Cybersecurity: have you checked your service providers?

Posted: May 11, 2017

Cybersecurity is only as strong as your weakest link. No matter how well you shore up your firm or corporate legal department, you can still become vulnerable through a vendor. Chances are you’ve heard of more than one company recently that has suffered costly, embarrassing, and damaging breaches that jeopardized customer relationships. Perhaps you’ve even done business yourself with one of these victims.

For corporate legal departments, the weak link may be an outside law firm. For a law firm, the weak link may be a deposition solutions provider.

What can happen if, say, a deposition solutions provider's systems are hacked?

  • Personally identifiable information (PII) of lawyers, clients, witnesses and others can be grabbed from transcripts, scheduling and billing systems.
  • Confidential documents pertaining to undisclosed settlement terms can be exposed in the media or used for blackmail.
  • Private health information (PHI) can be exposed, risking a HIPAA violation.
  • Deposition transcripts, exhibits, videos and more can be stolen, altered, destroyed, or publicized.

All of these scenarios jeopardize cases and reputations, potentially putting law firms out of business.

Industry fears

Companies that hire law firms and law firms that hire deposition solutions providers are becoming increasingly concerned about these risks. Two-thirds of chief legal officers view cybersecurity as very or extremely important, according to the Association of Corporate Counsel (ACC) Chief Legal Officers 2017 Survey (PDF).

The average total organizational cost of a security breach in the U.S. is $7 million, according to the Ponemon Institute and IBM. No firm wants to be in a position like the two U.S. firms that in 2014 and 2015 had more than 50 GB of compressed data on impending mergers and acquisitions stolen. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” Preet Bharara, then U.S. Attorney of the Southern District of New York, said last year.

To address these cybersecurity risks, the Association of Corporate Counsel (ACC) has produced model cybersecurity practices, a de facto industry standard for law firms serving corporate counsel. The guidance encompasses information retention/return/destruction, data handling and encryption, data breach reporting, physical security, employee background screening, and cyber liability insurance.

What a client should demand

The last thing a deposition services provider wants is to be the weak link in a client’s security. While providing state-of-the-art cybersecurity can be tough for small court reporting shops, providers with scale are more likely to have the resources to invest in the security infrastructure clients require (whether clients are asking for it explicitly or not).

Here are some security capabilities law firms and corporations should look for in deposition services providers:

End-to-end encryption – Look for vendors who use strong encryption (for example, AES-256) to secure communications between your workstations and your deposition provider’s servers, storage, video streams, audio streams and transcript delivery systems. Rather than transmitting unencrypted transcripts and videos – which, unfortunately, happens every day in this industry – look for a provider that employs strong encryption during all stages of handling and delivery of those sensitive documents.

Best-of-breed platforms – Deposition portal, scheduling, transcript, video, invoice, payment, case management and intelligence solutions should be built on proven technology platforms so that the final product is compliant with HIPAA / HITECH (health privacy), PCI (financial services) and ISO 27001 (information security) standards.

Government readiness – Better deposition providers comply with the Federal Risk and Authorization Management Program, or FedRAMP, a government-wide initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach employs a “do once, use many times” framework that saves government agencies time, money and redundant work. FedRAMP-compliant providers offer security models that are consistent with those of some of the most secure institutions on the planet, including the federal Department of Defense and Department of Justice.

Access control – In a law firm, it’s important to control who has access to what information. Administrators should demand powerful tools to manage access control to transcripts and other deposition resources. For example, if a paralegal leaves his or her job, you should be able to easily, securely and dependably move their permissions – i.e., which cases, transcripts, videos and lawyers they can work with – to their replacement. You should be able to clone entire employee access profiles, remove them entirely, or manage permissions more granularly.
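The offboarding procedure described above (move a departing paralegal's permissions to a replacement, clone a profile, or revoke everything) sketched as an added example; this is illustrative code, not Esquire's or any provider's system, and the resource kinds, user names and the `AccessRegistry` class are assumptions. The transfer is written as copy-then-revoke so the departing user is left with no lingering grants and every step lands in an audit log.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Resource identity: (kind, id), e.g. ("transcript", "T-42"). Kinds are constructed here.
Resource = Tuple[str, str]


@dataclass
class AccessProfile:
    user: str
    grants: Set[Resource] = field(default_factory=set)


class AccessRegistry:
    def __init__(self) -> None:
        self.profiles: Dict[str, AccessProfile] = {}
        self.audit: List[str] = []  # append-only record of every grant/revoke

    def _profile(self, user: str) -> AccessProfile:
        return self.profiles.setdefault(user, AccessProfile(user))

    def grant(self, user: str, res: Resource) -> None:
        self._profile(user).grants.add(res)
        self.audit.append(f"grant {user} {res[0]}:{res[1]}")

    def revoke(self, user: str, res: Resource) -> None:
        self._profile(user).grants.discard(res)
        self.audit.append(f"revoke {user} {res[0]}:{res[1]}")

    def can_access(self, user: str, res: Resource) -> bool:
        return res in self.profiles.get(user, AccessProfile(user)).grants

    def clone(self, src: str, dst: str) -> int:
        """Copy every grant src holds onto dst; src keeps its own access."""
        new = sorted(self._profile(src).grants - self._profile(dst).grants)
        for res in new:
            self.grant(dst, res)
        return len(new)

    def transfer(self, departing: str, replacement: str) -> int:
        """Hand all grants to the replacement, then strip the departing user."""
        moved = self.clone(departing, replacement)
        self.remove_user(departing)
        return moved  # number of grants newly given to the replacement

    def remove_user(self, user: str) -> int:
        """Offboarding: revoke every grant so stale access cannot linger."""
        held = sorted(self._profile(user).grants)
        for res in held:
            self.revoke(user, res)
        return len(held)
```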

Mature policies and procedures – Deposition providers' systems and capabilities should be backed by attention to the human factor in security, with ongoing training and a culture of constant vigilance. Individual human behavior is often the weakest link, so providers' staff should be trained thoroughly.

Documentation – Finally, all of a provider’s security efforts should be well-documented, making it easy for the provider to respond quickly and thoroughly to client inquiries. It’s important for service providers to be transparent to their clients. If they are not the weakest link, and are in fact one of the strong ones, that’s good; but they still need to be willing to prove it.


Jim Ballowe

Jim is a veteran information technology professional, having worked with several global technology pioneers including Digital Equipment Corporation, HP & Lucent. His areas of expertise include enterprise architecture, infrastructure, information security, and product development, and he is helping Esquire and its clients navigate Litigation 2.0.