How to Build a Law Firm Business Continuity Plan for Your Financial and Matter Data in 2026: The Step-by-Step Guide Most Firms Skip Until It's Too Late
Ransomware, vendor failure, a flooded office, a departing bookkeeper with the only password. A business continuity plan is now an ethics obligation, not an IT wish-list item โ and the hardest part isn't restoring your email, it's proving your trust ledger. Here is a step-by-step BCP framework built around the data a bar auditor will actually ask for.
Published: 2026-07-12T13:05:38.408Z ยท Category: Compliance ยท 8 min read
โ๏ธ Why Continuity Became an Ethics Problem
Three duties collide here, and every one of them is already in your rules of professional conduct.
Competence now includes technological competence โ you are expected to understand the benefits and risks of the technology you use. Safekeeping property requires you to maintain complete records of client trust funds and produce them, typically for five to seven years depending on your jurisdiction. And communication requires you to keep clients reasonably informed, which is difficult from a firm that cannot open its case management system.
None of those duties are suspended because a vendor had an outage or a threat actor encrypted a file server.
๐งญ Step 1: Inventory Your Critical Data Domains
Every firm has four, and they have very different recovery requirements.
Trust & financial records
IOLTA ledgers, three-way reconciliations, GL, AR, disbursements. Highest regulatory exposure. Lowest tolerance for gaps.
Deadlines & calendars
Statutes of limitations, court dates, USCIS response windows. A 72-hour outage here creates malpractice exposure, not inconvenience.
Matter documents
Pleadings, contracts, client IDs. Large volume, moderate recovery urgency, high confidentiality sensitivity.
Unbilled time & WIP
The most commonly lost asset in an incident. Time not recorded is revenue that never existed.
๐ฏ Step 2: Set an RTO and RPO for Each Domain
Two numbers, borrowed from IT but genuinely useful here:
- RTO (Recovery Time Objective) โ how long can we be without this before real harm?
- RPO (Recovery Point Objective) โ how much data can we afford to lose, measured in time?
| Data Domain | Realistic RTO | Realistic RPO | Why |
|---|---|---|---|
| Trust & financial records | 4โ8 hours | Zero tolerance | You must be able to state every client's trust balance on demand |
| Deadlines & calendar | 4 hours | < 1 hour | A missed statute is not recoverable |
| Matter documents | 24โ48 hours | < 24 hours | Painful but generally reconstructable from counterparties and courts |
| Unbilled time / WIP | 24 hours | < 24 hours | Attorneys cannot reliably reconstruct a week of time entries |
๐ Step 3: Adopt the 3-2-1-1-0 Rule
The modern evolution of the classic backup rule, and the one a bar auditor or cyber insurer will recognize:
- 3 copies of critical data
- 2 different media or platforms
- 1 copy off-site or in a separate cloud tenant
- 1 copy immutable or air-gapped (ransomware cannot encrypt what it cannot write to)
- 0 errors on your last verified restore test
๐ค Step 4: Own an Independent Export of Your Books
This is the step that separates a real BCP from a checkbox. Ask your platform vendor a direct question: can we, on our own, without a support ticket, export the complete general ledger, every matter-level trust ledger, and the full transaction history โ in a format we could hand to an accountant or a successor platform?
If the answer is "our support team can generate that for you," you do not own your books. You have a claim on them, dependent on a vendor relationship that survives billing disputes, acquisitions, and outages. In a year where legal tech consolidation is running hot, that distinction has teeth.
๐ค Step 5: Eliminate Single Points of Human Failure
The most common continuity failure in a mid-size firm is not a cyberattack. It is one person โ usually the bookkeeper or office manager โ who is the only human who knows how the reconciliation works, holds the bank portal credentials, and understands the chart of accounts.
Fix it with three concrete artifacts: a documented trust accounting operating manual, credentials in a firm-owned password manager (never a personal one), and at least two people who have actually performed a month-end close.
๐ Step 6: Write the Communication Tree Before You Need It
Who calls the malpractice carrier? Who calls the bank if trust funds are implicated? Who notifies clients, and under what threshold? Who talks to the state bar? Most jurisdictions have breach-notification duties, and several now expect prompt notice where client confidential information is compromised. Decide the names now, on one page, printed, because your intranet may be the thing that is down.
๐งช Step 7: Run a Tabletop Test โ Annually, With Real Data
Pick a Friday morning. Declare, hypothetically, that the practice management platform is unavailable and the last 48 hours of data are gone. Then actually attempt to answer:
- What is the trust balance for our ten largest matters, right now?
- What deadlines fall in the next 14 days?
- Which invoices went out this week and which were paid?
- How much unbilled time exists, and by whom?
Time each answer. The gaps you find in ninety minutes of tabletop are gaps you would otherwise find during an actual incident, on the worst day of your professional life.
๐๏ธ How a Unified Platform Changes the Math
CaseQube and LawAccounting run on Salesforce infrastructure, which means enterprise-grade redundancy, role-based permissions, and a complete audit trail on every record change โ including every trust transaction. Because practice management and accounting share one data model, a point-in-time reconstruction rebuilds the matter, the ledger, the disbursements, and the documents together, not as four separate restores that then have to be reconciled against each other.
- Business continuity is an ethics obligation โ competence, safekeeping of property, and client communication all survive an outage.
- Set separate RTO/RPO targets per data domain. Trust records and deadlines have near-zero tolerance; documents can wait.
- Apply 3-2-1-1-0. The immutable copy stops ransomware; the verified restore is the part firms skip.
- Own an independent export of your GL and trust ledgers. If only your vendor can produce your books, you do not own them.
- Run one tabletop test a year with real questions. Ninety minutes now beats ninety hours later.
Can You Prove Every Trust Balance Today?
See how CaseQube and LawAccounting keep matter records, trust ledgers, and audit trails in one Salesforce-backed system โ with exports you control.
Schedule Your Demo →