In my last blog, I talked about the importance of data backup in your law firm’s preparations for GDPR. Since then a number of you have been in touch with questions, many of which revolved around the wider topic of disaster recovery, so today I thought it would be worth expanding a little on disaster recovery provision, an important topic in relation to both GDPR and SRA compliance.
GDPR places an obligation on your firm to safeguard the personal data which it holds, and my previous articles in this series have addressed key challenges around day-to-day ways to protect your data through effective risk management in relation to cyber security, access control and data backup.
However, even with the best planning in the world, the unexpected sometimes does happen. We only have to look at the WannaCry ransomware attack that so devastated parts of the NHS to see the reputational damage and compliance breaches that such an event can cause. It is therefore important, from both a GDPR and an SRA regulatory perspective, to have appropriate incident response and recovery plans in place to handle such a situation.
Whilst having a technical disaster recovery plan is vital to recovering systems, it is equally important for the business continuity plan to cover how you would communicate details of an IT failure or data breach to customers, staff, suppliers, the ICO, the SRA and the public at large, so as to minimise the financial and reputational damage to your firm. Bear in mind that, in such a situation, many of the systems you normally rely on for your communications, such as email or contact databases, may themselves be unavailable, so the plan needs to provide alternative ways to access these details and contact these people.
To bring disaster recovery planning into perspective: whilst many of the law firms I talk to tend to associate IT downtime with large events such as fires or floods, the reality is that the majority of IT downtime has much more mundane causes, including hardware failures, loss of power, cyber security breaches (such as ransomware attacks) and software failures. In many cases the downtime is considerable: the EMC Global Data Protection Index 2016 study found that the average length of unplanned downtime was 22 hours. Indeed, the situation seems to be worsening this year, with IT downtime caused by ransomware attacks in particular often running into a week or more.
It is also critical that the disaster recovery plan will actually work, effectively and in a timely manner. Many businesses I work with put together a disaster recovery plan some years ago and have left it in the fireproof safe ever since, without testing or updating it. My experience is that this document needs to be constantly evolving: our use of technology has moved on significantly, and what was an acceptable recovery plan a couple of years ago may now be totally inadequate. In addition, our systems are constantly changing, with software updates and security fixes being installed on a regular basis, all of which can affect whether a recovery technically succeeds.
So, in order to ensure ongoing compliance and relevance, I always recommend that Partners and Compliance Officers at the law firms we work with continually reassess and test their plans for resilience, backup and disaster recovery against the operational needs of their firm and their regulatory compliance obligations. Some points to consider include:
- How long could you afford for each of your various IT systems to be down?
- How much data, if any, could you afford to lose?
- Have you tried a test of your full disaster recovery plan lately? Did it work? How long did it take? How much data was lost? Did the results demonstrate that recovery times and data loss met your current business requirements and compliance obligations?
- Where are your backups held? Would an incident like a fire or a ransomware attack wipe out your backups as well as your live systems?
- In the event of a major disaster what hardware would you restore your backups onto?
- If your offices were incapacitated (or the emergency services wouldn’t allow you access to your premises) where would you work from and how would you connect to your recovered systems?
Tests of disaster recovery plans also need to be documented, so that there is clear evidence that testing has been conducted, that the plan has been reviewed, and that any remedial actions highlighted by the test have been carried out.
I hope this has given you a useful insight into some of the key areas to consider around disaster recovery planning when preparing your firm for GDPR. Should this article have raised questions or concerns about your firm’s current disaster recovery arrangements, please do not hesitate to contact me on (01494) 444065 or mobile 07894-269600, or email firstname.lastname@example.org, for a no-obligation discussion of the ways Epoq IT can help. These include a full range of backup and disaster recovery solutions, tailored to your firm’s specific needs in regard to recovery times and data loss, and based on an affordable monthly subscription.