Back it up

Email should be stored on your firm's server. But it should be backed up daily, at least. Back up should be to an internal hard drive plus an external hard drive for off-premises storage or storage in the Cloud. But the Cloud presents some special issues. Do you continue to own the data? Do others have access to it? Read your use agreement very carefully. Is the Cloud storage outside the U.S.? Foreign laws may be different.

Deleting

Deleting is necessary if you get a new device or have undesired emails to eliminate. Be careful, however, as deleting emails may be exfoliation of evidence. If you are in litigation, or threatened litigation, it is definitely improper and can lead to sanctions or other penalties. It helps if your firm has a definite retention policy to timely delete emails (e.g., over a year old). Such a policy is certainly sensible since emails can build up at a ridiculous rate.

The physical act of deleting is difficult, if not impossible. First, identifying every copy of an email is a problem. In my own case my email starts off with three copies: my office computer, my office server, and my iPad. Then there are daily office backup copies, one for every day the email has existed. And those are just my copies. Does the provider have a copy? Have I sent it to anyone I no longer want to have it? Have I sent it around the office to partners or staff?

Even if I have located all the copies, deleting is harder than pushing "delete." On old devices, such as an iPhone, the data must be overwritten 3 times to ensure it is really deleted. Remember, a computer does not delete data by just using "delete." All that does is change the internal table of files so the file is no longer recognized. The data is still there, sitting on the hard drive. Unless and until it is overwritten, it can still be found by programs designed to locate it.

Storage

The only way data can be completely secure is to reside on a hard drive inaccessible to the outside world. An external hard drive in a bank safe-deposit box comes to mind. Otherwise, data has some element of insecurity attached to it. That is true whether it is in the Cloud, an external data farm, or in your office.

The best thing to do is hire a professional. Access to services are the key factor. A professional will give you, hopefully constructive, advice on storage, plus other security issues such as firewalls, external access of your server, and similar issues.

The next important thing to do is carefully scrutinize any agreement for off-site storage, whether in the Cloud or data farm. Who controls the data? Who owns the data? Who has access to the data? Does any government have access? Whose law applies? How are disputes resolved?

Avoiding Viruses and Hacking

Your professional consultant is critical here. He will be aware of what the current threat environment is. What programs are at risk? What commercial firewalls are effective and kept current? Do you need protection for the firm's server as well as individual computers? [YES]

What training do the firm's employees need to avoid unwittingly letting in a virus or hack? The simplest rule is do not open emails from any unknown sender. Employees must be aware of "phishing" in its various forms. While researching a client's matter I had to visit the website of the Florida State Bar. There I saw a "phishing" warning. Attorneys were getting "past due" notices purportedly from the State Bar that were fake. Hackers were attempting to obtain personal financial information. I thought this was a sign of the times: hackers are so unafraid that they will attempt to steal from lawyers.

Never assume that your firm is not a target. Viruses tend to be indiscriminate: they target all users. Hackers can and do specifically target law firms. They know that law firms have a great deal of important information they protect and maintain. Besides the obvious example of Intellectual Property firms who have client's trade, professional, and business secrets, any law firm will have information that is confidential to someone, be it personal, financial, or criminal. There could be incriminating photographs, documents, or personal information. There could be personal identifying information. All of this information could be desired by a hacker who will not hesitate to steal if he can.

If your firm is hit by a virus or hack follow the below checklist:

1. Stop the damage. Call your IT consultant.
2. Assess the damage. Are files lost?  Corrupted? Stolen? Illegally copied?
3. Notify the affected client. Many states require disclosure, not just to affected clients, but to all clients.
4. Remedy the situation to the extent possible. Lost or damaged files should be repaired or replaced. Copied files should be updated so they are no longer current, and hopefully, made irrelevant. Stolen data is almost impossible to recover.
5. Install new security measures. Are additional computer defenses needed? Are new security protocols needed [no more passwords on sticky notes or using "1234"?]