Slashdot Mirror


Online Storage For Lawyers?

alharaka writes "I have a relative that has been a lawyer for over two decades. In passing conversation, he revealed to me that he has a great deal of his data stored on floppies. Naturally, as an IT guy, I lost it on him, telling him that a one-dimensional storage strategy of floppies was unacceptable. If he lost those files, his clients would be enraged. Since I do not know much about online data storage for lawyers, I read a few articles I found on Google. A lot of people appear to recommend CoreVault, since a few bar associations, including Oklahoma, officially endorsed them. That is not enough for me. Do any Slashdotters have info on this topic? Do you have any companies you would recommend for online data storage specifically for lawyers? My relative is a lawyer with recognition in NJ, NY, CA, and DC; are there any rules and regulations you know of regarding such online storage he must comply with? I know IT and not law. I am aware this is not a forum for legal advice, but do any IT professionals who work for law firms know about such rules and regulations?"

6 of 287 comments

  1. A Few Helpful Lists by eldavojohn · · Score: 5, Informative
    Well, there's a list of online backup services on Wikipedia that's probably only half of what's available so if you feel you are lacking options and would like to help your friend out, you can do a thorough comparison matrix containing his priorities and rate each of them. You might be able to find viable options in the list of file hosting services as they use encryption.

    As a lawyer with recognition in NJ, NY, CA, and DC, are there any rules and regulations you know of regarding such online storage he must comply with?

    Ahahahahaha, you are asking Slashdot for advice on legal rules and standards to assist a lawyer?

    Look, you're probably going above and beyond what a normal lawyer did back in the day: throw a piece of paper in a filing cabinet in his office. Subject to fire and theft, sure, but I doubt the law has changed enough to make that illegal. CoreVault looks good, you can also visit each of the state bar association pages you listed and find things like NY State Bar Association offering a discount at VENYU for offsite data storage which is probably as close as you'll get to an endorsement. Have you thought about calling each state bar association office and asking them what they use/recommend?

    --
    My work here is dung.
    1. Re:A Few Helpful Lists by Anonymous Coward · · Score: 5, Informative

      IAAL and using any of these services is suicide.
      Store your documents IN A FIREPROOF SAFE or VAULT ON PAPER.
      Use a document scanner for retrieving them if you lose the electronic originals.
      Disclosure to a 3rd party is suicide as your atty-client confidentiality could be lost (what happens if the 3rd party gets subpoenas?). Losing data is suicide because it shows a lack of due diligence.
      Use paper. It works. Or burn to 2X archival CDR and THEN use paper. Whatever floats your boat.
         

    2. Re:A Few Helpful Lists by Captain+Splendid · · Score: 4, Informative

      Speaking as someone who runs a small law firm, parent has it mostly right, especially in regards to the document scanner. We live and die on paper, so we make a lot of effort to keep the physical and digital versions safe. As for online storage, HDs are cheap, and even several million pages of text documents won't break anyone's bank.

      I've never understood the online storage appeal for just about any commercial entity, but for a law firm, that just ain't gonna happen.

      --
      Linux, you magnificent bastard, I read the fucking manual!
    3. Re:A Few Helpful Lists by anagama · · Score: 4, Informative

      IAAL too, and I wouldn't feel comfortable with any particular service in which the service owner could have access to my files or the keys/passwords for decryption. I simply won't entrust my data to a third party, not even my calendar to Google Calendar. I do however perform nightly automated backups to a remote server.

      My system works like this:
      - in my office, tar the data into a single file, encoding the date into the filename.
      - mcrypt that tar file.
      - transfer the encrypted tar to a virtual private server via ssh. (*)
      - on the VPS, I have a script that keeps a set of my backup files: the last 7 days are kept, and then mondays for the previous 7 weeks.

      The risk is that my VPS or another VPS on the remote machine might be hacked and my data files exposed. However, because the data files are encrypted as well as can be by present standards, it is highly unlikely that the actual data will be exposed even if my account was hacked. The person would simply get a set of encrypted files. I suppose it would be possible for a person to grab my files, and 20 years later decrypt them. I think that worry starts to get a bit foil-hatish in that I don't work with terribly sensitive information -- at least not the kind that someone will wait decades to be able to decrypt.

      Even if my data was somehow decrypted, I feel that I have performed sufficient due diligence under the rules in my state (**). In fact, there is no data existing anywhere that cannot, through some highly contrived set of circumstances, be revealed. I do feel I'm doing a better job than if I merely stored the files in a locked storage closet. Taking a bolt cutter to a masterlock and then trundling off CDs, papers, or thumb drives is way easier than decrypting my files. Any safe I can afford can probably be picked in 30 seconds by some 13 year old kid looking for cred on YouTube. Lastly, I have no doubt my encrypted files on the VPS are more secure than files located on a computer through which the internet is accessed by a web browser.

      Anyway, I do feel I'm going beyond what most lawyers do with backup security. Of course there are certain unlikely possible breaches -- but I'm not required to protect against all of them. For example, I don't need to personally hand deliver all paper documents because I'm allowed to use the mail. What could be less secure than documents protected by a paper envelope?

      As an added bonus, because my backups are nearly 3000 miles away (I'm on the Pacific, my VPS is on the Atlantic), even a devastating regional disaster will not cause me to lose data. If a disaster is so bad as to stretch from sea to shining sea -- my files will be the least of anyone's concern.

      (*) I only get 15gb of space, but it only costs $10/month. It's running CentOS 5, no webserver or anything else, just ssh.

      (**) Comment to WA State RPC 1.6 (confidentiality and information):
      [17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

      --
      What changed under Obama? Nothing Good
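The server-side retention step in the comment above (last 7 days kept, then Mondays for the previous 7 weeks) can be sketched as follows. This is an added example, not anagama's script; the file naming `backup-YYYY-MM-DD.tar.nc` and the presence of GNU `date` on the server are assumptions. It also always retains the newest backup, so a stalled office-side job cannot age every copy out.

```shell
#!/bin/sh
# Server-side pruning for the retention rule in the post above: keep every
# backup from the last 7 days, plus Monday backups for the 7 weeks before.
# Assumptions (not from the post): file names look like
# backup-YYYY-MM-DD.tar.nc, and GNU date is installed on the server.
PAT='backup-[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].tar.nc'

epoch_day() {  # YYYY-MM-DD -> whole days since 1970-01-01 (UTC, no DST skew)
    secs=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    echo $(( secs / 86400 ))
}

classify() {  # classify TODAY NAME -> prints "keep" or "delete"
    case $2 in
        $PAT) ;;
        *) echo keep; return 0 ;;          # not one of ours: never touch it
    esac
    stamp=${2#backup-}; stamp=${stamp%.tar.nc}
    # An unparseable date (e.g. month 13) is kept rather than guessed at.
    t=$(epoch_day "$1") && s=$(epoch_day "$stamp") || { echo keep; return 0; }
    age=$(( t - s ))
    if [ "$age" -le 6 ]; then
        echo keep                          # last 7 days (or future-dated)
    elif [ "$age" -le 55 ] && [ "$(date -u -d "$stamp" +%u)" = 1 ]; then
        echo keep                          # a Monday in the 7 weeks before
    else
        echo delete
    fi
}

prune() {  # prune TODAY DIR [--apply]: print doomed files, delete if --apply
    newest=
    for f in "$2"/$PAT; do
        if [ -e "$f" ]; then newest=$f; fi # glob sorts, so last is newest
    done
    for f in "$2"/$PAT; do
        [ -e "$f" ] || continue
        # If the office job stops sending files, age alone would eventually
        # delete every copy; the newest backup is always retained.
        [ "$f" = "$newest" ] && continue
        if [ "$(classify "$1" "${f##*/}")" = delete ]; then
            echo "${f##*/}"
            if [ "${3:-}" = --apply ]; then rm -f -- "$f"; fi
        fi
    done
    return 0
}
```

Without `--apply` the function only lists what it would remove, which is the safer way to check the policy against a real backup directory before scheduling it.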
  2. Mozy.com, you can provide your own encryption key by Anonymous Coward · · Score: 4, Informative

    I have used Mozy for several law offices, primarily because you can specify your own 256-bit AES encryption key. Not even Mozy has access to your data.
    In California the bar association regulations require that a law firm takes "reasonable care" of client data. That's it. Kinda Scary.

  3. Re:Why online? by TheRaven64 · · Score: 5, Informative
    I've worked with a couple of companies that had the same kind of requirements:
    • They can't afford to lose the data.
    • They can't take it off-site without some additional constraints (e.g. stored in a safe, encrypted).
    • The users don't want to have to understand the technology.

    A lot of these companies currently use a third-party warehouse with locked cages and transfer photocopies of court documents there for off-site storage, and want something a bit more high-tech.

    The best solution I've come across is an on-site RAID-5 NAS with hourly snapshots. If they can store their data on floppies now, it is almost certainly less than 1GB. Put this on three or four 250GB disks in a RAID-1 array (no point in RAID-5 when you've got that little data - go for the extra redundancy) which takes (volume-level) snapshots every hour (something like GEOM or ZFS snapshots). Every work night, burn the latest snapshot to a DVD and give it to the boss to take home and put in his safe. He should store the most recent 5 backups there, and n week-end backups. If you're not using ZFS on the server then make sure you're using something else to check for single-sector corruption.

    Note: This is not legal advice. I know some law firms and one accountancy firm who use this system, but I am probably not in your jurisdiction and you may have additional regulatory / legal requirements. Fortunately, if you are a law firm, you can probably consult a lawyer and get some legal advice cheaply...

    --
    I am TheRaven on Soylent News