Despite not yet knowing how COVID-19 will affect eDiscovery services in the long run, those who provide these services are experiencing new challenges. More and more attorneys are working at home, which increases the demand for remote document review. The environment presents several challenges that need to be addressed for reviewing quality and security. Adapting to new and evolving circumstances requires collaboration with clients and careful consideration of their needs and risk tolerances.
Typically, review teams work in an office setting under direct supervision on authorized equipment, which ensures established protocols are followed. This dynamic has been changed as a result of remote document review, forcing teams to outline and adopt new security protocols quickly. Providers of eDiscovery nevertheless have options for maintaining office-level security and working efficiently. The following considerations should be considered when creating a plan for addressing remote work policy changes:
Secure Remote Viewing and Ensure Proper Operation by Planning Ahead
eDiscovery providers need to consult their clients, counsel, and partners when updating their security policies for possible long-term remote work. The collaboration will help develop a comprehensive plan for document review that addresses the necessary provisions involving multiple parties, including training, remote staffing, oversight, information security, and confidential information handling. Consistency will also be enhanced through collaboration.
Do not Store Work-Related Files on Non-Work Computers or Cloud Storage
It’s better to be safe than sorry! Instead of storing things that you may need later in the cloud (Google Drive, Dropbox, iCloud), an external hard drive is a great way to store those essential documents for your job. Many employers will go out of their way to accommodate you if it means protecting valuable client information and/or company financials. Of course, some companies won’t care as much about privacy and security — just be sure you know what type of company you’re working for before leaving important files at risk when working from home.
Establish a Physical Workspace
Consider who will be there and the equipment needed when planning where to hold remote reviews. Work with clients and partners to understand what requirements surround the work area, including which types of workspaces are acceptable, and how security compliance is handled. Furthermore, determining the client’s expectations regarding mobile devices in the workspace is also useful.
Providing Secure Access to Data
To maintain data confidentiality and ensure the security of remote viewing services, controls should be implemented along with physical restrictions. Multifactor authentication and access programs are great places to begin. Programs that are updated and patches applied as needed will increase security and help clients feel at ease. Furthermore, it is a good idea to implement additional access point restrictions, such as limited registered IP addresses in each reviewer’s home office.
Select the Remote Viewing Devices
To review documents remotely, a device with advanced security and performance is required. Without these steps, the associated sensitive information may be exposed to vulnerabilities. Consult with clients, counsel, and providers about acceptable devices for remote review services.
It is more likely that employees will use their devices to perform work-related tasks when they work remotely. Reviewers must determine if personal computers are permitted and what software and hardware security should be implemented. Some clients may prefer to use a locked-down device for remote viewing purposes. It will most likely be necessary to use oversight and communication software when conducting remote viewings.
Several organizations have adjusted their remote reviewing policies in response to the Coronavirus pandemic. Despite the difficulty of transitioning to an online review process at first, there are benefits for eDiscovery professionals to do so, including more reviewers worldwide available to work on more projects and a faster response time. For document reviewers to be able to continue giving their clients excellent service outside of the office, security policies need to be carefully considered and adjusted as required.
Encrypt your Computer and Mobile Devices
There is no excuse for not having this security in place nowadays. TrueCrypt offers a free solution that can password protect any hard drive or memory device including thumb drives, SD cards, and iPods/iPads. You can also encrypt individual files if you don’t want to encrypt everything on a storage device at once. For mobile devices, we recommend using “full disk encryption” so that the entire device will be encrypted instead of just certain files. Apple’s iOS 9 introduced new full-disk encryption methods – make sure you have the latest version of iOS. Android encrypts everything in the newer versions, but make sure your phone is encrypted before you lose it or have it stolen!
Encrypt your E-mail and Use a Unique Password for Every Account
Most email providers (Gmail, Hotmail/Outlook, etc.) can decrypt your messages with either just your login information or by hacking into the server where they are stored. Additionally, if you set up 2-Factor Authentication on these accounts (and you should), make sure that you write down your “Recovery Codes” so that they aren’t lost when needed most. These codes let you access your accounts even if you lose your phone. This will make your document review process secured and simple.
Use Strong Passwords
The easiest way to do this is to use a password manager such as LastPass, RoboForm, or 1Password. These services will generate random passwords for you and keep track of all your passwords so that you don’t have to remember them yourself. You can access the service from anywhere in the world and only need to remember one master password. Additionally, these services offer two-factor authentication when signing into an account so that you are always protected — even if they get hacked!
Additionally, I would make sure that you are using some sort of document review software program that can perform robust analytics on the documents you produce i.e., redaction, Bates numbering, metadata tagging. This way if any files go “missing,” you will at least know which user/reviewer it was and what date/time it went out of your possession—which is exponentially more document review information than what most law firms have now in their traditional paper-based environment!
Remember that sometimes being safe from litigation risk means not engaging in risky behavior yourself by doing things like handing off documents over a public wireless network or using an insecure home computer for document review.