With major law firms, giant eDiscovery providers, and the ABA all still getting hacked, the legal profession already has enough cybersecurity fish to fry. Unfortunately, the threat vectors aren’t slowing down to allow attorneys to play catch-up. Confidential data thrashes around inside law firms like kids waiting for recess — penned up but prepared to make a chaotic mess if anyone cracks the door. But one offsite home of critical client data that might be overlooked is your chosen court reporters.
Given the adversarial nature of anything involving a reporter, they’re generally not going to have anything you’re worried about the other side seeing — which is nice — but that’s not the end of the inquiry. Evidence can be subject to “eyes only” agreements, the case could be handling trade secrets, and they’ve obviously got a lot of PII. Every word they’re typing throughout the deposition is potentially confidential. Court reporters are like a tidepool on the legal industry’s confidential data beach, harboring a slice of the total in its own self-sustained community.
So are your court reporters securing that data? More importantly, how can you be so sure?
Generally, System & Organization Controls (SOC) reporting exists to help assure customers that an organization is ready to keep data secure from outside attack. A SOC 2 report is the fancy certification that companies can get detailing the processes that they follow to keep things secure. An expert takes a fine-tooth comb and guarantees that there aren’t any weak links of unpatched software or employees jumping data outside the network.
For court reporting, it’s a good guide for someone who needs to make sure a particular matter’s data stays secure. Strongly consider looking for that seal of approval.
But then someone pointed out to me that there’s an extra wrinkle when it comes to reporting because court reporters… aren’t always employees. A lot of transcription companies bring on court reporters as “routine freelancers.”
That doesn’t necessarily doom a SOC evaluation. Generally speaking, a competent SOC auditor will include contractors within the scope of the evaluation assuming the contractor has a major impact on the overall system being certified. In other words, the pest control guy that sprays the office once a month isn’t part of the evaluation… the 25 court reporters the service uses will be.
Still, it should give firms a little extra pause, because a SOC report will consider the processes court reporters employ in that system but may make additional representations that would only apply to the full-time staff as opposed to the reporters. In other words, the reporters meet the certification requirements, but if your client demands higher standards for network credentialing, you can’t necessarily rely on a report that states “employees use XYZ credentialing” because the court reporters would not be included in that definition. So… they might use the same security that the rest of the employees do. Or they might not? Just make sure you know what the certification is really certifying.
Of course, some transcription companies have all their court reporters as full-time employees, which is the easiest because you know it’s all covered.
No matter how you go about the process, it’s safe to say that the method I deployed as a practicing attorney — the court reporter service that sent the nicest swag — is no longer enough in these times of high-tech threats.
Joe Patrice is a senior editor at Above the Law and co-host of Thinking Like A Lawyer. Feel free to email any tips, questions, or comments. Follow him on Twitter if you’re interested in law, politics, and a healthy dose of college sports news. Joe also serves as a Managing Director at RPN Executive Search.