Well Meaning Attorneys Make Honest Mistakes

Are the best document review attorneys working long hours at night at home? Can they print “interesting” docs or emails to firm associates upon request?  Does one doc review attorney out of 60 in a beautiful open-office space in Dallas have an ax to grind against your client or against a particular corporate player?  

Can an attorney email docs to a college roommate who now works at Bloomberg? Can they casually share a particularly “colorful” comment by Acme’s president with their spouse on the couch for a laugh? You need a solution that ends the back channeling. 

Wouldn’t it be great if your document review attorneys could access the docs from the office only if you choose — and only if the attorney’s face has been authenticated in front of the computer? That ideal state is available right now.

Professionals Are Humans, Too

The contract attorneys hired in Richmond, Atlanta, Philadelphia, and the Twin Cities are smart people who went to college, and then law school, and passed the state Bar. Most are earnest, well-meaning professionals. 

But they make honest mistakes. Documents get saved to the wrong server, emailed to the wrong people in error, backed up to the agency’s systems and stored forever.  Contract doc review attorneys live with people who work at law firms and newspapers or colleges and state legislatures. 

They change too  — impartial and professional one day, and driven by passions 90 days later — with access to evidence. And that evidence in the wrong hands can be devastating. Data loss prevention and other methodologies for controlling where sensitive client data goes are more important today than ever before, and more complicated today too, as projects involve more organizations.  

Take Control of The Document Review Environment

There is a practical, economical way of implementing best-practices InfoSec across all your doc review agencies. You can select the vendor who has the doc review lawyers with domain expertise, or just the right price, and “outsource” the infosec to an independent provider who’s only business is keeping your client’s information secure.

Do the contract attorney agency and the full-service ediscovery provider have backups of their network storage resources? Their email servers? The individual PCs in the review center?  Your key documents are on their network and in their backup snapshots, and perhaps even in their third-party data backup company’s storage systems. 

Recently one contract doc review agency in the US had a “leak.” Some PDFs of import docs of one of their clients leaked from the user’s PCs onto the agency’s email server and system backup tapes. The audit to prove that they had complied with the document destruction order cost about as much as they made on the project. 

If only the well-meaning doc review vendor had been able to segregate all the data on the matter to an independently managed info tech infrastructure, this could have all been avoided. 

People can make honest mistakes. People can also behave badly. That’s why you need a fast, secure, inexpensive computing infrastructure that provides complete isolation of your client sensitive confidential data so it can’t leak or be leaked. 

Solutions That Put You on the Right Side of the InfoSec Battle

Consider a secure, matter-specific information technology infrastructure and related services to get doc review projects started on the right InfoSec posture. From a practical perspective, a matter — or project — specific infrastructure means that for each document review and redaction project gets its own discrete, secure, virtual computer network with workstations, email, shared storage, and approved apps and constant auditing for each user working on that matter.  

These systems can be faster than traditional approaches, accessible (with proper permissions) from anywhere in the world, and surprisingly economical. 

Get a solution in which each virtual workstation has its own dedicated storage — that does not get backed up to the agency’s systems —  as well as a dedicated email account for the matter and user. 

With the right infrastructure, the email for project coordination, collaboration, and doc sharing is NOT inside the ediscovery vendor’s enterprise email system, with its own policies and backup protocols. 

Be sure that each workstation has firewall whitelist rules to ensure the doc review attorneys CAN access the sites they need and cannot access other sites, and, of course can only send/receive email to/from folks they should.  

A Matter Specific Infrastructure provides each document review attorney and project manager an individual virtual workstation for each new project, or matter, and at the end of the matter, the infrastructure is archived or deleted. You do not have to depend on the vendor’s IT staff to carry out the cleanup. Information security, convenience and cost-effectiveness are guaranteed. Worries  disappear.

To find out more, visit SecureReview at the LegalTech 2020 conference, booth #3231. SecureReview is a proud sponsor of LegalWeek, which takes place February 3 to 6, 2020, at the New York Hilton in Manhattan.

Consider the Consequences: Today’s Document Review Attorneys

Today, even for large law firms, one significant litigation or government investigation matter can lead to lawyers carefully reviewing thousands, or tens of thousands, of emails and memos and PowerPoints and spreadsheets from key players inside your client company for privilege, trade secrets, or any number of important facts and issues.

The powerful alchemy of AI and magic mojo of machine learning has not put document review attorneys across the globe out of business just yet. 

The relentless flow of email, Slack and Asana, iMessage and Skype, and the move to Office365  means there is a lot of content for boards and their attorneys to worry about. Maybe the robots will skillfully handle all this doc review one day soon, but for now ramping up a document review project — even after all the technology-enabled culling has happened just right  — is an important and expensive undertaking.  

Sensitive Documents Need Sensitive Environments

Often, depending on the number of docs, the complexity of the issues, and the number of bold-face names on the witness list, there may be an army of contract lawyers in Florida or Nashville or Bangalore that get to read these emails and docs.  If you’ve done all your ECA and TAR just right, you still have a bunch of sensitive docs and email from the important custodians, perhaps even C-level players, that attorneys need to pore over and make a decision about.

In many instances, contract attorneys will be needed to help your associates review the documents if you are to meet the court’s discovery schedule (or the strategically negotiated schedule with the DOJ lawyer). 

It happens every day in the AMLAW 100 and 200, in the Magic Circle, and in the Big Four. Projects are bigger each year and it takes teams of firms to handle today’s complex litigation and investigation matters. If it has not already happened to you, it will soon. Many of the people you (and your clients) need to work on the matter will NOT work at your firm.

For Document Review, Don’t Rely on Trust

Can you trust your ediscovery or “managed review” provider to have really thought through all the complexities of today’s infosec issues? Can they afford the latest in DLP software? They too are taking advantage of the gig economy players with rented space at the start of each review project. Ten or 20 or 80 contract lawyers working at PCs set up on folding tables yesterday; lawyers who were working somewhere else last week. 

How secure are these doc review operations? What can these vendors — with thin margins — focus on: good IT people, best practice procedures, or good review attorneys? If only there was a third-party providing security-as-a-service for legal document reviews.

Why Information Security Audits Aren’t Sufficient

When you regularly handle confidential documents, it’s an excellent idea to conduct information security audits. An information security audit is a great way to measure and assess the effectiveness of your security policies. An audit is an opportunity to ensure that your well thought out plans are technically sound.

But there’s one problem.

An audit is a snapshot. It captures no more than the precise moment the information security audit was conducted. There’s nothing to prevent a security breach from occurring a minute, a day, or a few months later. You would never know that there’s been a data breach if you’re relying solely on those audits to put your mind at ease.

Types of Security Audits

There is a great variety of security auditing tools and protocols for information systems. Here are five areas that are typically scrutinized:

  • Vulnerability tests find weaknesses in design, procedure, and implementation
  • Penetration tests discover opportunities for attacks to your digital resources
  • Risk Assessment allows management to decide which risks it is willing to take
  • Compliance tests assess how well the organization is adhering to agreed upon rules
  • Due Diligence Questionnaires determine how well partners comply

Data Breaches Despite Security Protocols

While this set of evaluations appears to provide an exhaustive, 360 degree view of a system’s information security, it’s not enough to prevent major damage. Take, for example, some recent high profile data breaches. It seems that every time you look, another well known organization falls victim to hackers and identity thieves. Surely, Macy’s had security protocols in place in October 2019 when malware installed on its e-commerce site went undetected for an entire week, according to Fast Company.

During that time, sensitive customer data, such as credit card numbers, names, addresses, phone numbers, and email addresses, was stolen. The same malware that affected Ticketmaster and Newegg.

Equifax is another example of a serious data breach at a business that should have had ironclad security protocols in place. And yet, in 2017, the sensitive information of 145 million consumers was exposed. The ripple effect of this information security breach is still being felt to the tune of $650 million. The company is subject to a class action suit, and may have to pay out up to $20,000 per customer.

Error, Negligence, and Bad Behavior

Audits are only a small part of an overall information security strategy. An audit occurs at a point in time. The instant that moment passes, your organization is vulnerable again.

Even though major corporations have infosec protocols in place and undergo regular audits, there’s a high risk for human error, negligence and bad behavior.

While it’s probably impossible to entirely eliminate risk, there is a way to greatly reduce risk. You should reasonably expect that your documents will be secure throughout the system. The secret to infosec success is layers.

Risk Reduction Through a Layered Approach

By all means, continue to conduct security audits. And consider adding a layer of security that continues to work for you all day, everyday, around the office and around the globe.

As good as a security audit can be, it just takes one person to break the system once the audit is complete. Don’t play a cat and mouse game with hackers. When you truly protect your documents, you’ll sleep better at night knowing that you have an impenetrable information security wall.