Features - Thinking About Law Firm Security After September 11th

Wendy R. Leibowitz is an attorney and writer in Washington, D.C., and the editor of E-Filing Report. Her Web site is http://www.wendytech.com.

Before September 11th, Ralph H. Baxter looked a little paranoid. The chairman and CEO of Orrick Herrington & Sutcliffe LLP, with ten offices in four countries, is building a global operations center for his law firm in Wheeling, West Virginia. The firm’s client files, its own data, including its financial and accounting records--its nerve center--will be maintained and run in an old building the firm is renovating in a town not exactly known as the epicenter of the legal or high-tech world. And that’s what appealed to Mr. Baxter and the firm’s information technology director, Patrick Tisdale. 

Why a global operations center and why Wheeling? Because the data will be safe and well-supported there. “There’s a reliable supply of energy, and little risk of natural disaster--no earthquakes, no hurricanes,” explains Mr. Baxter, whose San Francisco office survived the October 1989 earthquake with little damage. “The biggest flood they had on the Ohio River around here didn’t rise above the first floor.” And so come this March, the firm will begin operating redundant systems through May, and then eventually use the Wheeling facility as its sole global operations center. 

In the wake of September 11, Orrick doesn’t look paranoid, but prophetic. The firm’s largest office is in New York City, with 200 lawyers. Although the firm did not lose anyone in the terrorist attacks, its clients were directly hit, notably the Port Authority of New York and New Jersey, which had developed the World Trade Center and whose employees, including its CEO, were “In a sense, anyone and everyone is at risk--we might be hit by a bus or struck by lightening,” says Mr. Baxter. And terrorism, too, is part of our new reality now. Though the legal world outside Orrick might not be able to build a global operations center by March, we can and should be better prepared for disaster. 

SECURITY 101

There are two aspects to security: first, protecting people’s lives, and secondly, protecting their work, or data. But the best-laid plans are worthless if they are not known to the employees and followed by all involved. At too many law firms, lawyers and staff treated security nonchalantly. That has certainly changed after the terrible events of September 11th. Ironically, lawyers who advise their own clients on how to avoid every possible business risk took great risks with the security of their own firms, as well as that of the employees of their firm. This is now changing. This article will address a few steps that firms can and should take in the wake of the terrorist attacks on the World Trade Center and the Pentagon. 

1. WALK THE WALK: On September 11th, many of the World Trade Center employees who survived the attacks came from firms and companies that had survived the 1993 bombing of the Twin Towers. They followed their evacuation instructions to the letter, despite an announcement on the public address system in the second tower telling them to return to their desks because all was well. Furthermore, there had been improvements made in the evacuation route since 1993: The emergency stairs were well-lit. They had not been in 1993, and people had had to walk down pitch-black stairways. Lights had been installed in the intervening years. It is cold comfort, given the number of dead, but the lights helped forestall panic among those who survived. They were familiar with the evacuation plan, and so they knew what to do, and knew where to gather or to whom to report after evacuating the building. Is the same true of your firm? 

Have you walked the evacuation route of your law firm? Please do so, and advise your clients to do so in their workplaces. 

2. APPOINT A SAFETY OFFICER FOR EACH WORK AREA: Immediately assign safety issues to someone in authority. One person should be in charge only of ensuring that everyone is aware of evacuation plans and knows how to exit the building safely. People should know where to gather, or to whom to report, so that all can be accounted for after the building is evacuated. 

Designate a place (or two places, depending on the size of your staff) where employees who have evacuated an office will go to assemble. It is important to be sure you can get a head-count, and help them back home, or to another, make-shift office space to continue work if feasible. Whether all or some employees will resume working immediately after a disaster depends on their health and the type of event that precipitated the evacuation of the building. 

3. ESTABLISH A CYBER-RENDEZVOUS POINT: Set up a Web site as a check-in point as well. These Web sites were indispensable on September 11. If someone is out of the office at the time of the disaster, they can also check in at the cyberspace rendezvous point, and the site can be made public, so that family and friends can see who has been accounted for.

Obtain alternative e-mail addresses and cell phone numbers for all those who work in an office, so that a way to contact people, other than their work contact information, is on file. Remind people to update their information every time they change their coordinates. 

Work continuity issues can be assigned separately to someone else, probably in the information technology department. The goal is, first, to safeguard lives. The second goal is to be able to continue working even if your office or your building is inaccessible for some period of time. 

4. EDUCATE PEOPLE THAT DISASTER PLANNING IS NOTHING NEW: To avoid unnecessary paranoia, put the strength of your institution in its historical context. Sidley & Austin (now Sidley Austin Brown & Wood), with 600 employees in the World Trade Center, miraculously survived September 11th with only one employee missing. But the firm had also survived the Great Chicago Fire of 1871 that decimated that city, and Brown & Wood had survived the first bombing of the Twin Towers in 1993. 

Most law firms and courts have proud histories of surviving war, floods, fires, civil unrest, and controversial verdicts that threatened (or produced) violence in their immediate surroundings. Disasters, and disaster plans, are nothing new. Institutions in the Midwest, which have experienced serious flooding in recent years, and those in hurricane- or earthquake-prone areas, have had long experience with this. 

5. KNOWLEDGE IS POWER, AND PRODUCES CALM: Consider giving out “wallet cards” that explain to employees emergency procedures, including what to do during and after an evacuation. “It never hurts to be forced to take a hard look at our vulnerabilities and figure out where we can do better,” says Kyle Christensen, Senior Communications Specialist for Thomson Legal & Regulatory, West’s Group’s parent company. “We’ve been fortunate to be able to coast for a long time with very little threat to our personal security, and this has probably been a wake-up call to the fact that we’re not invincible.” 

DATA SECURITY

Protecting data is a whole different ballgame. Loren Jones, director of WestWorks customer care, a division of West Group, says that September 11 is “really going to push us more firmly towards implementing document imaging systems. The less we rely on the paper, as being the ultimate object of our business fascination, and begin to rely more on electronic versions, the better off we’ll be.” 

Many firms in the Twin Towers had prepared for the expected Year 2000 computer glitch by backing up their data and mirroring their computer systems off-site. That is one reason why many companies and law firms, even though devastated emotionally and of course physically by the terrorist attacks, were able to pick up work largely where they had left off. For example, thanks to electronic filing at the Southern District of New York, in which the files of the court were mirrored in Washington, D.C., the lawyers and court employees in New York were able to continue functioning, despite the New York court’s being closed for a week. 

“Article after article pointed out the firms [in the Twin Towers] were well-protected from the standpoint of their data,” noted Mr. Jones. “Their billing systems were backed up, and their document management systems were backed up, but they were all scrambling to recreate the massive loss of paper files--scrambling to the courts to get copies of pleadings, and going to opposing counsel to get copies of files.” For our day to day transactional needs, recommends Mr. Jones, we should rely less on paper. 

In fact, one of the many images that people will take away from the tragedy is the paper scattered all over Ground Zero. Like the lives lost, the paper is irretrievable. 

That is the opposite of what many lawyers think. The old belief system is that the paper copy is safe and secure, and that the computer file is prone to mystical disappearances at critical moments. But the truth is that paper is the most perishable. You can easily replicate the electronic data and have it stored in multiple places. 

A consensus is emerging that a law firm should have at least two sets of disaster recovery files and backup tapes of your computer’s data. One copy should be stored on your office site in a secure, fireproof, location. Another complete copy should be stored off-site.

These files, like extra paper copies that lawyers are enamored of, are useful for minor disasters, such as a lost document or hardware failure, as well as major disasters. 

Large businesses, like West Group, have long used back-up data centers. “West has two data centers,” explains Mr. Jones. “There is a primary data center and what we call the bunker.” The latter is literally built like a bunker, and is located a physical distance away from the primary data center in Eagan, Minnesota. The main plant, which has power feeds from two separate sources, is on the primary approach path from the Minneapolis-St. Paul airport, and is built to withstand a crashing 747 airplane and be able to continue to operate. “We can keep our presses rolling even if there’s a blackout,” he says. 

It’s necessary to counter the paper mindset that prevails in many legal environments, says Mr. Jones. “I point out that systems like Westlaw, that have been online for 25 years, experience a total outage in a typical year that can amounts to a few minutes.” By contrast, paper “outages” are much greater, even excluding fire or flood. Paper gets lost, and if it’s the only copy, it is irreplaceable. “If everything is committed to digital storage, you have the ability to replicate all of that information,” Mr. Jones notes. 

Still, lawyers will protest, noting that computers freeze up and that digital documents can be lost in new ways online. Good systems are key, emphasize Mr. Jones. “Most of the data loss that people experience are not with the high-end backoffice systems,” he says. “They’re thinking of their Windows 95 machine crashing and freezing, or Word or WP trashing a document. It’s kind of like saying, ‘Because my ‘73 Chevy broke down on the road, I can’t depend on public transportation to get me to work.’ ” On the public transportation side, he said (that’s the high-end computer systems)--there are professionals monitoring the equipment, handling maintenance and managing optimization that isn’t happening on a ‘73 Chevy. 

Perhaps someday the Orrick solution--the off-site global operations center--will become everyone’s solution. “It never hurts to be forced to take a hard look at our vulnerabilities and figure out where we can do better,” says Mr. Jones. If we examine our vulnerabilities, and take action to improve, then what didn’t kill us, may leave us stronger.