The fact is that most companies assume that once their data is in the hands of a legal service provider (especially a law firm) it is safe and sound. Having practiced at a law firm and having worked on hundreds of document reviews, I can tell you that is not always the case. Law firms assume that their standard security is enough and that contract attorneys can be trusted because they have signed a non-disclosure agreement. This is a naïve assumption at best. An attorney once commented to me that if he wanted to become an inside trader all he had to do was walk down the hall of any law firm. Perhaps that is an exaggeration and perhaps not. The fact remains that, on most document review projects I have witnessed, law firms allowed contract attorneys to access the Internet from review computers/facilities, access personal email accounts, and carry cell phones/cameras, USB storage drives and personal belongings into review areas. In some cases, reviewers conduct their work on computers with open USB ports and CD/DVD drives, and even work from home on their personal computers. Seriously??? How secure do you think any of that is? You might as well post the data on the Internet.
Perhaps law firms and onshore attorney staffing providers need to start taking lessons from offshore LPOs. Since their inception, LPOs (as the relatively new kid on the block) have been required to convince clients that it is safe to send data abroad for processing or review. They have had to employ aggressive security measures and state-of-the-art security technology to win the confidence of their clients throughout the world. LPOs have raised the bar for what constitutes a secure review or processing facility. On-shore providers need to play catch up, and in a hurry.
To ensure that client confidentiality is rigorously protected, service providers (including law firms) should employ a redundant security strategy that incorporates physical security, computer and data security, personnel security, and additional protocols. The following provides a good checklist of the security measures companies should require from their providers:
Physical Security
- Biometric access controls
- Audit trail records to identify the circumstances under which particular information has been accessed
- Secure off-site storage for digital audit trail records
- Biometric entry and exit locks keyed to individual reviewers to monitor access
- Additional badge identification
- Time, location, and information access restrictions
- Escort program for visitors
- Visual and motion detection surveillance
Data Security
- Information securely maintained and hosted by the e-discovery review application provider (e.g., Applied Discovery, Concordance, Kroll OnTrack, etc.)
- Secure web access incorporating Proxy/Firewall
- Each individual client team working on a local system based on a client/server architecture with a client controlled (U.S. based) data source supported by Citrix or other Windows-X platform
- PCs with biometric access, user tracking, limited user rights, and disabled media drives and communications ports
- Individual PC firewall and antivirus protection
- Network monitoring and tracking
Personnel Security Measures
- Comprehensive background checks – confirming credentials, past employment, and all references.
- Staff security training
- Full time on-site security personnel
Other Security Protocols
- Review team may not possess cell phones, cameras, or PDAs in secure areas
- No papers or writing instruments except as necessary for the project and which do not leave the work area
- Papers collected and securely shredded at the end of each work session
- All reviewers and personnel required to execute confidentiality and nondisclosure agreements upon hiring
These security measures and protocols are crucial in protecting clients’ information and maintaining a secure environment, whether the review is conducted on-shore or off-shore. In the end, it is a company’s responsibility to inquire and confirm that the appropriate steps are taken to ensure the security of its data.
3 comments:
I came upon your blog by chance. Happy to read that there’s a lot of attention being paid to security measures for lawyers and their work outside the U.S. I work in the health care services industry and believe me, that’s one of the topics uppermost in our minds. When I first found out that our health insurance information was being sent overseas, I was floored! I mean, that’s confidential information we’re sending abroad. Although they’re not state secrets, they should also be protected.
I wasn’t aware that firms have such lax security standards. The presumption is that they have in place at least some semblance of security measures in order to protect clients’ information. This is very disturbing indeed. It seems companies are better off sending work to offshore LPOs.