When I left off last time, I mentioned that prospective MerusCase users have been asking our president, Johnny Fuery, what happens to their stuff if he gets run over by a bus.  Given that one of the foremost duties of any attorney is to safeguard client confidentiality, I can certainly understand why they would want to know the answer to this (unthinkable, tragic, eerie, etc.) hypothetical question. In addition, some MerusCase users are subject to enhanced regulatory requirements, such as the  Health Insurance Portability and Accountability Act (HIPAA). Indeed, the concern extends beyond just confidentiality, as attorneys must ensure that client files entrusted to a vendor will be secure from destruction or degradation – whether due to a natural disaster, system failure, sabotage or dissolution of the company – and that they must be able to retrieve the data in a form that’s usable in the event of a catastrophic event.  But, what’s with the bus?  Why always the bus scenario?  Don't they know that Johnny is extremely nimble and acrobatic? He'd definitely be able to dodge an oncoming bus.  

Fortunately, for us as well as for MerusCase users, we are prepared for such questions.  Having an ironclad business continuity plan is essential both to our long-term success and in providing a peace of mind to our clients.  Every plan should start with a comprehensive risk analysis, which is core to planning for disaster recovery and business continuity for any organization.  The risk analysis must identify potential threats, risks, vulnerabilities, impacts, and outline the criticality of the business processes.  The outcome of this analysis then helps determine the needs and requirements to sustain the business in the event of a major outage, natural disaster or the president of a company getting run over by a bus.  However, no business continuity plan is of any use if it cannot withstand testing on an ongoing basis. 

Recently, we were audited by one of our clients to make sure we were HIPAA compliant as well as to obtain assurances that their data would be secure and retrievable should some event occur rendering MerusCase extinct.  We provided them with a copy of MerusCase End of Life Mitigation Plan, which was written for relative laypersons without specific subject matter expertise in the field of software engineer to restore services provided by MerusCase software package. 

The beauty of our business continuity plan is that it also serves as a blueprint for MerusCase users to conduct a run-through scenario and test out the plan on their own should a real event take place.  Thus, not only were we able to demonstrate our policies and procedures for maintaining continuous business operations and disaster readiness and preparedness,  we made sure that the plan allows for our MerusCase users to get the key to the castle and gain access to their data.  

For most attorneys (including myself) searching for cloud-based practice management software that offers reliability and an airtight security can be a daunting task.  Attorneys have a lot to worry about.  Our users should not have to worry about what happens to their client files entrusted to us.  Planning for the business continuity of an organization in the aftermath of a disaster is a complex task.  Some of them will happen without a warning and most of them will never happen.  It is highly improbable that Johnny will ever get run over by a bus (thank goodness!).  The key is to implement a business continuity plan to be able to respond to whatever event when it does happen, so that MerusCase and our users can continue "business as usual."

                                                                                       Written by Sooah Sohr, General Counsel at MerusCase