Online Storage For Lawyers?

alharaka writes "I have a relative that has been a lawyer for over two decades. In passing conversation, he revealed to me that he has a great deal of his data stored on floppies. Naturally, as an IT guy, I lost it on him, telling him that a one-dimensional storage strategy of floppies was unacceptable. If he lost those files, his clients would be enraged. Since I do not know much about online data storage for lawyers, I read a few articles I found on Google. A lot of people appear to recommend CoreVault, since a few bar associations, including Oklahoma, officially endorsed them. That is not enough for me. Do any Slashdotters have info on this topic? Do you have any companies you would recommend for online data storage specifically for lawyers? My relative is a lawyer with recognition in NJ, NY, CA, and DC; are there any rules and regulations you know of regarding such online storage he must comply with? I know IT and not law. I am aware this is not a forum for legal advice, but do any IT professionals who work for law firms know about such rules and regulations?"

Yes.

[Aaron_Pike]

I firmly believe we should store lawyers online.

Re:Yes.

[gandhi_2]

With a big knife you could store them in a Redundant Array of Inexpensive Freezers. RAIF-0 supports striped lawyers.

Re:Yes.

[dgatwood]

I thought it was the Judicial Array of Inexpensive Lockers that held the striped lawyers....

Re:Yes.

[Red+Flayer]

Meh. The operating costs of that are too high (refrigeration ain't cheap). I suggest RAID-0, Redundant Array of Inexpensive Dumpsters.

This does have an issue with degradation of the lawyers over time, but that's OK... it feeds into our COMP-Office Services Technology department.

Re:Yes.

[wastedlife]

Seriously, its like he thinks the internet is just a big dumptruck. Everyone knows that it is a series of tubes. All those lawyers would clog the tubes. It might take one of my staff a whole day to send me an internet again.

Sincerely,
Ted Stevens, former Senator

A Few Helpful Lists

[eldavojohn]

Well, there's a list of online backup services on Wikipedia that's probably only half of what's available so if you feel you are lacking options and would like to help your friend out, you can do a thorough comparison matrix containing his priorities and rate each of them. You might be able to find viable options in the list of file hosting services as they use encryption.

As a lawyer with recognition in NJ, NY, CA, and DC, are there any rules and regulations you know of regarding such online storage he must comply with?

Ahahahahaha, you are asking Slashdot for advice on legal rules and standards to assist a lawyer?

Look, you're probably going above and beyond what a normal lawyer did back in the day: throw a piece of paper in a filing cabinet in his office. Subject to fire and theft, sure, but I doubt the law has changed enough to make that illegal. CoreVault looks good, you can also visit each of the state bar association pages you listed and find things like NY State Bar Association offering a discount at VENYU for offsite data storage which is probably as close as you'll get to an endorsement. Have you thought about calling each state bar association office and asking them what they use/recommend?

Re:A Few Helpful Lists

IAAL and using any of these services is suicide.
Store your documents IN A FIREPROOF SAFE or VAULT ON PAPER.
Use a document scanner for retrieving them if you lose the electronic originals.
Disclosure to a 3rd party is suicide as your atty-client confidentiality could be lost (what happens if the 3rd party gets subpoenas?). Losing data is suicide because it shows a lack of due diligence.
Use paper. It works. or burn to 2X archival CDR and THEN use paper. whatever floats your boat.
   

Re:A Few Helpful Lists

[Captain+Splendid]

Speaking as someone who runs a small law firm, parent has it mostly right, especially in regards to the document scanner. We live and die on paper, so we make a lot of effort to keep the physical and digital versions safe. As for online storage, HDs are cheap, and even several million pages of text documents won't break anyone's bank.

I've never understood the online storage appeal for just about any commercial entity, but for a law firm, that just ain't gonna happen.

Re:A Few Helpful Lists

[quantumplacet]

You do know that you can back up to a 3rd party and still maintain sole access to the data, correct? All of our backups are encrypted using a 448bit key that only we have access to. If our backup provider is subpoenaed they can give all my data to whoever they want, it's just a meaningless binary blob.

Re:A Few Helpful Lists

[Chabo]

If they do that, then the information is protected against attorney-client privilege. Practically no judge would allow that privilege to be broken, so any warrants given under those circumstances would be thrown out.

Re:A Few Helpful Lists

[ixidor]

exactly. i did support for a small accounting firm, anyone here felt the pain ofgoing from quickbooks 05,06 to 2008 ... omg that sucked. i had bought them a cheap prepackaged nas box from newegg, around $200. then in the QB2008 documents it says specifically not to do this, 4x the network overhead. so i looked around for online storage. and i have a question related to the lawyer theme, if the data is encrypted in the online storage place, evan if they were to be subpoena'd what would they get ? unusable encryped data chunks. but back to the point, second that about onsite and paper. burn copies to cd or something ok. but mozy is cheap, like $5/month. how is that hard to justify?

Re:A Few Helpful Lists

[anagama]

IAAL too, and I wouldn't feel comfortable with any particular service in which the service owner could have access to my files or the keys/passwords for decryption. I simply won't entrust my data to a third party, not even my calendar to Google Calendar. I do however perform nightly automated backups to a remote server.

My system works like this:
- in my office, tar the data into a single file, encoding the date into the filename.
- mcrypt that tar file.
- transfer the encrypted tar to a virtual private server via ssh. (*)
- on the VPS, I have a script that keeps a set of my backup files: the last 7 days are kept, and then mondays for the previous 7 weeks.

The risk is that my VPS or another VPS on the remote machine might be hacked and my data files exposed. However, because the data files are encrypted as well as can be by present standards, it is highly unlikely that the actual data will be exposed even if my account was hacked. The person would simply get a set of encrypted files. I suppose it would be possible for a person to grab my files, and 20 years later decrypt them. I think that worry starts to get a bit foil-hatish in that I don't work with terribly sensitive information -- at least not the kind that someone will wait decades to be able to decrypt.

Even if my data was somehow decrypted, I feel that I have performed sufficient due diligence under the rules in my state (**). In fact, there is no data existing anywhere that cannot through some highly contrived set of circumstances, cannot be revealed. I do feel I'm doing a better job than if I merely stored the files in a locked storage closet. Taking a bolt cutter to a masterlock and then trundling off CDs, papers, or thumb drives is way easier than decrypting my files. Any safe I can afford can probably be picked in 30 seconds by some 13 year old kid looking for cred on YouTube. Lastly, I have no doubt my encrypted files on the VPS are more secure than files located on a computer through which the internet is accessed by a web browser.

Anyway, I do feel I'm going beyond what most lawyers do with backup security. Of course there are certain unlikely possible breaches -- but I'm not required to protect against all of them. For example, I don't need to personally hand deliver all paper documents because I'm allowed to use the mail. What could be less secure than documents protected by a paper envelope?

As an added bonus, because my backups are nearly 3000 miles away (I'm on the Pacific, my VPS is on the Atlantic), even a devastating regional disaster will not cause me to lose data. If a disaster is so bad as to stretch from sea to shining sea -- my files will be the least of anyone's concern.

(*) I only get 15gb of space, but it only costs $10/month. It's running CentOS 5, no webserver or anything else, just ssh.

(**) Comment to WA State RPC 1.6 (confidentiality and information):
[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the
reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

Why online?

[captaindomon]

Why online storage? Why not just copy everything to a couple USB drives and then backup off-site occasionally with DVDs? It's not like we're talking about a lot of storage, they're probably just text documents mostly, right?

Re:Why online?

[fuzzyfuzzyfungus]

Barring(har, har, not intended) poor recent graduates slaving to pay off giant loans and shoestring do-gooder types being paid in peanuts to keep poor kids off death row, I strongly suspect that most lawyers have more available cash than available time or technical expertise.

Copying everything to a couple of USB drives is exactly the sort of thing that is easy to forget to do, and potentially disastrous. Far better to pay a fee that, for a bunch of mostly text documents and some .tiff scans, won't be all that high, and have it done for you.

Re:Why online?

[TheRaven64]

I've worked with a couple of companies that had the same kind of requirements:

• They can't afford to lose the data.
• They can't take if off-site without some additional constraints (e.g. stored in a safe, encrypted).
• The users don't want to have to understand the technology.

A lot of these companies currently use a third-party warehouse with locked cages and transfer photocopies of court documents there for off-site storage, and want something a bit more high-tech.

The best solution I've come across is an on-site RAID-5 NAS with hourly snapshots. If they can store their data on floppies now, it is almost certainly less than 1GB. Put this on a three or four 250GB disks in a RAID-1 array (no point in RAID-5 when you've got that little data - go for the extra redundancy) which takes (volume-level) snapshots every hour (something like GEOM or ZFS snapshots). Every work night, burn the latest snapshot to a DVD and give it to the boss to take home and put in his safe. He should store the most recent 5 backups there and, n week-end backups. If you're not using ZFS on the server then make sure you're using something else to check for single-sector corruption.

Note: This is not legal advice. I know some law firms one accountancy firm who use this system, but I am probably not in your jurisdiction and you may have additional regulatory / legal requirements. Fortunately, if you are a law firm, you can probably consult a lawyer and get some legal advice cheaply...

Re:Why online?

[snowraver1]

Every work night, burn the latest snapshot to a DVD and give it to the boss to take home and put in his safe.

HAHAHA hahahahahahahahahaha ha ha, whew. That's funny. Who is loading the dvd drive?

Gather 'round boys and girls, it's story time. My dad was a lawyer for somewhere around 30 years. At the time, he and 4 other partners togeather made up their law firm. Because each of them were essentially seperate from each other, they tended to have their files stored either on their own comptuer, or on their secretary's computer.

My dad was smart enough to know that this probably wasn't the best setup, so he hired an "IT Professional" to fix this problem. The computer guy came in and set them up with a small server which would be a centeral repository for digital files. This server would then do daily (possibly weekly, can't recall) backups. The secretarys would then take the tape home with them over night.

Not a bad setup. This system was in place for several years. One day, one of the secretaries computer's HDD died. The office called the guy that had setup this system for them to have the HDD replaced. What happened next will require a new paragraph.

I get a call that day from my Dad. I was weeks away from graduating from Computer Engineering at a local technical school. My dad calls, clearly upset. Apperantly a while ago there was some problem that they had to call the "IT Guy" for. The "IT guy", in the process of fixing that problem, changed it so that the secretarys computers and I think 1-2 of the lawyer comptuer backed up to one of the secretary's comptuers, and not the server. Well, guess which computer died? You know it, the secretary's computer that was holding the backups it shouldn't have been.

No problem right? They were taking weekly backups and taking them off site. Well... Turns out that in the process of moving the backups to the secretary's computer, he was also preventing that data from being backed up. Essentially, the backups were only backing up 1/2 the data.

So, I'm just about to graduate, I get this call from my dad, and he tells me the story. I tell him what he already knows, no data should be on the comptuers, it should all be stored on the servers and backed up. The next day my dad's firm and the "IT Guy" had a meeting. This guy was scared shitless that he was going to get his pants sued off. Not all lawyers are bastards, my dad and the firm told him to send the HDD to a data recovery specialist and told the IT guy that he would be responsible for the bill. The data recovery was partially successful.

Losing that much data caused real problems at the office. Some lawyers were hit harder than others. My dad got through it just fine. My dad had a system where everything was done in triplicate. Document was saved on computer (1), printed and attached to the client file (2), I'm pretty sure that he also printed a third copy to send to Iron Mountain. When the data was lost, he still had the paper copies, the other lawyers wern't so lucky.

Having seen that, I would recommend printing and filing EVERYTHING. Most lawyers change outragous rates for printing anyways, so why not? So, I would say that you should definately take precautions against data loss, the hard copy should be your real backup.

Re:Why online?

[jra]

And *this*, boys and girls, is an altogether excellent example of why professional system administration talent is well worth whatever you have to pay to have it around.

Re:Why online?

[brtech]

One good story deserves another, from several years ago

There was this medical device manufacturer. It had an older product, pre-microprocessor. One day, the FDA came for an inspection. When they do that, they usually send at least one person with clue, but they cross train other people and send them too. On this inspection, one of the inspector's regular job was inspecting galleys in ships (another FDA function you may not know about). This guy had been cross trained.

So, they are walking down the manufacturing line, and the employee shows them the board from the product. One of the chips has a label on on. The inspector says "PROM"? Meaning, is that chip a programmable read only memory (like today's flash, but usually one time programmable and a lot smaller). The employee says "Yes, that's a PROM". The inspector says "Checksum?" and the employee says "yes, the checksum is on the label". The inspector says "Verify?" and the employee takes the board, pulls the chip, goes over to the programmer, plugs it in and verifies that the checksum is valid.

The inspector says "Source Code?". The employee is a bit stumped. He goes away to ask some engineers who were around for a while, then goes to the manufacturing engineering guys and finally goes back to the inspector and asks them to accompany him to a storage room.

In the storage room, there are a number of 4 drawer file cabinets. The employee searches around, and finally finds the right file.

The file has the right build data on the cover. He opens the file and triumphantly removes the floppy disk with the source code on it.

An 8" floppy disk.

You know what's coming right?








No 8" drive left in the company.

TrueCrypt?

Come to think of it, I think we should store them in *actual* true crypts... ;-)

Scan and shred

[peacefinder]

Scan the lawyers and shred the originals. You'll be very popular.

omfg...

[gandhi_2]

a few bar associations, including Oklahoma, officially endorsed them.

I see.

That is not enough for me.

uh, huh.

Do any Slashdotters have info on this topic?

*head explodes*

Re:omfg...

[lymond01]

You know, I might put Slashdot above Oklahoma. Slashdot is the biggest tech site on the internet. Oklahoma has a musical named after it.

That gives me an idea...

Mozy.com, you can provide your own encryption key

I have used Mozy for several law offices, primarily because you can specify your own 256-bit AES encryption key. Not even Mozy has access to your data.
In California the bar association regulations require that a law firm takes "reasonable care" of client data. That's it. Kinda Scary.

Comment removed

[account_deleted]

Comment removed based on user account deletion

You seem to be missing the point

[Minwee]

Half of keeping copies of important documents is being able to retrieve them later on when you need them.

You seem to understand that, which is why you are trying to convince your relative to move his data to a more reliable storage medium.

The other half is in _not_ being able to retrieve them when it is inconvenient to do so. This is why there are floods, fires, mice, lost envelopes, poorly made photocopies and , in this case, corrupt old floppy disks. And as long as you have a storage system which is just barely good enough then you can lose anything you need to and nobody will even blink.

It's all about identifying the client's needs. Give them what they really need, not just what they ask for.

Re:Encryption

[SirGarlon]

And it would be smart to store the key/passphrase on paper in a safe, in case you get hit by a bus and your partner/assistant urgently needs a client's file. IANAL.