Why law firms are extra vulnerable
Client file data behaves differently from regular office data
Most law firms are small or medium-sized organisations with no dedicated IT department or security officer. A case file consists of dozens of documents, versions, emails, and attachments that belong together. Restoring one document without the context makes the file unusable. Version control is legally critical: a judge asks for the version of the summons as submitted on March 15th — if that version no longer exists, you have a problem. Professional secrecy is absolute: a data breach where client information becomes public has immediate disciplinary consequences, apart from GDPR fines.
The misconception that costs many firms dearly
Microsoft 365 is not a backup
"We work in Microsoft 365, everything is safely stored in the cloud." We hear this often. And it is not correct. Microsoft 365 is a productivity environment, not a backup solution. The default recycle bin in SharePoint retains files for 93 days — after that they are gone. And if ransomware encrypts your files, the encrypted version syncs immediately to all connected devices. Within minutes every copy is compromised.
Microsoft 365 does not protect your client files. A proper backup does.
What do I need to back up if I use a case management system?
The files law firms most often forget to protect
Law firms typically back up their email and shared drives — but forget the case management system itself. Most case management platforms store data in a database, not in individual files. You cannot simply copy a folder — the full database needs to be backed up as a whole. Critical data to include: the full case management database, all linked documents and attachments, email archives including sent items, scanned documents and evidence files, and accounting and billing records. Ask your case management supplier explicitly whether their SaaS backup covers your data — or only their infrastructure.
What a proper backup actually does
The 3-2-1 rule as the baseline standard
The widely accepted standard is the 3-2-1 rule: 3 copies of your data on 2 different storage media with 1 copy fully isolated. For a law firm: a daily backup of all case files, email and working documents for fast recovery, a weekly full backup separated from the primary environment, and a cloud backup with immutable storage for ransomware protection. If ransomware strikes on Friday, you can restore to Wednesday.
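As an added illustration (not code from this page's author or from any backup vendor), the following Python models the 3-2-1 rule and the Friday/Wednesday scenario above. Each backup copy is a record with its storage medium, whether it is reachable from the production network, whether it is immutable, and when it completed; the rule check and the restore-point selection are my own, and the copy names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    label: str           # name used in the constructed sample below
    medium: str          # storage medium, e.g. "local-nas" or "cloud-object-lock"
    isolated: bool       # not reachable from the production network
    immutable: bool      # cannot be changed or deleted after writing
    taken_at: datetime   # completion time of the copy


def check_3_2_1(copies):
    """Evaluate the 3-2-1 rule: 3 copies, on 2 media, with 1 isolated copy."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_isolated": any(c.isolated for c in copies),
    }


def last_clean_restore_point(copies, incident_at):
    """Newest copy completed before the incident that ransomware could not
    have touched: unreachable from production, or immutable. A reachable,
    mutable copy (the local NAS) is treated as compromised even when it is
    the most recent one, which is the page's point about isolation."""
    candidates = [
        c for c in copies
        if (c.isolated or c.immutable) and c.taken_at < incident_at
    ]
    return max(candidates, key=lambda c: c.taken_at, default=None)


def achieved_rpo_hours(copies, incident_at):
    """Work actually lost, in hours, between the last clean copy and the
    incident; None when no clean copy exists at all."""
    point = last_clean_restore_point(copies, incident_at)
    if point is None:
        return None
    return (incident_at - point.taken_at) / timedelta(hours=1)


# Constructed sample: ransomware hits on a Friday morning. The Thursday NAS
# copy is newer but reachable; the Wednesday cloud copy is isolated and
# immutable; the weekly offsite disk is older still.
INCIDENT_AT = datetime(2024, 3, 15, 10, 0)   # Friday 10:00
SAMPLE_COPIES = [
    BackupCopy("nas-daily-thu", "local-nas", False, False, datetime(2024, 3, 14, 23, 0)),
    BackupCopy("offsite-weekly-sun", "offsite-disk", True, False, datetime(2024, 3, 10, 2, 0)),
    BackupCopy("cloud-immutable-wed", "cloud-object-lock", True, True, datetime(2024, 3, 13, 23, 0)),
]

if __name__ == "__main__":
    print(check_3_2_1(SAMPLE_COPIES))
    point = last_clean_restore_point(SAMPLE_COPIES, INCIDENT_AT)
    print("restore to:", point.label, point.taken_at)
    print("hours of work lost:", achieved_rpo_hours(SAMPLE_COPIES, INCIDENT_AT))
```

Run as-is it reports that the set satisfies 3-2-1, that the Wednesday cloud copy is the restore point, and that 35 hours of work are lost; drop the two isolated copies from the list and it reports no clean restore point at all, which is the situation a firm with only a synced NAS is in.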
How do law firms protect themselves against ransomware?
Isolated, immutable and tested — the three requirements
Law firms are an attractive target for ransomware because the pressure to restore access is high — especially when a hearing is imminent. Three properties make a backup ransomware-proof. First, isolated: the backup must not be reachable from your production network. If ransomware can reach the backup, it will encrypt it too. Second, immutable: the backup cannot be modified or deleted after writing — not even by an administrator. Third, tested: a backup you have never restored is not a backup — it is an assumption. Test monthly by restoring a random case file to a separate location and verifying all documents are intact.
How do I create a backup if I use Microsoft 365?
Microsoft 365 does not back itself up — you need to add a layer
Microsoft 365 stores your data in the cloud but does not create isolated backup copies. To properly back up Microsoft 365 for a law firm: use a dedicated Microsoft 365 backup solution such as Veeam, Acronis or Mindtime that connects via API and copies your data to an isolated location. Make sure the backup covers Exchange Online (email), SharePoint (documents), OneDrive (personal files) and Teams (chats and files). Set the backup to run daily. Verify that the backup is stored on Dutch or European soil to comply with GDPR. Test quarterly by restoring a mailbox or document library to confirm recovery works as expected.
Professional liability and retention obligations: what many firms underestimate
Bar Association rules and GDPR obligations
Lawyers work under the Lawyers Act and the conduct rules of the Dutch Bar Association. Professional secrecy applies to former clients and does not end when a case closes. You must retain client files as long as there is a legitimate interest — a minimum of five years, longer for property and liability cases. In the event of a data breach you are required to report it to the Dutch Data Protection Authority within 72 hours. Minimum backup and retention periods: active files backed up daily with 90 days of version history; closed files kept for at least 5 years; financial administration kept for at least 7 years.
A backup is for fast recovery. An archive is for long-term retention. Most firms need both — and they are separate systems.
Five steps to get this sorted
Even without IT knowledge
1. Map your data
Which systems contain client data? Case management, email, accounting software, scanned documents. Know what you have before thinking about protection.
2. Define your RPO and RTO
How much data loss can you accept (your recovery point objective, RPO)? How quickly does your firm need to be operational again if there is a hearing tomorrow (your recovery time objective, RTO)?
3. Choose a GDPR-compliant solution with NL storage
Client data may not simply be stored outside the EU. Verify that the provider stores data on Dutch or European soil.
4. Test your backup monthly
Restore a random case file to a test location and verify that all documents are present and readable.
5. Document the recovery process
Who does what when things go wrong? Where are the login credentials? This document must be available offline.
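The monthly test step above and the "tested" requirement in the ransomware section come down to one repeatable check: restore a case file to a separate location and prove that every document came back intact. The following Python is an added example (not from this page's author or from any named product) of making that check mechanical: a manifest of SHA-256 hashes is recorded at backup time, and after the test restore the restored tree is compared against it. The case file paths, contents and the damage scenario are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large scans are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every regular file under root.
    Record this at backup time and store it alongside the backup copy."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a tree restored to a separate location with the manifest.
    'missing' files were never restored, 'corrupt' files differ in content,
    'unexpected' files are present but were not part of the backup."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"missing": missing, "corrupt": corrupt, "unexpected": unexpected,
            "ok": not missing and not corrupt}


# Constructed case file used for the self-contained demonstration.
SAMPLE_FILES = {
    "summons-v3-2024-03-15.txt": b"version of the summons as submitted on 15 March",
    "emails/2024-03-01-client.eml": b"From: client@example.invalid\n\nPlease advise.",
    "evidence/scan-001.txt": b"placeholder for a scanned exhibit",
}


def write_tree(root, files):
    """Write the sample documents under root, creating subfolders as needed."""
    for rel, data in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_restore_test(simulate_damage=True):
    """The monthly test: take the manifest of the live case file, restore it
    elsewhere, compare. With simulate_damage the restore silently drops one
    document and truncates another, which is what the check must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "live" / "case-2024-0001"
        restored = Path(tmp) / "restore-test" / "case-2024-0001"
        write_tree(original, SAMPLE_FILES)
        manifest = build_manifest(original)

        restored_files = dict(SAMPLE_FILES)
        if simulate_damage:
            del restored_files["evidence/scan-001.txt"]
            restored_files["summons-v3-2024-03-15.txt"] = SAMPLE_FILES["summons-v3-2024-03-15.txt"][:8]
        write_tree(restored, restored_files)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(run_restore_test())
```

A matching hash proves the bytes are intact, so a restore that "looks complete" but truncated a document is caught without opening every file. Opening the restored summons in the case management software remains the final, manual part of the test, and the manifest should live with the isolated backup copy rather than only on the production server, or the same incident takes both.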
Your questions answered
Frequently asked questions from law firms
No. Microsoft 365 is a productivity environment, not a backup solution. Deleted files are permanently gone after 93 days, and ransomware spreads immediately to all synchronised locations. You need a separate backup solution with immutable storage and version history.
The Dutch Bar Association recommends a minimum of five years after the case closes. For property, family, and liability cases longer is standard.
Most law firms cannot afford more than a few hours of downtime — especially when a hearing is scheduled. A hybrid backup with local NAS and cloud storage makes recovery within two to four hours achievable.