January 20, 2013

Geek vs. Geek-What Do You Mean Backup?

© 2013 By Cary J. Calderone, Esquire

Geek vs. Geek
This is the first in a new series of blog posts that will illuminate the communication gap between Legal Geeks and Technology Geeks.  For these "Geek vs. Geek" posts, the basic assumptions will always be the same:  1) Both types of geeks, T-Geeks and L-Geeks, are pretty darn smart. 2)  Both know quite a bit about their own unique tasks, tools, and responsibilities.  3)  Both can be a bit defensive, if not downright surly, when they sense a challenge to their authority coming from a competing "Geekdom."  Now that we have the ground rules, the sample hypothetical for this post is about the company Backup or Disaster Recovery Policy.  Do you have one?  Do you think it is being followed?  Maybe.  Maybe not.

The Background.

At almost every company, the legal department has finally realized the company is responsible for backing up company electronically stored information (ESI) on a regular basis.  If a legal matter is initiated, the company L-Geeks are responsible to lock down, collect, review, and possibly produce relevant ESI that has been under the "ownership and control" of the company, even if it is located on an iPad or a laptop computer.  In this hypothetical, they have decided to issue a policy that says the company employees will use an online backup tool, Carbonite.  They send out an official email that says something to the effect;  "it is now company policy for  users to backup all their work ESI created on their desktops, laptops, home computers, and iPads by using the Carbonite cloud backup solution.  If you are an L-Geek, you read this message, determine it is clearly and accurately written, and assume all employees will follow it. 

 However, if you are a T-Geek, your interpretation may differ.   You interpret it as follows:  the company wants you to backup your data regularly, BUT since you personally recognize that the company L-Geeks do not understand that cloud-based backup is really not all that secure, you will continue to use Norton Backup to your local tape drive, as it has always been your preferred backup tool.  You will also continue to copy and encrypt everything you have ever worked on to your USB flash drive that you wear around your neck, AND copy that to your home network server running the latest secure version of Linux.  Now THAT is a safe backup routine!  If the L-Geeks want safe backup, you have got it covered, plus it is far more functional because you can easily search and retrieve your old code routines and ESI, if you are ever so inclined.  Other T-Geeks at your company will most certainly disagree with your interpretation of the Backup Policy.  They will continue to use Dropbox and Google-Drive to store copies of their ESI.  They are fine with the cloud services they have researched and tested.  The L-Geeks will be none the wiser, until one day when it gets mentioned in court, at a deposition, or during a 30(b)6 witness examination.  That will not be a good day for the L-Geeks.

The communication gap happened as soon as legal (your lovable L-Geeks) selected a cloud backup product.   In essence, they unknowingly opened the door to other cloud-based backup products.  Once a company approves a technology, the implication is that technology, not just a particular brand, is now okay.  In my work, I have seen this happen with email client applications, search tools, cloud storage, and instant messaging programs.  Users, and especially T-geeks, just assume it will be okay to use their own preferred brands and versions as long as it accomplishes the requisite task.  They have seldom been informed of the potential Information Management or E-Discovery issues their "interpretations" will cause.

The solution is simple.  L-geeks, legal, needs to collaborate with IT and all company department leaders, to select a backup product that will be the ONLY APPROVED BACKUP product anybody uses.  The communication has to be clear and there has to be follow-up to audit the policy and specific penalties for non-compliance.   It is extra work but unfortunately, it is the only way to ensure your users will understand and follow the policy.  Ultimately, this method will save you and your company from large headaches and expenses in the future.   As an L-geek, I assume you would never want to have to go before a Judge and say "SURPRISE,  we just found copies of the emails and files we thought were deleted.  Is it okay if we produce them now?"   That scenario has played out in many courtrooms, and the outcome is seldom pleasant for the party that surprises the court.   

In conclusion, when was the last time you reviewed your company's backup, archiving, and computer use policies?   Are they up to date?  Are they being followed?  Maybe it is time to take a look at them, again.

Lesson on-the-side-Do you know that March 30th is National Backup Day?  To be clear.  If you answered "yes" to this question, you are a certifiable Geek.  

Happy Backup Day!


Sixties said...

In general with backup the challenge is how it aligns with corporate policy. If IT organizations are backing up everything, every night and have been doing so for decades, how do the copies of sensitive files and email contained in backup align with legal hold and records management policies? For example, if sensitive email communications are key evidence in current ligation, and these emails are no longer on corporate email servers but many copies are found to exist in legacy backup tapes how does a legal team define their strategy? Applying legal policy to legacy backup data is critical to managing long term risk. If a legal team does not know what is contained in legacy backups, and if this information is not managed according to policy, the hidden risk and liability is a major issue for any organization.

Jim McGann
Index Engines

Alex2323 said...

Great read- Thank you, Cary! I am working on a high profile legal bankruptcy on the Records Management side and have found that the very issues that you raise here are tremendously relevant.

Alex Campbell
HBR Consulting