system...
The answer depends on how much he values his data, and what the different regulations are that affect lawyers. It also depends on what you mean by online. You seem to mean a web based application that will store information offsite.
Irregardless, at the very minimum, the information should be stored on a series of redundant disks, whether this be a RAID or something else. A server would make the information more easily accessible as well as more secure from hardware failure. However, there is a certain amount of insecurity that would result from this if you use anything but an airwall between the network and the Internet. However, with a good firewall and proper patching, this insecurity would be minimal.
More than likely, there needs to be encryption of the stored information as well. This CoreVault ought to do that. Another product called E-Vault should work as well.
Hoist Number One and Number Six.
They've got some ace techies in high places!
I worked briefly in a place that would take hard drives and scan them using various software that then would turn almost anything into an image. Emails, images, documents, etc get turned into a searchable database. This would fill up gigs and gigs of space.
On top of that they also had to keep that data on hand just in case it was called into court or something crazy.
I did something similar for an accountant in Canada. There they are subject to data security/privacy laws, although the wording is also rather vague.
In his case, I simply set up a file server with mirroring RAID. Of course, this is cheap and easy to do since many motherboards have mirroring RAID built in.
Then I set up a USB drive that automatically backs up any changed files (using rsync) when it is plugged in.
So, on his way out every night, he simply plugs in his USB drive, a DOS box pops up and he sees all his files from the day's work get copied over to his drive.
Once he's at home, he can also work on his files knowing that he has an exact copy as what exists at the office. (No VPN solution needed, so no worries about other potential security problems.)
Using email as anything other than a medium to move encrypted files is folly in the first place.
If his office is anything like the one I work at, every floppy disk could explode and none of the clients would care. All of the important stuff is printed out, and the really important stuff is stored in fireproof filing cabinets.
I understand your concern regarding email, but I think the real issue is that lawyers should NOT be using email for anything that's even remotely related to privileged, or even confidential information. More than likely your lawyer already knows that, and that's why he doesn't care one bit about email security. You're under the mistaken assumption that you can control/secure email. The fact is that you can't. The only way to secure email communication is by encrypting the message, and at that point, it shouldn't matter who you're using for email. But you're rarely going to find a client who's willing to deal with the headache of encrypted email, so in the end, the only time you discuss privileged information is in person.
And it would be smart to store the key/passphrase on paper in a safe, in case you get hit by a bus and your partner/assistant urgently needs a client's file. IANAL.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
I have also used Mozy, specifically MozyPro, for my company, for more than a year.
I had a terrible experience with it, the client initially worked well, but is so badly written that as you get to multi-gigabyte volumes, the incremental scanning completely stalls the OS.
So: whatever you choose, test it for a while. And, most online storage services have encryption, including DriveHQ, which I switched to. Works fine so far (6 months).
came for the lawyer jokes, and not disappointed, thank you dotters :)
BTW.... is it just me or does "IANAL" just sound wrong whenever someone puts it at the end of legal advice? seriously people... TMI...
http://wikileaks.org/ Confidentiality: yeah! Privacy: yeah! Truth: yeah! No corporate bullcrap: yeah! Hidden source (magic word TM): yeah!
It's my understanding that there's a distinct difference between attorney-client privilege and doctor-client confidentiality. In the case of doctor-client confidentiality, a court can compel a doctor to turn over all records in certain circumstances, that's not the case with regard to attorney-client privilege.
One thing to keep in mind regarding the duties of an attorney to a client. An attorney has a fiduciary duty to their client, therefore they have a duty to put the client's interests before their own interests. Therefore, an attorney has to act with extreme care to protect the secrecy of a client's privileged information. Uploading unencrypted client information to an online storage site would be a clear failure on the attorney's part to protect client information and would get them in serious legal and financial trouble.
We had to support a nationwide practice, lawyers travelling worldwide, and offer the best security. Oh, and permit exchanging documents with the office staff for editing, updating with images, and of course distributing these securely to other counsel, courts, and clients.
We started with Novell iFolder, set up a clustered solution, and did encrypted backups to a remote FTP server. Today I'd do this a little differently, but iFolder still works.
'just text documents' doesn't begin to cut it. Much case material is actually scanned as images. Even text documents will have embedded objects. Version control is critical for contracts, and saving each version individually is BAU. A 30-page contract might be a 3-6MB file, but the project can run over 500MB easily, and of course the redundant backup to another folder and reference materials can make the whole storage for this one contract >1GB. If they are doing the business they used to, this would make one partner's storage needs exceed 120GB in a year. For contract work alone. His trademark practice would double that.
Just saying, this is in fact nontrivial.
deleting the extra space after periods so i can stay relevant, yeah.
I spend a lot of time worrying about this.
My recommendation is to definitely encrypt the data before, after, and over and over again. Then keep it somewhere safe outside the U.S. if confidentiality is the goal.
Sorry, but there is nowhere in the United States where your privacy is safe anymore, and I would add many European countries to that list. Encrypt it, and then spread it around to several countries with reputations for protecting privacy.
I would also not bank on keeping data in data centers where the owners control the keys. They are just one trip to the court away from all of that stuff showing up for whatever reason if someone gets a warrant or by other methods. Use your own computer systems, with encrypted file systems.
This would likely be fine as a VPS, but control the OS. Besides technical reasons, it may provide some legal firewall between any other computer systems in the data center that might be searched and your own. If you are sharing hard drive space directly, it might get messy to claim no association until client files are searched and are now in public court where people that should not have the information can get access legally.
In protecting legal documents, sometimes just the knowledge of a client's name leaked to the wrong person can be damaging to the client's case. So, everything must be protected.
Living in Chile
Yea, but do they protect against searches and seizures?
Living in Chile
No one has yet commented that about 10000 floppies roughly equals a DL-DVD.
The idea of indexing and storing 10000 floppies is incredible. He would have mentioned it.
Therefore he does not have more than 10000 floppies.
Solution is simple.
Make a directory on the hard drive, fill it with files, burn to DL-DVD on a weekly or even daily basis.
Keep this week's backup in the desk drawer (just in case you delete the wrong file).
Mail two weeks ago to some sort of iron mountain-esque facility. Or stick it in the bank deposit box. Or find a friendly competitor (like utterly different specialty) and exchange backups with him.
No matter what happens, always save a copy of the Dec 31st backup for each year. On Jan 1st, after the hangover, delete any customer subdirectory that has been irrelevant for at least one entire calendar year (thus it exists in full identically on at least two end of year DVDs). Or maybe five years, or maybe whatever the statute of limitations or prison term is for that customer's situation. This keeps size down after a couple decades.
This seems like a simple obvious solution, unlike all the crazy upload it to unknown people on the internet, or make a torrent of it, or email it all to your gmail account, or create a 100 TB data warehouse (for a couple floppies?) or whatever else is in the comments today.
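The pruning rule in the comment above (delete a customer directory only once it sits identically on at least two year-end discs) can be checked by content hash before anything is deleted. This is an added example, not part of the original thread; the directory layout, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import tempfile
from datetime import date
from pathlib import Path


def tree_digest(root: Path):
    """SHA-256 over every relative path and file body under root.

    Returns None if root is missing or unreadable, so a rotted or absent
    disc can never count as a good copy. Length prefixes keep the
    path/body encoding unambiguous.
    """
    if not root.is_dir():
        return None
    h = hashlib.sha256()
    try:
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            rel = path.relative_to(root).as_posix().encode()
            body = path.read_bytes()
            h.update(len(rel).to_bytes(4, "big") + rel)
            h.update(len(body).to_bytes(8, "big") + body)
    except OSError:
        return None
    return h.hexdigest()


def prunable_customers(live: Path, year_ends: dict, today: date, idle_years: int = 1):
    """Names of customer directories under `live` that may be deleted on `today`.

    A directory qualifies only if the last idle_years + 1 year-end copies all
    exist and all hash identically to the live directory: nothing changed for
    idle_years full calendar years, and the archived copies are still readable.
    `year_ends` maps a year to the mounted root of that year's Dec 31 backup.
    """
    needed = [today.year - n for n in range(1, idle_years + 2)]
    if any(year not in year_ends for year in needed):
        return []  # a required year-end disc is missing: delete nothing
    result = []
    for cust in sorted(d for d in live.iterdir() if d.is_dir()):
        want = tree_digest(cust)
        copies = [tree_digest(year_ends[year] / cust.name) for year in needed]
        if want is not None and all(c == want for c in copies):
            result.append(cust.name)
    return result


def build_sample(base: Path):
    """Constructed sample: a live tree plus Dec 31 copies for 2007 and 2008."""
    def put(root, rel, text):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(text)

    live, y2007, y2008 = base / "live", base / "2007-12-31", base / "2008-12-31"
    for root in (live, y2007, y2008):
        put(root, "acme/contract_v3.txt", "final")   # closed matter, untouched
    put(y2007, "smith/brief.txt", "draft 1")         # still active during 2008
    put(y2008, "smith/brief.txt", "draft 2")
    put(live, "smith/brief.txt", "draft 2")
    put(y2008, "newco/intake.txt", "notes")          # opened in 2008, one copy only
    put(live, "newco/intake.txt", "notes")
    put(y2007, "jones/will.txt", "signed")           # 2008 disc copy is damaged
    put(y2008, "jones/will.txt", "sig\x00ed")
    put(live, "jones/will.txt", "signed")
    return live, {2007: y2007, 2008: y2008}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live_root, discs = build_sample(Path(tmp))
        # Run "on Jan 1st": only the untouched, twice-archived matter is listed.
        print(prunable_customers(live_root, discs, date(2009, 1, 1)))
```

Raising `idle_years` to 5 covers the comment's "or maybe five years" variant; the function then refuses to list anything until six consecutive year-end copies are mounted and match.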
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
I work in IT for a "top 20" law firm but I don't know the specific answers to your questions but...
The retention and security requirements should not be any different regardless of where the data is, on floppy, in email, in an iPro or Concordance DB, etc... as long as it meets any requirements that the lawyer has with the client (an example is some clients do NOT want specific case data backed up to long term storage etc, only want email signed with PGP or TLS etc). I really doubt you have many different requirements anyway, we have thousands of big time clients and I can only think of a few specific clients that have specific requirements.
Have one of the lawyers examine the contract with whatever storage company you decide to go with.
outside of my Internet that said dead lawyer storage? You know why you didn't because it's not there, that's why!
Even if you use your own encryption key with Mozy, they still know your filenames, foldernames, timestamps, sizes of files, etc. It's not really private.
Repeat after me:
Spinning magnetic storage is not a backup.
Spinning magnetic storage is not a backup.
Spinning magnetic storage is not a backup.
Spinning magnetic storage is not a backup.
Spinning magnetic storage is not a backup.
If you want to use magnetic storage for backups, use DLT or LTO tape, and make two copies, and keep them in different places.
Or, y'know, just hire a friggin sysadmin, and ask him "so, what will your backup plan be", and then get a second opinion on his answer. :-)
Please give some good advice, which is to use the latest and best system, endorsed by important entities everywhere.
It is called "Wikileaks", and can be found using any search engine.
Prove anything by multiplying Huge Number times Tiny Number
Just get a server in a cheap colo and just use it for a cheap off site storage.
Get a NAS for the office.
The whole thing is cheap and works very well. The most expensive part is paying someone to move the floppies onto a hard drive.
And don't go off on someone about something they are doing when you don't know anything about it, asshole. How rude.
...Spideroak.com
I currently use it for backups. Some of its coding is OSS. You get 2Gb free storage (which should be enough for you to test out the system).
Laters Sol "Have you found the secrets of the universe? Asked Zebade "I'm sure I left them here somewhere"
If we received a court order to turn over the contents of a safe my understanding is that we have no choice but to do so. vitalEsafe would provide the legal entity with the AES-256 encrypted files. It would be up to them to decrypt them. I don't have access to the decryption key to provide decrypted files to them. If they can decrypt them, then they can decrypt your local copies as well (assuming your local backups are fully encrypted) which you would be compelled to turn over via the same court order (unless you destroyed them all).
http://www.catalystsecure.com/
Why isn't spinning magnetic storage a backup?
Sure, it's more prone to break than some other storage media, but I doubt you don't have any backup media that can't be made to break, using stuff I've got in the house right now. If you rely on a supposedly indestructible backup medium, you're setting yourself up for a real disappointment.
Just make sure you have adequate redundancy, check your backups, keep backups offsite in a safe place, and replace any failures immediately.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
You are wrong about clients being enraged. The vast bulk of lawyerly data has little archive value. Everything gets printed out on paper and if push comes to shove can be scanned in again. (Wife's a lawyer)
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Let me first throw out everyone's favorite acronym: IANAL
That being said, I used to do on-site service and consulting work for a number of area law firms, and saw several different backup strategies they employed.
Where I saw the online storage concept being put to best use was for email. The law offices I've seen who tried to run their own mail server, in-house, were *always* putting their data at some level of risk of loss.
In some cases, you had firms using Novell Groupwise as their messaging system, a leftover from bygone days when Novell was the "end all, be all" of servers and reliability. The problem, there, is, the Novell servers were so darn reliable, they tended to be largely forgotten and unmaintained over the years. The I.T. people who first installed and configured them are long gone, and very few people have expertise in Novell issues anymore. The hardware is usually getting quite old, and the motherboard, CPU, RAM and everything else comprising the server could potentially fail at any time.
In other cases, a firm might have been using Exchange and Outlook, but usually lacked a real, full-time sysadmin on staff. One of the lawyers who was deemed most "computer savvy" was given the task of doing the adds, moves and changes -- and they assumed they could just "call a place for help" if anything major went wrong.
These scenarios all mean a catastrophic loss of mail folders is quite possible, really. (What if that backup tape they've been telling you to keep swapping each night as "insurance" is actually not backing up half your stuff properly anymore? What if you need some selected stuff recovered from a long-deleted email account? Are you sure you even know how to get that back without erasing anything else?)
If a firm outsources their email to a hosted Exchange server with a competent business that keeps archival backups for them, I'd say that's a superior option to most others in reality. (May sound "scary" in theory, having confidential info "out there" on someone else's server, etc. etc. But if you can't/won't invest in real I.T. workers and the infrastructure to protect it properly, in-house, I think it's really much less risky.)
Ground up and in the freezer..
Inane Comments are Generously Disregarded
There's no reason online can't be secure. Online means it's automatically offsite and that a 3rd party has the time and incentive to be sure it's actually working.
2 years ago I founded https://spideroak.com/ for this exact situation -- wanting a zero-knowledge approach to encryption. We explicitly don't know anything about your data. We just see boring sequentially numbered data blocks on the server. Instead of a EULA, we have a "remember your password" agreement.
You can combine data from unlimited devices and it de-duplicates, and can automatically sync folders for you. Storage is perpetual (unless you explicitly remove things.) FWIW, it's written in Python and we have always supported Linux.
There is the rub.
Attorneys need more protection than that against accidental discovery. By accidental discovery I mean, one good legal search revealing other stuff.
Do you offer offshore protection in other jurisdictions other than the U.S.?
Living in Chile
The type of storage that is used is not really important. What is important is that the restore procedure is tested. There is no reason floppies would not be ok (Although a CDR would be more modern). The key is TEST THE RESTORE PROCEDURE regularly. A backup is not a backup until it is verified.
I'm an attorney and a computer engineer. My main concern would be privacy.
And I stayed at a Holiday Inn Express last night. Just kidding.
I work as a sysadmin at a lawl skool, and it's refreshing to see a chiphead packing a JD. Out of 200 1Ls this year we have fewer than ten with degrees in engineering, science, or math. Most are philosophy, poli sci, sociology, and the like.
My main concern would be privacy. You start putting confidential client files on the internet, and if anything goes wrong you are looking at a malpractice suit for sure. Like other commenters I would recommend an external hard drive or two. One in a safe at home and one at the office.
Don't forget to use TrueCrypt.
There are many services out there, but Wikileaks is what lawyers should probably be using.
M
Come on, just make sure he buys a couple 8 GB USB flash drives or 1-2 external HDs; size hardly matters. Just tell him to copy everything to the key drive, then to the HD, then at the end of the day disconnect it all and toss it into the safe. Problem solved.
The problem would be if he is running something older than Win2000 or WinXP. Then it would be painful to just plug in a usb flash or HD. At that point, I'd tell him to bite the bullet and spend the $600-900 on a decent laptop from walmart. Question him first. Odds are 90% of what he does are word 97 docs or whatever other off brand word processors were around back then. If you are into OO, install that for him. If not, make him buy Office 2007. Just make sure whatever is on it opens his old stuff; that's the only important factor that he'd really care about.
FYI, even if you use your own key, Mozy only encrypts the contents, not the filenames. That could be a problem for some people. A court could establish that a particular file exists, and then require you to produce it. See http://michaelshadle.com/2007/05/07/mozy-the-backup-client-damn-close-but-still-no-cigar/ for more info.
What you really need to keep your data secure is use a secure password like the one we use at my company -- 23$wu!x6 -- we've been using that password for a while now and never had any problems.
Ok, so here's a shameless plug for where I used to work, but hear me out.
Sendside is a fairly new company that specializes in secure messaging and storage, among other things. They conform to various legal security requirements for banks and hospitals, and even allow digital signing of contracts and other forms. In all, I think their ideas are pretty revolutionizing for what could be considered "email", but it is much more than that.
Their services for legal solutions can be seen here.
Here is their white paper on their security practices.
If all else fails, add another if.
Spinning magnetic storage is not a backup. If you want to use magnetic storage for backups, use DLT or LTO tape
So, how do you read and write to those magnetic storage tapes? Do you spin them?
Seriously, use whatever the hell you want, just make sure you have multiple copies at different sites, and regularly check that you can still access the data with checksums. Two online hard drives (or whatever they use -- the point is you don't care) at different providers is a great strategy.
Dropbox might be a good solution. All you do is work in a special directory on your hard drive, and your files are automatically synced across computers and to the web continuously. Never lose your data to a bad hard drive ever! You can also link multiple computers to a dropbox account and those files and changes are automatically synced between them!
http://www.getdropbox.com
Your friend should use RAID 10 floppies to safeguard his data and to improve access speed.
A floppy SAN may be the perfect solution if multiple people need access.
766.189627 exabytes of data, which seems suspicious to me since the Internet Archive only has roughly between 4 and 8 petabytes I believe. Of course I could be wrong. But even if they ARE approaching a zettabyte, something that would set a world record, you have to wonder how they are managing all that data.
Restore the madness of youth's lechery
... if this guy is a lawyer then probably the information has significant value to some people, right?
My advice then would be to tell him to hire a professional who won't have to ask Slashdot how to archive and backup such information.
It may be overkill, but RenewData (www.renewdata.com) specifically handles online data storage for legal firms, complete with e-discovery tools.
Where can I get a toilet seat designed specifically for lawyers?
If there's strict liability, failure is not an option.
There are quite a few cases in law, even criminal, where due diligence or even "utmost care" is not a defense.
Whether I think it's fair to hold someone accountable for stuff entirely beyond their control is another story,
Even if the evidence doesn't get admitted in court, the information could lead them to look for other admissible evidence that they wouldn't have otherwise considered.
They then present that without explaining what prompted them to look there, and don't mention the inadmissible stuff.
This site has enough storage that your lawyer relative can put ALL of his client's documents on:
http://en.wikipedia.org/wiki/Main_Page
As a lawyer it seems to me that these floppy things sound like a great idea for backups. Would you recommend the 8 1/2 inch ones or the new fangled 5 1/4 inch models? Dyson or Memorex? I haven't seen the striped ones, but those sound very fashionable.
>>I'm an attorney and a computer engineer.
Ditto, passed the bar last year. While in school, it totally blew my mind how techno-illiterate most of my classmates were. We're generally talking about 21-25 year olds who still think of a "hard disk" as being a 3.5" floppy.
One day we had to give presentations. One guy was slated to talk about technology in the modern law office. I thought, "Oh, this will be good."
And indeed, it was. He talked about how a "database" -- i.e., an excel spreadsheet -- of clients was superior to a paper file. How CD backups should be preferred over keeping files on floppy disks. How attorneys should be able to write emails instead of just relying on their secretary to take dictation and do it. This is 2008 we're talking about.
Scary.
A former student of mine works for Open Text (HQ in Waterloo Ontario). I know one of their products is a document management system for legal firms. I don't know much about the system, but it is one possibility to consider.
Atlas stands on the earth and carries the celestial sphere on his shoulders.
You're supposed to scan the originals and shred the lawyers.
The society for a thought-free internet welcomes you.
As far as I understand it, attorney-client privilege is stronger than doctor-client privilege -- in fact, I'm not sure if there IS a stronger commitment our laws have to privacy and confidentiality.
Very true. Inadvertently releasing privileged information does not necessarily waive the privilege and it doesn't waive it for all contexts. The courts will (in most circumstances) recognise a genuine stuff up and prevent the other party using the document or the information gained from it.
Having information and being able to use it in court are two very different things.
You do not care about the archive, you do not care about safety, you do not care about security.
So. I.T. just has today. There is no yesterday, and certainly no tomorrow.
PGP Netshare lets you encrypt individual files on a shared network file system and allows those files to be accessed simultaneously by multiple users on the network. The files can be protected by a shared secret or a group of keys/certificates. We use it in house for a very similar application.
http://www.pgp.com/products/netshare/
I set up a backup system for a lawyer last year. It's basically a cron job that runs a script every night. It uses duplicity + gpg and stores everything on Amazon S3. It's incredibly cheap. I store 6 months of revisions, with a full backup on the first weekend of every month, then incrementals after that. I perform regular restores and run a big md5sum job to ensure that the restores are working. I haven't automated that stage of it yet, but so far so good. I'd be happy to send you the scripts if you want. PM me if you're interested.
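The restore check that several comments in this thread call for (test the restore, compare checksums), as an added example that is not part of any comment and is not the scripts offered above. It assumes SHA-256 in place of md5sum and a manifest written at backup time; every function name, the manifest file name and the sample files are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large scans or audio files do not fill RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # only regular files are compared
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """Store the manifest as 'digest, two spaces, path' lines (sha256sum layout)."""
    with open(path, "w", encoding="utf-8") as handle:
        for rel in sorted(manifest):
            handle.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    """Load a manifest written by write_manifest."""
    manifest = {}
    with open(path, encoding="utf-8") as handle:
        for line in handle:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_restore(expected, restored_root):
    """Compare a restored tree with the manifest taken when the backup ran."""
    actual = build_manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    corrupted = sorted(
        rel for rel in expected if rel in actual and actual[rel] != expected[rel]
    )
    return {
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "ok": not (missing or corrupted or unexpected),
    }


def run_constructed_demo():
    """Constructed sample: a small file tree, its manifest, and a damaged restore."""
    work = tempfile.mkdtemp(prefix="restore-check-")
    try:
        source = os.path.join(work, "source")
        restored = os.path.join(work, "restored")
        os.makedirs(os.path.join(source, "client_a"))
        samples = {
            "client_a/retainer.txt": b"constructed sample text\n",
            "client_a/deposition.txt": b"constructed sample transcript\n",
            "index.txt": b"constructed sample index\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(source, rel), "wb") as handle:
                handle.write(data)
        manifest_path = os.path.join(work, "MANIFEST.sha256")
        write_manifest(build_manifest(source), manifest_path)

        shutil.copytree(source, restored)  # stand-in for the real restore step
        os.remove(os.path.join(restored, "client_a", "retainer.txt"))
        with open(os.path.join(restored, "index.txt"), "ab") as handle:
            handle.write(b"\x00")  # simulate silent corruption of one file
        return verify_restore(read_manifest(manifest_path), restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_constructed_demo())
```

Taking the manifest when the backup runs matters: the live files keep changing afterwards, so hashing them at restore time would flag every edited document as corrupted.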
I'm a corporate lawyer, and that's exactly how I do it; except that I encrypt files on the USB because I keep my files with my keys, and in the event I lose my keyring, I don't really want anyone to read it.
Online storage belongs to the problem set, not the solution set. It can fail in so many ways (including storage company going under) that it's just doomed to fail at the worst possible time.
16 Gb are all I need to keep track of 10 years history of the 30 subsidiaries of my company, employees files included.
The banks (I worked in) did it by storing half of a key in two safes, two different managers have access to their particular safe. Each is asked to enter their half of the key when it's required (gets them involved in the data's ownership too). No one actually knows the entire key.
It's a function of the role to have appropriate access. YMMV
My ism, it's full of beliefs.
With today's strong encryption technology implemented properly, no one needs to worry about the safety of online storage. Despite the fact that huge banks and bank customers rely heavily on 128-bit encryption, many lawyers do not yet appreciate how safe it is. Encrypted online backups are much, much safer and more reliable than the backup systems used by most law offices.
We have launched an online backup service specifically designed for small law offices: www.activeonlinebackup.com Our clientele of small firm lawyers like the idea of protecting their valuable data with an online system once they appreciate how secure it is.
End-to-end 448-bit encryption keeps backups secure from compromise by anyone or any agency that does not have the passphrase. The customer has exclusive possession of the passphrase. We never see it. This system complies with the stringent HIPAA requirements and completely protects the attorney-client privilege because no third party can possibly access the information unless the lawyer (customer) gives up the passphrase.
Attorneys put misplaced trust in flash drives, DVDs, and rotating external hard drives that they rotate off-site. How many of these home-grown backup approaches encrypt the data? Very few in our 13 years of consulting with small law firms. The client data are much more at risk of being stolen or lost as disks travel back and forth in cars and sit around in homes and offices.
The real, every day risks of most backup systems include these:
There is a lot more to the subject of securing a law firm's data than we can address here. But this is a good start.
One final comment: Don't trust just one backup system! They are not expensive any more. Run at least two separate systems, making sure that they are compatible with each other. Sure, rotate an encrypted backup on an external hard drive off site every week. Use a one-way file synchronization program to copy files from the server to a PC hard drive or an external hard drive or terrastation. But also use a reliable online backup service with features appropriate for a law office.
Wells Anderson, J.D.
www.activeonlinebackup.com
IANAL, but as an enterprise architect, here are the key things I can think of beyond the parent.
- Truecrypt - encryption is critical. Use it on all laptops and any data transferred offsite.
- par2 - parity to ensure the data isn't corrupted.
- RAID-10 - For critical data, it isn't worth anything less.
- Physical security for your data and backups. Lock the server room and lock the rack access to servers and storage.
- Encrypt all backups at the time of backup.
- Consider partnering with another law office to hold each other's backup data securely, assuming you don't have multiple locations 50+ miles apart.
- ssh with keys (not passwords) for file transfer of all data between the 2 locations
- VPN for all remote access. No exceptions.
- No Wifi in the office. No exceptions. Use a cable.
- Set up and use HTTPS protected web access for legal document transfers with clients. Don't email them unless you and they set up GPG or PGP encryption.
- Only use Blackberry remote email devices due to security concerns and require a complex password and auto lockout. Avoid iPhone, WM6x, and smartphones as the security of those devices is suspect. If the lawyers are serious about security, deploy a BES.
- Keep all systems that access your network patched. Be aggressive about anti-virus use. There are routers/switches that verify compliance every time a new device is connected. These may be a good option in offices with 100 or less devices. They also VLAN off unapproved devices from the rest of your network.
Most of these items are based on work "with" our lawyers and items they didn't do well. Wouldn't you rather have a paranoid lawyer over an uninformed-about-security one?
I am an IT consultant and my clients include doctors, lawyers and accountants. Each profession is regulated by rules which in general state that they are responsible for the safe keeping of records. IMHO online storage is neither reliable nor safe. If a file is needed but a connection to the storage provider is down for some reason this could be disastrous. If the storage company loses your data then it's gone and they have limited liability as far as damages go. The lawyer may get his money back or a judgement in money but the damage to his reputation would be considerable. He could be sued for malpractice and even disbarred. For doctors HIPAA has clear rules about the protection of medical records. Accountants have Sarbanes-Oxley rules to follow. The only way I would allow sensitive data offsite is in an armored car.
Yes. This is serious shit.
I have written an article for an American Bar Association publication covering online backup services and the ethical duties of lawyers to protect client information from being lost or disclosed.
Staying Safe with Online Backup and Remote Access Services
http://www.abanet.org/genpractice/magazine/2008/dec/stayingsafe.html
Wells Anderson, J.D.
www.activeonlinebackup.com
Parent says that "Mozy is cheap." That isn't true for commercial use. OTOH, Mozy is backed by EMC and that's exactly who you want to trust critical data with.
https://mozy.com/pro/pricing Forget it - 1TB is $500/month.
GB Cost
2 $8
10 $12
50 $32
100 $57
500 $257
1000 $507
To store, we need to convert them to electrons. I will be happy to demonstrate the process. And I am certain that within the first 100-100K lawyers, I will have the process down correctly. We will be able to convert all of our lawyers to electrons.
I prefer the "u" in honour as it seems to be missing these days.
There are a couple of free and fee-based options. http://mozy.com/, http://www.idrive.com/, http://www.sosonlinebackup.com/, http://www.carbonite.com/, https://www.upline.com/plans/index.shtml, and many others including skydrive from Microsoft, which is free, but not strictly an online backup, in the sense you need to take an extra step of making a backup locally and posting a copy on skydrive.
Here is what I did in my office when I was a lawyer.
On site backup, off-site backup, and however many versions of the prior state as I wanted to tell the script to keep. Thanks to cron, I had set it and forget it ease, all I had to do is see the all clear email that the script sent me to know I was backed up.
Any lawyer wanting to do this kind of thing should be very very careful and know exactly what they are doing as it is extremely easy to mess up and send all your client's information in clear text across the internet or mess up and end up with nothing in your backup.
I don't need to point out to you that online storage means easier access by a 3rd party without you knowing - no such problems with the floppies..
3 steps: first, get these floppies on a backup medium, even a USB disk is better (although the client segregation is then voided, maybe USB sticks, or separate archive files per client). Second, back up the backup and stick it in a bank vault. Repeat every week (most of my friends have two disks which they alternate). Third, ensure the use of full disk crypto (Truecrypt or PGP, with PGP slightly more user friendly and, in corporate mode, offering recovery token facilities) if they run around with laptops - ditto for the office computer (burglary proofing).
If you must collaborate online (typically the case with a practice of lawyers) use a reliable provider of groupware, I'm quite partial to Zimbra myself. Big caveat: I use a provider which operates under banking secrecy as well as data protection laws, but I'm in a country where those laws still count - not sure if you can find anyone that reliable in the US (I don't trust US authorities in any way, shape or form not to casually demand data if it so pleases them). AFAIK my provider accepts foreign subscribers, maybe an option?
Otherwise, install groupware inside the office and VPN it out - but ensure you have a backup regime that moves files off premise or the next burglary or fire will nuke the business.
Oh, and in case it wasn't obvious - make sure your backups are password protected. Select a good master password and stick it in a bank safe.
Usable software: PGP (also for email) or Truecrypt, Acronis True Image (IMHO the best backup software you can get). Truecrypt also enables you to create USB sticks which auto-start a Truecrypt mount (so-called "traveller mode") - that enables your friend to share data without disclosure risk, but you MUST teach him then to unmount properly or he'll mess up file integrity.
It's not easy to give you a sensible answer without more info so YMMV, but I think I've covered most of the basics. Good luck.
Insert
I'm not affiliated with this site, but I do have a contact via Twitter whose company has created a site for just this purpose. I'm not a lawyer so I don't know all the details, but you can look into or suggest http://legalruled.com/ as an option to look into.
...but where is your special online storage for dolphins?
One manager dies or gets amnesia and you're screwed. Data gone forever.
Mod Me Up. You'll make a grown man cry.
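The two-safe arrangement and the objection to it in the reply above, worked as an added example that is not from any commenter and is not the banks' procedure. It goes beyond the two-halves case by using Shamir secret sharing, a named substitute for physically halving the key: a single share reveals nothing about the key, and with a 2-of-3 split the loss of one holder does not lose the data. All names are hypothetical and the key is generated on the spot.

```python
import secrets

# Mersenne prime 2**521 - 1: a field comfortably larger than a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for coeff in reversed(coeffs):
        result = (result * x + coeff) % PRIME
    return result


def split_key(key, threshold, holders):
    """Split key into `holders` shares; any `threshold` of them recover it."""
    if not 2 <= threshold <= holders:
        raise ValueError("need 2 <= threshold <= holders")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # The key is the constant term; the other coefficients are fresh randomness,
    # which is why fewer than `threshold` shares carry no information about it.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_key(shares, key_length):
    """Rebuild the key by Lagrange interpolation of the shares at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >> (8 * key_length):
        # Too few or mismatched shares interpolate to an unrelated field element.
        raise ValueError("shares do not reconstruct a key of this length")
    return secret.to_bytes(key_length, "big")


def demo():
    """Constructed run: a random 256-bit key split 2-of-3 among three holders."""
    key = secrets.token_bytes(32)
    manager_a, manager_b, offsite_safe = split_key(key, threshold=2, holders=3)
    # Normal operation: the two managers combine their shares.
    normal = recover_key([manager_a, manager_b], 32) == key
    # One manager is unavailable: the remaining manager plus the safe suffice.
    survivor = recover_key([manager_b, offsite_safe], 32) == key
    return normal, survivor


if __name__ == "__main__":
    print(demo())
```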
For online storage, I like mozypro or rsync.net. As already mentioned, you would use your own private key with mozy, and for rsync.net you can use duplicity for encrypted backups over ssh.
Another idea, instead of asking some partner to burn DVDs and take them home, would be to schedule a cron job (or Scheduled Task) to encrypt the data and send it via ssh to the partner's home computer (could get an external usb drive for this just to keep the work data separate from the personal data).
What I did for a law firm was use mozypro with a private key when we had Windows servers, and encryption with upload to an ftp server hosted by Yahoo! run by a cron job on our linux servers.
Dood!!! The banks (I worked in) did it by storing half of a key in two safes. The manager's boss knows the combination.
My ism, it's full of beliefs.
I'll just reiterate what other wise folks here have said. Use a simple, offsite, incremental backup solution that you can understand. Archiving data once on old floppies is clearly a bad idea, but making several backup copies on some DVDs or CDs stored at different locations simply solves the problem. That's all you need to do: no fancy online storage, no shell scripts, no IT consultants.
A lot can go wrong with backups, and since reliability is the whole point of backups in the first place, the simplest solution is usually the best. Sure floppies can be lost or corrupted, but at least the attorneys understand and control the backup process, can identify problems, and can verify their backups easily. Quality optical media would be a more convenient version of the same thing. Using 1 DVD per day (including weekends) would work out to about $75 per year. Having 365 redundant copies of your backups in multiple locations is probably more than enough for any small law firm.
In California the bar association regulations require that a law firm takes "reasonable care" of client data. That's it. Kinda Scary.
Given that the US is a common law jurisdiction (presumably California is), you shouldn't be too concerned about the rule just being "reasonable care".
There will probably be a case (or a series of cases) that have defined exactly what that means. (I can't be sure; I'm studying law in Australia.)
It's also good, in a way, that it's not defined in any great detail. Imagine if the regs required a specific storage procedure that, because the regs were outdated, made it unlawful to store anything electronically. Leaving these matters open to interpretation by the courts means they can be reinterpreted in keeping with modern practices.
Check out www.firmex.com, designed originally for lawyers. Lawyers can collaborate and store documents online in the original context of the matter - indefinitely. Give me a call 416-840-4241 x230, happy to show you how it works. Joel
upload to this free website. They will gladly help you do MULTIPLIES backup worldwide with easy-to-understand comments.
NetDocs at netvoyage.com
We really like the versioning.
They then present that without explaining what prompted them to look there
In that situation I feel like the defense lawyer would cross examine the police as to why they searched for the stuff they found. If police can prove that they "would have found it anyway", that's one thing, but if their search for evidence has been tainted by inadmissible evidence, I feel like a judge might throw it all out.
coding is life
check out this service. It provides practice management tools and storage as a plus:
http://www.tocopractice.com
It's less scary if you realize what reasonable means. Doctors are "only" expected by law to be reasonable as well. What's "reasonable" varies wildly.
I don't want this to sound like a commercial, but I work for a company that has an online agreement management system that is used by legal departments, sales departments, etc at companies. It is Mumboe (http://www.mumboe.com). There is also stuff like SpringCM that is more of a generic document management system, SaaS as well. I have heard good things about them and they have eFax support, eSig, etc. I would look for a good SaaS solution that supported multiple users, user/group based security, full text searching, and audit logs. Also, look for an easy way to export/download all your docs if you need to leave the service.
That way you control its security.
---- Booth was a patriot ----
Text documents, pictures, depositions ( audio ), scans of legal documents, etc.
Attorneys create mountains of documents for cases, don't underestimate its volume.
---- Booth was a patriot ----
In my surfing I came across The Modern Firm Hosting Services and they may be what you're looking for.
Hope this helps.
Scientia et Potentia
Any Linux professional can accommodate secure storage on a USB device.
Set up user or company department with a new gpg install on a new linux account.
Create a gpg certificate - have them type in their email as recipient (email@me.com below) and a passphrase (the passphrase is yourpasswd below).
You then set their private key to level 5 ultimate trust.
If you were exchanging data with someone you would now export a public key for them to give to other IT for encrypting data to be sent.
In a simple archiving system creating a public key may be unnecessary (though I've never tried it).
Henceforth in a cron/shellscript archive system you need only the two commands below:
Archive:
cat somefiletobearchived | gpg -e -r email@me.com > somearchivedfile.gpg
Retrieve/Restore:
echo yourpasswd | gpg --batch --passphrase-fd 0 -d somepreviouslyarchivedfile.gpg > somenewfilename
Remember to escape $ and other shell-misinterpreted characters in yourpasswd with \
Do not ever use gpg option passphrase-fd with -e. gpg will skip the first line of data with no warning and you'd never know since often only the recipient with the passphrase will ever extract the data.
so I can set it up and then 'beep' transmit everything down the ol 'tubes or I can do what you suggest- $5 a pop to take tapes to the bank?
and that is cheaper?
really? really? how much do you think it costs to send a 'secretary' to the bank and back. $5? Really?
forget setup/and recycle, costs of every time there is a new authorized user or user to remove from the authorized list.
Forget Gas in the car or maintenance on a car
forget the cost of backup tapes- (7 sets of 2 tb data say)
forget the cost of a tape drive and the labor to have someone swap them in and out
forget the cost of a LOST tape en route...
let's just look at salary
I have employees, I sometimes need to send someone to the hardware store for a 23 cent screw.
if I pay that guy $10 an hour, he is costing me 12.20 an hour, and so that means 25 minutes is $5.00 in labor alone.
Now, try this-
in your head, go from a law office, to the bank, get access to a safety deposit box, and get back in 25 minutes-consistently.
if I'm paying that secretary $15 she has to make the trip in 16.39 minutes.
Really?
every day http://en.wikipedia.org/wiki/Special:Random