Published on May 14, 2020 Every industry is experiencing an unprecedented time in the wake of social distancing requirements. Previously, many document review supervising attorneys favored review teams working from a secure room, where reviewers were supervised in person. Because this is not possible today, remote review must be considered. But, many attorneys are rightly cautious: how secure can a remote review really be? With the help of strong security processes, biometrics technologies, and environment and device monitoring, attorneys are finding that even with virtual review, their clients’ information remains very secure.
Remote supervision of document review is not new. Some attorneys had already embraced this technology because the flexibility offered to document reviewers working from home creates cost savings. However, because remote review was not seen as a best practice for security when compared to in-person document review, it was not usually a preferred option. When not configured or managed correctly, remote review can indeed create security risks. Therefore, attorneys setting up remote reviews must understand the processes and features that can optimize project security. Their own reputation, and often that of their clients, hinges on the protection of clients’ confidential information.
Above all, it is important that attorneys work with a document review provider who understands the intricacies involved in a work-from-home environment and can adapt quickly to project needs. The partnership with the legal service provider must ensure business continuity and address specific security elements to safeguard the client corporation and its counsel.
Below are a few guidelines to keep in mind when working with a staffing provider for remote document review projects.
Protect Reviewers’ Devices from Viruses and Other Malware
Each remote device used for a contract attorney document review must be examined before it may connect to the review. The operating system and anti-malware software should be vetted to ensure that each device is compliant. Before and throughout the course of the review, each reviewer’s device should have up-to-date anti-malware software that continuously checks for and neutralizes threats to keep the device free from compromise. While the review occurs in a secure cloud environment, one of the most important reasons to still vet each device is to ensure that a keylogger program has not been installed on equipment utilized by the reviewer. Such malware programs can record every keystroke made by a computer and could be used to gain access to secure networks and possibly compromise confidential information.
Require a Secure Work Environment
Reviewers should work on a separate, secure private network. Driven has its own Citrix environment to ensure that the security protecting our clients’ data is built on the same technology that they trust and expect from on-premises reviews. Also, project-related emails continue to be protected through a dedicated reviewer email system.
The physical environment from which each reviewer works also impacts security. While reviewers on today’s projects are likely isolated, their review space should still be located out of the view of family members, roommates, and others. For example, a second desk located next to the reviewer’s desk may indicate a shared workspace, which can create security risks. A 360° scan of the workspace will provide a sense of the physical work environment, which may be useful when discussing security expectations with the reviewer.
While scans of the reviewer’s device should identify any peripheral devices, a room scan should also be used to determine whether such devices are near the reviewer’s workspace and reinforce expectations with the reviewer that unapproved peripheral devices cannot be connected during review. Some peripherals, such as printers, are never allowed, while others, such as keyboard, mouse, and additional monitors, can be used only after they are approved.
Beyond window-authenticated passwords for logins, multiple factor authentication based on the device itself is important for remote reviews. Three authentication factors should check whether the correct user is using the correct computer from the correct location by checking that a reviewer’s:
Monitor the Reviewers’ Presence
Various forms of electronic monitoring can automatically verify the identity and detect the presence of each reviewer. Depending on review needs and reviewer circumstances, this can include facial recognition, knuckle matching, and driver license scanning. When the reviewer logs in, the system will automatically detect if the authorized reviewer is present, as well as whether any individual who has not been approved comes into view of the computer screen. If reviewers step away from their computers, they can be automatically logged out.
Even if reviewers are not properly closing out of the system during each break, the system can automatically log the reviewers out if they step away from the computer. This functionality also helps keep track of breaks to ensure that hours worked are recorded properly.
Monitor the Reviewers’ Activities
As with in-person reviews, reviewer activities are monitored during the review. In addition to standard productivity monitoring that confirms reviewers are on task, their activities on their device, both inside and outside the secure review environment, are detected and logged. Activities such as the use of other applications, connection of peripheral devices and storage, and the presence of unauthorized people, are monitored. Any unauthorized activities are elevated as violations. Detected violations are reported to review managers and logged into reviewer reports. Certain violations, such as the presence of an unauthorized person or plugging in a thumb drive, can cause the reviewer to be shut out of the review immediately. In addition, detection of a violation should trigger a saved video recording, preserving footage of the violation for review managers.
Establish Work-From-Home Policies and Procedures for Reviewers, and Communicate with Them
Legal service providers should put into writing the expectations they have for reviewers working from home. At a minimum, these written policies should contain:
Confidentiality agreements should be adjusted to account for the change to a remote environment. Direct communication with reviewers is also imperative to ensure that as modifications develop, they are adopted and supported by each employee. Lastly, legal service providers should educate each reviewer on hacking trends. Taking the time to educate each reviewer is just another step to building and securing a safe work environment.
In addition to creating a secure work environment, it is important that your document review provider has a team who can communicate directly with the reviewers, some of whom may be unfamiliar with accessing the review environment. A strong review operations management team will help guide the reviewers into the private networks and troubleshoot for such issues as password resets, connectivity problems, and general technology questions. Such issues could impact business continuity if a strong, responsive team is not supporting the users.
Work with Established, Knowledgeable Providers
A strong partnership with a knowledgeable and technologically advanced legal services provider is essential. Different reviews will have different requirements, and your provider must act as a partner who can understand and serve the needs of each of your reviews. Driven is equipped to provide the security and peace of mind you need to protect your remote document review, ensure business continuity, and remain productive.
