Cybersecurity: have you checked your service providers?

Cybersecurity is only as strong as your weakest link. No matter how well you shore up your firm or corporate legal department, you can still become vulnerable through a vendor. According to a Ponemon Institute study, 61 percent of US respondents confirm that their organizations experienced a data breach caused by one of their third parties, an increase from 56 percent of respondents in 2017 and 49 percent of respondents in 2016. Chances are you’ve heard of more than one company recently that has suffered costly, embarrassing, and damaging breaches that jeopardized customer relationships. Perhaps you’ve even done business yourself with one of these victims.

For corporate legal departments, the weak link may be an outside law firm. For a law firm, the weak link may be a deposition solutions provider.

What can happen if, say, deposition solutions provider systems are hacked?

  • Personally identifiable information (PII) of lawyers, clients, witnesses and others can be grabbed from transcripts, scheduling and billing systems.
  • Confidential documents pertaining to undisclosed settlement terms can be exposed in the media or used for blackmail.
  • Private health information (PHI) can be exposed, risking a HIPAA violation.
  • Deposition transcripts, exhibits, videos and more can be stolen, changed, destroyed, altered, or publicized.

All of these scenarios jeopardize cases and reputations, potentially putting law firms out of business.

Industry fears

Companies that hire law firms and law firms that hire deposition solutions providers are becoming increasingly concerned about these risks. 68% of chief legal officers are very or extremely concerned with data breaches and the protection of corporate data, according to the Association of Corporate Counsel (ACC) Chief Legal Officers 2019 Survey.

The average total cost of a data breach in the U.S. for the companies studied has grown from $3.54 million in 2006 to $8.19 million in 2019, a 130 percent increase over 14 years, according to the Ponemon Institute and IBM.

To address the cybersecurity risks, the Association of Corporate Counsel (ACC) has produced model cybersecurity practices, a de facto industry standard for law firms serving corporate counsel. It encompasses information retention/return/destruction, data handling and encryption, data breach reporting, physical security, employee background screening, and cyber liability insurance.

What a client should demand

The last thing a deposition services provider wants is to be the weak link in a client’s security. While providing state-of-the-art cybersecurity can be tough for small court reporting shops, providers with scale are more likely to have the resources to invest in the security infrastructure clients require (whether clients are asking for it explicitly or not).

Here are some security capabilities law firms and corporations should look for in deposition services providers:

End-to-end encryption – Look for vendors who use strong encryption (for example, AES-256) to secure communications between your workstations and your deposition provider’s servers, storage, video streams, audio streams and transcript delivery systems. Rather than transmitting unencrypted transcripts and videos – which, unfortunately, happens every day in this industry – look for a provider that employs strong encryption during all stages of handling and delivery of those sensitive documents.

Best-of-breed platforms – Deposition portal, scheduling, transcript, video, invoice, payment, case management and intelligence solutions should be built on proven technology platforms so that the final product is compliant with HIPAA / HITECH (health privacy), PCI (financial services) and ISO 27001 (information security) standards.

Government readiness – Better deposition providers comply with the Federal Risk and Authorization Management Program, or FedRAMP, a government-wide initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach employs a “do once, use many times” framework that saves government agencies time, money and redundant work. FedRAMP-compliant providers offer security models that are consistent with those of some of the most secure institutions on the planet, including the federal Department of Defense and Department of Justice.

Access control – In a law firm, it’s important to control who has access to what information. Administrators should demand powerful tools to manage access control to transcripts and other deposition resources. For example, if a paralegal leaves, you should be able to move their permissions – i.e., which cases, transcripts, videos and lawyers they can work with – to their replacement easily, securely and dependably. You should be able to clone entire employee access profiles, remove a profile entirely, or manage individual permissions more granularly.
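As an added illustration (not the article's own or any provider's code), here is a constructed Python model of the offboarding scenario above: the replacement inherits the departing paralegal's grants, the departing account is emptied and deactivated in the same step, every change is recorded for review, and a check reports any deactivated account that still holds access. User names and resource ids are made up.

```python
# Constructed example (not any provider's code): a small access-profile registry for
# deposition resources, showing transfer, clone, removal and granular grants.
class AccessRegistry:
    def __init__(self) -> None:
        self.active: dict[str, bool] = {}
        self.grants: dict[str, set[tuple[str, str, str]]] = {}  # (kind, id, right)
        self.audit: list[str] = []  # every change is recorded for later review

    def add_user(self, name: str) -> None:
        self.active[name] = True
        self.grants[name] = set()

    def grant(self, name: str, kind: str, rid: str, right: str = "read") -> None:
        self.grants[name].add((kind, rid, right))
        self.audit.append(f"grant {name} {kind}:{rid}:{right}")

    def revoke(self, name: str, kind: str, rid: str, right: str = "read") -> None:
        self.grants[name].discard((kind, rid, right))
        self.audit.append(f"revoke {name} {kind}:{rid}:{right}")

    def clone_profile(self, src: str, dst: str) -> None:
        self.grants[dst] |= self.grants[src]  # dst keeps what it already had
        self.audit.append(f"clone {src} -> {dst}")

    def remove_all(self, name: str) -> None:
        self.grants[name].clear()  # deactivate and drop every grant it held
        self.active[name] = False
        self.audit.append(f"remove_all {name}")

    def transfer_profile(self, departing: str, replacement: str) -> None:
        """Offboarding: the replacement inherits the grants and the departing account
        is emptied and deactivated in the same step, so no unowned access remains."""
        self.clone_profile(departing, replacement)
        self.remove_all(departing)

    def can(self, name: str, kind: str, rid: str, right: str = "read") -> bool:
        return self.active.get(name, False) and (kind, rid, right) in self.grants[name]

    def orphaned_access(self) -> list[str]:
        """Deactivated users still holding grants; non-empty means a cleanup gap."""
        return [n for n, on in self.active.items() if not on and self.grants[n]]

def offboarding_demo() -> AccessRegistry:
    # Constructed data: paralegal "pat" leaves and "sam" takes over pat's matters.
    reg = AccessRegistry()
    reg.add_user("pat"); reg.add_user("sam")
    reg.grant("pat", "case", "C-042"); reg.grant("pat", "transcript", "T-100")
    reg.grant("pat", "video", "V-7", "view"); reg.grant("sam", "transcript", "T-200")
    reg.transfer_profile("pat", "sam")
    reg.revoke("sam", "video", "V-7", "view")  # granular: sam does not need the video
    return reg
```

After `offboarding_demo()` runs, `orphaned_access()` is empty and the audit list shows the clone, the removal and the single revoke in order.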

Mature policies and procedures – Deposition providers’ systems and capabilities should be backed up by attention to the human factor in security with ongoing training and a culture of constant vigilance. Individual human behavior is often the weakest link, so providers’ staff should be trained thoroughly.

Documentation – Finally, all of a provider’s security efforts should be well-documented, making it easy for the provider to respond quickly and thoroughly to client inquiries. It’s important for service providers to be transparent to their clients. If they are not the weakest link, and are in fact one of the strong ones, that’s good; but they still need to be willing to prove it.