“If you think compliance is expensive, try non-compliance” – Former Deputy US Attorney General Paul McNulty
A common buzzword in the last few years, compliance is a top priority for many law firms. In the process service industry we’ve seen a significant increase in compliance requirements, especially in the financial sector. Whether mandated by federal or state rules and laws or put in place due to increasing pressure from clients, securing confidential information is critical for firms of every size. Being compliant requires a proactive approach that covers all the bases.
This responsibility extends to your vendors. With so much data being shared back and forth, it’s no longer enough to make sure your firm is taking the proper steps to protect and store information. If a leak occurs from a vendor’s employee who shouldn’t have had access to certain information or from a vendor’s hacked infrastructure, the end result of having your client data exposed is still the same as if it happened through your firm.
Ask the right questions of your vendors to make sure they’re doing everything necessary to stay compliant and protect the data they receive from your firm.
What To Ask Your Vendors
1. Who has access to data?
Investing in data security and encryption only goes so far. Encryption protects data at rest and in transit against outsiders, for example in the event of a cyberattack or a stolen laptop, but it offers no defense against the employees who are authorized to decrypt and work with that information. Ask your vendor which roles can see your data in the clear and why each of them needs to.
Also ask your vendor whether they conduct background checks on employees, especially those who will handle personally identifiable information (PII). If not, your data could be in the hands of someone whose history and criminal record say they should not have access. Even in process service, where much of the data consists of court documents that are served and are public record, PII such as home addresses and social security numbers is frequently involved when locating individuals.
Check whether your vendor has a written access policy that specifies how user accounts and permissions are granted, reviewed and revoked, so that each person has access only to what their role requires and access is removed promptly when someone leaves or changes roles. There should also be a password policy in place: strong, unique passwords, multi-factor authentication where the vendor's systems support it, and a requirement to change a password when there is any sign it has been compromised. Ask when access rights were last reviewed and who signed off on the review.
2. How is data backed up?
Clients have expectations, and one of them is that a case will move forward in a timely manner. If data is lost, it can have a significant impact on workflow. Does your vendor have a plan in place to ensure that their data is backed up regularly?
Fire, flood, human error and malware can all cause data to be lost. How long would it take your vendor to be operational again should something happen to their primary data source, and how much recent work could be lost in the process? Many top-tier backup arrangements now have triple redundancy, with copies stored at three geographically separated locations to ensure continuity even in the event of a natural disaster that affects an entire region. A backup that has never been restored is only an assumption, so also ask how often the vendor tests restoring from backup and whether at least one copy is kept offline or otherwise isolated from the systems it protects.
3. Do you use independent contractors or employees?
Having control over who handles work product is extremely important. Similar to knowing who has access to your data, when information is handed over to a third-party independent contractor there are a large number of unknowns: what devices the work is done on, where files are stored, and who else in the contractor's household or business can see them. Companies that use only employees can dictate exactly how data is handled, stored and backed up. If a vendor does use contractors, ask whether the contractors are bound by the same confidentiality, access and data-handling obligations as employees and how the vendor verifies that.
4. What type of insurance do you have?
The fact that a company has a certificate of good standing or has been in business for a number of years doesn't necessarily mean it carries insurance that would protect your firm should something go wrong. With the high stakes involved in legal cases, most law firms carry significant levels of coverage. Given the role a vendor's services can play in the outcome of a case, it makes sense that vendors should also carry extensive insurance, including errors and omissions coverage and, because they hold your client data, cyber liability coverage for breach response and notification costs.
In the event your firm needs to recover losses due to a vendor's mistake, without insurance there could be little hope of regaining the full amount. Confirming that your vendors have adequate coverage, and asking for a certificate of insurance rather than taking their word for it, provides a layer of protection if it is ever needed.
5. What is a basic overview of your business continuity plan?
A business continuity plan (BCP) ensures that in the event of a natural disaster or other significant event there is a written and known plan to follow so that downtime is limited. Each vendor should have a BCP in place. Even more importantly, they should understand what it involves and how to execute it.
Companies that have such a plan but don't regularly review, test and improve it will still encounter difficulty in regaining normal operations. Ask when the plan was last exercised, even as a tabletop walkthrough, and what was changed as a result. The management team should be familiar with the steps that will need to be taken and what to expect in the event the BCP is activated. Even the best vendor will prove to be a liability if they can't continue to provide the functions and services your law firm needs under all circumstances.
Law Firms & Vendor Compliance
Checking in with your vendors can be as simple as a questionnaire or as extensive as an on-site audit. Whichever approach you choose, record the answers, follow up on any gaps, and repeat the review on a regular schedule rather than treating it as a one-time exercise. This proactive measure saves time and headaches down the road. It's much easier to address potential concerns now than to try to repair the damage from a lost case or a data breach.