The Ethics of Backups

on 03/15/2016 by David Szostek



When it comes to backups – or lack thereof – most of us have at least one horror story. But when it comes to our client’s files and confidential information, the Michigan Rules of Professional Conduct impose certain duties on us to ensure that our client’s information does not become part of any horror stories.

Michigan Rule of Professional Conduct §1.1 outlines the basics for which our duties for backups derives; our duty is to be competent. And while instructive, the rule does not provide any helpful, practical guidance. So the remainder of this article will focus on doing so.

For a backup to have any value at all, it needs to: (1) exist, (2) be able to promptly restore critical files, and (3) be tested.

In order for a backup to exist, a person or a program must actually backup files. Although obvious, many people own backup programs that they simply never set up or set up to run on a manual basis, then forget to run manually. When you select a backup program, it should allow you to run backups on an automatic schedule and be able to notify you of any errors that may prevent the backup from running. As long as you set up your backup schedule and monitor for errors, you should feel comfortable that your backup will actually exist.

But even if your backup exists, it is not much use to you if you cannot access it in the event of an emergency. This implicates two problems: locally stored backups and commodity online backup providers. In the case of locally stored backups, if a backup is made to an external hard drive that is always attached to your computer, your backup may not be accessible if somebody steals your computer and external hard drive or if a fire or other casualty destroys your physical office space. And in the case of online backup providers, some providers (typically the free or low cost ones) may only allow you to retrieve your information at very slow speeds. So if you have lots of data, it could take days to weeks to recover it.

To ensure that you can promptly restore your critical files, it is best to use a locally connected backup, which is also replicated to a reputable, well-known online storage provider that does not force you to retrieve your information at very low speeds. We recommend Dropbox, Google Drive, or Amazon Web Services to replicate your backups to, and some backup programs have an option to do that automatically.

Lastly, you must test your backups. Everything always works as-expected in theory. But in practice, anything can happen. You should periodically (quarterly to semi-annually) perform a test restore of your files (from both your local and online storage, if you use both). After your restore, ensure that you have backed up the correct files (client files, accounting and billing databases, e-mails, etc.), the backed up files are up-to-date, and that the backup is not corrupt. And if you discover that there are problems, fix them before you need your backup.

And two more tips: first, be sure that your files or your backups are encrypted, or both. This is a standard option on with most backup programs, and helps ensure compliance with our other duties. Second, make sure you set your backup to keep multiple versions of your files so that if you get a virus, you can restore your files to their pre-virus state.

In our next installment, we will explore how document automation systems can help prevent malpractice and ethics violations.

About the Authors:

David Szostek is a partner at Edward Allen Law, where he practices business law, intellectual property, and litigation. Victoria Vuletich teaches professional responsibility at Western Michigan University Cooley Law School and has a private ethics practice that serves Michigan lawyers and law firms.

Click here for our website.